In this
post we are going to show you how to setup transparent proxy with squid and
iptables. Main benefit of setting transparent proxy is you do not have to setup
up individual browsers to work with proxies.
My LAB Setup:
System: Sun Fire X4100 with 8 GB RAM
Eth0: IP: 192.168.1.1
Eth1: IP: 172.22.2.1
OS: Red Hat Enterprise Linux
Eth1: IP: 172.22.2.1
OS: Red Hat Enterprise Linux
Network
Interface Eth0 connected to internet and eth1 connected to intranet (LAN) i.e.
system act as router.
Step1 – Squid Server
Configuration
# vi /etc/squid/squid.conf
Add
or Modify following squid directives:
httpd_accel_host
virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl intranet src 172.22.2.1 172.22.2.254/24
http_access allow localhost
http_access allow intranet
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl intranet src 172.22.2.1 172.22.2.254/24
http_access allow localhost
http_access allow intranet
Save
and exit
Explanation:
httpd_accel_host virtual:
Squid as an httpd accelerator
httpd_accel_port 80:
80 is port you want to act as a proxy
httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as
a proxy.
httpd_accel_uses_host_header on: Header is turned on which is the hostname from the
URL.
acl intranet src 172.22.2.1
172.22.2.254/24: Access control list, only allow LAN subnet to use squid
http_access allow localhost: Squid access to localhost ACL only
http_access allow intranet: Squid access to LAN ACL only
Run the
following command (grep will remove all comments and sed will remove all empty
lines:
#
grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
Or
#
cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl
QUERY urlpath_regex cgi-bin \?
no_cache
deny QUERY
hosts_file
/etc/hosts
refresh_pattern
^ftp: 1440 20% 10080
refresh_pattern
^gopher: 1440 0% 1440
refresh_pattern
. 0 20% 4320
acl
all src 0.0.0.0/0.0.0.0
acl
manager proto cache_object
acl
localhost src 127.0.0.1/255.255.255.255
acl
to_localhost dst 127.0.0.0/8
acl
purge method PURGE
acl
CONNECT method CONNECT
cache_mem
1024 MB
http_access
allow manager localhost
http_access
deny manager
http_access
allow purge localhost
http_access
deny purge
http_access
deny !Safe_ports
http_access
deny CONNECT !SSL_ports
acl
intranet src 172.22.2.1 172.22.2.254/24
http_access
allow localhost
http_access
allow intranet
http_access
deny all
http_reply_access
allow all
icp_access
allow all
visible_hostname
squidserver.techsupportpk.com
httpd_accel_host
virtual
httpd_accel_port
80
httpd_accel_with_proxy
on
httpd_accel_uses_host_header
on
coredump_dir
/var/spool/squid
Step2 – Iptables Setup
Add the following rules to forward all http requests (coming to port 80) to
the Squid server port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80
-j DNAT --to 192.168.1.1:3128
iptables
-t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Following
is the complete shell script. First configure Linux system as router and
forwards all http requests to port 3128:
#!/bin/sh
#
squid server IP
SQUIDSRV="192.168.1.1"
#
Interface connected to Internet
Internet="eth0"
#
Interface connected to LAN
Intranet="eth1"
#
Squid port
Port="3128"
#
DO NOT MODIFY BELOW
#
Clean old firewall
iptables
-F
iptables
-X
iptables
-t nat -F
iptables
-t nat -X
iptables
-t mangle -F
iptables
-t mangle -X
#
Load IPTABLES modules for NAT and IP conntrack support
modprobe
ip_conntrack
modprobe
ip_conntrack_ftp
#
For win xp ftp client
#modprobe
ip_nat_ftp
echo
1 > /proc/sys/net/ipv4/ip_forward
#
Setting default filter policy
iptables
-P INPUT DROP
iptables
-P OUTPUT ACCEPT
#
Unlimited access to loop back
iptables
-A INPUT -i lo -j ACCEPT
iptables
-A OUTPUT -o lo -j ACCEPT
#
Allow UDP, DNS and Passive FTP
iptables
-A INPUT -i $Internet -m state --state ESTABLISHED,RELATED -j ACCEPT
#
set this system as a router for Rest of LAN
iptables
--table nat --append POSTROUTING --out-interface $Internet -j MASQUERADE
iptables
--append FORWARD --in-interface $Intranet -j ACCEPT
#
unlimited access to LAN
iptables
-A INPUT -i $Intranet -j ACCEPT
iptables
-A OUTPUT -o $Intranet -j ACCEPT
#
DNAT port 80 request comming from LAN systems to squid 3128 ($Port) aka
transparent proxy
iptables
-t nat -A PREROUTING -i $Intranet -p tcp --dport 80 -j DNAT --to
$SQUIDSRV:$Port
#
if it is same system
iptables
-t nat -A PREROUTING -i $Internet -p tcp --dport 80 -j REDIRECT --to-port $Port
#
DROP everything and Log it
iptables
-A INPUT -j LOG
iptables
-A INPUT -j DROP
Save
shell script with any name you want. Execute script so that system will act as
a router and forward the ports:
# chmod +x /etc/iptables.rules
#
/etc/iptables.rules
#
service iptables save
#
chkconfig iptables on
Start or
Restart the squid:
# service squid restart
#
chkconfig squid on
Step3 - Desktop / Client
computer configuration
Point all desktop clients
to your eth1 IP address (172.22.2.1) as Router/Gateway (use DHCP to distribute
this information). You do not have to setup up individual browsers to work with
proxies.
Verify your squid proxy if
it is working correctly?
See access log file
/var/log/squid/access.log:
# tail -f /var/log/squid/access.log
Above
command will monitor all incoming request and log them to
/var/log/squid/access.log file. Now if somebody accessing a website through
browser, squid will log information.
If
you want to block some domain from squid, then do the following.
# vi /etc/squid/black_list
.facebook.com
.youtube.com
.twitter.com
Save and exit
# vi /etc/squid/squid.conf
acl DENYWEB “/etc/squid/black_list”
http_access deny DENYWEB
No comments: