**Squid** is a popular open source (GPL) proxy server and web cache. It has a variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS, and other network lookups for a group of people sharing network resources. It is primarily designed to run on Unix-like systems.
This setup has been tested in a working environment and has proven efficient.
1. Installing squid
- yum -y install squid
- Downloaded and installed package: squid.i386 7:2.5.STABLE14-3.FC5
- Configuration file: /etc/squid/squid.conf
Resources I had:
System: AMD Sempron(tm) Processor 2600+ with 512MB RAM
Primary Ethernet Interface : eth0: IP: 64.233.187.99 (the IP is that of Google, using it as a reference)
Netmask:255.255.255.248
Secondary Ethernet Interface : eth1: IP: 192.168.1.3
Netmask:255.255.255.0
Operating System: Fedora Core 5 with updated kernel 2.6.20.7
- Eth0 connected to Internet
- Eth1 connected to local LAN, i.e. the system acts as a router
Setup Method:
Step #1 : Squid configuration so that it will act as a transparent proxy
Step #2 : Iptables configuration
a) Configure system as router
b) Forward all HTTP requests to 3128 (DNAT)
Step #3: Run scripts and start squid service
Editing the Squid Configuration file to meet requirements
- vi /etc/squid/squid.conf
Lines to be uncommented/added:
```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl mylan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow mylan
```
Where,
* httpd_accel_host virtual: run Squid as an httpd accelerator for any (virtual) host rather than one fixed origin server
* httpd_accel_port 80: the port the accelerated traffic was originally destined for, i.e. the port you want to proxy
* httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and a normal proxy
* httpd_accel_uses_host_header on: Squid takes the destination hostname from the request's Host: header; intercepted requests carry only a path in the request line, so without this Squid cannot tell which site was asked for
* acl mylan src 192.168.1.1 192.168.2.0/24: defines the source addresses (the VN Network LAN computers) that are allowed to use Squid
* http_access allow localhost: allow requests from the Squid host itself
* http_access allow mylan: allow the VN Network LAN (the mylan ACL above) to use Squid
Save the Squid configuration file. To get a quick overview of the active settings without reading through the whole file (most of which is comments), any of the commands below does the job neatly:
- grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
- sed '/ *#/d; /^ *$/d' /etc/squid/squid.conf (sed lovers can use this)
- cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
2. Configuring iptables
The rules below forward all HTTP requests (destined for port 80) to the Squid port 3128:
- iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
- iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
A more complete and more effective approach is the script below, which I found on the Internet and have modified to match our settings.
```sh
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.3"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we opened (DNS answers, passive FTP data via conntrack)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
```
I have saved the above script in root's home directory as proxyset.sh. Make it executable and run it:
- chmod +x /root/proxyset.sh
- /root/proxyset.sh
PS: Do deploy a firewall. It's better to stop the "friend" than to clean up the mess he makes.
Restart Squid:
- /etc/init.d/squid restart
- chkconfig squid on
Done! The Squid server should now be ready.
Client system configuration:
All that is needed is to set the default gateway of the client machines to the proxy server address, which is 192.168.1.3:
- route add default gw 192.168.1.3
All HTTP and HTTPS access is recorded in the access log, which can be followed with the command below:
- tail -f /var/log/squid/access.log
Everything is logged.
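Since everything ends up in access.log, it is worth checking regularly that only the hosts admitted by the mylan ACL are actually reaching Squid. The script below is an added example, not part of the original post: it summarises requests and TCP_DENIED entries per client from Squid's native access.log format and flags clients outside the LAN prefix. The log lines are constructed, and the LAN argument is a plain prefix match standing in for the /24 in the ACL, not a real CIDR test.

```sh
#!/bin/sh
# Added example (not from the original post): per-client summary of a Squid 2.5
# native-format access.log, flagging clients outside the expected LAN prefix.

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG='1176800001.123    120 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1176800002.456     15 192.168.1.10 TCP_HIT/200 2048 GET http://www.example.com/style.css - NONE/- text/css
1176800003.789      2 192.168.1.25 TCP_DENIED/403 1300 GET http://www.example.org/ - NONE/- text/html
1176800004.012    300 10.0.0.7 TCP_MISS/200 9001 GET http://www.example.net/ - DIRECT/93.184.216.35 text/html
1176800005.345      1 10.0.0.7 TCP_DENIED/403 1300 CONNECT mail.example.com:443 - NONE/- text/html'

# squid_log_summary LAN_PREFIX: reads log lines on stdin and prints one line per
# client:  client requests denied outside_lan   (outside_lan is yes/no).
# LAN_PREFIX (e.g. "192.168.1.") is an assumed simple prefix, not a CIDR match.
squid_log_summary() {
    awk -v lan="$1" '
        $3 != "" {
            reqs[$3]++                       # field 3 is the client address
            split($4, cs, "/")               # field 4 is result_code/status
            if (cs[1] == "TCP_DENIED") denied[$3]++
        }
        END {
            for (c in reqs) {
                outside = (index(c, lan) == 1) ? "no" : "yes"
                printf "%s %d %d %s\n", c, reqs[c], denied[c] + 0, outside
            }
        }' | sort
}

# Helpers returning single values so the summary can be checked programmatically.
count_outside_lan() {
    printf '%s\n' "$SAMPLE_LOG" | squid_log_summary "$1" | awk '$4 == "yes"' | wc -l | tr -d ' '
}
denied_for_client() {
    printf '%s\n' "$SAMPLE_LOG" | squid_log_summary "$2" | awk -v c="$1" '$1 == c { print $3 }'
}

printf '%s\n' "$SAMPLE_LOG" | squid_log_summary "192.168.1."
```

Run it against the real file with `squid_log_summary 192.168.1. < /var/log/squid/access.log`; a client marked outside_lan=yes means the iptables rules or the ACL are not limiting access as intended.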