July 12, 2009 by Ivan
[HowTo] Install and Configure Squid as Transparent Proxy
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
An intercepting proxy (also known as a "transparent proxy") combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (and often without the client's knowledge): nothing has to be configured on the client machine, yet every request passes through the proxy.
Install Squid Cache Proxy
I will show you how to install Squid Web Proxy (Ubuntu/Debian only):
1. Open up your shell and type this command:
sudo apt-get install squid
2. Finish.
For other OS you can download the binary package here.
Configure Squid Cache Proxy as Transparent Proxy
To configure Squid as a transparent proxy you need to edit the squid.conf file in /etc/squid/squid.conf as follows:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24          # adjust to your LAN; only this range may use the proxy
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all                     # everything not matched above is refused
http_reply_access allow localnet
http_reply_access deny all
icp_access allow localnet
icp_access deny all
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr admin@email.com
# The Debian/Ubuntu squid package creates the account "proxy" for Squid;
# use the user and group your package created, or Squid will fail to start.
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname yourdomain.com
icp_port 3130
always_direct allow all
forwarded_for off
coredump_dir /var/spool/squid
The most important line is "http_port 8080 transparent": it makes Squid listen as an intercepting proxy on port 8080 (the default port is 3128). The iptables rules in the next section redirect the LAN's port-80 traffic to this port, so the port configured there (SQUID_PORT) must match the http_port line, otherwise the redirected connections arrive at a port nobody is listening on.
Note: that keyword is for Squid 2.6 and 2.7. From Squid 3.1 on, the "transparent" option is deprecated; use "intercept" instead ("http_port 8080 intercept").
There are many things that Squid can do, such as limiting download speed for certain IPs, denying some "time-wasting" sites, denying some ports, denying downloads of certain files at certain hours, and many more cases that you can name. So take your time to read their documentation guide here.
Configure Iptables
To make Squid the transparent proxy (a "man in the middle" for the LAN's HTTP traffic), you need to configure iptables on the gateway. I got this script from nixCraft to help you. Two things to keep in mind: the script flushes all existing rules and, on the Internet interface, afterwards accepts only replies to connections the gateway itself opened, so no new inbound connection (SSH included) is accepted from the Internet side once it has run; and if Squid runs on a separate host, its replies must also travel back through this gateway so the DNAT can be undone, otherwise the client receives a reply from Squid's address instead of the web server's and discards it.
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN (an interface name, not an IP address)
LAN_IN="eth1"
# Squid port: must match the http_port line in squid.conf (8080 above; 3128 is Squid's default)
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# (current kernels name these nf_conntrack, nf_conntrack_ftp and nf_nat_ftp;
#  ip_conntrack and ip_conntrack_ftp are the old names)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# On the Internet side accept only replies to connections we opened
# (this is what lets DNS answers and passive FTP data back in)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid ($SQUID_SERVER:$SQUID_PORT) aka transparent proxy.
# This also works when Squid runs on this gateway: DNAT to a local address is delivered locally.
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# Alternative when Squid runs on this same system: a plain REDIRECT to the local port.
# Keep it on $LAN_IN. Matching on $INTERNET instead would hand port-80 traffic arriving
# from the Internet to Squid as well.
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
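As an added example of my own (not code from the post above or from the nixCraft script), here is a small pre-flight check for both sections: it reads the intercepting http_port from squid.conf, refuses script variables that cannot work (an IP address where an interface name is expected, a server that is not an IPv4 address, no transparent/intercept port at all), and renders the NAT rules as an iptables-restore fragment you can read before flushing a live firewall. The function names and the file name check_intercept.sh are mine; the squid.conf contents in the usage are assumed.

```shell
#!/bin/sh
# Added example, not part of the original post or the nixCraft script.
# Check that squid.conf and the firewall variables agree, then render the
# NAT rules as an iptables-restore fragment. Function names are hypothetical.

# Print the port from the intercepting http_port line of a squid.conf.
# Accepts the Squid 2.x keyword "transparent" and the 3.1+ keyword "intercept",
# and both "port" and "ip:port" forms. Exit status 1 if no such line exists.
squid_intercept_port() {
  awk '
    /^[ \t]*http_port[ \t]+/ && ($3 == "transparent" || $3 == "intercept") {
      port = $2
      sub(/^.*:/, "", port)   # strip an "ip:" prefix
      print port
      found = 1
      exit
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# True if the argument looks like an IPv4 address.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True if the argument is usable as an interface name for -i/-o:
# non-empty, only [A-Za-z0-9._-], and not an IPv4 address (a common mistake
# that produces rules which match no packets at all).
is_iface() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  if is_ipv4 "$1"; then return 1; fi
  return 0
}

# Render the interception rules for iptables-restore.
# Arguments: squid.conf path, Squid server IPv4, Internet interface, LAN interface.
# Only port-80 traffic arriving on the LAN interface is sent to Squid; nothing
# arriving on the Internet interface is redirected. DNAT to the gateway's own
# address also works when Squid runs on the gateway itself.
render_nat() {
  conf=$1 server=$2 inet=$3 lan=$4
  port=$(squid_intercept_port "$conf") || {
    echo "no 'http_port N transparent|intercept' line in $conf" >&2; return 1; }
  is_ipv4 "$server" || { echo "Squid server must be an IPv4 address: $server" >&2; return 1; }
  is_iface "$inet"  || { echo "Internet interface must be a name like eth0: $inet" >&2; return 1; }
  is_iface "$lan"   || { echo "LAN interface must be a name like eth1, not an address: $lan" >&2; return 1; }
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# intercept LAN clients' port 80 and hand it to Squid on $server:$port
-A PREROUTING -i $lan -p tcp --dport 80 -j DNAT --to-destination $server:$port
# masquerade the LAN behind the Internet interface
-A POSTROUTING -o $inet -j MASQUERADE
COMMIT
EOF
}

# Usage: sh check_intercept.sh /etc/squid/squid.conf 192.168.1.1 eth0 eth1 > nat.rules
if [ $# -eq 4 ]; then
  render_nat "$@"
fi
```

The fragment covers only the nat table; the filter rules still come from the script above. Read the output, or parse it with iptables-restore --test, before running the script that flushes everything: a mismatched port or an address typed where an interface name belongs is rejected here with a message, instead of producing rules that load fine and silently intercept nothing.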
Okay, that's all of it. If you like it, please leave me a comment.
Please post your squid.log here.
I will try to help you.
Hi Ivan,
Sorry for the late reply. I was able to solve my previous issue. Right now, I face a new problem:
Suddenly my setup for transparent proxy is not working. access.log is not populated any more. Prior to this, I had configured my squid as a transparent proxy with url_rewrite_program for URL redirection. My browser is supposed to work in transparent mode and do a URL redirection based on certain conditions I created. Please advise me on how to fix this. Thanks.
my squid server is '202.45.139.161'
interface to internet is 'eth0'
interface to lan is '202.45.139.163'
my squid.conf setup is:
acl lan src 202.45.139.163/255.255.255.255
below is my setup for iptables:
SQUID_SERVER="202.45.139.161"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
# (note: -i/--in-interface takes an interface name such as eth1; an IP address here matches no packets)
LAN_IN="202.45.139.163"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Hi Ivan, to add to the post below.
Before this problem happened, I could surf in transparent mode with Mozilla Firefox and Google Chrome but not with Internet Explorer. The only way is that I need to set IE to use the proxy; then it populates the access.log. Why does this happen? Thanks
Hi long,
Have you checked the iptables rules?
Hi Ivan,
I have checked the iptables rules. I am using eth0 instead of etho in the iptables. It seems that right now my setting for transparent proxy is not working. What other things do I need to check?
Thanks
hi,
After I execute iptables, below is the result when I type iptables -L:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Is this the problem?
thanks
Hi long,
Please describe your network topology.
Where are your client, router and modem? How does the client connect to the Internet?
And have you installed DHCP and Bind servers?
Add me on gmail chat if you want, and we can talk freely.
Hi Ivan,
My client is connected to a switch and goes to the server (squid).
My server (squid) is also connected to the same switch,
from the switch to a gateway and then to the Internet.
I also have another local server that will be used for url_rewrite_program.
This local server has the same connection to the switch.
My server (squid) is running on CentOS.
I think my CentOS is already equipped with DHCP and Bind. I will check further
tomorrow.
Tomorrow I will add you on gmail chat and we can talk more about this setup.
Thanks,
long
If I have only one NIC (eth0), is it possible to make a transparent proxy server? If so, what changes should be made to this? Can you please help me to configure it?
Haven't tried it yet. But you can set up port forwarding from port 80 to the squid port.
Hi Ivan,
I have changed my network topology and my transparent proxy mode works.
I realized my mistakes when I read your article several times. I followed all the steps and finally I am able to surf with the transparent proxy. Thanks a lot for your guide.
long
It's nice to know that you finally got it working.
I'm happy for you.
By the way, can you tell us where you went wrong? Then if someday another reader comes and reads this article, they can learn from you.
Thanks. My mistakes came from the setup of my system. Before this, I was not using eth1 as the interface to the client; the client was separate from the squid server. I fixed this problem by connecting the client directly to the server's eth1. I restarted squid, ran the iptables script and it works.
Hello Ivan,
Hope you are doing well.
I am using Squid version 2.6.STABLE6 in transparent mode. My users use the squid server IP 192.168.1.1 as their gateway to access the Internet. I have made various ACLs and they work well.
But now I want to disable Gmail chat with the GTalk messenger. Although I have set up squid to block Gmail chat in the browser, and that works, when a user types https://gmail.com/ it is not effective, and users are also using GTalk. Please help me to disable Gmail chat and GTalk.
Regards
Yogesh2tech@gmail.com
Hi Yogesh, I suggest you block the GTalk ports instead of blocking the domain.
To block GTalk, you can set the restriction on these addresses:
Block access to 216.239.37.125, 72.14.253.125, 72.14.217.189 and 209.85.137.125 on ports 20, 21, 80, 443, 5222 and 5223.
Good luck!
Hi Ivan,
Can you tell me what I need to do to achieve this?
Please keep in mind that we are also running our own mail server with an instant messaging feature on the same port, 5222.
Regards
Yogesh
Hello Ivan, nice article, is there any way you can teach me how to block torrent connections via Squid or Iptables? I’m using Ubuntu. Thanks.
Hi Ivan ,
Please suggest how to block these IPs on these particular ports, because I have already tried a lot but still am not able to block GTalk.
Pls help me!
Thanks
Yogesh
Blocking torrent connections may be a little tricky since they change over time.
My suggestion is to block all the ports except some important ones.
OK, noob here, I can't get the script to execute. How do I run it?
Forgot to mention I get: bash: /etc/setup.iptables: /bin/sh^M: bad interpreter: No such file or directory
Did you run it with root permissions or with sudo?
Hi, thank you for replying; you are a star in the dark expansive world of Linux. Yes, I used sudo (and sudo su) in the terminal and tried running it through webmin also; I get the same error. I am using Ubuntu 10.04 LTS. I double checked your response to make sure; I still get the same error: bad interpreter: no such file or directory.
Please try to run iptables -L or iptables -h.
Does it show output or an error message?
Hi, doing it manually, I get a problem on the echo line:
[1] 2745 1 gt: command not found [1]+ done echo1 bash /proc/sys/net/ipv4/ip_foward: Permission denied (I did sudo)
I googled and tried this: gksudo gedit /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.conf.default.forwarding=1
but the line in my file looks different:
net.ipv4.ip_foward=1
Will it be OK to do it this way?
Yes, IP forwarding should be on. But in your case it should be on by default.
I'm really making an effort on my side for this to work, so sorry for bugging you. What I find now is that squid "works". When I type an IP in the browser on my workstations (say for Google) it opens the web page. But if I use http://www.xxxxx.com it doesn't. If I do it with the IP it shows up in my squid tail log; if I type the web address it doesn't work and nothing happens in the log on my server. What am I missing?
Have you installed Bind9 as your DNS server?
Install Bind9 and forward all requests to the DNS server that you got from your provider.
You are a genius! Bind9 did the trick. It is not packaged with Ubuntu 10 LTS desktop. Thank you!!
Glad to know that i can help you.
Thanks