Some of our systems have extra "security needs", and they are not allowed to initiate outgoing connections by default. This means that IP ACLs are used so that they can only reach necessary services (SMTP gateway, DNS resolvers, NTP etc.).
Because those hosts do need access to some web sites (mostly for software updates), we use a proxy server to allow them access to those domains.
If you have an IPv6-only host that only needs access to some outside HTTP resources, then this approach kills two birds with one stone:
- Many services are run on CDNs such as Akamai, which turns IP ACLs into a nightmare. A proxy solves this by allowing access by domain/URL instead.
- Some services are only accessible via IPv4 (Microsoft Update, hostupdate.vmware.com, Secunia.com). A dual stack proxy does the protocol translation. If those web sites were the only problems on the IPv6-only system, this is just what you need, and you can avoid using additional complex systems such as NAT64/DNS64.
Because we do not need caching, only the access restriction, I chose tinyproxy: it is very lightweight and simple.
The only downside is that the tinyproxy that ships with Ubuntu 12.04 does not listen on both IPv4 and IPv6 at the same time.
2013-01-04: Shame on me... I didn't test properly, but tinyproxy does work on both protocols.
I assumed that this result:
root@proxy:~# netstat -tlnpvw | grep tinyproxy
tcp6 0 0 :::8888 :::* LISTEN 3946/tinyproxy
meant that it didn't listen on v4... but I was wrong. In summary:
Listen ::
# This will accept connections on IPv6, but also on IPv4: IPv4-mapped IPv6 addresses are used:
# CONNECT Jan 04 15:29:13 [23566]: Connect (file descriptor 6): host.terena.org [::ffff:192.87.30.2]

Listen 0.0.0.0
# This will listen on IPv4 only

Listen 2001:610:148:dead::666
# This will listen only on the specified IPv6 address.

Not nice, but workable.
Whitelist
I configured tinyproxy to block everything, except a list of domains, by using this configuration:
FilterDefaultDeny Yes
Filter "/etc/whitelist"
FilterExtended On
Don't just add bare domain names to the list, because every entry is interpreted as a regular expression.
So if you add microsoft.com, the domain roguedomain-microsoft.com will also be accepted.
My list looks like this:
^(.*\.|)(s-)?microsoft\.com$
^(.*\.|)windowsupdate\.com$
^(.*\.|)microsoftupdate\.com$
^(.*\.|)secunia\.com$
^(.*\.|)vmware\.com$
^(.*\.|)msftncsi\.com$
^(.*\.|)public-trust\.com$
^(.*\.|)thawte\.com$
Monitoring
To keep an eye on any refused domain that your hosts might try to access, run this script every morning, after the log files have been rotated (7 AM on Ubuntu systems is good):
#!/bin/sh
# Filter PIDs that handled refused domains
TP_LOG="/var/log/tinyproxy/tinyproxy.log"
# Collect the "[pid]" tag of every child process that logged a refusal, once each...
grep 'Proxying refused' "$TP_LOG" | sed -r 's/.*(\[[0-9]+\]).*/\1/g' | sort | uniq | while read pid
do
    # ...and pull every line that child logged. The leading backslash keeps grep
    # from reading the opening bracket of "[pid]" as a character class.
    grep \\$pid "$TP_LOG"
# Show each refusal with the two lines before it (the Connect and Request lines),
# so you can see which client asked for which URL.
done | grep -B2 refused
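As an added example (not code from the original post), the script below checks whitelist entries the way tinyproxy's FilterExtended matching does, as POSIX extended regexes via grep -E, showing the bare-domain mistake from the Whitelist section beside the anchored form, and extracts refused domains from a log excerpt as the Monitoring script does. The pattern files, hostnames, log lines and the wording of the refusal message are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Whitelist entries are matched as
# POSIX extended regexes when FilterExtended is On; grep -E uses the same class
# of regex, so it stands in for tinyproxy's filter check here.
# All files, hostnames and log lines below are constructed for the demo.

# Naive list of bare domains, the mistake the post warns about.
NAIVE_LIST=$(mktemp)
printf '%s\n' 'microsoft.com' 'windowsupdate.com' > "$NAIVE_LIST"

# Anchored list in the style the post uses.
ANCHORED_LIST=$(mktemp)
printf '%s\n' '^(.*\.|)(s-)?microsoft\.com$' '^(.*\.|)windowsupdate\.com$' > "$ANCHORED_LIST"

# host_allowed HOST PATTERN_FILE: succeed if any pattern matches HOST
# (default deny: no match means the request is refused).
host_allowed() {
    printf '%s\n' "$1" | grep -E -q -f "$2"
}

# Constructed log excerpt; the refusal message wording is an assumption.
TP_LOG=$(mktemp)
cat > "$TP_LOG" <<'EOF'
CONNECT   Jan 04 15:29:13 [23566]: Connect (file descriptor 6): host.terena.org [::ffff:192.87.30.2]
INFO      Jan 04 15:29:13 [23566]: Request (file descriptor 6): GET http://roguedomain-microsoft.com/ HTTP/1.1
NOTICE    Jan 04 15:29:13 [23566]: Proxying refused on filtered domain "roguedomain-microsoft.com"
CONNECT   Jan 04 15:30:01 [23570]: Connect (file descriptor 7): host.terena.org [::ffff:192.87.30.2]
INFO      Jan 04 15:30:01 [23570]: Request (file descriptor 7): GET http://update.microsoft.com/ HTTP/1.1
EOF

# refused_domains LOGFILE: print each refused domain once, for the morning report.
refused_domains() {
    sed -n 's/.*Proxying refused on filtered domain "\([^"]*\)".*/\1/p' "$1" | sort -u
}

cleanup() { rm -f "$NAIVE_LIST" "$ANCHORED_LIST" "$TP_LOG"; }
trap cleanup EXIT

# Demo output when run directly: the naive list admits the rogue domain, the anchored one does not.
host_allowed roguedomain-microsoft.com "$NAIVE_LIST"    && echo "naive list:    roguedomain-microsoft.com allowed"
host_allowed roguedomain-microsoft.com "$ANCHORED_LIST" || echo "anchored list: roguedomain-microsoft.com refused"
echo "refused domains in log:"; refused_domains "$TP_LOG"
```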