Proxy+AV+IP Blocking

Install squid, havp, clamav, ipblock and their dependencies:

aptitude install squid havp clamav ipblock
- or -
pacman -S squid havp clamav ipblock

NOTE: not all distros ship ipblock in their repositories. If that is the case for yours, find an alternative or compile it from source.

Configure Squid to your preferences, BUT make sure you add the following so that Squid hands every request to HAVP, which listens as a parent proxy on 127.0.0.1:8080 (see the HAVP config below):

cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
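The Squid side as an added example, not code from the original page: a fragment with the cache_peer line above plus `never_direct allow all`, and a small POSIX-sh check that a given squid.conf really forces traffic through HAVP. It assumes Squid on 3128 and HAVP on 127.0.0.1:8080 as configured on this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): the Squid directives that make
# HAVP a mandatory hop, plus a sanity check for an existing squid.conf.
# Assumes Squid listens on 3128 and HAVP on 127.0.0.1:8080 as configured above.

# Minimal fragment to merge into squid.conf. `never_direct allow all` is the
# security-relevant line: without it Squid may fetch from the origin itself
# when the parent is slow or down, silently bypassing the AV scanner (fail-open).
squid_havp_fragment() {
    cat <<'EOF'
# Hand every request to HAVP (parent proxy on localhost:8080).
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
# Never fetch directly from the origin; fail closed if HAVP is unavailable.
never_direct allow all
EOF
}

# check_squid_conf FILE -> exit 0 if FILE forces traffic through the HAVP
# parent, 1 with a diagnostic on stderr otherwise. Comments are ignored.
check_squid_conf() {
    conf="$1"
    active=$(sed -e 's/#.*//' "$conf")
    ok=0
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*cache_peer[[:space:]]+127\.0\.0\.1[[:space:]]+parent[[:space:]]+8080[[:space:]]'; then
        echo "$conf: no 'cache_peer 127.0.0.1 parent 8080 ...' (HAVP is not a parent)" >&2
        ok=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*never_direct[[:space:]]+allow[[:space:]]+all'; then
        echo "$conf: no 'never_direct allow all' (Squid can bypass HAVP and go DIRECT)" >&2
        ok=1
    fi
    return $ok
}

# Usage on a live box:
#   squid_havp_fragment >> /etc/squid/squid.conf
#   check_squid_conf /etc/squid/squid.conf && squid -k reconfigure
```

The check is deliberately strict about `never_direct`: the `default` keyword on the cache_peer line only makes HAVP the last-resort parent, it does not stop Squid from going direct, so a config with just the cache_peer line fails the check.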

Configure HAVP as follows in /etc/havp/havp.conf:

USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 20 # adjust to your load
MAXSERVERS 100 # adjust to your load
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG false
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT false
FORWARDED_IP true
PORT 8080
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/en
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false
ENABLEARCAVIR false
ENABLEDRWEB false

Now consider making a tmpfs of 512-1024 MB for /var/tmp and setting up /tmp as a symlink to it. Some distros do this by default and others have /dev/shm set up as a RAM disk, but I prefer this way: the scanner's temp space has a fixed size, and you know for certain that /tmp and /var/tmp are cleared on reboot. Note that SCANTEMPFILE in the config above lives under /var/spool/havp, so only HAVP's TEMPDIR lands on this tmpfs. Do this from a console with nothing else running out of /tmp:

$ sudo -s
# mkdir /tmp.old && cp -a /tmp/. /tmp.old/          # keep what is in /tmp while we move it
# mount -t tmpfs -o size=512M,mode=1777 tmpfs /var/tmp   # fixed-size RAM disk, world-writable with sticky bit
# rm -rf /tmp && ln -s /var/tmp /tmp                # /tmp now points at the tmpfs
# cp -a /tmp.old/. /tmp/ && rm -rf /tmp.old         # copy the contents back (not the directory itself)
# echo 'tmpfs /var/tmp tmpfs size=512M,mode=1777 0 0' >> /etc/fstab   # remount at boot, otherwise /var/tmp is plain disk again

If you want a transparent setup, add the following iptables rules (clients on 192.168.0.0/24 behind eth0, upstream on eth1). Squid's http_port must also be marked for interception (the intercept option on Squid 3.1 and later, transparent on older releases), and bear in mind that only plain HTTP on port 80 is redirected: HTTPS is neither intercepted nor scanned.

# iptables -t nat -A PREROUTING -j REDIRECT -p tcp -i eth0 -s 192.168.0.0/24 --dport 80 --to-ports 3128
# iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -s 192.168.0.0/24 -o eth1

Update the ClamAV signatures:

# freshclam

NOTE: you will want signatures to update automatically. freshclam runs once and exits by default, so after reviewing /etc/clamav/freshclam.conf (Checks, DatabaseMirror) either run it as a daemon with freshclam -d or enable your distro's clamav-freshclam service; in daemon mode it drops to the background after the initial update. HAVP picks up new databases every DBRELOAD minutes (60 in the config above).

Start (or restart) the services with whichever init system you have:

# squid -k reconfigure
# /etc/init.d/havp force-reload
# /etc/init.d/ipblock start
- or -
# /etc/init.d/squid restart
# /etc/init.d/havp restart
# /etc/init.d/ipblock restart
- or -
# service squid start; service havp start; service ipblock start

All done. Test by downloading the EICAR test file through the proxy: instead of the file you should get HAVP's access-denied page indicating a virus was found.
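The EICAR check as an added example, not part of the original page: a POSIX-sh script that builds the 68-byte EICAR test file locally and fetches a URL through the proxy to confirm it is blocked. Assumptions: Squid on 127.0.0.1:3128, curl installed, and that HAVP answers a blocked download with a non-2xx status from its templates (check /etc/havp/templates/en on your box); the URL you serve the file from and the EICAR_URL/PROXY variables are mine.

```shell
#!/bin/sh
# Added example (not from the original page): build the EICAR test file locally
# and fetch it through the proxy to confirm HAVP blocks it. Assumes Squid on
# 127.0.0.1:3128; the URL and the non-2xx expectation are assumptions to adjust.

# The 68-byte EICAR string, assembled from two halves so this script is not
# itself quarantined by a desktop scanner. Single quotes keep \ $ ! literal.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*'
}

# write_eicar FILE: write the test file; returns 0 only if it is exactly 68 bytes.
write_eicar() {
    eicar_string > "$1"
    [ "$(wc -c < "$1" | tr -d ' ')" = 68 ]
}

# proxy_fetch URL [PROXY]: print the HTTP status code a client behind the proxy
# sees. A blocked download returns HAVP's template page instead of the file.
proxy_fetch() {
    curl -s -o /dev/null -w '%{http_code}' -x "${2:-http://127.0.0.1:3128}" "$1"
}

# is_blocked URL [PROXY]: 0 if the proxy returned a non-2xx status for the URL.
is_blocked() {
    code=$(proxy_fetch "$1" "$2")
    case "$code" in 2??) return 1 ;; *) return 0 ;; esac
}

# Manual run (needs a running proxy). Serve the file from a host the clients
# reach through the proxy, for example:
#   cd "$(mktemp -d)" && write_eicar eicar.com && python3 -m http.server 8000
# then on a client:
#   EICAR_URL=http://<server-ip>:8000/eicar.com PROXY=http://<proxy-ip>:3128 sh eicar_test.sh
if [ -n "${EICAR_URL:-}" ]; then
    if is_blocked "$EICAR_URL" "${PROXY:-}"; then
        echo "blocked: $EICAR_URL (HTTP $(proxy_fetch "$EICAR_URL" "${PROXY:-}"))"
    else
        echo "NOT blocked: $EICAR_URL passed through the proxy unscanned" >&2
        exit 1
    fi
fi
```

Fetch the same URL once directly (no -x) to confirm the file is actually reachable; a 404 from your web server would otherwise look like a successful block. For the transparent setup, run the client test without -x so the traffic goes through the iptables REDIRECT instead.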