How to Setup a Transparent Proxy With Squid



In this post we are going to show you how to setup transparent proxy with squid and iptables. Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.


My LAB Setup:

System:      Sun Fire X4100 with 8 GB RAM
Eth0:           IP: 192.168.1.1
Eth1:           IP: 172.22.2.1
OS:             Red Hat Enterprise Linux

Network Interface Eth0 connected to internet and eth1 connected to intranet (LAN) i.e. system act as router.


Step1 – Squid Server Configuration

# vi /etc/squid/squid.conf

Add or Modify following squid directives:
 
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl intranet src 172.22.2.1 172.22.2.254/24
http_access allow localhost
http_access allow intranet

Save and exit


Explanation:

httpd_accel_host virtual: Squid as an httpd accelerator
httpd_accel_port 80: 80 is port you want to act as a proxy
httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
acl intranet src 172.22.2.1 172.22.2.254/24: Access control list, only allow LAN subnet to use squid
http_access allow localhost: Squid access to localhost ACL only
http_access allow intranet: Squid access to LAN ACL only


Run the following command (grep will remove all comments and sed will remove all empty lines:

# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Or

# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
 


Output:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl intranet src 172.22.2.1 172.22.2.254/24
http_access allow localhost
http_access allow intranet
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname squidserver.techsupportpk.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid


Step2 – Iptables Setup

Add the following rules to forward all http requests (coming to port 80) to the Squid server port 3128:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


Following is the complete shell script. First configure Linux system as router and forwards all http requests to port 3128:


#!/bin/sh

# squid server IP
SQUIDSRV="192.168.1.1"

# Interface connected to Internet
Internet="eth0"

# Interface connected to LAN
Intranet="eth1"

# Squid port
Port="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $Internet -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $Internet -j MASQUERADE
iptables --append FORWARD --in-interface $Intranet -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $Intranet -j ACCEPT
iptables -A OUTPUT -o $Intranet -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($Port) aka transparent proxy
iptables -t nat -A PREROUTING -i $Intranet -p tcp --dport 80 -j DNAT --to $SQUIDSRV:$Port

# if it is same system
iptables -t nat -A PREROUTING -i $Internet -p tcp --dport 80 -j REDIRECT --to-port $Port

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


Save shell script with any name you want. Execute script so that system will act as a router and forward the ports:

# chmod +x /etc/iptables.rules
# /etc/iptables.rules
# service iptables save
# chkconfig iptables on

Start or Restart the squid:

# service squid restart
# chkconfig squid on




Step3 - Desktop / Client computer configuration
Point all desktop clients to your eth1 IP address (172.22.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.

Verify your squid proxy if it is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

Above command will monitor all incoming request and log them to /var/log/squid/access.log file. Now if somebody accessing a website through browser, squid will log information.

If you want to block some domain from squid, then do the following.

# vi /etc/squid/black_list
.facebook.com
.youtube.com
.twitter.com

Save and exit

# vi /etc/squid/squid.conf
acl DENYWEB “/etc/squid/black_list”   
http_access deny DENYWEB 


No comments:

Powered by Blogger.