Foreword

Warning

Please consider this tutorial a proof-of-concept only. If you are a novice network administrator, take everything described here with a huge grain of salt and seek professional advice before implementing it in production. Explicit proxying, where browsers are configured to talk to the proxy directly, is almost always preferable to the transparent interception described in this tutorial.

Our goal is to enforce web filtering for all outbound HTTP/HTTPS traffic in our network. We will implement this with Squid proxy intercepting the traffic and Web Safety ICAP server performing the filtering.

For reasons specific to our environment we cannot follow the normal, explicit proxy way of doing things, so we decide to forcibly filter all HTTP/HTTPS connections on our gateway instead. Because the users' browsers are not configured to use a proxy, this deployment scenario is usually called NAT interception (transparent proxying).

Our gateway machine will be based on RHEL 9 (Rocky Linux). Our network uses addresses from the 10.0.0.0 subnet with network mask 255.255.0.0 (10.0.0.0/16). All workstations in our network have 10.0.0.1 set as their default gateway. The gateway has two network interface cards (NICs) with the following parameters:

  1. ens160 - network card facing the public Internet, with its address assigned by the Internet Service Provider's DHCP.

  2. ens192 - network card facing our private LAN, with its address statically set to 10.0.0.1, netmask 255.255.0.0 (10.0.0.1/16).

The following shows the result of the ip addr command run on our gateway. Note that in this output ens192 carries 10.0.0.1/24 (netmask 255.255.255.0), which does not match the intended /16 mask: with a /24 the gateway only has a connected route for 10.0.0.0-10.0.0.255, and replies to any other workstation in 10.0.0.0/16 would leave through the default route on ens160 instead. Make sure the prefix configured on ens192 matches the network plan before going further:

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:61:37:a7 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.5.10/24 brd 192.168.5.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe61:37a7/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:61:37:b1 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 10.0.0.1/24 brd 10.0.0.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe61:37b1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
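As an added example (not part of the original tutorial or of Web Safety), the following POSIX shell script checks that the LAN interface really carries the address and prefix the network plan calls for, by parsing ip addr style output. The interface name, expected address and expected netmask are passed as arguments (an assumption of this script, not of the page); the embedded sample output is constructed after the listing above and deliberately keeps the /24 on ens192, so running it as-is reports the mismatch.

```shell
#!/bin/sh
# Added example: verify that a gateway interface carries the planned address/prefix.
# Assumptions: run from the gateway; interface, address and netmask are arguments.

# Convert a dotted-quad netmask to a CIDR prefix length (255.255.0.0 -> 16).
mask_to_prefix() {
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0) ;;
            *) echo "invalid netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$prefix"
}

# Print the first IPv4 "addr/prefix" of the given interface from ip addr output on stdin.
lan_cidr_from_ip_addr() {
    awk -v ifc="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        cur == ifc && $1 == "inet" { print $2; exit }
    '
}

# Return 0 when the interface (stdin = ip addr output) has expected_ip/expected_mask.
check_lan_interface() {
    iface="$1"; expected_ip="$2"; expected_mask="$3"
    want="$expected_ip/$(mask_to_prefix "$expected_mask")" || return 1
    got="$(lan_cidr_from_ip_addr "$iface")"
    if [ "$got" = "$want" ]; then
        echo "OK: $iface has $got"
        return 0
    fi
    echo "MISMATCH: $iface has '${got:-none}', expected $want" >&2
    return 1
}

# Constructed sample modelled on the gateway listing; ens192 keeps the /24 on purpose.
SAMPLE_IP_ADDR='2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.5.10/24 brd 192.168.5.255 scope global noprefixroute ens160
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global noprefixroute ens192'

# On the real gateway:  ip addr | check_lan_interface ens192 10.0.0.1 255.255.0.0
if printf '%s\n' "$SAMPLE_IP_ADDR" | check_lan_interface ens192 10.0.0.1 255.255.0.0; then
    echo "LAN interface configuration matches the plan"
else
    echo "fix the prefix on ens192 before continuing with the interception setup"
fi
```

Pipe the live ip addr output into check_lan_interface on the gateway; a non-zero exit means the LAN prefix differs from the plan and the intercept rules added later would only cover part of the network.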