  1. #1
    Just Joined!
    Join Date
    Sep 2010
    Posts
    15

    [SOLVED] SQUID transparent proxy


    I'm using SQUID 3.0.STABLE25 and trying to set up a transparent proxy.

    If I set the XP machine to use the proxy ( 192.168.12.2:3128 ) everything works but I can't get it to work as a transparent proxy!

    Inside the squid.config file the only thing I have changed is "http_port 3128" to "http_port 3128 transparent" and I run the script listed below after every boot.

    Any ideas on what I'm doing wrong?

    ===Linux Box
    IP: 192.168.12.2
    Subnet: 255.255.255.0

    ===XP
    IP: 192.168.12.3
    Subnet: 255.255.255.0
    Default Gateway: 192.168.12.2

    ---Linux Script
    #!/bin/bash
    # Let the kernel forward packets between interfaces (the XP box uses this host as its gateway)
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # Send web traffic arriving on eth0 to Squid's intercept port
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    service squid restart

    ---squid.config

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    htcp_access allow localnet
    htcp_access deny all
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    icp_port 3130
    coredump_dir /var/cache/squid

  2. #2
    Just Joined!
    Join Date
    Dec 2007
    Posts
    16
    Well, for starters maybe pick just one "acl localnet src"?
    I imagine you want the last one, so you can comment out the other two.

    Other than that I don't see anything obvious. If you're still having problems and there's no more advice here, you could always post to the squid mailing list.

  3. #3
    Just Joined!
    Join Date
    Sep 2010
    Posts
    15
    Quote Originally Posted by cong06:
    Well, for starters maybe pick just one "acl localnet src"?
    I imagine you want the last one, so you can comment out the other two.

    Other than that I don't see anything obvious. If you're still having problems and there's no more advice here, you could always post to the squid mailing list.
    Thanks but sadly that didn't work.
    Is there any chance you or anyone can post a working squid.config and iptables script that I can work from?

  5. #4
    Just Joined!
    Join Date
    Dec 2007
    Posts
    16
    A working squid.conf:
    Code:
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 10.42.43.0/255.255.255.0 # RFC1918 possible internal network
    acl aptget browser -i apt-get apt-http apt-cacher apt-proxy apt-cacher-ng
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    acl PURGE method PURGE
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost PURGE
    http_access deny PURGE all
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    http_reply_access allow localnet
    http_reply_access allow localhost
    http_reply_access deny all
    icp_access deny all
    htcp_access deny all
    http_port 3128 transparent
    cache_peer localhost parent 3142 0 no-query proxy-only name=apt
    cache_peer_access apt allow aptget
    cache_peer_access apt deny all
    hierarchy_stoplist cgi-bin ?
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/spool/squid3 10000 16 256
    maximum_object_size 32768 KB
    access_log /var/log/squid3/access.log squid
    url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
    url_rewrite_children 3
    url_rewrite_access deny aptget
    url_rewrite_access allow all
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern (cgi-bin|\?)    0       0%      0
    refresh_pattern .               0       20%     4320
    icp_port 3130
    never_direct allow aptget
    dns_nameservers 208.67.222.222 208.67.220.220 8.8.8.8
    coredump_dir /var/spool/squid3
    Its associated script:
    /etc/ppp/ip-up.d/restart-server-progs
    Code:
    #!/bin/bash
    
    printing() {
       logger -t 'restart-server-progs' "$1"
    }
    
    
    # Run the commands in order of urgency
    ### Just in case ####
    # Not really so important...
    squid3 -k reconfigure
    /etc/init.d/apt-cacher-ng restart
    
    lan=`ifconfig -s | grep eth | awk '{print $1}'`
    
    ### IPTABLES ###
    # Rebuilds IP tables...
    s_port="3128"
    iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $s_port
    printing "iptables has been rebuilt"
    
    
    ### ETH0 ###
    # Restarts the eth0 connection, which allows it to share the new ppp0 connection over the eth0 connection
    ifconfig $lan down
    ifconfig $lan up
    printing "ethernet connection has been restarted"
    You should note a few things though:
    1) I'm using ppp as my internet connection (mobile broadband)
    2) I have 10.42.43.0 as my network, since that's the address space that Network Manager gives me
    3) I reset the connection for the sake of Network Manager. Server interfaces probably don't need this
    4) I have an apt-cacher-ng server installed also, that's what the "apt-get" lines are all about
    5) I have squidguard installed.

  6. #5
    Just Joined!
    Join Date
    Sep 2010
    Posts
    15
    Thanks for the scripts.

    I got your script and config working as a proxy but I couldn't get the transparent
    proxy running, same as mine. I've tried to get the transparent proxy running on
    Debian-505 and openSUSE-11.3 and no success.

    What distro are you using?

  7. #6
    Just Joined!
    Join Date
    Dec 2007
    Posts
    16
    Ubuntu 10.04, and Linux Mint 9

  8. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    When you say transparent, are you referring to users having no idea it is there, or something else?

    If you are looking at a hidden proxy that all traffic should pass through, then you need to set up your firewall to redirect all traffic that is not from the proxy server's IP to the proxy.

    Then anyone trying to go out to the web will automatically be redirected to the proxy without having to set up the proxy in their browser.

    Or is there something else you are trying to accomplish?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  9. #8
    Just Joined!
    Join Date
    Dec 2007
    Posts
    16
    Quote Originally Posted by Dragon7:
    Thanks for the scripts.

    I got your script and config working as a proxy but I couldn't get the transparent
    proxy running, same as mine. I've tried to get the transparent proxy running on
    Debian-505 and openSUSE-11.3 and no success.

    What distro are you using?
    Maybe I should mention that since I use Network Manager, it does the routing of all computers to my router automatically. What do you use to set this up?
    You'll have to do some kind of routing in order for the connection of your router to be shared with the other computers. (In Network Manager, that's what the connection is called: "Shared to other computers")

    I think that might be what Lazydog is saying.

    My diagram is this:

    modem (ppp, usb) <-> Ubuntu (network manager, squid) <-> switch (eth) <-> other computers

    Is linux your router? or do you have a Linksys router?
    If you have Linksys, then you'll probably have to have some kind of iptables thing inside the router to direct http requests to linux (except for those that come FROM your squid cache ofc)

    It seems easier to me to forget the router and just use an extra PCI ethernet cable in most cases.
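    The setup the thread converges on (post #1's redirect, post #7's "not from the proxy server's IP", post #8's shared uplink), as an added example script rather than anything posted by the participants. It assumes the layout from post #1 (Linux box 192.168.12.2 on eth0, clients on the same LAN, a ppp0 uplink); those names and addresses are assumptions and can be overridden through the environment, and DRY_RUN=1 (the default) only prints the commands.

```bash
#!/bin/sh
# Added example, not a script from the thread.  Rebuilds the NAT rules for
# the layout in post #1 (Linux box 192.168.12.2 on eth0, uplink on ppp0);
# the interface names and addresses are assumptions, override them via
# the environment.  DRY_RUN=1 (the default) only prints the commands.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
PROXY_IP=${PROXY_IP:-192.168.12.2}
PROXY_PORT=${PROXY_PORT:-3128}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules() {
    # Flush first: both scripts in the thread use -A on every boot, which
    # stacks duplicate REDIRECT rules each time they run.
    run iptables -t nat -F
    # Intercept only port-80 traffic arriving from the LAN that is not the
    # proxy's own (post #7); DNS (53) and HTTPS (443) are routed, not proxied.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" ! -s "$PROXY_IP" \
        -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    # Share the uplink so the clients' non-intercepted traffic, including the
    # DNS lookups post #9 found missing, reaches the internet.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

setup_transparent_proxy() {
    forwarding
    nat_rules
}

setup_transparent_proxy
```

    Run it with DRY_RUN=0 as root once the printed rules look right for your interfaces.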

  10. #9
    Just Joined!
    Join Date
    Sep 2010
    Posts
    15
    IT WORKS!

    I set the IP address of Google in the Windows XP hosts file and now I can navigate Google; when I try to go to any other site I get the default Firefox "Server not found" page.

    I think squid only runs if the browser tries to connect to an IP address, so a simple DNS name server should fix my problem. I was connecting through a PPPoE connection so I don't have a local DNS running.

    Also Mint Linux looks like a good distro.

    Thank you all very much for the help and ideas!
    Last edited by Dragon7; 01-08-2011 at 01:50 PM. Reason: Solution found

  11. #10
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    You are always going to need a DNS server to surf the internet unless you know the IP address you want to go to. But the question now is how do you know that squid is working and your Windows machine isn't connecting directly to Google, bypassing squid? As you said, you needed to put the IP address of Google into the hosts file. This sounds like the XP machine is bypassing squid.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
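    Lazydog's question above ("how do you know squid is working and the XP machine isn't bypassing it?") can be answered from two pieces of evidence: the packet counter on the REDIRECT rule and the client's own entries in Squid's access.log. The script below is an added example, not something posted in the thread; its log lines and iptables counter output are constructed so it runs offline, and on the real box you would point it at /var/log/squid/access.log and the output of `iptables -t nat -L PREROUTING -v -n -x`.

```bash
#!/bin/sh
# Added example (not from the thread): decides whether a LAN client is
# really being proxied.  The sample access.log and NAT counter output below
# are constructed; replace them with the live files on the proxy host.
CLIENT=${CLIENT:-192.168.12.3}

# Squid's native "squid" log format: time elapsed client action/code size method URL ...
SAMPLE_LOG=$(mktemp)
SAMPLE_NAT=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_NAT"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
1294490000.123    245 192.168.12.3 TCP_MISS/200 5120 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html
1294490001.456     12 192.168.12.3 TCP_HIT/200 980 GET http://www.google.com/images/logo.png - NONE/- image/png
1294490002.789    301 127.0.0.1 TCP_MISS/200 2048 GET http://example.org/ - DIRECT/93.184.216.34 text/html
EOF

# Constructed output of: iptables -t nat -L PREROUTING -v -n -x
cat >"$SAMPLE_NAT" <<'EOF'
Chain PREROUTING (policy ACCEPT 60 packets, 3600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
EOF

# Number of access.log requests whose client column (field 3) equals $1.
proxied_requests() {
    awk -v ip="$1" '$3 == ip' "$2" | wc -l | tr -d ' '
}

# Packets matched by the REDIRECT rule; 0 means nothing is being intercepted.
redirect_hits() {
    awk '$3 == "REDIRECT" { print $1; exit }' "$1"
}

# Verdict: "proxied" only if the NAT rule is seeing packets AND squid has
# logged requests from that client; anything else means it is bypassing.
check_client() {
    hits=$(redirect_hits "$2")
    reqs=$(proxied_requests "$1" "$3")
    if [ "${hits:-0}" -gt 0 ] && [ "$reqs" -gt 0 ]; then echo proxied; else echo bypassing; fi
}

check_client "$CLIENT" "$SAMPLE_NAT" "$SAMPLE_LOG"
```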
