Setting Up Squid In Gateway As A Transparent Proxy

**Squid** is a popular open source (GPL) proxy server and web cache. It has a variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS, and other network lookups for a group of people sharing network resources. It is primarily designed to run on Unix-like systems.

This setup has been tested in a working environment and has proven efficient.

1. Installing squid

  1. yum -y install squid
  • Downloaded and installed package : squid.i386 7:2.5.STABLE14-3.FC5
  • Configuration File : /etc/squid/squid.conf

Resources I had:

System: AMD Sempron(tm) Processor 2600+ with 512MB RAM
Primary Ethernet Interface : eth0: IP: 64.233.187.99 (the IP is that of Google, using it as a reference)
Netmask:255.255.255.248
Secondary Ethernet Interface : eth1: IP: 192.168.1.3
Netmask:255.255.255.0
Operating System: Fedora Core 5 with updated kernel 2.6.20.7
  • Eth0 connected to Internet
  • Eth1 connected to local LAN, i.e. the system acts as a router

Setup Method:

Step #1 : Squid configuration so that it will act as a transparent proxy
Step #2 : Iptables configuration
a) Configure system as router
b) Forward all HTTP requests to 3128 (DNAT)
Step #3: Run scripts and start squid service

Editing the Squid Configuration file to meet requirements

  1. vi /etc/squid/squid.conf

Lines to be uncommented/added:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl mylan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow mylan

Where,

* httpd_accel_host virtual: run Squid as an httpd accelerator with no fixed origin server; the destination is taken from each intercepted request
* httpd_accel_port 80: 80 is the port of the traffic being intercepted (HTTP)
* httpd_accel_with_proxy on: Squid acts both as a local httpd accelerator and as a normal proxy
* httpd_accel_uses_host_header on: Squid takes the destination hostname from the client's Host header; this is required for interception, because the request line of an intercepted request carries no hostname
* acl mylan src 192.168.1.1 192.168.2.0/24: defines the VN Network LAN addresses allowed to use Squid. Make sure this list covers the network actually behind eth1 (192.168.1.0/24 in the setup above); clients outside it are redirected to Squid and then denied
* http_access allow localhost : allow access from the Squid host itself
* http_access allow mylan : allow the VN Network LAN (the mylan ACL defined above) to use Squid

These httpd_accel_* directives are the Squid 2.5 syntax, matching the package installed above; Squid 2.6 and later dropped them in favour of the transparent option on http_port.

Save the Squid configuration file. To get a quick overview of the active settings without reading through the whole (heavily commented) file, any of the commands below does the job neatly:

  1. grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
  2. sed '/ *#/d; /^ *$/d' /etc/squid/squid.conf (sed lovers can use this)
  3. cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
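Stripping the comments is handy, but the next question is whether what is left actually does what the list above says. The following shell script is an added example (not from the article) that builds on the same grep/sed filter to check the active directives: are the four httpd_accel_* lines present, does the mylan ACL cover the LAN behind eth1 (192.168.1.0/24 according to the interface settings above), and is there a reachable http_access allow all, which would turn the gateway into an open proxy? The two squid.conf files it inspects are constructed inline and are not the author's real configuration; the closing http_access deny all is the default that ships in squid.conf.

```shell
#!/bin/sh
# Added example, not part of the original article: review the active Squid 2.5
# directives and flag two transparent-proxy mistakes before starting the service.
# The helper functions take any squid.conf path; the two sample files below are
# constructed here (one from the directives listed in the article, one with a
# deliberately open "http_access allow all") and are not the author's real config.

# Active directives only: drop comment lines and blank lines.
effective_conf() {
    grep -v '^[[:space:]]*#' "$1" | sed -e '/^[[:space:]]*$/d'
}

# True if the directive $2 is active with exactly the value $3.
has_directive() {
    effective_conf "$1" | grep -q "^$2[[:space:]][[:space:]]*$3[[:space:]]*$"
}

# True if the src ACL named $2 lists the network $3 (e.g. 192.168.1.0/24).
acl_covers_lan() {
    effective_conf "$1" | grep "^acl[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*src[[:space:]]" \
        | grep -qwF -- "$3"
}

# True if "http_access allow all" is reachable, i.e. appears before any
# "http_access deny all". http_access is first-match, so a reachable allow all
# makes the box an open proxy for whoever can reach port 3128.
is_open_proxy() {
    effective_conf "$1" | awk '
        $1 == "http_access" && $2 == "deny"  && $3 == "all" && !open   { closed = 1 }
        $1 == "http_access" && $2 == "allow" && $3 == "all" && !closed { open = 1 }
        END { exit open ? 0 : 1 }'
}

# Run all checks on $1 for a LAN of $2; print findings and "PROBLEMS=<n>" last.
review_conf() {
    conf="$1"; lan="$2"; problems=0
    for d in "httpd_accel_host virtual" "httpd_accel_port 80" \
             "httpd_accel_with_proxy on" "httpd_accel_uses_host_header on"; do
        if ! has_directive "$conf" "${d%% *}" "${d#* }"; then
            echo "MISSING: $d"; problems=$((problems + 1))
        fi
    done
    if ! acl_covers_lan "$conf" mylan "$lan"; then
        echo "ACL mylan does not cover the LAN $lan: redirected clients will be denied"
        problems=$((problems + 1))
    fi
    if is_open_proxy "$conf"; then
        echo "OPEN PROXY: http_access allow all is reachable"
        problems=$((problems + 1))
    fi
    echo "PROBLEMS=$problems"
}

# Constructed sample 1: the directives the article lists, plus the default
# closing "http_access deny all" that ships in squid.conf.
ARTICLE_CONF=$(mktemp)
cat > "$ARTICLE_CONF" <<'EOF'
# Squid transparent proxy (constructed sample)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl mylan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow mylan

http_access deny all
EOF

# Constructed sample 2: correct LAN prefix but a reachable "allow all".
OPEN_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl mylan src 192.168.1.0/24
http_access allow all
http_access deny all
EOF
trap 'rm -f "$ARTICLE_CONF" "$OPEN_CONF"' EXIT

# Usage on a real gateway: review_conf /etc/squid/squid.conf 192.168.1.0/24
review_conf "$ARTICLE_CONF" 192.168.1.0/24
```

Run against the constructed article sample with the LAN 192.168.1.0/24, the script reports one problem: the ACL lists 192.168.1.1 and 192.168.2.0/24, so every other host on the eth1 network would be redirected to Squid and refused. The open-proxy check matters more once the redirect is in place, because port 3128 is then the single point through which all LAN web traffic flows.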

2. CONFIGURING IP TABLES

The rules below forward all HTTP requests (TCP port 80) to the Squid server on port 3128:

  1. iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
  2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

But more effective and more detailed, below is a pretty neat script that I found on the Internet. I have modified the parameters according to our settings.

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.3"

# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"

# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies from the Internet to connections already opened from here
# (this is what lets DNS answers, other UDP replies and passive FTP data
# connections back in, via conntrack)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

I have stored the above script in root's home directory under the name proxyset.sh. Now save and execute the script:

  1. chmod +x /root/proxyset.sh
  2. /root/proxyset.sh

PS: Do deploy a firewall. It's better to stop the "friend" than to clean up the mess he makes.
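The script above does its job, but iptables -A INPUT -i $LAN_IN -j ACCEPT lets every LAN host reach every service on the gateway, the FORWARD chain stays at its default ACCEPT policy, and the unlimited LOG rule can be flooded. As an added example (my code, not the article's or the original script author's), here is a tighter version of the same firewall for the same gateway that takes the PS above at its word: it keeps the transparent redirect, defaults FORWARD to DROP, lets the LAN reach the gateway only on the Squid port and a few named services, and rate-limits logging. The LAN prefix 192.168.1.0/24 is taken from the eth1 address and netmask listed earlier; DNS and SSH being offered by the gateway are assumptions. Run with the argument apply as root; without it the rules are only printed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the script from the article: a tighter firewall for the same
# gateway (Squid on 192.168.1.3:3128, eth0 to the Internet, eth1 to the LAN).
# Compared with the article's script it
#   - sets FORWARD to DROP and only forwards LAN -> Internet traffic and replies,
#   - lets LAN hosts reach the gateway only on the Squid port, DNS and SSH
#     instead of "unlimited access to LAN",
#   - drops LAN-side packets whose source is not a LAN address,
#   - rate-limits the LOG rules so a scan cannot flood the log, and
#   - does not redirect inbound port 80 from the Internet side to Squid.
# LAN_NET is assumed from eth1 192.168.1.3/255.255.255.0; the DNS and SSH
# allowances are assumptions (remove them if the gateway offers neither).
# Without the argument "apply" the rules are only printed for review.
set -eu

SQUID_SERVER="192.168.1.3"
SQUID_PORT="3128"
INTERNET="eth0"
LAN_IN="eth1"
LAN_NET="192.168.1.0/24"          # assumed from the eth1 address and netmask
LAN_SERVICES_TCP="53 22"          # assumption: DNS and SSH offered to the LAN
LAN_SERVICES_UDP="53"

IPT="${IPT:-echo iptables}"       # dry run unless "apply" is given

apply_rules() {
    # Start from empty tables, as the article's script does.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X

    # Default deny for traffic to and through the gateway; it may talk out itself.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections opened by the gateway or by the LAN
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: only LAN addresses may arrive on the LAN interface
    $IPT -A INPUT -i "$LAN_IN" ! -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN_IN" ! -s "$LAN_NET" -j DROP

    # Transparent proxy: the DNAT happens in PREROUTING, so the redirected HTTP
    # connections arrive on INPUT and must be accepted there on the Squid port.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to "$SQUID_SERVER:$SQUID_PORT"
    $IPT -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Other services the gateway offers to the LAN (assumed: DNS, SSH)
    for p in $LAN_SERVICES_TCP; do
        $IPT -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $LAN_SERVICES_UDP; do
        $IPT -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done

    # Route everything else from the LAN (HTTPS, mail, ...) out with NAT
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$LAN_NET" -j MASQUERADE

    # Log (at most 5 lines a minute) and drop whatever is left
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

case "${1:-}" in
    apply)
        IPT="iptables"
        apply_rules
        sysctl -w net.ipv4.ip_forward=1   # make it persistent in /etc/sysctl.conf
        ;;
    *)
        apply_rules                        # dry run: print what would be installed
        ;;
esac
```

Two design points worth noting. HTTPS from the LAN is deliberately not touched by the nat table; it is simply forwarded and masqueraded, which is also why it never shows up in Squid's access log. And the article's REDIRECT rule on the Internet-facing interface is left out: with INPUT defaulting to DROP it did nothing useful, and a gateway should not offer its proxy port, redirected or not, to the outside at all.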

Restart Squid:

  1. /etc/init.d/squid restart
  2. chkconfig squid on

Done!!! This should get the Squid server ready.

Client system configuration:

All we need to do is set the default gateway of the client machines to the proxy server address, which is 192.168.1.3:

  1. route add default gw 192.168.1.3

All HTTP and HTTPS access handled by Squid is recorded in the access log, which can be tailed with the command below. Note that the iptables rules above redirect only TCP port 80, so HTTPS (port 443) from LAN clients passes straight through the MASQUERADE rule and will not appear here unless the clients are configured to use the proxy explicitly.

  1. tail -f /var/log/squid/access.log

Everything is logged.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.