Proxying through a proxy to access the Internet

Motivation

You are stuck in a location that has no access to the Internet. But you are able to access the organization network from your laptop, wanderlust. And some privileged machines in the org network have unfettered access to the Internet. Although you own some machines in the org network, the sad thing is that none of your machines has direct access to the Net. How do you get a taste of the Internet in such a scenario?

[Figure: Connection diagram]

The org network is firewalled using a (pretty porous!) firewall, which we’ll nickname wally. One such entry point is to a Linux server you own, monopod. Monopod does not have direct access to the Net. However, another Linux server gatekeeper has direct access, and also runs a Squid proxy (port 3128) to which monopod has access. Who wants to log in to a text-only Linux server to browse the Net? You do not have a login on gatekeeper, and so you cannot tweak its Squid proxy to suit your tastes. Given these constraints, how do you whet your appetite for a slice of WWW?

Here’s how.

The first thing to notice is that you already have a path to the Internet from one of your own machines (monopod). The question is how to extend this path so that one end reaches wanderlust. Evidently, monopod has to act as a hop on the way and should forward your requests to gatekeeper. The obvious solution is to tunnel your way from wanderlust, through monopod, to gatekeeper; the problem here is that you do not have a login on gatekeeper. (Even if you did, it is configured to allow only requests originating from specific machines – and wanderlust is not one of them.) Gatekeeper can be given only proxy requests, and only monopod can do that. Working backwards, it can be seen that a good solution is to set up monopod as a Squid proxy that forwards your requests to gatekeeper. Now, how can we convert all that hand-wavy stuff into actual practice?

First, install Squid on monopod. Make the following changes to the configuration.

  1. Configure gatekeeper as a parent in the cache hierarchy, and tell Squid never to fetch directly (it cannot, anyway). Insert the following lines:
    # gatekeeper is the only way out; never try to fetch directly
    cache_peer gatekeeper.yourOrg.com parent 3128 0 no-query default
    never_direct allow all
  2. Ensure that only wanderlust is allowed through the proxy on monopod. The acl needs the ‘src’ type to match on the client address; http_access rules are evaluated top-down, first match wins:
    # 1.2.3.4 stands for wanderlust's IP address
    acl wanderlust src 1.2.3.4
    http_access allow wanderlust
    http_access deny all

Now point your browser to the proxy running on monopod, and you’re done! Happy browsing.

Note

If the hop machine, monopod, can connect to the Internet in multiple ways, add these lines to its Squid configuration. This is to block all requests from machines other than wanderlust from being forwarded to gatekeeper. (The acl inserted earlier [Step #2 above] is sufficient for the identifier ‘wanderlust’ to be recognized by the config.)

    cache_peer_access gatekeeper.yourOrg.com allow wanderlust
    cache_peer_access gatekeeper.yourOrg.com deny all
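As an added check that is not part of the original post, here is a small Python linter for the monopod squid.conf. It reads a constructed fragment built from the lines above and reports anything that would leave the hop usable by other org machines: a client acl without the ‘src’ type, an http_access list that does not end in an explicit deny (or denies before it allows), a missing never_direct, or a parent peer without its own ‘deny all’.

```python
# Constructed squid.conf fragment for the hop (monopod), built from the post's lines.
MONOPOD_CONF = """
cache_peer gatekeeper.yourOrg.com parent 3128 0 no-query default
never_direct allow all
acl wanderlust src 1.2.3.4
http_access allow wanderlust
http_access deny all
cache_peer_access gatekeeper.yourOrg.com allow wanderlust
cache_peer_access gatekeeper.yourOrg.com deny all
"""

def parse(conf):
    """Split a squid.conf into token lists, dropping comments and blank lines."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    return rules

def check_hop_config(conf, client_acl="wanderlust"):
    """Return findings (an empty list means the hop only serves the named client)."""
    rules = parse(conf)
    findings = []
    acls = {r[1]: r[2:] for r in rules if r[0] == "acl" and len(r) >= 3}
    if client_acl not in acls:
        findings.append(f"acl {client_acl} is not defined")
    elif acls[client_acl][0] != "src":
        findings.append(f"acl {client_acl} must be of type 'src' to match the client address")
    # http_access is evaluated top-down, first match wins; a request matching no rule
    # gets the opposite of the last rule, so end with an explicit 'deny all'.
    http = [r[1:] for r in rules if r[0] == "http_access"]
    allow_idx = next((i for i, r in enumerate(http) if r[0] == "allow" and client_acl in r[1:]), None)
    deny_idx = next((i for i, r in enumerate(http) if r[:2] == ["deny", "all"]), None)
    if allow_idx is None:
        findings.append(f"no 'http_access allow {client_acl}' rule")
    if deny_idx is None:
        findings.append("no 'http_access deny all': policy relies on Squid's implicit default")
    elif allow_idx is not None and deny_idx < allow_idx:
        findings.append("'http_access deny all' precedes the allow rule: the client is locked out")
    if not any(r[:3] == ["never_direct", "allow", "all"] for r in rules):
        findings.append("no 'never_direct allow all': the hop may try to fetch directly")
    # Every parent peer needs its own deny-all so other org hosts cannot ride through it.
    for peer in (r[1] for r in rules if r[0] == "cache_peer"):
        peer_rules = [r[2:] for r in rules if r[0] == "cache_peer_access" and r[1] == peer]
        if not any(r[:2] == ["deny", "all"] for r in peer_rules):
            findings.append(f"no 'cache_peer_access {peer} deny all'")
    return findings
```

Run it against the real file with check_hop_config(open("/etc/squid/squid.conf").read()); an empty list means the lock-down rules from the post are all present and in the right order.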