Squid - How to configure squid to be a transparent proxy

b33gopher

2006-04-30, 1:14 am

Hi,

I have been researching this topic for some time and I'm not real sure
if I'm going about this the right way. I have a Fedora 4 box running
squid 2.5 and dansguardian 2.8.0.6. This is a standalone machine on a
private network with only one network card. The gateway is a dsl
modem/router which has DHCP enabled. I would like all http traffic
coming from any machine on this private network to be redirected to
this linux box without having to manually configure each Internet
browser. Can this be done this way or do I need to set this linux box
up as the default gateway?

Mehdi Sarmadi

2006-04-30, 7:13 am

Dear b33gopher

It depends on the capabilities of the dsl modem/router. If it can do
port-redirection (or translation) you just need to configure the dsl
modem/router to do it as you want, which should be the simplest way. If it
can't do port-redirection (or translation) you need to have another box
as the default GW of the workstations, that can do it. Your Linux box
is a good choice for this new box.
Then you need to enable routing (if people) and do port-redirection (or
translation), using IPTABLES, in your Linux box to redirect specific
traffic that is passing through to your squid, and also configure squid to
operate in transparent mode.

That's all in brief. But you might need some considerations in
network configuration.

Hope it helps.

Best Regards

b33gopher

2006-04-30, 1:14 pm

The modem/router actually has Port Forwarding and Port Triggering
capabilities. It also allows you to assign an ip as a static NAT. I'm
not sure which one I need.

Mehdi Sarmadi

2006-05-01, 7:14 am

Could you provide me the brand and model?

b33gopher

2006-05-01, 2:13 pm

I'm at work now. So, I'm not entirely sure if this is the exact model.
Westell w327

This link might help give you some specs.

http://www.westell.com/content/prod...f/versalink.pdf

Mehdi Sarmadi

2006-05-02, 1:14 am

What we are looking for is Port Network Address Translation (PAT or
PNAT). The Westell Versalink w327 does not support what we want. We want
the modem/router to translate the destination/port of the HTTP traffic
that passes through the modem/router to be the IP address of the Linux
Box and the Port No. which Squid is listening on. What is called "Port
Forwarding" in the manual, I think, is for Forwarding a range of WAN
ports to an IP Address, which may be suitable for monitoring.

In brief, according to

http://www.westell.com/content/sales/327W.pdf

I think the modem could not do it.

b33gopher

2006-05-02, 7:14 pm

ok, darn. I figured that... Ok. So now my question is... what and
how do I configure this linux box to replace the dsl modem/router? I
apologize for my ignorance. I'm fairly new to linux. Here is a
website (one of the many I've found) that outlines how to setup squid
as a transparent proxy.
http://www.linuxsolved.com/forums/ftopic116.html

Here's another for setting up a gateway/firewall
http://yolinux.com/TUTORIALS/LinuxT...orkGateway.html

I've looked these over at a glance. Do they look correct to you?

Mehdi Sarmadi

2006-05-03, 1:13 am


It seems they are OK. But in my opinion the most reliable things
could be found on tldp.org (HOWTOs, Guides - especially the Securing and
Optimizing Guide) because they are official and maintained regularly.

Anyway I guess there would be no problem to use those guides, and If
you would let me review what configuration you will do using those
guides.

Best Regards
--
Mehdi Sarmadi

b33gopher

2006-05-03, 7:13 am

Great, thank you very much for your help. I will look over these and
let you know. I will probably need more assistance.... Do you mind if
I contact you via your e-mail address or continue with my questions on
the forum?

b33gopher

2006-05-05, 1:13 pm

I've started to configure the linux box. This is the website I've
started to use.
http://www.tldp.org/HOWTO/Home-Netw...ni-HOWTO-3.html

I will post all my configuration files if you want me too. Let me
know...

I think I've run into a problem though. Here is what I started with.
The modem/router has multiple duties. This particular model acts as a
switch and also as a wireless access point for users. Here is what my
problem is. I have two network cards for the linux box. One for the
internal LAN and one for the WAN. I don't have any choice but to
connect both nics to the modem/router because it is acting as the
switch. How can I distinguish between the LAN interface and WAN
interface if they are on the same switch? My thought was to use VLANs
on this switch. So, I kept ethernet port 1 of 4 on VLAN 1 which is the
default VLAN for all ports. Port 1 would be for the WAN network card
in which the modem/router would be giving out DHCP addresses to the WAN
NIC. The modem has an ip address of 192.168.5.1 and the WAN nic gets
an ip address of 192.168.5.2. I have setup the rest of the ports on
the switch (Ports 2-4) to be on VLAN 2. The LAN network card is
connected to Port 2 on VLAN 2. I have one user (my workstation)
connected to Port 3 (VLAN 2). The linux machine can access the internet
without any problems. I have setup the linux box as a DHCP server in
which it is using my ISP's DNS servers. My workstation is getting an
ip address of 192.168.1.60 which is good. I am able to ping the linux
box which has an internal ip address (on the LAN NIC) of 192.168.1.6.
The linux box is setup as the default gateway for my machine. I am not
able to connect to the Internet though. DNS servers are showing
though. I am not able to ping www.yahoo.com for example. I think my
configuration on the modem/router may be incorrect. The modem/router's
WAN port (phone line) is in a "Bridge/DHCP" configuration. Am I on the
right track? It occurs to me that maybe the linux box isn't forwarding
the DNS requests to the ISP DNS servers. Could this be the problem?

Mehdi Sarmadi

2006-05-07, 1:13 am

Is the IPv4 Forwarding enabled on the Linux Box? In other words, are
you sure that routing is enabled on the Linux Machine?

b33gopher

2006-05-08, 1:13 pm

I was able to get the clients to connect to the internet. And yes, I
did double check that forwarding was enabled. I'm now working on
trying to get the transparent proxy configured for squid. I'm not sure
if I have iptables and squid configured correctly. I have been able
to get dansguardian to work by configuring my machine to point to the
linux box (192.168.1.6 port 8080). This works fine, however, as you
know I want to configure squid as a transparent proxy. I have one
question. I installed squid when I first installed Fedora. Do you
happen to know if the install of squid at that time enables
"--enable-linux-netfilter" by default? I've been under the assumption
that this feature was enabled. I've seen a couple sites referring to
this feature and thought maybe that's been my problem all along. Here
is one site I've been looking at
http://www.linuxsolved.com/forums/ftopic116.html. I haven't had time
to research the iptables syntax yet. I've seen so many different
iptables entries used with squid as a transparent proxy that I'm
getting really confused. I have been using the defaults on squid and
dansguardian. I haven't changed any ports. So, squid is listening on
3128 and dansguardian is listening on port 8080. Do you know what the
correct iptables entry would be in my case? eth0=WAN Interface,
eth1=Internal Network (LAN). Are there any log files that would be
beneficial to look at?

I have also put these entries into squid.conf

httpd_accel_host vertual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

b33gopher

2006-05-10, 1:13 pm

The httpd_accel_host vertual entry is incorrect. The website I copied
this from misspelled the word and I didn't notice until I looked at
my last post. The actual entry I have in the squid.conf file is
"httpd_accel_host_virtual"

Mehdi Sarmadi

2006-05-12, 1:12 pm

Nice Job!

I assume you are using Fedora Core X.

If you are using the pre-compiled squid that ships with Fedora Core,
it has the capability of transparent proxying.

# These are enough for squid to get transparency enabled and working
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and for iptables
# You just need this to make it work
# Variables
IPT=/sbin/iptables
EXT_IF=eth0
INT_IF=eth1
EXT_IP=something
INT_IP=192.168.1.6
SQUID_PORT=3128
INT_LAN=192.168.1.0/24
# Everything that is not the local LAN (negated destination match)
OUT="! $INT_LAN"
# The rule that actually does the redirect: port 80 traffic arriving on the
# LAN interface and bound for the outside goes to squid instead
$IPT -t nat -A PREROUTING -i $INT_IF --destination $OUT -p tcp --dport 80 -j DNAT --to-destination $INT_IP:$SQUID_PORT

Note: I did not provide the complete firewall code that you need for
your Linux host, that just redirects a direct web request to your
machine and squid port. You may need more care about that script such
as initialization; clearing the chains etc.

Be sure that iptables service is automated for networked runlevels,
>chkconfig --levels 345 iptables on


Save your firewall conf for the next run, once you have set it as you want it.
>service iptables save


Hope this helps.
Real good reference would be:
SQUID Frequently Asked Questions
http://info.ccone.at/INFO/Squid/

Best Regards

---
Mehdi Sarmadi
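The post above gives only the redirect rule and notes that the surrounding initialization (forwarding, clearing the chains, masquerading) is missing. The script below is an added example, not code from the thread or from Squid; it wraps that same DNAT rule with the pieces the thread says are needed, using the thread's interface names and addresses as assumed defaults. Set DRY_RUN=1 to print the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: minimal nat setup around the thread's DNAT rule.
# Assumed defaults (from the thread): eth0 WAN, eth1 LAN, squid on
# 192.168.1.6:3128. Override via environment; DRY_RUN=1 prints instead
# of executing.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_IP=${INT_IP:-192.168.1.6}
INT_LAN=${INT_LAN:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-/sbin/iptables}

# run: execute a command, or echo it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# transparent_proxy_rules: emit/apply the rules in dependency order
transparent_proxy_rules() {
    # 1. Routing must be on, otherwise LAN clients never reach the WAN
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Start from an empty nat table so reruns do not stack duplicates
    run "$IPT" -t nat -F
    # 3. Intercept only traffic arriving on the LAN interface (-i $INT_IF)
    #    that is not bound for the LAN itself; hosts on the WAN side are
    #    not matched by this rule and so cannot use squid through it
    run "$IPT" -t nat -A PREROUTING -i "$INT_IF" ! -d "$INT_LAN" \
        -p tcp --dport 80 -j DNAT --to-destination "$INT_IP:$SQUID_PORT"
    # 4. Everything else leaving the LAN is masqueraded behind the WAN IP
    run "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_LAN" -j MASQUERADE
}

# rule_count: number of commands the function issues (for review/checks)
rule_count() {
    DRY_RUN=1 transparent_proxy_rules | wc -l | tr -d ' '
}

# Usage: sh script.sh dry   (print)   |   sh script.sh apply  (as root)
case "${1:-}" in
    dry)   DRY_RUN=1 transparent_proxy_rules ;;
    apply) transparent_proxy_rules ;;
esac
```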

Mehdi Sarmadi

2006-05-12, 1:12 pm

Forgot to introduce this one:
http://www.tldp.org/HOWTO/TransparentProxy.html

b33gopher

2006-05-13, 1:12 pm

great! I really do appreciate your patience and help on this. I
will keep you updated.

Mehdi Sarmadi

2006-05-14, 7:12 am

Welcome b33gopher.
My Pleasure

^Evil^one

2006-06-01, 3:32 am

It's virtual, not vertual. That's why it won't work. When setting up things like this you need to be careful writing syntax; the important thing is the spelling.