July 12, 2009 by Ivan  

[HowTo] Install and Configure Squid as Transparent Proxy

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

An intercepting proxy (also known as a “transparent proxy”) combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (and often without the client’s knowledge). So the clients never notice it and do not have to configure their machines to use the proxy, yet they are using it.



Install Squid Cache Proxy
I will show you how to install Squid Web Proxy (*only for Ubuntu/Debian):
1. Open up your shell and type this command:
sudo apt-get install squid
2. Done.
For other OSes you can download the binary package here.

Configure Squid Cache Proxy as Transparent Proxy
To configure Squid as a transparent proxy you need to edit the squid.conf file at /etc/squid/squid.conf as follows:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
 
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
 
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
 
http_access allow localnet
http_access allow localhost
http_access deny all
 
http_reply_access allow localnet
http_reply_access deny all
 
icp_access allow localnet
icp_access deny all
 
http_port 8080 transparent
 
hierarchy_stoplist cgi-bin ?
 
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr admin@email.com
cache_effective_user squid
cache_effective_group squid
 
access_log /var/log/squid/access.log squid
 
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern (cgi-bin|\?)    0    0%    0
refresh_pattern .        0    20%    4320
 
visible_hostname yourdomain.com
 
icp_port 3130
 
always_direct    allow    all
 
forwarded_for off
 
coredump_dir /var/spool/squid

The most important line is
“http_port 8080 transparent”: this line means Squid runs as a transparent proxy on port 8080 (the default is 3128). Later you will edit the iptables rules to redirect every client HTTP connection to this port.
Note: that setting is for Squid v2.6 or v2.7. In later versions such as Squid v3.1 the “transparent” option is deprecated; use the “intercept” option instead.

There are many things Squid can do, such as limiting download speed for certain IPs, denying some “time wasting” sites, denying some ports, denying downloads of certain files at certain hours, and many more cases you can name. So take your time to read the documentation guide here.
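Before restarting Squid it is worth checking which requests the http_access rules above actually admit. The following Python evaluator is an added example, not code from the original post or from Squid: it parses the acl and http_access lines of the configuration and applies Squid’s first-match rule (every ACL on a line must match, “!” negates one ACL, no match gives the opposite of the last line’s action). The sample configuration and the requests it evaluates are constructed from the article’s squid.conf.

```python
import ipaddress

# Constructed sample: the acl and http_access lines of the squid.conf above;
# the other directives play no part in the access decision and are omitted.
SQUID_CONF = """\
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (the same name on several lines accumulates
    values, as in Squid) and the http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (acl_type, []))
            if entry[0] != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            entry[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 3:
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {parts[1]}")
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl_type, values, req):
    """True if the request matches one of the ACL's values."""
    if acl_type == "src":
        if "all" in values:
            return True
        client = ipaddress.ip_address(req["client"])
        # ip_network accepts both 192.168.1.0/24 and 0.0.0.0/0.0.0.0 forms
        return any(client in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:  # single port "80" or range "1025-65535"
            lo, _, hi = v.partition("-")
            if int(lo) <= req["dst_port"] <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req["method"].upper() in (v.upper() for v in values)
    if acl_type == "proto":
        return req["proto"].lower() in (v.lower() for v in values)
    raise ValueError(f"acl type {acl_type} is not supported by this evaluator")


def decide(conf_text, client, method="GET", dst_port=80, proto="http"):
    """Return 'allow' or 'deny' for one request under the http_access rules."""
    acls, rules = parse_conf(conf_text)
    req = {"client": client, "method": method, "dst_port": dst_port, "proto": proto}
    for action, tokens in rules:
        line_matches = True
        for token in tokens:
            negate = token.startswith("!")
            name = token.lstrip("!")
            if name not in acls:  # Squid refuses to start on an undefined acl
                raise ValueError(f"http_access references undefined acl {name}")
            acl_type, values = acls[name]
            if acl_matches(acl_type, values, req) == negate:
                line_matches = False
                break
        if line_matches:
            return action  # first matching line wins
    # No line matched: Squid uses the opposite of the last line's action
    # (with no rules at all this evaluator conservatively denies).
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    cases = [
        ("192.168.1.50", "GET", 80, "http"),            # LAN client, plain HTTP
        ("10.0.0.5", "GET", 80, "http"),                # outside localnet
        ("192.168.1.50", "CONNECT", 8443, "http"),      # CONNECT to a non-SSL port
        ("192.168.1.50", "GET", 22, "http"),            # not a Safe_port
        ("192.168.1.50", "CONNECT", 443, "http"),       # HTTPS tunnel from LAN
        ("192.168.1.50", "GET", 8080, "cache_object"),  # cachemgr from the LAN
    ]
    for client, method, port, proto in cases:
        print(f"{client:>13} {method:<7} port {port:<5} {proto:<12} -> "
              f"{decide(SQUID_CONF, client, method, port, proto)}")
```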

Configure Iptables
To make Squid the transparent proxy (the “man in the middle” for your LAN’s HTTP traffic), you need to configure iptables. I got this script to help you:

#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
 
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections this host started (DNS answers, passive FTP data, ...)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Okay, that’s all of it. If you like it please leave me a comment.

  • Emre

    Hi,

    I'm configuring my iptables and squid proxy like your's. But can't be transparent, sorry for my english.

    I have two ethernet karts and eth1 > internet, eth0>LAN

    configured them for my network but still runing normal proxy, not transparent.
    Please help, and so thanks!

  • Anonymous

    Hi Emre, there are some point you need to configure:
    1. Please be sure this line is in your squid.conf
    "http_port 8080 transparent" (without quotes), that's mean you run squid on port 8080 as transparent.
    2. You need to configure the iptables script:
    SQUID_SERVER="192.168.1.1" => your squid's ip
    INTERNET="eth0" => your ethernet that go to the internet
    LAN_IN="eth1" => your ethernet that go to the your network
    SQUID_PORT="3128" => the squid's port 3128 is the default squid port, for my example use 8080

    Hope this help you. Cheers.
    Ivan

  • kevin

    how i can install anonymous proxy….
    please help me with my config….

    please make complete tutorial…

    or just email me…

  • Anonymous

    Hi Kevin,
    To install squid as anonymous proxy,
    you can do the following:
    1. disable all log, edit your squid.conf to:
    access_log none
    cache_store_log none
    2. you need to have a public ip and allow any ip you like, edit the squid.conf:
    acl IPALLOW 210.83.0.0/19 (Note you can add as many ip you like here)
    http_access allow IPALLOW
    http_access deny all
    3. Then you need to edit this line in squid.conf:
    visible_hostname <your public IP>
    4. restart your squid.

  • clive

    How do I connect(physical) the transparent proxy server in my network? I have a DSL modem and a LinkSys wireless router.

  • Anonymous

    If you have a router with squid transaprent proxy installed, just point your computer gateway and dns to your router ip.

  • Siva

    Hi all,
    Can someone give me the configuration guide to make a Squid transparent proxy in Vista OS. I have tried but not succeeded.
    Please guide me the Ethernet configuration(iptables script) on Vista also.

    My network: DNS Modem –> [T-Proxy] –> Swtich –> Client machines

    Thanks in advance,
    Siva

  • Siva

    Hi,
    Can someone give the configuration steps of Squid Transparent proxy in Vista.
    I have tried, but not able to succeed. Please give the ethernet NIC (iptable similar for Win) configuration info for Vista.

    Thanks in advance,
    Siva

  • Anonymous

    Hi Siva,
    i haven't tried yet. But why do you want make your vista as cache server? isn't that waste to much resources?

  • Siva

    Thanks for the reply..! Yes you are right. I changed my plan now.
    Could you please tell me, can we install Squid Transparent proxy in "CentOS" if yes, please tell me which version I should download and configure.

    Note: All my clients are running Vista. Guide me in IP setting also, we've one DNS Static IP.

    My Network: DNS Modem –> [T-Proxy server] –> Swtich –> Client machines

    Please aid me in the Ethernet card configuration.

  • Anonymous

    Hi Siva,
    Just follow my guide in this article, it also work for CentOS.
    But replace command "apt-get install squid" to "yum install squid" (without quotes). It will install squid v2.6 STABLE21.
    And the rest configuration is same.
    Good luck.

  • Siva

    Ivan, I have done all the configuration, but my Squid access.log is not populating. :(

    And tell me do i need to configure DHCP in my squid server?

  • Anonymous

    You don't need to configure DHCP in your squid.
    Did you miss iptables config?

  • Santy

    Hi,

    Thanks for info…

    My current setup is
    my two desktop machines gateway is CISCO PIX (IP 192.168.10.1) & DNS is my AD & DNS Server (192.168.10.10).. Currently I am running squid with manual proxy configuration….for squid as transparent proxy is it required to add rules on PIX firewall? to forward port 80 traffic to squid port 3128.. or is it required to change gateway of my all desktop machines to Squid proxy server IP? (192.168.10.20) please suggest…thanks in advance..

    is it ok if I use eth0 & eth1 password from same subnet (e.g 192.168.10.5 & 192.168.10.6 for eth0 & eth1 respectively) for squid transparent proxy)

  • Santy

    is it ok if I use eth0 & eth1 IP Address from same the subnet (e.g 192.168.10.5 & 192.168.10.6 for eth0 & eth1 respectively) for squid transparent proxy)

  • Siva

    No I ran it, but I don't know how to check it out… Can u please give me the configurations for squid as well as iptable.
    I do no how to trace the issue when its not working. :(

    My Server eth0= 192.168.1.21(From Modem) eth1= 192.168.2.31(To LAN N/W)

    Guide me,no problem if i need to change the IP's also.

  • Anonymous

    Hi Santy,
    Actually i don't understand how your network structure.
    Can you tell me more clear?
    And yes, to run squid as transparent proxy you need to to edit rule in iptables. i provided that in my post.
    Put that in rc.local so everytime your server boot it will automatically configured.

  • Anonymous

    Hi Siva,
    in the squid.conf please change
    acl localnet src 192.168.1.0/24
    To
    acl localnet src 192.168.2.0/24

    and in iptables config change to:
    SQUID_SERVER="192.168.1.21"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="8080"

    Restart squid and run the script.
    Please point all of your client computer gateway to 192.168.2.31

    Cheers

  • Siva

    Thanks a lot….!! I did as u said, now its working perfectly. :) [Cheers]

    Ivan, Presently I don't have control over the client machines. (Like customer own PC) Can i achive this gateway setup through DHCP..? If yes, please guide in the DHCP configuration.

    Thanks again..!!

  • Anonymous

    Yes, you should use DHCP instead. Later i will make an article how to install a DHCP server.

  • Siva

    Ivan, Please help me in this if you can. I have done with all even in reporting through SARG apps. Issue is, I could only view client host IP address in my report. Is there any possiblities to see the client host name instead of IP address in SARG report?

    Like changing the Squid access.log format instead of IP address remote HOST NAME..!

    Thanks in advance…!!

  • Anonymous

    I'm sorry Siva, i don't use SARG apps. So i don't know about it.
    But i'm using my own report, by see continuous log from the squid. I publish the article on my blog at http://www.ivankristianto.com/2009/07/tips-show-squid-log-continuously-squid-web-proxy/
    Hope you like it.
    Thanks.

  • ashar

    hi dear i m using centos 5.3 &2.6 squid i m using so can u help me for transparent squid i got yahoo problem with this so help me for proper work plz mail me on this id whois_thebest2001@yahoo.com
    plz help

  • Anonymous

    Hi Ashar,
    What is the problem?
    Please follow my guide step by step. It will work.
    I'm using CentOS 5.1 with Squid 2.6. And it running for 2 years now.
    Cheers.

  • Rbas

    Is it possible to implement transparent proxy for https? I know it is not allowed because it will be a 'man-in-the-middle attack'. Any options to allow https accesses through transparent proxy? Any help will be appreciated.

    Thanks a lot in advance.
    -RB

  • cembeliq

    i save file in iptable.sh
    Then i run :

    root@cembeliq-laptop:/home/cembeliq/Documents# ./iptable.sh
    1
    ./iptable.sh: 28: gt: not found
    ./iptable.sh: 28: /proc/sys/net/ipv4/ip_forward: Permission denied

    Any solution for this?

  • Anonymous

    Hi cembelig,
    Please change "&gt;" to ">" without quotes.
    and save.
    it will run now.
    Thanks

  • cembeliq

    yeah.. i finally got it

    thank Mr. Ivan..

  • andre

    Mr. ivan i have 2 lines adsl and how to add the second line in your script? LAN is Eth0, modem 1 = Eth1,modem 2= Eth2 please send to my email. thx

    best regards
    andre

    nseshop@gmail.com

  • Anonymous

    Hi Andre,
    why do you need 2 modem?
    i don't know how to set the script to provide your architecture.
    If anyone know that, please share it with us here.
    thanks.

  • atif

    which path i save the iptables files and how to run this file

  • Anonymous

    you can save and run it frm /opt or /home/user folder.
    give run permission with chmod +x to the file.
    and you can run it by ./iptables.sh
    Cheers.

  • gelek

    Thank you verymuch for this wonderful script !
    I always have problem with iptables, but this script that's fine? THHX

  • Anonymous

    It's nice to hear i can help you out… :)

  • YOGESH

    Hi Everyone,

    My Problem is little bit confusing.I m using redhat5.2 and set up transparent proxy.My problem is that i am not able to get http access, but suprisingly i can acess https://example.com:7071 etc even can access ftp server.
    Can Anybody tell me the problem ?

    Here is My Iptables command

    # squid server IP
    SQUID_SERVER="203.153.41.76"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="8080"

    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

    and if I do lan sttings(browser sttings than i can access the http sites)

    Thanks In Advance
    Yogesh
    yogesh2tech@gmail.com

  • Anonymous

    Hi Yogesh,
    Your iptables seems fine with me.
    How about your squid config?
    Please check your squid config around this code:

    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    http_port 8080 transparent

  • Yogesh

    Hi Ivan
    Thanks for a quick reply….

    My squid version is squid-2.6.STABLE-5.el5 and Squid configuration is this

    http_port 192.168.1.10:8080 transparent

    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl lan src 192.168.1.0/24

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    http_access allow localhost
    http_access allow lan
    http_access deny all

    ***************************
    Thanks & Regards
    Yogesh

  • Anonymous

    Hi Yogesh,
    Your squid server ip is 203.153.41.76
    but in your squid conf you made: http_port 192.168.1.10:8080 transparent
    Please change it to:
    http_port 8080 transparent
    and change in your ipables script:
    SQUID_SERVER="192.168.1.10"

    Please let me know if it is works.

  • Yogesh

    Dear Ivan,

    203.153.41.76 is the connected to Internet, and 192.168.1.10 is the local network IP.

    Please forgive if i am wrong anywhere……

  • http://www.ivankristianto.com Ivan

    Yes Yogesh,
    you should bypass all LAN connections to the squid port before connecting to the internet.

  • Yogesh

    Thanks IVAN,

    I got my problem solved…..

    Thanks Again

  • http://www.ivankristianto.com Ivan

    You are welcome Yogesh.
    Glad to hear that :)
    Good luck.

  • long

    Hi Ivan,

    thanks for the helpful article.

    I have applied all the setup for the transparent proxy, but suddenly my access.log is empty. I cannot tell whether my client browser is using the proxy or not. Hope you can help me.
    One more thing: I saved the iptables.sh in the same folder as squid.conf. Is that OK?

    thanks

  • http://www.ivankristianto.com Ivan

    Hi long, yes you can save iptables.sh anywhere as long as you have execute permission.
    Please check your network config, squid config and iptables config carefully.
    And check if squid is running.
    Thanks

  • long

    thanks for the fast response.

    I'm able to get back my access.log with the related info.
    I want to ask you about iptables. I need to flush my iptables before my browser can surf the internet. Why? If I don't, I cannot surf the internet.

    thanks

  • http://www.ivankristianto.com Ivan

    @long:
    You need to run the iptables.sh on boot,
    so it will automatically load during the boot process.

  • long

    Ivan,

    how can I make it run on boot?
    Sorry, I'm a newbie to unix.

    thanks

  • long

    thanks ivan for your helpful article.

  • long

    Hi Ivan,

    I have a new problem now.. suddenly I cannot stop my squid.
    If I enter 'service squid restart' it will pop up
    stopping squid:…………………………………..
    starting squid: [failed]

  • http://www.ivankristianto.com Ivan

    Please post your squid.log here.
    I will try to help you.

  • long

    Hi Ivan,

    Sorry for the late reply. I was able to solve my previous issue. Right now I face a new problem:
    suddenly my setup for the transparent proxy is not working. access.log is not populated any more. Prior to this, I had configured my squid as a transparent proxy with url_rewrite_program for URL redirection. My browser is supposed to work in transparent mode and do a URL redirection based on certain conditions I created. Please advise me on how to fix this. Thanks

    my squid server is '202.45.139.161'
    interface to internet is 'eth0'
    interface to lan is '202.45.139.163'

    my squid.conf setup is:

    acl lan src 202.45.139.163/255.255.255.255

    below is my setup for iptables:

    SQUID_SERVER="202.45.139.161"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="202.45.139.163"
    # Squid port
    SQUID_PORT="3128"

    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
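In the script above, LAN_IN holds an IP address while every rule that uses it (`--in-interface $LAN_IN`, `-i $LAN_IN`) expects an interface name such as eth1, so those rules match nothing. As an added example, not code from the article, its author or the commenters, here is a pre-flight check that validates the four variables at the top of iptables.sh before any rule is applied. The function names are hypothetical, and SYSNET is an assumed override of the kernel's interface directory so the interface check can be exercised against a fake directory.

```shell
#!/bin/sh
# Added example (not code from the article or from the thread): validate the four
# variables at the top of iptables.sh before any rule is applied. Function names
# (is_ipv4, is_port, iface_exists, preflight) are hypothetical. SYSNET can be
# pointed at a fake directory for testing; it defaults to the kernel's list.

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# True if $1 is a TCP port number in 1-65535.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if $1 names an existing interface (eth0, eth1, ...). iptables -i and
# --in-interface take a name, so an IP address here matches no packets at all.
iface_exists() {
    [ -d "${SYSNET:-/sys/class/net}/$1" ]
}

# Check SQUID_SERVER, INTERNET, LAN_IN and SQUID_PORT, in that order. Every
# problem is reported; the return value is non-zero if there was any.
preflight() {
    rc=0
    is_ipv4 "$1"      || { echo "SQUID_SERVER=$1 is not an IPv4 address" >&2; rc=1; }
    iface_exists "$2" || { echo "INTERNET=$2 is not an interface name" >&2; rc=1; }
    iface_exists "$3" || { echo "LAN_IN=$3 is not an interface name" >&2; rc=1; }
    is_port "$4"      || { echo "SQUID_PORT=$4 is not a valid port" >&2; rc=1; }
    return $rc
}

# Demo with the values from the post above (constructed example). LAN_IN holds
# an address instead of an interface name, which is the mistake these checks
# catch; on a box without eth0 the INTERNET check fails as well.
if preflight "202.45.139.161" "eth0" "202.45.139.163" "3128"; then
    echo "preflight ok, safe to apply the rules"
else
    echo "fix the variables above before running the iptables rules" >&2
fi
```

Run it with the same four values you put at the top of iptables.sh and apply the rules only once it passes; the rule section of the script is deliberately not reproduced here, so nothing in this check touches the firewall.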

  • long

    Hi Ivan, to add to the post above.

    Before this problem happened, I could surf in transparent mode with Mozilla Firefox and Google Chrome but not with Internet Explorer. The only way is I need to set IE to use the proxy; then it will populate the access.log.. Why does this happen? Thanks

  • http://www.ivankristianto.com Ivan Kristianto

    Hi long,
    Have you checked the iptables rules?

  • long

    Hi Ivan,

    I have checked the iptables rules. I am using eth0 instead of etho in the iptables.. It seems right now my setting for the transparent proxy is not working. What other things do I need to check?

    thanks

  • long

    hi,

    after I execute iptables, below is the result when I type iptables -L:

    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning
    DROP all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    is this the problem?

    thanks

  • http://www.ivankristianto.com Ivan Kristianto

    Hi long,
    please describe your network topology.
    Where are your client, router and modem? How does the client connect to the internet?
    And have you installed a DHCP and Bind server?
    Add me on gmail chat if you want, and we can talk freely.

  • long

    Hi Ivan,
    my client is connected to a switch and goes to the server (squid).
    My server (squid) is also connected to the same switch,
    from the switch to a gateway and on to the internet.
    I also have another local server that will be used for url_rewrite_program.
    This local server has the same connection to the switch.
    My server (squid) is running on centos.
    I think my centos is already equipped with DHCP and Bind. I will check further
    tomorrow.

    Tomorrow I will add you on gmail chat and we can talk more about this setup.

    thanks,
    long

  • Haiarun143

    If I have only one NIC (eth0) card, is it possible to make a transparent proxy server? If so, what changes should be made in this? Can you pls help me to configure it?

  • http://www.ivankristianto.com Ivan Kristianto

    Haven't tried it yet. But you can set port forwarding from port 80 to the squid port.

  • long

    Hi Ivan,

    I have changed my network topology and my transparent proxy mode works.
    I realized my mistakes when I read your article several times. I followed all the steps and finally I am able to surf with the transparent proxy. Thanks a lot for your guide.

    long

  • http://www.ivankristianto.com Ivan Kristianto

    It's nice to know that you finally got it working.
    I'm happy for you.
    Btw, can you tell us where you went wrong? So if someday another reader comes and reads this article, they can learn from you.

  • long

    Thanks. My mistakes came from the setup of my system. Before this, I was not using eth1 as the interface to the client. The client was separate from the squid server. I fixed this problem by connecting the client directly to the server's eth1. I restarted squid and ran the iptables and it works.

  • Yogesh2tech

    Hello Ivan,
    Hope you are doing well.

    I am using squid Version 2.6.STABLE6 in transparent mode. My users use the squid server IP 192.168.1.1 as their gateway to access the internet. I have made various acl's and they are working well.
    But now I want to disable gmail chat with the gtalk messenger. Although I have set up squid to block gmail chat in the browser and it is working, when a user types https://gmail.com/ then it is not effective. And users are also using gtalk. Pls help me to disable gmail chat and gtalk.

    Regards
    Yogesh2tech@gmail.com

  • http://www.ivankristianto.com Ivan Kristianto

    Hi Yogesh, I suggest you block the gtalk ports instead of blocking the domain.
    To block Gtalk, you can set the restriction to these addresses:
    Block access to 216.239.37.125, 72.14.253.125, 72.14.217.189 and 209.85.137.125 on ports 20, 21, 80, 443, 5222 and 5223.
    Good luck!

  • Yogesh2tech

    Hi Ivan,

    Can you tell me what I need to do to achieve this?

    Pls keep in mind that we are also running our own mail server with an instant messaging feature running on the same port 5222

    Regards
    Yogesh

  • Live

    Hello Ivan, nice article. Is there any way you can teach me how to block torrent connections via Squid or Iptables? I'm using Ubuntu. Thanks. :)

  • Yogesh2tech

    Hi Ivan,

    Pls suggest to me how to block these IPs for these particular ports, because I have already tried a lot but am still not able to block gtalk.

    Pls help me!

    Thanks
    Yogesh

  • http://www.ivankristianto.com Ivan Kristianto

    Blocking torrent connections may be a little tricky since they change over time.
    My suggestion is: block all the ports, except some important ports.

  • Qobcc

    Ok, noob here, I can't get the script to execute. How do I run it?

  • Qobcc

    Forgot to mention I get: bash: /etc/setup.iptables: /bin/sh^M: bad interpreter : No such file or directory

  • http://www.ivankristianto.com Ivan Kristianto

    Did you run it with root permission or with sudo?

  • Qobcc

    Hi, thank you for replying, you are a star in the dark expansive world of Linux. Yes I did use sudo (and sudo su) in the terminal and tried running it through webmin also; I get the same error. I am using Ubuntu 10.04 LTS. Double checked your response to make sure, still get the same error: bad interpreter: no such file or directory.
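The `/bin/sh^M: bad interpreter` error quoted above is what a script saved with Windows CRLF line endings produces: the carriage return at the end of the first line becomes part of the interpreter path the kernel tries to execute. A script copied from a rendered web page tends to pick up two related kinds of damage as well, HTML entities (`&gt;` in place of `>`, which is consistent with the `gt: command not found` reported later in this thread) and typographic quotes or en dashes in place of `"` and `--`. As an added example, not code from the article or from anyone in the thread, here is a checker for all three together with the line-ending repair; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the article or from the thread): check a script
# copied from a web page for the three kinds of damage that produce the errors
# seen in this thread, and repair the line endings. Function names
# (has_crlf, has_html_entities, has_non_ascii, check_script, strip_crlf) are
# hypothetical.

# CRLF line endings: the kernel reads the shebang line up to "\n", so the
# interpreter it looks for is "/bin/sh\r", printed as /bin/sh^M in the error.
has_crlf() {
    [ $(( $(tr -dc '\r' < "$1" | wc -c) )) -gt 0 ]
}

# HTML entities that survived a copy from a rendered page. In a shell script
# "echo 1 &gt; file" backgrounds "echo 1" and then tries to run a command
# named "gt".
has_html_entities() {
    grep -Eq '&(gt|lt|amp|quot|#[0-9]+);' "$1"
}

# Bytes outside printable ASCII: typographic quotes and en dashes (a single
# dash character where "--" was meant) substituted by a blog's text rendering.
has_non_ascii() {
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# Run all three checks on $1; report each finding and return non-zero if any.
check_script() {
    rc=0
    has_crlf "$1"          && { echo "$1: CRLF line endings (bad interpreter: /bin/sh^M)" >&2; rc=1; }
    has_html_entities "$1" && { echo "$1: HTML entities such as &gt; present" >&2; rc=1; }
    has_non_ascii "$1"     && { echo "$1: non-ASCII bytes (curly quotes or en dashes)" >&2; rc=1; }
    return $rc
}

# Remove carriage returns in place, keeping the original as $1.bak.
strip_crlf() {
    cp -p "$1" "$1.bak"
    tr -d '\r' < "$1.bak" > "$1"
}

# Demo on a constructed CRLF script (not a real file from the thread).
demo=$(mktemp)
printf '#!/bin/sh\r\necho "rules applied"\r\n' > "$demo"
check_script "$demo" || strip_crlf "$demo"
check_script "$demo" && echo "repaired: $(sh "$demo")"
rm -f "$demo" "$demo.bak"
```

Where `dos2unix` is installed it does the same repair as `strip_crlf`; entities and typographic characters still have to be fixed by hand, which is why the checker only reports them.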

  • http://www.ivankristianto.com Ivan Kristianto

    Please try to run iptables -L or iptables -h.
    Does it show output or an error message?

  • Qobcc

    Hi, doing it manually, I get a problem on the echo line… [1] 2745 1 gt: command not found [1]+ done echo1 bash /proc/sys/net/ipv4/ip_foward: Permission denied (Did sudo)

  • Qobcc

    I did google and tried this: gksudo gedit /etc/sysctl.conf
    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.conf.default.forwarding=1

    but the line in my file looks different:
    net.ipv4.ip_foward=1

    will it be OK to do it this way?

  • http://www.ivankristianto.com Ivan Kristianto

    Yes, IP forwarding should be on. But in your case it should be on by default.

  • Qobcc

    I'm really making an effort on this side for this to work, so sorry for bugging you. What I find now is that squid 'works'. When I type an IP in the browser on my workstations (say for google) it opens the web page. But if I use http://www.xxxxx.com it doesn't. If I do it with the IP it shows up in my squid tail log; if I type the web address it doesn't work and nothing happens in the log on my server. What am I missing?

  • http://www.ivankristianto.com Ivan Kristianto

    Have you installed Bind9 as your DNS server?
    Install Bind9 and forward all requests to the DNS server that you got from your provider.

  • Qobcc

    You are a genius! Bind9 did the trick. It is not packaged with Ubuntu 10 LTS desktop. Thank you!!

  • http://www.ivankristianto.com Ivan Kristianto

    Glad to know that i can help you.
    Thanks :)
