How to configure squid to be a transparent proxy - squid

  1. How to configure squid to be a transparent proxy

    Hi,

    I have been researching this topic for some time and I'm not real sure
    if I'm going about this the right way. I have a Fedora 4 box running
    squid 2.5 and dansguardian 2.8.0.6. This is a standalone machine on a
    private network with only one network card. The gateway is a dsl
    modem/router which has DHCP enabled. I would like all http traffic
    coming from any machine on this private network to be redirected to
    this linux box without having to manually configure each Internet
    browser. Can this be done this way or do I need to set this linux box
    up as the default gateway?


  2. Re: How to configure squid to be a transparent proxy

    Dear p33gopher

    It depends on the capabilities of the DSL modem/router. If it can do
    port-redirection (or translation), you just need to configure the DSL
    modem/router to do it as you want, which should be the simplest way. If
    it can't do port-redirection (or translation), you need to have another
    box as the default GW of the workstations that can do it. Your Linux box
    is a good choice for this new box.
    Then you need to enable routing(if people) and do port-redirection (or
    translation), using IPTABLES, on your Linux box to redirect the specific
    traffic that is passing through to your squid, and also configure squid
    to operate in transparent mode.

    That's all in brief. But you might need some considerations in
    network configuration.

    Hope it helps.

    Best Regards


  3. Re: How to configure squid to be a transparent proxy

    The modem/router actually has Port Forwarding and Port Triggering
    capabilities. It also allows you to assign an IP as a static NAT. I'm
    not sure which one I need.


  4. Re: How to configure squid to be a transparent proxy

    Could you provide me the brand and model?


  5. Re: How to configure squid to be a transparent proxy

    I'm at work now. So, I'm not entirely sure if this is the exact model.
    Westell w327

    This link might help give you some specs.

    http://www.westell.com/content/produ.../versalink.pdf


  6. Re: How to configure squid to be a transparent proxy

    What we are looking for is Port Network Address Translation (PAT or
    PNAT). The Westell Versalink w327 does not support what we want. We want
    the modem/router to translate the destination/port of the HTTP traffic
    that passes through the modem/router to be the IP address of the Linux
    box and the port no. which Squid is listening on. What is called "Port
    Forwarding" in the manual, I think, is for forwarding a range of WAN
    ports to an IP address; it may be suitable for monitoring.

    In brief, according to

    http://www.westell.com/content/sales/327W.pdf

    I think the modem could not do it.


  7. Re: How to configure squid to be a transparent proxy

    ok, darn. I figured that... Ok. So now my question is... what and
    how do I configure this linux box to replace the dsl modem/router? I
    apologize for my ignorance. I'm fairly new to linux. Here is a
    website (one of the many I've found) that outlines how to set up squid
    as a transparent proxy.
    http://www.linuxsolved.com/forums/ftopic116.html

    Here's another for setting up a gateway/firewall
    http://yolinux.com/TUTORIALS/LinuxTu...rkGateway.html

    I've looked these over at a glance. Do they look correct to you?


  8. Re: How to configure squid to be a transparent proxy


    It seems they are OK. But in my opinion the most reliable things
    could be found on tldp.org (HOWTOs, Guides - specially Securing and
    Optimizing Guide) coz they are official and maintained regularly.

    Anyway I guess there would be no problem to use those guides, and if
    you would let me review what configuration you will do using those
    guides.

    Best Regards
    --
    Mehdi Sarmadi


  10. Re: How to configure squid to be a transparent proxy

    Great, thank you very much for your help. I will look over these and
    let you know. I will probably need more assistance.... Do you mind if
    I contact you via your e-mail address or continue with my questions on
    the forum?


  11. Re: How to configure squid to be a transparent proxy

    I've started to configure the linux box. This is the website I've
    started to use.
    http://www.tldp.org/HOWTO/Home-Netwo...i-HOWTO-3.html

    I will post all my configuration files if you want me to. Let me
    know...

    I think I've run into a problem though. Here is what I started with.
    The modem/router has multiple duties. This particular model acts as a
    switch and also as a wireless access point for users. Here is what my
    problem is. I have two network cards for the linux box. One for the
    internal LAN and one for the WAN. I don't have any choice but to
    connect both nics to the modem/router because it is acting as the
    switch. How can I distinguish between the LAN interface and WAN
    interface if they are on the same switch? My thought was to use VLANs
    on this switch. So, I kept ethernet port 1 of 4 on VLAN 1 which is the
    default VLAN for all ports. Port 1 would be for the WAN network card
    in which the modem/router would be giving out DHCP addresses to the WAN
    NIC. The modem has an ip address of 192.168.5.1 and the WAN nic gets
    an ip address of 192.168.5.2. I have set up the rest of the ports on
    the switch (Ports 2-4) to be on VLAN 2. The LAN network card is
    connected to Port 2 on VLAN 2. I have one user (my workstation)
    connected to Port 3 (VLAN 2). The linux machine can access the internet
    without any problems. I have set up the linux box as a DHCP server in
    which it is using my ISP's DNS servers. My workstation is getting an
    ip address of 192.168.1.60 which is good. I am able to ping the linux
    box which has an internal ip address (on the LAN NIC) of 192.168.1.6.
    The linux box is set up as the default gateway for my machine. I am not
    able to connect to the Internet though. DNS servers are showing
    though. I am not able to ping www.yahoo.com for example. I think my
    configuration on the modem/router may be incorrect. The modem/router's
    WAN port (phone line) is in a "Bridge/DHCP" configuration. Am I on the
    right track? It occurs to me that maybe the linux box isn't forwarding
    the DNS requests to the ISP DNS servers. Could this be the problem?


  12. Re: How to configure squid to be a transparent proxy

    Is the IPv4 Forwarding enabled on the Linux Box? In other words, are
    you sure that routing is enabled on the Linux Machine?


  13. Re: How to configure squid to be a transparent proxy

    I was able to get the clients to connect to the internet. And yes, I
    did double check that forwarding was enabled. I'm now working on
    trying to get the transparent proxy configured for squid. I'm not sure
    if I have iptables and squid configured correctly. I have been able
    to get dansguardian to work by configuring my machine to point to the
    linux box (192.168.1.6 port 8080). This works fine, however, as you
    know I want to configure squid as a transparent proxy. I have one
    question. I installed squid when I first installed Fedora. Do you
    happen to know if the install of squid at that time enables the
    "--enable-linux-netfilter" by default? I've been under the assumption
    that this feature was enabled. I've seen a couple sites referring to
    this feature and thought maybe that's been my problem all along. Here
    is one site I've been looking at
    http://www.linuxsolved.com/forums/ftopic116.html. I haven't had time
    to research the iptables syntax yet. I've seen so many different
    iptables entries used with squid as a transparent proxy that I'm
    getting really confused. I have been using the defaults on squid and
    dansguardian. I haven't changed any ports. So, squid is listening on
    3128 and dansguardian is listening on port 8080. Do you know what the
    correct iptables entry would be in my case?
    eth0 = WAN interface
    eth1 = internal network (LAN)
    Are there any log files that would be beneficial to look at?

    I have also put these entries into squid.conf

    httpd_accel_host vertual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on


  14. Re: How to configure squid to be a transparent proxy

    The httpd_accel_host vertual entry is incorrect. The website I copied
    this from misspelled the word and I didn't notice until I looked at
    my last post. The actual entry I have in the squid.conf file is
    "httpd_accel_host_virtual"


  15. Re: How to configure squid to be a transparent proxy

    Nice Job!

    I assume you are using Fedora Core X.

    If you are using the pre-compiled squid that comes with Fedora Core,
    it has the capability of transparent proxying.

    # These are enough for squid to get transparency enabled and working
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

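    and for iptables
    # You just need this to make it work
    # Variables
    IPT=/sbin/iptables        # path to the iptables binary
    EXT_IF=eth0               # WAN interface
    INT_IF=eth1               # LAN interface
    EXT_IP=something
    INT_IP=192.168.1.6        # LAN address of the Linux box
    SQUID_PORT=3128
    INT_LAN=192.168.1.0/24
    # The only thing that makes it:
    # web requests arriving on the LAN interface for destinations outside
    # the LAN are rewritten to the squid port on this box. The "!" negation
    # goes before the option, which is the form current iptables expects.
    $IPT -t nat -A PREROUTING -i $INT_IF ! --destination $INT_LAN -p tcp \
        --dport 80 -j DNAT --to-destination $INT_IP:$SQUID_PORT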

    Note: I did not provide the complete firewall code that you need for
    your Linux host; that just redirects a direct web request to your
    machine and squid port. You may need more care about that script, such
    as initialization, clearing the chains, etc.

    Be sure that the iptables service is automated for networked runlevels,
    >chkconfig --level 345 iptables on


    Save your firewall conf for the next run, if you set it well as you want it.
    >service iptables save


    Hope this helps.
    Real good reference would be:
    SQUID Frequently Asked Questions
    http://info.ccone.at/INFO/Squid/

    Best Regards

    ---
    Mehdi Sarmadi
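
The three things questioned in posts 12, 13 and 15 (is forwarding on, was squid built with --enable-linux-netfilter, is the port-80 rule in the nat table) can be checked mechanically. The script below is an added example, not code from the thread; the function names and the sample inputs are constructed for illustration, and it assumes the rules are given in iptables-save format.

```shell
# Added example. All sample inputs are constructed, not taken from the thread.

# Does the text printed by `squid -v` list the netfilter build option?
squid_has_netfilter() {
    printf '%s\n' "$1" | grep -q -- '--enable-linux-netfilter'
}

# $1 = contents of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
    [ "$1" = "1" ]
}

# $1 = nat table in iptables-save format, $2 = LAN interface, $3 = squid port.
# Succeeds if a PREROUTING rule on that interface sends tcp/80 to that port.
has_intercept_rule() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v port="$3" '
        $1 == "-A" && $2 == "PREROUTING" && / -p tcp / && / --dport 80 / {
            in_ok = 0; tgt_ok = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == ifc) in_ok = 1
                if ($i == "--to-destination" && $(i + 1) ~ (":" port "$")) tgt_ok = 1
                if ($i == "--to-ports" && $(i + 1) == port) tgt_ok = 1
            }
            if (in_ok && tgt_ok) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

report() {  # $1 = label, rest = check to run
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; return 1; fi
}

# Args: squid -v text, ip_forward value, nat rules, LAN interface, squid port
check_all() {
    rc=0
    report "squid built with --enable-linux-netfilter" squid_has_netfilter "$1" || rc=1
    report "IPv4 forwarding enabled" forwarding_enabled "$2" || rc=1
    report "tcp/80 from $4 goes to port $5" has_intercept_rule "$3" "$4" "$5" || rc=1
    return $rc
}

# Constructed samples matching the thread's layout (eth1 = LAN, squid on 3128)
SAMPLE_SQUID_V='Squid Cache: Version 2.5.STABLE-sample
configure options:  --enable-snmp --enable-linux-netfilter'
SAMPLE_NAT='-A PREROUTING ! -d 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.6:3128'

check_all "$SAMPLE_SQUID_V" 1 "$SAMPLE_NAT" eth1 3128
# Live: check_all "$(squid -v)" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)" eth1 3128
```

A FAIL on the third line with the other two passing points at the rule itself: wrong interface, wrong port, or the rule not saved into the running nat table.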


  16. Re: How to configure squid to be a transparent proxy

    Forgot to introduce this one:
    http://www.tldp.org/HOWTO/TransparentProxy.html


  17. Re: How to configure squid to be a transparent proxy

    great! I really do appreciate your patience and help on this. I
    will keep you updated.


  18. Re: How to configure squid to be a transparent proxy

    Welcome b33gopher.
    My Pleasure

