Transparent Proxy (Squid) server with one NIC
I was reading an interesting story about using Squid to save bandwidth with apt-get; more information about that can be found here (squid and Debian packages).
But to make more use of the Squid instance I had installed, with only one NIC, I was looking for a solution: a transparent proxy server with one NIC.
More information on how to set up squid3 as a transparent proxy can be found here.
After modifying the config for my purposes, which you can find below, I was all set. It's a great solution that's going to save me some more bandwidth.
Changes to the /etc/network/interfaces:
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

# Alias on the same card, used as the LAN side of the proxy
auto eth0:0
iface eth0:0 inet static
    name Ethernet alias LAN card
    address 192.168.2.1
    netmask 255.255.255.0
    broadcast 192.168.2.255
    network 192.168.2.0
The script that makes it all possible (changed from the solution I found):
#!/bin/sh
# Squid server IP
SQUID_SERVER="192.168.1.5"
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="192.168.2.0/24"
LOCAL2="192.168.1.0/24"
# Squid port
SQUID_PORT="3128"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# open everything
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Here you can see a brief article about a transparent proxy with Squid and iptables:
http://www.linuxconfig.net/2009/11/14/creating-transparent-proxy-with-squid-and-iptables.html
Hi,
I am trying to install and configure transparent proxy but it doesn’t seem to work.
This is my setup:
Server #1 (Proxy Server)
eth0 IP : 10X.XXX.94.XX
eth0 IP : 10X.XXX.94.1
eth0:1 IP : 10.0.2.139
eth0:1 GW : No gateway specified
## /etc/squid/squid.conf ##
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl lan src 10.0.2.0/24
http_access allow localhost
http_access allow lan
cache_mem 50 MB
http_port 3128 transparent
icp_port 3130
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl localnet src 10.0.2.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow localnet
icp_access deny all
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
##############################
## iptables rules ##
SQUID_SVR="10.0.2.139"
SQUID_PORT="3128"
INET_IFACE="eth0"
INT_NET="10.0.2.0/24"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
iptables -A FORWARD -s $INT_NET -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $INT_NET -j ACCEPT
iptables -A OUTPUT -s $INT_NET -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $INT_NET -p tcp --dport 80 -j DNAT --to $SQUID_SVR:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
#open everything
iptables -A INPUT -i $INET_IFACE -j ACCEPT
iptables -A OUTPUT -o $INET_IFACE -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
###########################
Server #2 (Webserver)
eth0 IP : 10X.XXX.98.XXX
eth0 GW : 10X.XXX.98.1
eth0:1 IP : 10.0.2.191
eth0:1 GW : No gateway specified
## iptables rules ##
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.2.139:3128
####################
To check if Squid is being accessed, I tail /var/log/squid/access.log.
Using curl http://www.myservers.com
I get the response but there is no hit on Squid, meaning that the request went out via the Server #2 gateway.
Can anyone advise if there is any other rule I need to add and on which machine?
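An added example, not part of the post or the comment above and not Squid's own tooling: a small Python parser for Squid's native access.log format (the one selected by the access_log line in the configuration above) that turns a tail of the log into per-client request counts and bytes served from cache versus fetched from the origin. It serves both the bandwidth-saving goal of the post and the access.log check used to verify that clients really pass through the proxy; the log lines are constructed, and the set of result codes treated as cache hits is my choice.

```python
import re
from collections import defaultdict

# Squid native access.log format (the "squid" format named on this page):
#   time elapsed client action/status size method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$")
# Result codes meaning the object came from the cache, not the origin server
CACHE_HITS = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_HIT", "TCP_REFRESH_UNMODIFIED"}

# Constructed sample log (not real traffic): two LAN clients fetch the same .deb
# (the second from cache); a third client is denied by http_access; one bad line.
SAMPLE_LOG = """\
1320000001.120    812 192.168.2.10 TCP_MISS/200 1048576 GET http://ftp.debian.org/debian/pool/main/c/curl/curl_7.21.0.deb - DIRECT/130.89.148.12 application/x-debian-package
1320000002.430      4 192.168.2.11 TCP_HIT/200 1048576 GET http://ftp.debian.org/debian/pool/main/c/curl/curl_7.21.0.deb - NONE/- application/x-debian-package
1320000003.001    120 192.168.2.10 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1320000004.500      0 192.168.2.12 TCP_DENIED/403 1500 GET http://www.example.com/ - NONE/- text/html
this line is deliberately malformed and must be skipped, not crash the parser
"""

def parse_line(line):
    """Parse one native-format line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec

def summarize(log_text):
    """Per-client request counts and bytes from cache vs. origin, plus skipped lines."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0,
                                 "cache_bytes": 0, "origin_bytes": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed lines are counted, never fatal
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["action"] == "TCP_DENIED":
            s["denied"] += 1      # blocked by http_access: nothing fetched upstream
        elif rec["action"] in CACHE_HITS:
            s["cache_bytes"] += rec["size"]   # bandwidth saved by the cache
        else:
            s["origin_bytes"] += rec["size"]  # fetched from the origin server
    return dict(stats), skipped
```

Run `summarize(SAMPLE_LOG)` (or feed it the real file contents) to get the per-client table; a client that should be transparently proxied but never appears in it is the same symptom the comment above describes.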