Transparent Proxy

Siraj Ahmed
Lance Naik
Posts: 25
Joined: Thu Dec 08, 2005 10:22 pm
Location: New Karachi

Transparent Proxy

Post by Siraj Ahmed »

Assalam o Alykum
machine = Fedora 6, Squid 2.6 STABLE4
internet line = DSL from PTCL through a LAN modem at 192.168.1.1

eth0 = ip = 192.168.1.3, connected to the PTCL modem
sm = 255.255.255.0
default gw = 192.168.1.1


eth1 = ip = 192.168.10.10, connected to the LAN users
sm = 255.255.255.0

On the client PCs, browsing works after entering the proxy IP in Internet Explorer,
and Yahoo and MSN Messenger also connect once the proxy IP is set.
I want browsing and messenger to work without entering the IP, i.e. a transparent proxy.
Please suggest a solution.

Siraj Ahmed 0300 - 9217465
ather_36
Naik
Posts: 97
Joined: Thu Jul 31, 2003 11:38 am
Location: karachi

Post by ather_36 »

You have to compile Squid from source. Download Squid from www.squid-cache.org and do the following:
1) Save the tarball in /tmp
2) Run tar -zxvf squid-2.5.STABLE14.tar.gz
3) cd squid-2.5.STABLE14
4) ./configure --enable-linux-netfilter
5) make all
6) make install
7) iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to 8080

Specify the incoming (LAN-side) interface after "-i". If your incoming interface is eth1, copy and paste the command as it is; if it is eth0, change it to eth0 after -i.
You also need to change the start and stop script, so here is the startup/stop script. Just copy the script from here, create a file on your Linux machine ("touch squid"), and copy it to /etc/rc.d/init.d. If it asks to overwrite/replace, press "y".



#!/bin/bash
# squid        This shell script takes care of starting and stopping
#              Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#              a way to store requested Internet objects (i.e., data available \
#              via the HTTP, FTP, and gopher protocols) on a system closer to the \
#              requesting site than to the source. Web browsers can then use the \
#              local Squid cache as a proxy HTTP server, reducing access time as \
#              well as bandwidth consumption.
# pidfile: /usr/local/squid/var/logs/squid.pid
# config: /usr/local/squid/etc/squid.conf
#
# Paths assume a source build with the default --prefix=/usr/local/squid;
# the Fedora package uses /etc/squid and /var/run instead.

PATH=/usr/local/squid/sbin:/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up (quoted so an unset variable does not break the test).
[ "${NETWORKING}" = "no" ] && exit 0

# check if the squid conf file is present
[ -f /usr/local/squid/etc/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

# determine the name of the squid binary
[ -f /usr/local/squid/sbin/squid ] && SQUID=/usr/local/squid/sbin/squid
[ -z "$SQUID" ] && exit 0

prog="$SQUID"

# pid file written by a default source build; start and stop must watch the same file
SQUID_PIDFILE=/usr/local/squid/var/logs/squid.pid

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' /usr/local/squid/etc/squid.conf | \
    grep cache_dir | awk '{ print $3 }'`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/usr/local/squid/var/cache

RETVAL=0

start() {
    # create the on-disk cache structure the first time each cache_dir is used
    for adir in $CACHE_SWAP; do
        if [ ! -d "$adir/00" ]; then
            echo -n "init_cache_dir $adir... "
            $SQUID -z -F -D >> /usr/local/squid/var/logs/squid.out 2>&1
        fi
    done
    echo -n $"Starting $prog: "
    $SQUID $SQUID_OPTS >> /usr/local/squid/var/logs/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        timeout=0
        # wait for the pid file to appear
        while : ; do
            [ ! -f "$SQUID_PIDFILE" ] || break
            if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
                RETVAL=1
                break
            fi
            sleep 1 && echo -n "."
            timeout=$((timeout+1))
        done
    fi
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/squid
    [ $RETVAL -eq 0 ] && echo_success
    [ $RETVAL -ne 0 ] && echo_failure
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    $SQUID -k check >> /usr/local/squid/var/logs/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ] ; then
        $SQUID -k shutdown &
        rm -f /var/lock/subsys/squid
        timeout=0
        # wait for squid to remove its pid file
        while : ; do
            [ -f "$SQUID_PIDFILE" ] || break
            if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        done
        echo_success
        echo
    else
        echo_failure
        echo
    fi
    return $RETVAL
}

reload() {
    $SQUID $SQUID_OPTS -k reconfigure
}

restart() {
    stop
    start
}

condrestart() {
    [ -e /var/lock/subsys/squid ] && restart || :
}

rhstatus() {
    status $SQUID && $SQUID -k check
}

probe() {
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    condrestart)
        condrestart
        ;;
    status)
        rhstatus
        ;;
    probe)
        exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac

exit $?


Also change the file's permissions with chmod 755 squid. If you face any problem regarding the file or anything else, just PM me.
Thanks & Regards
Athar Hussain
Siraj Ahmed
Lance Naik
Posts: 25
Joined: Thu Dec 08, 2005 10:22 pm
Location: New Karachi

Post by Siraj Ahmed »

Transparent proxy not working

DSL Modem (PTCL) 192.168.1.1 DHCP on
eth0 = from internet
ip from DHCP from PTCL modem ( 192.168.1.3 )

eth1= for LAN users
192.168.10.10
255.255.255.0

Squid Server ip 192.168.10.10:8080

DHCP on 192.168.11 to 192.168.70

Squid Basic Configuration

# Squid 2.6: "transparent" marks a port as receiving intercepted requests (no
# proxy settings on the client) whose URL must be rebuilt from the Host: header.
http_port 192.168.10.10:8080 transparent
http_port 80 vhost
http_port 127.0.0.1:8080 transparent
always_direct allow all

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl mynet src 192.168.10.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# http_access is first-match: the deny rules must come before "allow mynet",
# otherwise LAN clients are accepted before the port and CONNECT checks run.
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow mynet
# Everything else, including anything reaching the proxy from the modem side, is refused
http_access deny all

my iptables rules

#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-set ... howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------

# squid server IP
SQUID_SERVER="192.168.10.10"

# Interface connected to Internet
INTERNET="eth0"

# Interface connected to LAN
LAN_IN="eth1"

# Squid port
SQUID_PORT="8080"


# DO NOT MODIFY BELOW

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For win xp ftp client
#modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy (FORWARD keeps its default of ACCEPT)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this box opened itself (DNS answers, passive FTP data, ...)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system (this also redirects port 80 arriving from the Internet;
# those packets then hit INPUT on $SQUID_PORT and are dropped by the policy above)
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP



then

service iptables save
chkconfig iptables on
service squid restart
chkconfig squid on
ather_36
Naik
Posts: 97
Joined: Thu Jul 31, 2003 11:38 am
Location: karachi

Post by ather_36 »

Configure the following in /usr/local/squid/etc/squid.conf:
http_port 8080 (just do it)
For a transparent proxy, configure the following:
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

After that, run this iptables command:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to 8080

Also configure your local DNS server for your clients.
Thanks & Regards
Athar Hussain
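The httpd_accel_uses_host_header directive above (and the vhost option of the Squid 2.6 http_port line, which replaces it) exists because an intercepted request carries only a path, not a full URL: the proxy has to rebuild the origin from the Host: header, or, when an HTTP/1.0 client sends none, from the original destination address that a netfilter-enabled Squid reads back from the kernel (the reason for --enable-linux-netfilter earlier in the thread). The example below is added here and is not code from this thread or from Squid; it shows the two reconstruction paths and the check a shared cache needs before trusting Host:. The DNS_TABLE, the addresses and the sample requests are constructed for the example.

```python
import ipaddress

# Constructed name -> address table standing in for DNS in this example.
# Assumption: a real proxy would resolve these itself.
DNS_TABLE = {
    "www.example.com": {"93.184.216.34"},
    "intranet.local": {"192.168.10.10"},
}


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into its request line and lower-cased headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def reconstruct_url(req: dict, original_dst: tuple) -> tuple:
    """Return (absolute URL, how it was derived).

    original_dst is the (ip, port) the client really connected to, which is what
    a netfilter-enabled Squid reads back from the kernel after an iptables
    REDIRECT; it is all that is left when an HTTP/1.0 client sends no Host:.
    """
    target = req["target"]
    if target.startswith(("http://", "https://")):
        return target, "absolute-uri"          # ordinary forward-proxy request
    host = req["headers"].get("host")
    if host:                                   # what vhost / uses_host_header do
        return "http://%s%s" % (host, target), "host-header"
    ip, port = original_dst
    suffix = "" if port == 80 else ":%d" % port
    return "http://%s%s%s" % (ip, suffix, target), "original-dst"


def host_is_forged(req: dict, original_dst: tuple) -> bool:
    """True when Host: does not match the address the client actually connected to.

    An intercepting cache that trusts Host: blindly lets any LAN client fetch a
    response from host A and have it stored under a URL naming host B (cache
    poisoning), and lets it reach names only the proxy can resolve. Names that
    do not resolve fail closed. IPv4 literals only. Squid 3.2 and later perform
    a comparable verification on intercepted requests.
    """
    host = req["headers"].get("host")
    if not host:
        return False                           # nothing to verify; URL came from original_dst
    name, _, port = host.partition(":")
    dst_ip, dst_port = original_dst
    if port and int(port) != dst_port:
        return True
    try:
        return str(ipaddress.ip_address(name)) != dst_ip   # IP literal in Host:
    except ValueError:
        return dst_ip not in DNS_TABLE.get(name.lower(), set())


if __name__ == "__main__":
    # Constructed requests: one intercepted, one forged, one from an HTTP/1.0 client.
    samples = [
        (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", ("93.184.216.34", 80)),
        (b"GET /admin HTTP/1.1\r\nHost: intranet.local\r\n\r\n", ("93.184.216.34", 80)),
        (b"GET / HTTP/1.0\r\n\r\n", ("93.184.216.34", 80)),
    ]
    for raw, dst in samples:
        req = parse_request(raw)
        url, how = reconstruct_url(req, dst)
        print("%-40s via %-12s forged=%s" % (url, how, host_is_forged(req, dst)))
```

The forged case is the one to keep in mind when the proxy is shared by a whole LAN: the second sample connects to the public address but names intranet.local, so a proxy that only looks at Host: would store (or fetch) under the wrong name. HTTPS is not covered at all by this mechanism, which is why only port 80 is redirected in the iptables rules in this thread.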
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

Dear Ather,

He is using Squid 2.6 STABLE4.
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
These settings will not work in this version of Squid.

Dear Siraj Ahmed,

Write it like this; it works for me and I hope it works for you too:
http_port 8080 transparent vhost vport=80 tproxy accel
or see http://www.squid-cache.org/Versions/v2/ ... _port.html

I have made a few small changes to the firewall script. If your firewall does not work, try this one.

Before using the firewall script, change the IP range according to your network settings.

#!/bin/sh

## Defining Variables ##

# Path To IPTABLES
IPT="/sbin/iptables"

# squid server IP
SQUID_SERVER="192.168.10.10"

# Local IP Range (the network address, not the host's own address)
LOC_IP="192.168.10.0/24"

# Interface connected to Internet
INTERNET="eth0"

# Interface connected to LAN
LAN_IN="eth1"

# Loopback Interface
LOOPBACK="lo"

# Squid port
SQUID_PORT="8080"

### Flushing IPTABLES ###

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

### Default Policies ###
### Flushing alone keeps whatever policy was set before (ACCEPT on a fresh box),
### which would leave $SQUID_PORT and every other listener open to the Internet.

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

### Setting Needed PROC Settings ###

echo 1 > /proc/sys/net/ipv4/ip_forward

### Redirecting HTTP Traffic to Squid Proxy Server. ###
### Squid speaks TCP only; redirecting UDP to it does nothing. Redirecting raw
### FTP control sessions (port 21) breaks FTP, so that line stays disabled.

$IPT -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
#$IPT -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 21 -j REDIRECT --to-port $SQUID_PORT

### MASQUERADE All packets ###

$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -o $INTERNET -j MASQUERADE

### Forwarding: the LAN may open connections, the Internet may only answer them ###

$IPT -A FORWARD -i $LAN_IN -o $INTERNET -s $LOC_IP -j ACCEPT
$IPT -A FORWARD -i $INTERNET -o $LAN_IN -m state --state RELATED,ESTABLISHED -j ACCEPT

### No Restriction for Loopback Interface ###

$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

## Dropping Packets coming from the Internet claiming to be from LAN_IN ##

$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP

## Accepting Local Network Packets ##

$IPT -A INPUT -i $LAN_IN -j ACCEPT
$IPT -A OUTPUT -o $LAN_IN -j ACCEPT

### Accepting Established and Related Connections ###

$IPT -I INPUT -i $LAN_IN -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $LAN_IN -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

### Dropping Invalid and Unknown Packets ###

$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP

Please correct me if I am wrong in this regard...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
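A firewall script that flushes the tables but never sets a default policy keeps whatever policy was there before (ACCEPT on a fresh box), so the Squid port and every other listener on the modem side stay reachable from the Internet no matter how many anti-spoofing rules follow. Below is an added example, not part of this thread or of either poster's script: a small Python checker that parses iptables-save output, walks nat PREROUTING and then filter INPUT the way the kernel does for a new TCP connection arriving on the WAN side, and reports whether the Squid port is exposed and whether packets forging a LAN source are dropped. The two rule dumps it runs against are constructed to mirror the shape of the two scripts in this thread (one without policies, one with INPUT DROP and the WAN-side port-80 REDIRECT); the interface names, addresses and port are the thread's, everything else is an assumption. Only the matches used in those dumps (-i, -p, --dport, -s, --state) are modelled; anything else raises rather than guessing.

```python
import ipaddress
import shlex

# Two constructed iptables-save dumps for this thread's layout (eth0 toward the
# modem, eth1 toward the LAN, Squid on 8080); assumptions for the example, not
# output captured from anyone's machine. The first mirrors a script that
# flushes the tables but never sets default policies.
OPEN_RULES = """
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 192.168.10.0/24 -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Same rules with INPUT set to DROP, plus the WAN-side port-80 REDIRECT that
# the first script in this thread carries.
CLOSED_RULES = OPEN_RULES.replace(":INPUT ACCEPT", ":INPUT DROP").replace(
    "COMMIT\n*filter", "-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 "
    "-j REDIRECT --to-ports 8080\nCOMMIT\n*filter")

TERMINATING = {"ACCEPT", "DROP", "REJECT", "REDIRECT", "DNAT", "MASQUERADE"}
MATCHERS = {   # the only match options modelled; each gets (wanted value, packet)
    "-i": lambda want, pkt: want == pkt["in"],
    "-p": lambda want, pkt: want in (pkt["proto"], "all"),
    "--dport": lambda want, pkt: want == str(pkt["dport"]),
    "-s": lambda want, pkt: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(want, strict=False),
    "--state": lambda want, pkt: pkt["state"] in want.split(","),
}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {chain, opts}; '!' negation is not modelled."""
    toks = shlex.split(line)
    opts, i = {}, 2
    while i < len(toks):
        if toks[i] == "!":
            raise ValueError("negated match not modelled: " + line)
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]], i = toks[i + 1], i + 2      # option with a value
        else:
            opts[toks[i]], i = True, i + 1             # bare flag such as --syn
    return {"chain": toks[1], "opts": opts}


def parse_iptables_save(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
    return tables


def rule_matches(opts, pkt):
    """Evaluate the modelled matches; anything else is an error rather than a guess."""
    for key, want in opts.items():
        if key in ("-j", "-m", "--to-ports"):
            continue                                   # target / module loader, not a match
        if key not in MATCHERS:
            raise ValueError("match not modelled: " + key)
        if not MATCHERS[key](want, pkt):
            return False
    return True


def verdict(table, chain, pkt):
    """First matching terminating target, else the chain policy (LOG falls through)."""
    for rule in table["rules"]:
        if rule["chain"] == chain and rule_matches(rule["opts"], pkt):
            if rule["opts"]["-j"] in TERMINATING:
                return rule["opts"]["-j"], rule
    return table["policy"].get(chain, "ACCEPT"), None


def probe_from_wan(tables, wan="eth0", ports=(80, 8080)):
    """New TCP SYN from a public address on the WAN side: nat PREROUTING first
    (a REDIRECT rewrites the port), then filter INPUT. Returns {probed port: verdict}."""
    result = {}
    for port in ports:
        pkt = {"in": wan, "proto": "tcp", "dport": port, "state": "NEW", "src": "203.0.113.5"}
        target, rule = verdict(tables.get("nat", {"policy": {}, "rules": []}), "PREROUTING", pkt)
        if target == "REDIRECT":
            pkt["dport"] = int(rule["opts"]["--to-ports"])
        result[port] = verdict(tables["filter"], "INPUT", pkt)[0]
    return result


def spoofed_lan_source_dropped(tables, wan="eth0", lan_host="192.168.10.50"):
    """A packet arriving on the WAN side but claiming a LAN source must be dropped."""
    pkt = {"in": wan, "proto": "tcp", "dport": 8080, "state": "NEW", "src": lan_host}
    return verdict(tables["filter"], "INPUT", pkt)[0] == "DROP"


if __name__ == "__main__":
    for name, text in (("no policies", OPEN_RULES), ("INPUT DROP", CLOSED_RULES)):
        t = parse_iptables_save(text)
        print(name, probe_from_wan(t), "anti-spoof:", spoofed_lan_source_dropped(t))
```

On a real box run iptables-save > /tmp/rules and pass that file's contents to parse_iptables_save instead of the constructed dumps. Any ACCEPT in the probe_from_wan result means the proxy port answers to the Internet, and from there only Squid's own http_access rules stand between you and an open proxy.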
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

Post by sarthor »

Salam O Alykum,
Using Fedora 7 and an Ubuntu Feisty 7.04 LAMP server;
everything is going fine, but I am not getting any cache performance.
For example,
I downloaded the Paltalk and MSN Messenger installers and also some games, and their size was less than the maximum object size I defined in Squid to be cached.
Can anybody help me find where the problem is?

Thank you all.

Goodbye.
Tefl E Maktab
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

Post your refresh patterns.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
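Two things commonly stop installers from being cached even when they are smaller than the configured limit: maximum_object_size defaults to 4 MB (anything larger is never written to disk regardless of the refresh patterns), and refresh_pattern is first-match, so a catch-all "refresh_pattern ." placed above the specific line wins every time. The fragment below is an added example squid.conf excerpt, not sarthor's configuration (which is only linked later in the thread) and not taken from any Squid package; the paths, sizes and times are assumptions.

```conf
# Added example excerpt (assumed paths and sizes), not a complete squid.conf.

# Keep the size limit above cache_dir: some Squid 3 releases take the
# per-directory limit from the value in effect when cache_dir is parsed,
# and the order is harmless on 2.x.
maximum_object_size 200 MB          # default is 4 MB; larger objects are never stored
cache_dir ufs /var/spool/squid 5000 16 256
cache_mem 64 MB
maximum_object_size_in_memory 512 KB

# refresh_pattern is first-match: the specific rule must come before the
# catch-all "." line or it is never reached.
refresh_pattern -i \.(exe|msi|cab|zip)$  10080 90% 43200 override-expire reload-into-ims
refresh_pattern ^ftp:      1440  20%  10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .             0  20%   4320
```

Before changing patterns, confirm in access.log that the download actually went through the proxy and what it logged (TCP_MISS on the first fetch, TCP_HIT or TCP_MEM_HIT on the second): a download served over HTTPS or from a non-80 port bypasses the port-80 REDIRECT rule entirely, and an origin that sends Cache-Control: private or no-store is not cached by this fragment on 2.x.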
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

If you have a recent distribution, do not compile your own Squid. The package in your distribution will work for almost all the usual use cases.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
sarthor
Battalion Quarter Master Havaldaar
Posts: 241
Joined: Wed Dec 24, 2003 2:36 am
Location: Pukhtoonistan

Post by sarthor »

Salam O Alykum,
Thank you for replying.
I have pasted my squid.conf here: http://paste.ubuntu-nl.org/46937/
I am using the Ubuntu LAMP server on this computer; my Squid is not compiled by me, it is the Squid shipped with this distro.

Salam O Alykum
Tefl E Maktab