Transparent Proxy(Squid) server with one nic
2009 October 30
I was reading an interesting story about squid to save bandwidth with apt-get, more info about that can be found here(squid and debian packages).
But to make more use of the squid I had installed and only one nic, I was looking for a solution: Transparent proxy server with one nic
For more information on how to setup squid3 as transparent proxy can be found here.
After modifying the config for my purposes, which you can find below, I was all set. It’s a great solution that’s going to save me some more bandwidth
Changes to the /etc/network/interfaces:
auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.1.5 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 auto eth0:0 iface eth0:0 inet static name Ethernet alias LAN card address 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 network 192.168.2.0
The script that makes it all possible(changed from the solution I found):
#!/bin/sh # Squid server IP SQUID_SERVER="192.168.1.5" # Interface connected to Internet INTERNET="eth0" # Address connected to LAN LOCAL="192.168.2.0/24" LOCAL2="192.168.1.0/24" # Squid port SQUID_PORT="3128" # Clean old firewall iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X # Enable Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT # Unlimited access to loop back iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow UDP, DNS and Passive FTP iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT # set this system as a router for Rest of LAN iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE iptables -A FORWARD -s $LOCAL -j ACCEPT # unlimited access to LAN iptables -A INPUT -s $LOCAL -j ACCEPT iptables -A OUTPUT -s $LOCAL -j ACCEPT # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT # if it is same system iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT #open everything iptables -A INPUT -i $INTERNET -j ACCEPT iptables -A OUTPUT -o $INTERNET -j ACCEPT # DROP everything and Log it iptables -A INPUT -j LOG iptables -A INPUT -j DROP
13 Responses
leave one →
here you can see a brief article about transparent proxy with squid and iptables
http://www.linuxconfig.net/2009/11/14/creating-transparent-proxy-with-squid-and-iptables.html
Hi,
I am trying to install and configure transparent proxy but it doesn’t seem to work.
This is my setup:
Server #1 (Proxy Server)
eth0 IP : 10X.XXX.94.XX
eth0 IP : 10X.XXX.94.1
eth0:1 IP : 10.0.2.139
eth0:1 GW : No gateway specified
## /etc/squid/squid.conf ##
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl lan src 10.0.2.0/24
http_access allow localhost
http_access allow lan
cache_mem 50 MB
http_port 3128 transparent
icp_port 3130
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl localnet src 10.0.2.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow localnet
icp_access deny all
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICYs[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
##############################
## iptables rules ##
SQUID_SVR=”10.0.2.139″
SQUID_PORT=”3128″
INET_IFACE=”eth0″
INT_NET”10.0.2.0/24″
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INET_IFACE -m state –state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
iptables -A FORWARD -s $INT_NET -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $INT_NET -j ACCEPT
iptables -A OUTPUT -s $INT_NET -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $INT_NET -p tcp –dport 80 -j DNAT –to $SQUID_SVR:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp –dport 80 -j REDIRECT –to-port $SQUID_PORT
#open everything
iptables -A INPUT -i $INET_IFACE -j ACCEPT
iptables -A OUTPUT -o $INET_IFACE -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
###########################
Server #2 (Webserver)
eth0 IP : 10X.XXX.98.XXX
eth0 GW : 10X.XXX.98.1
eth0:1 IP : 10.0.2.191
eth0:1 GW : No gateway specified
## iptables rules ##
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to 10.0.2.139:3128
####################
To check if squid is been accessed, i tail /var/log/squid/access.log
Using curl httt://www.myservers.com
I get the response but there is no hit on the squid, mean that the request went out via the Server #2 gateway.
Can anyone advise if there is any other rule I need to add and on which machine?
Hi Philippe,
Thanks so much for this guide. What I intend to do is set up a proxy server for our small office and have all traffic route to the proxy server and I have only one NIC. I have a couple of questions.
1) With regards to your script above, in this section, why do you have two Local IPs?
# Address connected to LAN
LOCAL=”192.168.2.0/24″
LOCAL2=”192.168.1.0/24″
2) Will this set up make the proxy server the gateway whereby all traffic has to by pass the proxy server?
3) How about HTTPS? From my understanding, this only works for HTTP?
Thanks for your help!
Hi,
1) yes, I have 2 local ip’s
2) yes
3) HTTPS doens’t work over proxy so it will not use the proxy but directly the gateway.
Sorry, I have more questions as i’m new to this. How did you get 2 local IPs? Is this just arbitrary? If not, where do I find this information?
It’s on the post: Changes to the /etc/network/interfaces: this is who you define it!
Yup i know that’s where I define it, but where do I get the addresses from? right now I just have one local IP as I only have one NIC.
Where did you get these addresses from? I know one of them is the current NIC’s address, but how about the other? Or can I choose anything?
address 192.168.1.5
and
address 192.168.2.1
You can chose anything you want
Hey Philippe,
Thanks! I think I managed to get this working! BUT…..looking at the access logs, it doesn’t show the client machine’s IP address but just the network address. Is there a way to show the client’s IP address instead of only the network address? I tried customising the log format but that didn’t help. Would you by any chance know how to do this?
I am also having problems with receiving and sending emails via outlook. I’ll need to google that more to find a solution if there is any. But anyhow, do you know how to resolve this too?
Thanks heaps for your help thus far!
No problem, but the I don’t know the anwser for you questions.
I haven’t noticed this in the logs and I always use webmail…. so I don’t had those issues.
I got the solution to the IP addresses not showing! It was to do with the client netmask – i had it set to 255.255.255.0. To show the IP addresses in the access.log file, I just had to change it to 255.255.255.255. I was thinking it was something more complicated than that!
Hey im working over a VM on KVM, and have bonding (eth0,eth1) and ofcourse i have a bridge that allow my vm has a IP from a DHCP and ips over my vlan. The question here is can i choose a ip from same network or it needs to be a diferent network? in my case a vlan? cause i cant do that im restricted to this vlan and no more :S…
btw, to solve the https redirects just add the line on the iptables,
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp –dport “PORTTOFOWARD” -j DNAT –to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp –dport “SAME” -j DNAT –to $SQUID_SERVER:$SQUID_PORT
I solve the problem =D i just use the interfaces and not the ips on the iptables configurations, that solve every thing =D….