- 05-08-2008 #1Just Joined!
- Join Date
- Mar 2008
- Posts
- 61
Transparent Squid
I have CentOS 5 and I'm using Squid 2.6. I want to make it a transparent proxy. What should I do so that I don't have to configure proxy settings in the browsers on all network PCs?
I have defined one option (http_port 8080 transparent). Is this setting enough, or do I have to configure more options to make Squid transparent?
- 05-08-2008 #2
You need to redirect all traffic from the HTTP port to the Squid box.
Add this to your firewall table:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
where eth1 is your internal LAN.
Let us know what you are doing.
- 05-10-2008 #3Just Joined!
- Join Date
- Mar 2008
- Posts
- 61
Is it necessary to use iptables if I want to make Squid transparent? Because at this time I don't have iptables installed.
- 05-10-2008 #4
It's necessary because your traffic may bypass your proxy server. It's the most secure way.
But if you think it's too much bother, you can ignore iptables.
- 05-13-2008 #5Just Joined!
- Join Date
- Mar 2008
- Posts
- 61
I put your script in /etc/rc.local:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
But I also have a problem:
My users are using windows2000server as a DNS server.
I made an ACL and allowed all users and the windows2000server machine, and set windows2000server as the DNS server on the users' machines.
When I try to resolve a DNS name from windows2000server, it is unable to resolve any name.
/var/log/squid/access.log
1210706763.212 1 192.168.0.246 TCP_DENIED/403 1378 GET Live Search - NONE/- text/html
1210706763.240 27 192.168.0.246 TCP_DENIED/403 1428 GET http://us.yimg.com/i/tb/icons//#PERSONAL_ICON - NONE/- text/html
1210706763.629 0 192.168.0.246 TCP_DENIED/403 1414 GET http://85.255.118.26/ppc/config.phpchk - NONE/- text/html
1210706763.938 0 192.168.0.246 TCP_DENIED/403 1436 GET http://us.update.toolbar.yahoo.com/slv/v4/2.html? - NONE/- text/html
1210706763.987 9 192.168.0.246 TCP_DENIED/403 1404 GET http://www.google.com/bookmarks/? - NONE/- text/html
1210706764.366 0 192.168.0.246 TCP_DENIED/403 1414 GET http://85.255.118.27/ppc/config.phpchk - NONE/- text/html
1210706764.419 1 192.168.0.246 TCP_DENIED/403 1394 GET http://mail.google.com/mail? - NONE/- text/html
1210706764.679 0 192.168.0.246 TCP_DENIED/403 1410 GET http://irprops.com/ppc/config.phpchk - NONE/- text/html
1210706765.158 0 192.168.0.246 TCP_DENIED/403 1408 GET http://ipxwan.com/ppc/config.phpchk - NONE/- text/html
1210706951.634 1956 192.168.0.246 TCP_MISS/200 20062 GET Live Search - DIRECT/88.221.26.41 text/html
1210707678.270 1367 192.168.0.246 TCP_MISS/200 20062 GET Live Search - DIRECT/88.221.26.41 text/html
1210707761.277 682 192.168.0.246 TCP_MISS/302 563 GET Google - DIRECT/66.102.9.147 text/html
1210707762.401 1123 192.168.0.246 TCP_MISS/200 6740 GET Google - DIRECT/66.102.9.104 text/html
1210707763.453 1059 192.168.0.246 TCP_MISS/200 7919 GET http://www.google.com.pk/intl/en_com...logo_plain.png - DIRECT/66.102.9.147 image/png
1210707764.045 593 192.168.0.246 TCP_MISS/200 6673 GET http://www.google.com.pk/images/nav_logo3.png - DIRECT/66.102.9.147 image/png
- 05-13-2008 #6
I added a firewall script for you.
First download it.
Replace the .txt extension with .sh in the file name.
Open it and change 4 lines.
You need to alter only lines 96, 97 and 149, 150 as per your requirements.
This script allows all your HTTP traffic to your Squid box and lets it go out.
It also makes your Linux PC an Internet gateway.
No more access.
If it works for you...
later you can make more changes to it.
Note: you can execute this script manually.
Better is to have it executed at boot time.
Don't try to understand everything now, just believe it.
Let me know if anything is missing... any error in the Squid error log / syslog / ???
- 05-13-2008 #7
Oops!
I didn't follow your squid.log.
Make sure your ACL in squid.conf is correct.
- 05-13-2008 #8Just Joined!
- Join Date
- Mar 2008
- Posts
- 61
What do you mean that my ACL in squid.conf is correct???
I just made a simple ACL and allowed some PCs, that's it... They are browsing the Internet perfectly, but via the browser proxy... and I want to give browsing with browser proxy...
I just made a fresh proxy and edited the squid.conf file:
http_port 8080 transparent
acl allowed src 192.168.0.123
acl allowed src 192.168.0.141
acl allowed src 192.168.0.158
acl allowed src 192.168.0.157
acl allowed src 192.168.0.202
acl allowed src 192.168.0.110
acl allowed src 192.168.0.245
acl allowed src 192.168.0.246
acl allowed src 192.168.0.252
acl allowed src 192.168.0.250
acl allowed src 192.168.0.254
http_access allow allowed
visible_hostname proxy
/etc/rc.local
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
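Added example, not part of any post in this thread: a small consistency check for the setup discussed above. It compares the `--to-port` of the REDIRECT rule with the `transparent` http_port in squid.conf, and lists clients with TCP_DENIED entries together with whether the named ACL covers them. The sample inputs are constructed (example.test and 192.0.2.10 are placeholders), the function names are hypothetical, and `acl ... src` values are assumed to be plain addresses or CIDR networks.

```python
import ipaddress

# Constructed inputs modelled on the thread; the 3128/8080 mismatch is deliberate.
SQUID_CONF = """http_port 8080 transparent
acl allowed src 192.168.0.245
acl allowed src 192.168.0.246
http_access allow allowed
"""
RC_LOCAL = ("iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 "
            "-j REDIRECT --to-port 3128\n")
ACCESS_LOG = """1210706763.240 27 192.168.0.246 TCP_DENIED/403 1428 GET http://example.test/a - NONE/- text/html
1210706951.634 1956 192.168.0.246 TCP_MISS/200 20062 GET http://example.test/b - DIRECT/192.0.2.10 text/html
1210706999.100 3 192.168.0.99 TCP_DENIED/403 1400 GET http://example.test/c - NONE/- text/html
"""

def fields(text):
    """Yield the whitespace-split fields of each line, '#' comments removed."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts

def intercept_ports(conf):
    """Ports of http_port lines that carry the Squid 2.6 'transparent' flag."""
    return {int(f[1].rsplit(":", 1)[-1]) for f in fields(conf)
            if f[0] == "http_port" and "transparent" in f[2:]}

def redirect_ports(script):
    """Target ports of REDIRECT rules that match TCP destination port 80."""
    ports = set()
    for f in fields(script):
        if "REDIRECT" in f and "--dport" in f and f[f.index("--dport") + 1] == "80":
            for opt in ("--to-port", "--to-ports"):
                if opt in f:
                    ports.add(int(f[f.index(opt) + 1]))
    return ports

def acl_networks(conf, name):
    """Networks listed in 'acl <name> src ...' lines."""
    return [ipaddress.ip_network(a, strict=False) for f in fields(conf)
            if f[:3] == ["acl", name, "src"] for a in f[3:]]

def denied_clients(log, nets):
    """Map client IP -> (TCP_DENIED count, client is covered by the ACL)."""
    out = {}
    for f in fields(log):
        if len(f) > 3 and f[3].startswith("TCP_DENIED/"):
            count = out.get(f[2], (0, False))[0] + 1
            out[f[2]] = (count, any(ipaddress.ip_address(f[2]) in n for n in nets))
    return out

def check(conf, script, log, acl="allowed"):
    """Redirect targets with no transparent listener, plus denied clients."""
    return {"unmatched_redirects": sorted(redirect_ports(script) - intercept_ports(conf)),
            "denied": denied_clients(log, acl_networks(conf, acl))}
```

An empty `unmatched_redirects` list means every redirected port has a transparent listener. A denied client marked `True` is listed in the ACL, so the place to look is the order of the `http_access` rules or whether Squid had loaded the current squid.conf when those requests arrived.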
- 05-15-2008 #9Just Joined!
- Join Date
- Mar 2008
- Posts
- 61
Hey!!! Is anybody there to help me out?

I also set echo 1 > /proc/sys/net/ipv4/ip_forward and added it to a boot script (/etc/rc.local), but I'm still not achieving the target.
I am also sending a log; maybe it will be helpful.
/var/log/messages
May 15 12:37:52 proxy last message repeated 3 times
May 15 12:38:57 proxy avahi-daemon[2259]: New relevant interface eth1.IPv6 for mDNS.
May 15 12:38:57 proxy avahi-daemon[2259]: Joining mDNS multicast group on interface eth1.IPv6 with address fe80::200:24ff:fec9:bd85.
May 15 12:38:57 proxy avahi-daemon[2259]: Registering new address record for fe80::200:24ff:fec9:bd85 on eth1.
May 15 12:38:59 proxy kernel: eth1: Setting full-duplex based on MII#1 link partner capability of 45e1.
May 15 12:39:16 proxy gconfd (root-2662): starting (version 2.14.0), pid 2662 user 'root'
May 15 12:39:16 proxy gconfd (root-2662): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
May 15 12:39:16 proxy gconfd (root-2662): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
May 15 12:39:16 proxy gconfd (root-2662): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
May 15 12:39:20 proxy hcid[1936]: Default passkey agent (:1.6, /org/bluez/applet) registered
May 15 12:39:20 proxy pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
May 15 12:39:20 proxy last message repeated 4 times
May 15 12:39:24 proxy gconfd (root-2662): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
May 15 12:39:42 proxy avahi-daemon[2259]: New relevant interface eth1.IPv4 for mDNS.
May 15 12:39:42 proxy avahi-daemon[2259]: Joining mDNS multicast group on interface eth1.IPv4 with address 192.168.0.252.
May 15 12:39:42 proxy avahi-daemon[2259]: Registering new address record for 192.168.0.252 on eth1.
May 15 12:39:46 proxy system-config-network[2779]: -+ //etc/modprobe.conf eth0 alias 3c59x
May 15 12:39:46 proxy system-config-network[2779]: -+ //etc/modprobe.conf eth1 alias tulip
May 15 12:39:46 proxy system-config-network[2779]: chmod 0644 //etc/sysconfig/networking/devices/ifcfg-eth0
May 15 12:39:46 proxy system-config-network[2779]: chmod 0644 //etc/sysconfig/networking/devices/ifcfg-eth1


