July 12, 2009 by Ivan Kristianto
[HowTo] Install and Configure Squid as Transparent Proxy

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Squid Cache Proxy Installation
1. Open up your shell and type this command:
sudo apt-get install squid
2. Finish.
For other operating systems you can download a binary package here.
Configure Squid Cache Proxy as Transparent Proxy
To configure Squid as a transparent proxy you need to edit the squid.conf file at /etc/squid/squid.conf as follows:
# Access control lists
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24   # your LAN
acl SSL_ports port 443 563
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl CONNECT method CONNECT
# Only the cache manager from localhost; deny unsafe ports and CONNECT to non-SSL ports
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only the LAN and this host may use the proxy; everything else is denied
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow localnet
http_reply_access deny all
icp_access allow localnet
icp_access deny all
# Listen on 8080 in transparent mode (Squid 2.6/2.7; Squid 3.1+ uses "intercept")
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?
# Cache sizing and ownership
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr admin@email.com
# Debian/Ubuntu packages create the service account "proxy"; use the account that exists on your system
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname yourdomain.com   # replace with this server's host name
icp_port 3130
always_direct allow all
forwarded_for off
coredump_dir /var/spool/squid
The most important line is
“http_port 8080 transparent”: this line makes Squid run as a transparent proxy on port 8080 (the default is 3128). Later you need to configure iptables so that every HTTP request from the LAN is redirected to this port; the port in the iptables rules must be the same port as in http_port.
Note: that setting is for Squid v2.6 or v2.7. In later versions such as Squid v3.1 the “transparent” option is deprecated; use the “intercept” option instead.
There are many things that Squid can do, like limiting download speed for certain IPs, denying some “time wasting” sites, denying some ports, denying downloads of some file types during certain hours, and many more cases that you can name. So take your time to read their documentation guide here.
Note: the Squid web proxy installation steps above are only for Ubuntu/Debian. For other distributions they might work but need adjustment.
Iptables Configurations
To make Squid the transparent proxy (the “man in the middle” for your LAN's web traffic), you need to configure iptables so that outgoing port 80 traffic from the LAN is redirected to Squid.
I got this script to help you:
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port: must match the http_port in squid.conf (8080 in the configuration above; Squid's default is 3128)
SQUID_PORT="8080"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
# Enable IP forwarding so this box routes for the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we opened (UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to Squid on $SQUID_PORT, aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if Squid runs on this same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
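As an added check that is not part of the original post or of the nixCraft script: a small POSIX shell script that reads the http_port line from squid.conf and the SQUID_PORT value from the iptables script and reports when the two ports differ, or when the transparent/intercept keyword does not fit the Squid version you pass in. The file names and the sample file contents it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the port Squid
# intercepts on is the port the iptables script redirects to, and that the
# http_port keyword fits the Squid version (transparent for 2.6/2.7,
# intercept for 3.1 and later).

# Port of the first http_port line carrying "transparent" or "intercept".
intercept_port() {
    awk '$1 == "http_port" && /transparent|intercept/ { print $2; exit }' "$1"
}

# Keyword used on that http_port line.
intercept_keyword() {
    awk '$1 == "http_port" && /transparent/ { print "transparent"; exit }
         $1 == "http_port" && /intercept/   { print "intercept";   exit }' "$1"
}

# Value of SQUID_PORT="..." in the iptables script.
script_port() {
    sed -n 's/^SQUID_PORT="\([0-9]*\)".*/\1/p' "$1"
}

# $1 squid.conf, $2 iptables script, $3 Squid version such as 2.7 or 3.1.
# Returns 0 when both files agree; otherwise prints the problem and returns 1.
check_consistency() {
    conf_port=$(intercept_port "$1")
    fw_port=$(script_port "$2")
    kw=$(intercept_keyword "$1")
    [ -n "$conf_port" ] || { echo "no transparent/intercept http_port in $1"; return 1; }
    [ "$conf_port" = "$fw_port" ] ||
        { echo "Squid listens on $conf_port but iptables redirects to $fw_port"; return 1; }
    case "$3" in 2.*) want=transparent ;; *) want=intercept ;; esac
    [ "$kw" = "$want" ] || { echo "Squid $3 expects '$want', found '$kw'"; return 1; }
    echo "ok: port $conf_port, keyword $kw"
}

# Constructed sample files: the post's squid.conf (8080) beside the script's
# original SQUID_PORT (3128) and a corrected copy, plus a Squid 3.1 style config.
TMP=$(mktemp -d)
printf 'http_port 8080 transparent\ncache_mem 256 MB\n' > "$TMP/squid.conf"
printf 'http_port 8080 intercept\n'                    > "$TMP/squid31.conf"
printf 'SQUID_PORT="3128"\n'                           > "$TMP/fw-mismatch.sh"
printf 'SQUID_PORT="8080"\n'                           > "$TMP/fw-ok.sh"

check_consistency "$TMP/squid.conf"   "$TMP/fw-mismatch.sh" 2.7 || :   # port mismatch
check_consistency "$TMP/squid.conf"   "$TMP/fw-ok.sh"       2.7 || :   # ok
check_consistency "$TMP/squid.conf"   "$TMP/fw-ok.sh"       3.1 || :   # wrong keyword
check_consistency "$TMP/squid31.conf" "$TMP/fw-ok.sh"       3.1 || :   # ok
```

Point it at your real /etc/squid/squid.conf and the iptables script before running the firewall rules; the version argument is the major.minor you get from squid -v.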
Okay, that’s all of it. If you like it please leave me a comment.
Do you have a DNS server in your local network? If yes, in your DNS server (usually bind9) configure proxy.server.com to point to the correct address of your proxy server.

How to configure? I have installed bind9 and configured it as a cache server, nothing else. I can access the sites through IP from the client but can't through name.
Please suggest.
imran
shahmeer09@gmail.com

imran, yes it is a DNS problem. If you are not using Squid, can you access the website with the address name?

ivankrisdotcom, Ivan, thanks for the quick reply. I just stopped the Squid server and then checked the internet on the client machine. It does not access the sites with the proxy or without the proxy. When I start Squid, the client accesses the web through the proxy setting. So please suggest.
I am running a proxy server according to your configuration. I want to know what I should do to make my host name work instead of the IP address of the server placed in the proxy settings.
My server name is: proxy.server.com
LAN IP address is 192.168.111.1
I used this IP address (192.168.111.1 and port 3128) to connect to the internet.
Now I don't want to use the IP address. I want to use the name instead of the IP address.
When I try to use the name on the server, the internet is working (proxy.server.com:3127).
But when I try to use the name on the client, it is not working. Why is it not working?

Hi Ivan,
I am using Squid 2.6 with no iptables, but I can't access FTP and HTTPS connections;
my proxy denies 443 and 21. I have made the entries in Safe_ports and SSL_ports.

You need to use iptables.
Nice article. I was trying to install it but could not; this will guide me in installing and configuring Squid.

OK, how about this scenario. I am using 80 as the Squid http_port, so no need for redirection. And I'm not using iptables (turned off) at all, for some reasons. How can I make my Squid transparent? I need all HTTP and HTTPS to be redirected to my Squid server via ASA PIX 5510.

You still need iptables.

Hi, the above are very good tips.
Can you please suggest how to block websites in Squid?
Regards
Jitender Saini

http://www.ivankristianto.com/os/ubuntu/howtofilter-some-website-during-work-hour-with-squid/915/
Hi, I was wondering how I would go about configuring it so that I can cap the amount of internet each proxy user can use, so that once a user has used 8 GB of their cap, they're unable to access the internet anymore unless their allocated amount of usage is increased.

I think what you need is not a proxy/Squid. Try Mikrotik instead. It's a Linux with a lot of router applications and features.

Hi Ivan...
I was trying to configure my Squid just like your configuration... but I was wondering why it terminates automatically...
Then I found out I had a signal 6 error in messages.log:
Mar 22 18:16:19 localhost squid[1834]: Squid Parent: child process 1846 exited due to signal 6
Then I tried to comment these:
#cache_mem 256 MB
#cache_dir ufs /var/spool/squid 2048 16 256
#cache_mgr admin@email.com
#cache_effective_user squid
#cache_effective_group squid
Then it started normally... Why do you think this is happening? I would greatly appreciate it if you help me... Thanks...

What is your Squid version?

2.7

Thanks bro, you gave one solution, and in my main light out something, and I got to try it on my server. My squid.conf was not valid, and I tried your configuration; it is so nice. Thanks.
Hi Ivan,
I followed all the steps one by one, but when I run your script I get the following error:
./iptables4squid.sh: 28: gt: not found
1
./iptables4squid.sh: 28: /proc/sys/net/ipv4/ip_forward: Permission denied
Could you give me a push please?
Regards
Christian

Hi Christian,
since WordPress automatically changes special characters, it turned > into "&gt;".
Please change it back to >.

Thanks Ivan, this is a very useful script.

It is really helpful to me.
Hi Ivan,
I have set up Squid and the iptables rules.
My eth0 (192.168.1.24) is connected to the internet and my eth1 (192.168.10.0/24) is connected to the client.
The problem is that my client cannot access the internet.
I'm using Squid 2.7 and Ubuntu Server 10.10.

Please make sure you install BIND and forward DNS to your ISP's DNS.

Also I have some problem with iptables:
when I restart the server all the rules are set back to default...

I'm kind of a noob...
I have an internal DNS server (192.168.1.1),
so do I still need to install BIND?
Thanks in advance.

You need to install BIND in your router box, so when your client tries to resolve the address it will forward to your ISP's DNS server. And yes, you need BIND.

Thanks, this really helps.
I fixed the iptables problem by adding the rules manually to /etc/iptables.up.rules;
I didn't use the terminal...
Hi Ivan, thanks for the tute; it worked great even in Win XP. The only thing I can't find is where the iptables file is, to copy the data into it. Would you know? I am looking in squid/etc but it is not there; I am assuming that it is a text file like the config file?
Thanks

Hi Ivan, a couple of days back I followed the article and installed and configured Squid 2.6 and iptables on Debian Lenny; it worked fine for me. But now I installed Debian Squeeze in my test environment, which has Squid 2.7. I configured it the same way as mentioned in this article, but I am not able to ping any site and not able to browse on my client system. What could be the reason? Do I need to make any changes to the above article to work with Debian Squeeze?

Have you installed BIND? And DNS forwarding?

Yes, I have a local DNS installed and configured, and DNS forwarding is also on.

Have you checked the iptables rules setup? And please see squid.log if there is any error.
Hi Ivan,
Nice article!!!
Will it work with DansGuardian?
Thanks
Boss

Hi Boss,
to have it work with DansGuardian, you need to configure Squid and iptables.

Thanks for the update Ivan.
Could you please update the configurations for both Squid and iptables?

Please update only the iptables configuration; I configured Squid + DansGuardian.
Thanks in advance!

Then block proxy.skyinet.net so they cannot access it.
Hi Ivan, I'm Jake and I am a newbie in the Unix/Linux world. I have set up a FreeBSD transparent proxy/cache server and it works fine. My question is, can I use Squid to filter P2P downloads? And how do I manage to restrict porn sites in my network? Thanks.

To restrict P2P is a little bit tricky. You may need to block all ports except the default ports (e.g. 80, 21, 22, etc.). But it will block passive FTP or other programs' ports as well, so you need extra attention to which ports you really need to open.

Thanks Ivan, one more thing: how can I force my clients to use only my proxy server, so that even if they manually configure their browser to use proxy.skyinet.net they cannot access the web?
As of now, when I block some site in my Squid they cannot access the site, but when they use proxy.skyinet.net they can access my blocklisted sites. Can you please help?

Ivan,
Here is my setup: DSLRouter>--<eth0.DebianLenny.eth1>--<WirelessNetgear>--<LaptopViaWireless>
I got Squid and iptables to work; I see the access logs in Squid. That part is cool. I assigned eth1 192.168.13.1 and the Netgear WAN 192.168.13.2, connected to eth1 with a direct cable. The LAN (wireless) on the Netgear is 192.168.16.1 and distributes 192.168.16.100 to my laptop connected via wireless. I only see the router IP 192.168.13.2 in the Squid access.log file and not the laptop IP 192.168.16.100. How do I fix that? Thanks in advance for your help. Or do I need to rearrange my network, or are some Squid changes required?

Since you are using a router (wireless router), all connections from the router will appear to use the same IP address. You need to enable one-to-one NAT in your wireless router, so your laptop IP 192.168.16.100 will translate to 192.168.13.102. For the setting in your wireless router please refer to your product manual.

Thanks for the reply; so there are no settings on Squid we can accomplish this with?

As far as I know, there is nothing you can do with Squid, because Squid will only see the incoming IP connection, which is your router IP. So the only way is setting one-to-one NAT. Anyway, if you have a better solution please let me know.
I am also having the permission denied error when I'm trying to execute the script. I saw you wrote to some guy to change the ">" to > without the quotes... uh, where is that?

To give execute permission to the script, type this: chmod +x iptables.sh and then run it with ./iptables.sh

Yes, I did that and I still get the permission denied...

Can you paste the result of this command?
ls -l iptables.sh

Hi Ivan,
I didn't check the BIND and DNS forwarding; let me try.
Thanks
Nassar