
Transparent Proxy(Squid) server with one nic

2009 October 30
by Philippe Delodder

I was reading an interesting story about using squid to save bandwidth with apt-get; more information about that can be found here (squid and debian packages).
But to make more use of the squid I had installed, with only one nic, I was looking for a solution: a transparent proxy server with one nic.

More information on how to set up squid3 as a transparent proxy can be found here.

After modifying the config for my purposes, which you can find below, I was all set. It’s a great solution that’s going to save me some more bandwidth.

Changes to the /etc/network/interfaces:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

auto eth0:0
iface eth0:0 inet static
name Ethernet alias LAN card
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255
network 192.168.2.0

The script that makes it all possible (changed from the solution I found):

#!/bin/sh

# Squid server IP
SQUID_SERVER="192.168.1.5"

# Interface connected to Internet
INTERNET="eth0"

# Addresses connected to LAN (the alias network and the primary network)
LOCAL="192.168.2.0/24"
LOCAL2="192.168.1.0/24"
# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host opened (covers UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for the rest of the LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is the same system: port 80 arriving on the Internet interface is redirected to the local squid
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# open everything on the Internet interface
# (note: this accepts all inbound traffic on $INTERNET, so the LOG/DROP rules below
# only ever see packets from other interfaces)
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
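As an added example (not the post's own script), here is a tighter variant of the firewall above: the "open everything" rule is gone so the INPUT DROP policy actually applies, only Squid's port and SSH are reachable from the LAN, HTTP aimed at the proxy box itself is excluded from the DNAT, and forwarding is allowed for both LAN networks rather than just the first. It assumes the same addresses and interface as the post; running it with the argument "dry-run" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the post's own script: the same transparent-proxy
# firewall with the "open everything" rule removed so the INPUT DROP policy
# actually applies, only Squid and SSH reachable from the LAN, and HTTP
# aimed at the proxy box itself excluded from the DNAT.
# Run with "dry-run" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
SQUID_SERVER="${SQUID_SERVER:-192.168.1.5}"   # addresses as in the post
SQUID_PORT="${SQUID_PORT:-3128}"
INTERNET="${INTERNET:-eth0}"
LOCAL="${LOCAL:-192.168.2.0/24}"
LOCAL2="${LOCAL2:-192.168.1.0/24}"

apply_rules() {
    for t in filter nat mangle; do          # clean old firewall
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
    if [ "$IPT" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in "$LOCAL" "$LOCAL2"; do
        # only the two services the LAN needs on this box
        "$IPT" -A INPUT -s "$net" -p tcp --dport "$SQUID_PORT" -j ACCEPT
        "$IPT" -A INPUT -s "$net" -p tcp --dport 22 -j ACCEPT
        # transparent proxy: LAN HTTP that is not addressed to the proxy itself
        "$IPT" -t nat -A PREROUTING -s "$net" ! -d "$SQUID_SERVER" -p tcp \
            --dport 80 -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"
        "$IPT" -A FORWARD -s "$net" -j ACCEPT
    done
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    # rate-limited log before the policy drop, instead of logging every packet
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Dry-run helpers: number of rules generated, and how many of them are DNATs.
count_rules() { (IPT=echo; apply_rules) | wc -l | tr -d ' '; }
count_dnat()  { (IPT=echo; apply_rules) | grep -c -- '-j DNAT'; }

case "${1:-}" in
    dry-run) IPT=echo; apply_rules ;;
    apply)   apply_rules ;;
esac
```

With no argument the script only defines the functions, so it can be sourced and inspected before anything is applied.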
13 Responses
  1. November 15, 2009

    here you can see a brief article about transparent proxy with squid and iptables
    http://www.linuxconfig.net/2009/11/14/creating-transparent-proxy-with-squid-and-iptables.html

  2. Lawrence permalink
    June 23, 2010

    Hi,

    I am trying to install and configure transparent proxy but it doesn’t seem to work.

    This is my setup:
    Server #1 (Proxy Server)
    eth0 IP : 10X.XXX.94.XX
    eth0 IP : 10X.XXX.94.1
    eth0:1 IP : 10.0.2.139
    eth0:1 GW : No gateway specified

    ## /etc/squid/squid.conf ##
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl purge method PURGE
    acl CONNECT method CONNECT

    acl lan src 10.0.2.0/24
    http_access allow localhost
    http_access allow lan
    cache_mem 50 MB
    http_port 3128 transparent
    icp_port 3130

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl localnet src 10.0.2.0/24

    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all

    icp_access allow localnet
    icp_access deny all

    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid

    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320

    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast

    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache

    extension_methods REPORT MERGE MKACTIVITY CHECKOUT

    hosts_file /etc/hosts

    coredump_dir /var/spool/squid
    ##############################

    ## iptables rules ##
    SQUID_SVR="10.0.2.139"
    SQUID_PORT="3128"
    INET_IFACE="eth0"

    INT_NET="10.0.2.0/24"

    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # Enable Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT

    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    # set this system as a router for Rest of LAN
    iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
    iptables -A FORWARD -s $INT_NET -j ACCEPT

    # unlimited access to LAN
    iptables -A INPUT -s $INT_NET -j ACCEPT
    iptables -A OUTPUT -s $INT_NET -j ACCEPT

    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -s $INT_NET -p tcp --dport 80 -j DNAT --to $SQUID_SVR:$SQUID_PORT

    # if it is same system
    iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

    #open everything
    iptables -A INPUT -i $INET_IFACE -j ACCEPT
    iptables -A OUTPUT -o $INET_IFACE -j ACCEPT

    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    ###########################

    Server #2 (Webserver)
    eth0 IP : 10X.XXX.98.XXX
    eth0 GW : 10X.XXX.98.1
    eth0:1 IP : 10.0.2.191
    eth0:1 GW : No gateway specified

    ## iptables rules ##
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.2.139:3128
    ####################

    To check if squid is being accessed, I tail /var/log/squid/access.log

    Using curl http://www.myservers.com
    I get the response but there is no hit on the squid, meaning that the request went out via the Server #2 gateway.

    Can anyone advise if there is any other rule I need to add and on which machine?

  3. S Yearsley permalink
    September 15, 2010

    Hi Philippe,

    Thanks so much for this guide. What I intend to do is set up a proxy server for our small office and have all traffic route to the proxy server and I have only one NIC. I have a couple of questions.

    1) With regards to your script above, in this section, why do you have two Local IPs?
    # Address connected to LAN
    LOCAL="192.168.2.0/24"
    LOCAL2="192.168.1.0/24"

    2) Will this set up make the proxy server the gateway whereby all traffic has to by pass the proxy server?

    3) How about HTTPS? From my understanding, this only works for HTTP?

    Thanks for your help!

    • September 16, 2010

      Hi,

      1) yes, I have 2 local IPs
      2) yes
      3) HTTPS doesn’t work over the proxy, so it will not use the proxy but go directly to the gateway.

      • S Yearsley permalink
        September 16, 2010

        Sorry, I have more questions as i’m new to this. How did you get 2 local IPs? Is this just arbitrary? If not, where do I find this information?

        • September 16, 2010

          It’s in the post: Changes to the /etc/network/interfaces: this is where you define it!

          • S Yearsley permalink
            September 16, 2010

            Yup, I know that’s where I define it, but where do I get the addresses from? Right now I just have one local IP as I only have one NIC.

            Where did you get these addresses from? I know one of them is the current NIC’s address, but how about the other? Or can I choose anything?

            address 192.168.1.5
            and
            address 192.168.2.1

          • September 16, 2010

            You can choose anything you want.

  4. Suze permalink
    September 21, 2010

    Hey Philippe,

    Thanks! I think I managed to get this working! BUT…..looking at the access logs, it doesn’t show the client machine’s IP address but just the network address. Is there a way to show the client’s IP address instead of only the network address? I tried customising the log format but that didn’t help. Would you by any chance know how to do this?

    I am also having problems with receiving and sending emails via outlook. I’ll need to google that more to find a solution if there is any. But anyhow, do you know how to resolve this too?

    Thanks heaps for your help thus far!

    • September 21, 2010

      No problem, but I don’t know the answer to your questions.

      I haven’t noticed this in the logs and I always use webmail…. so I didn’t have those issues.

    • Suze permalink
      September 21, 2010

      I got the solution to the IP addresses not showing! It was to do with the client netmask – I had it set to 255.255.255.0. To show the IP addresses in the access.log file, I just had to change it to 255.255.255.255. I was thinking it was something more complicated than that! :)

  5. November 23, 2011

    Hey, I’m working on a VM on KVM, and have bonding (eth0, eth1) and of course I have a bridge that allows my VM to get an IP from DHCP and IPs on my VLAN. The question here is: can I choose an IP from the same network, or does it need to be a different network? In my case a VLAN? Because I can’t do that; I’m restricted to this VLAN and no more :S…

    btw, to solve the https redirects just add the line in the iptables,
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport "PORTTOFOWARD" -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport "SAME" -j DNAT --to $SQUID_SERVER:$SQUID_PORT

    • November 30, 2011

      I solved the problem =D I just use the interfaces and not the IPs in the iptables configuration; that solved everything =D….
