September 21, 2021

ESET gateway with Squid3 proxy and ICAP

You can set up ESET gateway either as a standalone server, or as a scanner that hangs off a Squid proxy like this:

ESET icap squid gateway diagram

Proxies allow you to cache content so you don’t have to reload it twice, make it seem like you’re coming from somewhere else, create content scanners against things like viruses so you don’t get infected, and other stuff. They’ll speed up your Internet with the cached content so it might seem faster if you go to the same page frequently.

In this case, we’re tying in an ESET gateway scanner to a Squid3 proxy using ICAP, so you can do other proxy stuff, but also scan for malware. In the examples I use example paths, usernames, and values in places, change them to what you actually have or it won’t work. For example, I’m using the 172.16.50.0/24 and 172.16.123.0/24 networks. You have roughly 100% change of that not being what you’re using, so you have to change those numbers in all places in the howto. I show this as root, however you get there. This howto is using Debian Jessie, so if you use Debian Wheezy or one of the Ubuntu variants, you might have to change little stuff, but it should work without doing much modification. First you download and install the .deb package (I just used winscp to transfer it after I clicked the email link to download it to a windows box) like:

su
apt-get install ed libc6-i386
cd /home/whateveruseryouare/Downloads/
sh ./esets.amd64.deb.bin
(accept agreement)

Now you have to edit the main config file and add the av update username and password you got with your order. NOTE: DON’T delete the leading #’s at the beginning of these lines, they’re not really used like commented lines like normal, well some are, but the ones you want to change still need the pound sign for some reason.

vi /etc/opt/esets/esets.cfg
  #av_update_username = "EAV-xxxxxxx" <- put the real one in the quotes
  #av_update_password = "xxxxxxxxx" <- put the real one in the quotes

Now import your license like:

/opt/eset/esets/sbin/esets_lic --import /home/whateveruseryouare/Downloads/nod32.lic

Now start esets_daemon like:

/etc/init.d/esets start

If you get an error like:

>: /etc/init.d/esets restart
[....] Restarting ESET Security: esets_daemonerror[21d00000]: Cannot initialize scanner: License not found
 failed!

your import didn’t work.

Now check to see if it’s running now like:

ps -A | grep esets
  8755 ?        00:00:00 esets_daemon
  8757 ?        00:00:00 esets_daemon

If you don’t see anything, it’s not running. Stop and fix that before you continue.

Now you have to configure the gateway itself, specifically which interface/IP/subnet it listens for your laptops/clients on, and enabling the gateway itself. You can run the setup script, by doing:

/opt/eset/esets/sbin/esets_setup

Now you have to define what interface the system will listen on. We pick the second network, because it’s where all your downstream laptops live:

Available ESETS installations/uninstallations:
1) HTTP
2) FTP
3) ICAP
4) quit
Your selection (1-4): 3
Select local network interface:
1) eth0 (172.16.50.50): eth0 172.16.50.50
2) eth1 (172.16.123.1): eth1 172.16.123.1
3) quit
Your selection (1-3): 2 <-- pick the one where all your LAPTOPS are on
Select ICAP install/uninstall:
1) ICAP server install: tar cf $HOME/esets_backup-20150824-095611.tar -C / 'etc/opt/eset/esets/esets.cfg' && /opt/eset/esets/sbin/esets_set --section icap 'agent_enabled = yes' && /opt/eset/esets/sbin/esets_set --section icap 'listen_addr = 172.16.123.1' && /etc/init.d/esets restart
2) quit
Your selection (1-2): 1
[ ok ] Restarting ESET Security: esets_daemon.
Available ESETS installations/uninstallations:
1) HTTP
2) FTP
3) ICAP
4) quit
Your selection (1-4): 4

To see if it’s running, and listening on the right ports do:

netstat -plunt | grep eset
tcp 0  0 172.16.123.200:1344  0.0.0.0:*  LISTEN  25047/esets_icap

If you don’t see something like that, try manually restarting it like:

/etc/init.d/esets restart
[ ok ] Restarting ESET Security: esets_daemon.

Now you have to enable IP forwarding like:

echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
  net.ipv4.ip_forward=1 (uncomment)

Now we set up Squid3 proxy with C-ICAP to send traffic to our ESET gateway we got running.

Squid3 / C-ICAP proxy setup

apt-get install squid3 c-icap

First we set up Squid3 basic stuff, like what networks to listen to, and how to send stuff to C-ICAP so it can go ask the ESET gateway if it’s malicious.

cp /etc/squid3/squid.conf /etc/squid3/squid.conf.orig
vi /etc/squid3/squid.conf
  acl localnet src 172.16.123.0/24 <- uncomment this, and change to match yours
  http_access allow localnet <- uncomment
  http_port 172.16.123.1:3128 <--- set the port/IP to what you want, 3128 is default

You might want to uncomment other features, but for now restart squid and see if it’s running:

ps -e | grep squid3
  6549 ?        00:00:00 squid3
  6552 ?        00:00:00 squid3

If you don’t see these running, stop and fix stuff before enabling icap. If you see these, continue to edit squid.conf to enable icap like:

vi /etc/squid3/squid.conf
  icap_enable on <-- uncomment and change to 'on'
  icap_send_client_ip on
  icap_send_client_username on
  icap_client_username_header X-Client-Username <-- uncomment

you’ll just have to add these next lines near the end of the icap section:

vi /etc/squid3/squid.conf
  icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/av_scan
  icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/av_scan
  adaptation_access service_req allow all
  adaptation_access service_resp allow all

Okay, now we have to configure c-icap:

vi /etc/service/c-icap
  # Should c-icap daemon run automatically on startup? (default: no)
  START=yes  <-- change to yes
vi /etc/c-icap/c-icap.conf
  ServiceAlias av_scan esets_icap <-- add this line

Now restart c-icap

/etc/init.d/c-icap restart
[ ok ] Restarting c-icap (via systemctl): c-icap.service.

Now restart squid3

/etc/init.d/squid restart
[....] Restarting squid3 (via systemctl): squid3.service
. ok

Okay, now go to a laptop that’s on the 172.16.123.0/24 somewhere and see if you can get to the Internet by opening up a browser and going to a NON-SSL webpage that you haven’t visited recently (so it won’t be cached). If you can, it’s working. If not, fix it before proceeding, because your traffic is busted, and not routing through the your new gateway.

Okay, so now I’m assuming you want the rest of the non-port-80 traffic to just go out to the Internet, IF THIS IS THE CASE, go back to your gateway server and just add:

iptables -t nat -A POSTROUTING -s 172.16.123.0/24 -o eth0 -j MASQUERADE

Now check your firewall rules and see if they are sane, they should look something like:

iptables -L -vt nat
  Chain PREROUTING (policy ACCEPT 7 packets, 595 bytes)
   pkts bytes target   prot opt in    out  source    destination         
    2   120 REDIRECT   tcp  --  eth1  any  anywhere  anywhere    tcp dpt:http redir ports 3128        
...
  Chain POSTROUTING (policy ACCEPT 16 packets, 1107 bytes)
   pkts bytes target     prot opt in   out   source             destination         
    3   211 MASQUERADE  all  --  any  eth0   172.16.123.0/24    anywhere

If those two lines (at least) aren’t in there, stop and fix it. If they are, save them so they come up after reboot like:

iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables
  #!/bin/sh
  iptables-restore < /etc/iptables.up.rules

Now we update to the latest malware definitions:

/opt/eset/esets/sbin/esets_update -u EAV-xxxxxx -p xxxxxxx
  Virus signature database has been updated successfully.
  Installed virus signature database version 10xxxx (xxxxxx)