Transparent proxy (Squid) server with one NIC

2009 October 30
by Philippe Delodder

I was reading an interesting story about using squid to save bandwidth with apt-get; more info about that can be found here (squid and debian packages).
But to make more use of the squid I had installed, with only one NIC, I was looking for a solution: a transparent proxy server with one NIC.

For more information on how to set up squid3 as a transparent proxy, see here.

After modifying the config for my purposes, which you can find below, I was all set. It's a great solution that's going to save me some more bandwidth.

Changes to /etc/network/interfaces. The eth0:0 alias gives the proxy host a second address, 192.168.2.1, so clients in 192.168.2.0/24 can use it as their default gateway, while the primary address stays on the 192.168.1.0/24 network behind the router at 192.168.1.1:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

auto eth0:0
iface eth0:0 inet static
name Ethernet alias LAN card
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255
network 192.168.2.0

The script that makes it all possible (changed from the solution I found). Keep in mind that iptables only applies the PREROUTING rules to packets that arrive at this host, so clients must use the proxy (192.168.2.1 or 192.168.1.5) as their default gateway for the transparent redirect to take effect:

#!/bin/sh

# Squid server IP (the primary address of eth0)
SQUID_SERVER="192.168.1.5"

# Interface connected to the Internet (the only NIC; the LAN range uses the eth0:0 alias)
INTERNET="eth0"

# Address ranges connected to the LAN
LOCAL="192.168.2.0/24"
LOCAL2="192.168.1.0/24"

# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set the default filter policy. FORWARD is not set here, so it keeps the
# kernel default of ACCEPT: transit traffic is forwarded regardless of source.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies to connections this host or its NATed clients opened
# (this is what lets DNS answers and passive FTP data connections back in)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set this system up as a router for the rest of the LAN. Only $LOCAL gets an
# explicit FORWARD rule; $LOCAL2 is forwarded by the default ACCEPT policy.
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# Unlimited access to and from the LAN. OUTPUT only carries packets generated
# by this host, so the LAN range belongs in -d there, not in -s.
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -d $LOCAL -j ACCEPT

# DNAT port 80 requests coming from LAN systems to Squid on 3128 ($SQUID_PORT),
# aka transparent proxy. These rules only see packets that arrive at this host,
# so hosts in $LOCAL2 must use $SQUID_SERVER as their default gateway.
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# Any other port 80 traffic arriving on $INTERNET goes to Squid as well.
# REDIRECT rewrites the destination to the primary address of the incoming
# interface, i.e. $SQUID_SERVER. PREROUTING never sees this host's own outbound
# traffic; catching that would need an OUTPUT rule that excludes Squid's own
# user, otherwise Squid's upstream requests would loop back into Squid.
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Open everything on $INTERNET. This makes the INPUT DROP policy and the
# LOG/DROP rules below unreachable for traffic on that interface, and it
# exposes port $SQUID_PORT to any host that can reach eth0; Squid's own
# http_access ACLs are then the only thing preventing an open proxy.
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT

# Log and DROP whatever is left (only traffic on interfaces other than lo and $INTERNET)
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
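The following is an added example, not code from the post: a small first-match walk of the nat PREROUTING and filter INPUT/FORWARD chains above, run over constructed packets, to show which traffic lands on Squid and why the final LOG/DROP rules in INPUT never fire as the script stands. It also carries a constructed "hardened" INPUT chain (no blanket ACCEPT on eth0, 192.168.1.0/24 admitted only to the Squid port) and a DROP policy on FORWARD, so the same packets can be compared against both. The address 192.168.2.1 for eth0:0 is taken from the interfaces file above; the client and Internet addresses in the sample packets are assumptions.

```python
"""First-match walk through the iptables rules in the post above.

This is an added example, not the post's own code. It models only the matches
the script uses (-i, -s, -p tcp --dport, -m state) with first-match semantics
per chain, so it can show which packets reach Squid and whether the LOG/DROP
tail of INPUT can ever fire. The sample packets and the "hardened" chains are
constructed for illustration; LOCAL_ADDRS assumes the two addresses from the
post's /etc/network/interfaces.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

SQUID_SERVER = "192.168.1.5"
SQUID_PORT = 3128
INTERNET = "eth0"
LOCAL = ip_network("192.168.2.0/24")
LOCAL2 = ip_network("192.168.1.0/24")
LOCAL_ADDRS = {"192.168.1.5", "192.168.2.1"}   # eth0 and eth0:0 (assumption from the config)
ANY = ip_network("0.0.0.0/0")
ESTABLISHED = {"ESTABLISHED", "RELATED"}


@dataclass
class Packet:
    in_if: str            # interface the packet arrived on
    src: str
    dst: str
    proto: str            # "tcp", "udp", ...
    dport: int = 0
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED


def matches(rule, pkt):
    """A rule matches when every match it carries applies; absent keys match anything."""
    return (rule.get("in_if", pkt.in_if) == pkt.in_if
            and ip_address(pkt.src) in rule.get("src", ANY)
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", pkt.dport) == pkt.dport
            and pkt.state in rule.get("state", {pkt.state}))


def run_chain(chain, policy, pkt):
    """First matching terminating rule wins; LOG is non-terminating, as in iptables."""
    for rule in chain:
        if rule["target"] != "LOG" and matches(rule, pkt):
            return rule["target"]
    return policy


DNAT = f"DNAT {SQUID_SERVER}:{SQUID_PORT}"
# nat PREROUTING as in the script: the REDIRECT rule only sees port-80 traffic
# the two DNAT rules did not already claim.
PREROUTING = [
    {"src": LOCAL, "proto": "tcp", "dport": 80, "target": DNAT},
    {"src": LOCAL2, "proto": "tcp", "dport": 80, "target": DNAT},
    {"in_if": INTERNET, "proto": "tcp", "dport": 80, "target": f"REDIRECT {SQUID_PORT}"},
]
# The script never sets a FORWARD policy, so transit traffic outside $LOCAL
# is forwarded by the kernel default ACCEPT, not by this rule.
FORWARD = [{"src": LOCAL, "target": "ACCEPT"}]

INPUT_AS_POSTED = [
    {"in_if": "lo", "target": "ACCEPT"},
    {"in_if": INTERNET, "state": ESTABLISHED, "target": "ACCEPT"},
    {"src": LOCAL, "target": "ACCEPT"},
    {"in_if": INTERNET, "target": "ACCEPT"},          # "open everything"
    {"target": "LOG"},
    {"target": "DROP"},
]
# Constructed hardened variant: no blanket ACCEPT on eth0; 192.168.1.0/24 may
# only open connections to the Squid port; everything else is logged and dropped.
INPUT_HARDENED = [
    {"in_if": "lo", "target": "ACCEPT"},
    {"in_if": INTERNET, "state": ESTABLISHED, "target": "ACCEPT"},
    {"src": LOCAL, "target": "ACCEPT"},
    {"src": LOCAL2, "proto": "tcp", "dport": SQUID_PORT, "target": "ACCEPT"},
    {"target": "LOG"},
    {"target": "DROP"},
]


def evaluate(pkt, input_chain, forward_policy="ACCEPT"):
    """Return (nat verdict, filter verdict) for one packet arriving on the proxy host."""
    nat = run_chain(PREROUTING, "ACCEPT", pkt)
    if nat.startswith(("DNAT", "REDIRECT")):
        # Both targets land on this box: DNAT names 192.168.1.5 explicitly and
        # REDIRECT uses the primary address of the incoming interface, also 192.168.1.5.
        pkt = replace(pkt, dst=SQUID_SERVER, dport=SQUID_PORT)
    if pkt.dst in LOCAL_ADDRS:                        # routing decision: local delivery -> INPUT
        return nat, run_chain(input_chain, "DROP", pkt)
    return nat, run_chain(FORWARD, forward_policy, pkt)   # transit -> FORWARD


# Constructed sample packets; the public addresses are documentation ranges.
WEB_FROM_LAN2 = Packet("eth0", "192.168.2.10", "203.0.113.7", "tcp", 80)
WEB_FROM_LAN1 = Packet("eth0", "192.168.1.20", "203.0.113.7", "tcp", 80)   # only arrives here if 192.168.1.5 is its gateway
MAIL_FROM_LAN1 = Packet("eth0", "192.168.1.20", "203.0.113.7", "tcp", 25)
SSH_FROM_OUTSIDE = Packet("eth0", "198.51.100.9", "192.168.1.5", "tcp", 22)
WEB_FROM_OUTSIDE = Packet("eth0", "198.51.100.9", "203.0.113.7", "tcp", 80)

if __name__ == "__main__":
    samples = [("web from 192.168.2.0/24", WEB_FROM_LAN2), ("web from 192.168.1.0/24", WEB_FROM_LAN1),
               ("smtp from 192.168.1.0/24", MAIL_FROM_LAN1), ("ssh from outside", SSH_FROM_OUTSIDE),
               ("web from outside", WEB_FROM_OUTSIDE)]
    for name, pkt in samples:
        print(f"{name:26} as posted: {evaluate(pkt, INPUT_AS_POSTED)}  "
              f"hardened: {evaluate(pkt, INPUT_HARDENED, 'DROP')}")
```

Running it prints both verdicts for each packet. Two things stand out: with the ruleset as posted, an SSH connection or a port-80 request from any source that can reach eth0 is accepted by the "open everything" rule, so the LOG/DROP tail of INPUT is dead code and Squid is reachable from outside both address ranges; and simply switching FORWARD to a DROP policy, as the hardened variant does, cuts off non-web traffic from 192.168.1.0/24 until a FORWARD rule for that range is added alongside the one for 192.168.2.0/24.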
One Response

  1. November 15, 2009

    Here you can see a brief article about transparent proxy with squid and iptables:
    http://www.linuxconfig.net/2009/11/14/creating-transparent-proxy-with-squid-and-iptables.html
