- 01-03-2011 #1 (Just Joined! | Join Date: Sep 2010 | Posts: 15)
[SOLVED] SQUID transparent proxy
I'm using SQUID 3.0.STABLE25 and trying to set up a transparent proxy.
If I set the XP machine to use the proxy ( 192.168.12.2:3128 ) everything works but I can't get it to work as a transparent proxy!
Inside the squid.config file the only thing I have changed is "http_port 3128" to "http_port 3128 transparent" and I run the script listed below after every boot.
Any ideas on what I’m doing wrong?
===Linux Box
IP: 192.168.12.2
Subnet: 255.255.255.0
===XP
IP: 192.168.12.3
Subnet: 255.255.255.0
Default Gateway: 192.168.12.2
---Linux Script
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
service squid restart
---squid.config
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/cache/squid
- 01-05-2011 #2 (Just Joined! | Join Date: Dec 2007 | Posts: 16)
Well, for starters maybe pick just one "acl localnet src"?
I imagine you want the last one, so you can comment out the other two.
Other than that I don't see anything obvious. If you're still having problems and there's no more advice here, you could always post to the squid mailing list.
- 01-05-2011 #3 (Just Joined! | Join Date: Sep 2010 | Posts: 15)
- 01-06-2011 #4 (Just Joined! | Join Date: Dec 2007 | Posts: 16)
a working squid.conf:
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.42.43.0/255.255.255.0 # RFC1918 possible internal network
acl aptget browser -i apt-get apt-http apt-cacher apt-proxy apt-cacher-ng
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost PURGE
http_access deny PURGE all
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow localnet
http_reply_access allow localhost
http_reply_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
cache_peer localhost parent 3142 0 no-query proxy-only name=apt
cache_peer_access apt allow aptget
cache_peer_access apt deny all
hierarchy_stoplist cgi-bin ?
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 10000 16 256
maximum_object_size 32768 KB
access_log /var/log/squid3/access.log squid
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 3
url_rewrite_access deny aptget
url_rewrite_access allow all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
never_direct allow aptget
dns_nameservers 208.67.222.222 208.67.220.220 8.8.8.8
coredump_dir /var/spool/squid3
Its associated script: /etc/ppp/ip-up.d/restart-server-progs
Code:
#!/bin/bash
printing() {
    logger -t 'restart-server-progs' "$1"
}
# Run the commands in order of urgency
### Just incase ####
# Not really so important...
squid3 -k reconfigure
/etc/init.d/apt-cacher-ng restart
lan=`ifconfig -s | grep eth | awk '{print $1}'`
### IPTABLES ###
# Rebuilds IP tables...
s_port="3128"
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $s_port
printing "iptables has been rebuilt"
### ETH0 ###
# Restarts the eth0 connection, which allows it to share the new ppp0 connection over the eth0 connection
ifconfig $lan down
ifconfig $lan up
printing "ethernet connection has been restarted"
You should note a few things though:
1) I'm using ppp as my internet connection (mobile broadband)
2) I have 10.42.43.0 as my network, since that's the address space that Network Manager gives me
3) I reset the connection for the sake of Network Manager. Server interfaces probably don't need this
4) I have an apt-cacher-ng server installed also, that's what the "apt-get" lines are all about
5) I have squidguard installed.
- 01-07-2011 #5 (Just Joined! | Join Date: Sep 2010 | Posts: 15)
Thanks for the scripts.
I got your script and config working as a proxy but I couldn't get the transparent proxy running, same as mine. I've tried to get the transparent proxy running on Debian-505 and openSUSE-11.3 and no success.
What distro are you using?
- 01-07-2011 #6 (Just Joined! | Join Date: Dec 2007 | Posts: 16)
Ubuntu 10.04, and Linux Mint 9
- 01-08-2011 #7
When you say transparent are you referring to users having no idea it is there or something else?
If you are looking at a hidden proxy that all traffic should pass then you need to set up your firewall to redirect all traffic that is not from the proxy server's IP to the proxy.
Then anyone trying to go out to the web will automatically be redirected to the proxy without having to set up the proxy in their browser.
Or is there something else you are trying to accomplish?
- 01-08-2011 #8 (Just Joined! | Join Date: Dec 2007 | Posts: 16)
Maybe I should mention that since I use Network Manager, it does the routing of all computers to my router automatically. What do you use to set this up?
You'll have to do some kind of routing in order for the connection of your router to be shared with the other computers. (In Network Manager, that's what the connection is called: "Shared to other computers")
I think that might be what Lazydog is saying.
My diagram is this:
modem (ppp, usb) <-> Ubuntu (network manager, squid) <-> switch (eth) <-> other computers
Is linux your router? or do you have a Linksys router?
If you have Linksys, then you'll probably have to have some kind of iptables thing inside the router to direct http requests to linux (except for those that come FROM your squid cache ofc)
It seems easier to me to forget the router and just use an extra PCI ethernet cable in most cases.
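The redirect-everything-but-the-proxy idea from #7 and the routing/sharing point from #8, written out as an added example for the layout in the first post (Linux box is both the default gateway and the Squid host). This is not code from the thread; interface names (eth0 towards the XP client, ppp0 towards the internet), the 192.168.12.0/24 network and port 3128 are assumptions and can be overridden through the environment. The script prints the rule set by default and only applies it when called with `apply`, so it can be reviewed first.

```shell
#!/bin/bash
# Added example (not from the thread): NAT and filter rules for a Linux box that is
# both the LAN's default gateway and the transparent Squid proxy.
# Interface names, addresses and the port are assumptions; override via environment.
LAN_IF="${LAN_IF:-eth0}"              # interface the XP client is attached to
WAN_IF="${WAN_IF:-ppp0}"              # interface towards the internet
LAN_NET="${LAN_NET:-192.168.12.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit the rule set, one command per line, without touching the kernel.
transparent_proxy_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A INPUT -i lo -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# Apply the rules; requires root. Every command is checked so a typo does not
# silently leave a half-built table behind.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    transparent_proxy_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     transparent_proxy_rules ;;
esac
```

Two things the original one-line iptables script does not cover: the REDIRECT only captures TCP port 80, so the MASQUERADE rule is what lets everything else from the client (DNS on port 53, HTTPS) leave through the WAN interface at all; and the last three INPUT rules keep port 3128 reachable from the LAN and loopback only, so the box is not an open proxy on its internet-facing interface. Squid's own outbound requests originate on the box and go through the OUTPUT chain, not PREROUTING, so they are never looped back into the proxy; the "not from the proxy server's IP" exclusion from #7 only becomes necessary when the redirect lives on a separate router.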
- 01-08-2011 #9 (Just Joined! | Join Date: Sep 2010 | Posts: 15)
IT WORKS!
I set the IP address of Google in the Windows XP hosts file and now I can navigate Google, when I try to go to any other site I get the default Firefox "Server not found" page.
I think squid only runs if the browser tries to connect to an IP address so a simple DNS name server should fix my problem. I was connecting through a pppoe connection so I don't have a local DNS running.
Also Mint Linux looks like a good distro
thank you all very much for the help and ideas!
Last edited by Dragon7; 01-08-2011 at 12:50 PM. Reason: Solution found
- 01-09-2011 #10
You are always going to need a DNS server to surf the internet unless you know the IP address you want to go to. But the question now is how do you know that squid is working and your Windows machine isn't connecting directly to Google, bypassing squid? As you said you needed to put the IP address of Google into the hosts file. This sounds like the XP machine is bypassing squid.
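The check the last reply asks for, as an added example that is not part of the thread: the only trustworthy evidence that a client's web traffic traverses Squid is the proxy's own access.log (and, on the box itself, a rising packet counter on the REDIRECT rule). The script counts and summarises access.log entries for one client address. The log path, the client address and the four constructed sample log lines are assumptions; on the proxy, point `ACCESS_LOG` at the real file and drop the sample.

```shell
#!/bin/bash
# Added example (not from the thread): verify that a LAN client's HTTP requests are
# really being handled by Squid by reading the proxy's access.log, with an optional
# look at the nat PREROUTING REDIRECT counter. Paths and addresses are assumptions.

ACCESS_LOG="${ACCESS_LOG:-/var/log/squid/access.log}"
CLIENT_IP="${CLIENT_IP:-192.168.12.3}"

# Count access.log lines (Squid native format: "time elapsed client status/code
# size method URL ...") whose third field is the given client address.
requests_from_client() {
    awk -v ip="$2" '$3 == ip { n++ } END { print n + 0 }' "$1"
}

# One line per request from the client: "status/code URL".
client_summary() {
    awk -v ip="$2" '$3 == ip { print $4, $7 }' "$1"
}

# Exit status 0 when at least one request from the client was proxied.
client_is_proxied() {
    [ "$(requests_from_client "$1" "$2")" -gt 0 ]
}

# Packet counter of the port-80 REDIRECT rule in nat PREROUTING, or "unavailable"
# when iptables cannot be queried (not root, or iptables not installed).
redirect_packets() {
    iptables -t nat -L PREROUTING -v -n -x 2>/dev/null \
        | awk '/REDIRECT/ && /dpt:80/ { print $1; found = 1 } END { if (!found) print "unavailable" }'
}

# Constructed sample log so the script runs offline; replace with "$ACCESS_LOG" on the proxy.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
1294480000.101    312 192.168.12.3 TCP_MISS/200 6123 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html
1294480001.417     14 192.168.12.3 TCP_HIT/200 1034 GET http://www.google.com/favicon.ico - NONE/- image/x-icon
1294480002.009    201 192.168.12.2 TCP_MISS/200 4210 GET http://security.debian.org/ - DIRECT/128.31.0.36 text/html
1294480003.550    288 192.168.12.3 TCP_MISS/404 512 GET http://www.example.com/missing - DIRECT/93.184.216.34 text/html
EOF

if client_is_proxied "$SAMPLE_LOG" "$CLIENT_IP"; then
    echo "$CLIENT_IP: $(requests_from_client "$SAMPLE_LOG" "$CLIENT_IP") request(s) seen in the proxy log"
    client_summary "$SAMPLE_LOG" "$CLIENT_IP"
else
    echo "$CLIENT_IP: no requests logged; the client is bypassing Squid or the REDIRECT rule is not matching"
fi
echo "REDIRECT rule packets: $(redirect_packets)"
```

Reading the log rather than trusting the browser is the point: a page that loads proves nothing about the path it took, while a client that never appears in access.log while it is browsing is, by definition, not going through the proxy.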