squid transparent proxy with single Ethernet interface (port)
#1: yum install squid
#2 vim /etc/squid/squid.conf
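# Listen only on the LAN address; "transparent" lets Squid accept the port-80
# connections the iptables REDIRECT rule hands it.
http_port 192.168.1.98:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# NOTE(review): Basic auth parameters are set, but no "auth_param basic program"
# line and no proxy_auth ACL appear in this listing, so credentials are never
# actually requested -- confirm whether authentication was intended.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Older "all" syntax; recent Squid releases define "all" built-in and only warn here.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Safe_ports was referenced by "http_access deny !Safe_ports" below but never
# defined, which Squid rejects at start-up (undefined ACL name). This is the
# stock default list from squid.conf.default.
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl PROTOS proto HTTP FTP HTTPS
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
acl our_networks src 192.168.1.0/24
http_access allow our_networks
# "http_access allow PROTOS" matched every HTTP/FTP/HTTPS request regardless of
# its source, so the "deny all" below was unreachable and any client that could
# reach port 3128 had an open proxy. Left disabled: access is granted only to
# our_networks (and localhost) above.
#http_access allow PROTOS
http_access deny all
http_reply_access allow all
# NOTE(review): ICP queries are accepted from anyone; restrict to our_networks
# (or deny) unless sibling caches are actually in use.
icp_access allow all
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log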
#4: iptables routing
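# Redirect port-80 traffic arriving on eth0 from the LAN (192.168.1.0/24) to
# Squid's transparent port 3128. The option names were garbled into en-dashes
# ("–table") by the page; iptables only understands "--". The -s match keeps
# the redirect limited to LAN sources, so nothing outside the LAN is steered
# into the proxy.
/sbin/iptables --table nat --append PREROUTING --in-interface eth0 -s 192.168.1.0/24 --protocol tcp --destination-port 80 --jump REDIRECT --to-port 3128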
#5:# service iptables save
# chkconfig iptables on
#6 # /etc/init.d/squid restart
# chkconfig squid on
note:
I also found a firewall script that makes Squid work as a transparent proxy. Make the script executable and run it at startup, for example from /etc/rc.local.
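#!/bin/sh
# Firewall for a Squid transparent proxy: turns this host into a NAT router for
# the LAN and sends the LAN's port-80 traffic to Squid. Intended to run at boot
# (e.g. from /etc/rc.local). The original paste had its line breaks and quotes
# mangled (smart quotes around values, en-dashes for "--"); both are restored.
# NOTE(review): the addresses below (10.0.0.0/24, 10.0.0.1) differ from the
# 192.168.1.x values used in the squid.conf on this page -- set them to match
# the http_port binding in squid.conf.
set -eu

# Squid server IP
#SQUID_SERVER="192.168.2.253"
SQUID_SERVER="10.0.0.1"
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="10.0.0.0/24"
# Squid port (must match the http_port directive in squid.conf)
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy: nothing unsolicited reaches this host.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host opened (UDP, DNS and Passive FTP)
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set this system as a router for the rest of the LAN
iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
iptables -A FORWARD -s "$LOCAL" -j ACCEPT

# Unlimited access to LAN
iptables -A INPUT -s "$LOCAL" -j ACCEPT
iptables -A OUTPUT -s "$LOCAL" -j ACCEPT

# DNAT port 80 requests coming from LAN systems to Squid ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -s "$LOCAL" -p tcp --dport 80 -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"

# "if it is same system" (original comment): presumably the case where Squid
# runs on this host. Because INPUT defaults to DROP and the blanket accept
# below was removed, a connection REDIRECTed here from the Internet side is
# still dropped unless it matches an earlier accept rule.
iptables -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

# Outbound on the Internet interface. The original script also had
# "iptables -A INPUT -i $INTERNET -j ACCEPT" ("open everything"), which accepted
# every inbound packet from the Internet, made the LOG/DROP rules below
# unreachable and exposed the REDIRECTed Squid port to the outside. It is
# deliberately not re-created: unsolicited inbound traffic now falls through
# to LOG/DROP.
iptables -A OUTPUT -o "$INTERNET" -j ACCEPT

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP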