full transparent proxy

Discussion regarding the installation and configuration of Linux distributions.
Company Havaldaar Major
Posts: 177
Joined: Tue Jul 08, 2003 11:33 pm
Location: karachi ,pakistan

full transparent proxy

Postby zaki486 » Sat Sep 22, 2007 10:08 am

dear bros asalam o alaikum to u all

here is my scenario help me please

i want to configure


server as when i only connect eth cable at my client end, specify ip address and it starts to work

i just want to plug in the eth cable on client pc issue an ip address, gw and dns of my local squid server and no other workout in browsers to work without any setup even no need is for entering ip in internet explorer->lan settings->proxy settings

even yahoo and messengers work fully functional with voice chat, and webcam facility

and also all other Instant messengers irc,msn mesngr, aol, should work

in my squid 2.6, fedora core 6
i have two pci eth cards installed

here is example of my client ip address
ip 192.168.0.x
gw: squid server ip
dns: squid server ip

my dsl modem on network

my Incoming from isp connection is eth0,
its ip add is, gw dsl modem

my squid server for my LAN,
ip add is, its is eth0 gw

in squid i enabled

http_port 3128
http_port accel defaultsite=localhost.localdomain.com
http_port 3128 transparent
icp_port 3130
cache_peer parent 80 0 no-query no-netdb-exchange default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 100 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 34096 KB
maximum_object_size_in_memory 15 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap LFUDA
cache_dir ufs /cache/squid 10000 32 256
access_log /cache/access.log squid
cache_log /cache/cache.log
cache_store_log /cache/store.log
log_fqdn on
ftp_user Squid@
ftp_sanitycheck off
ftp_telnet_protocol off
check_hostnames off
allow_underscore on
refresh_pattern ^ftp: 1440 20% 20080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl mynet src
acl SSL_ports port 443 563
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow mynet
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr zaki486@yahoo.com
visible_hostname localhost.localdomain
httpd_accel_no_pmtu_disc on
always_direct allow all
coredump_dir /var/spool/squid

but full transparent squid not working

squid not accepting the tags like this one http_port etc
as i saw in documentation vhost instead of httpd_* tags

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

my rc.local is

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-set ... howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
# Interface connected to Internet
# Interface connected to LAN
# Squid port

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
#iptables -A INPUT -j DROP

#as yahoo, pop emails, and other open/direct port hungry programs not working so i worked out following lines from net:

iptables -t nat -A POSTROUTING -o $EXT_IF -s $LOCAL_NET -d ! $LOCAL_NET -j SNAT –to $EXT_IP
iptables -A input -j REDIRECT 3128 -p tcp -s -d 80

#$EXT_IF is your external interface ( the interface linked to the hardware router in your case )

#$LOCAL_NET is in your case

#$EXT_IP is the ip assigned to your external interface ( ? )

#Port redirection

iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 1080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 21 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 25 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 110 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 22 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p TCP --dport 23 -j REDIRECT --to-port 3128

#The above rule redirects port 80 requests, irrespective of source ip address to port 3128 (or whichever port in which squid is running in transparent mode).


iptables -t nat -A POSTROUTING -p TCP -s 0/0 --dport 21 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP -d 0/0 --dport 20 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 23 -j MASQUERADE

#The above rules are essential when we connect modem or squid is in between two different network to make TELNET, FTP, SMTP, POP, HTTPS to communicate to INTERNET.

iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 8080 -j REDIRECT --to-port 3128

plz help and solve my problem


now i am confused for all firewall rules

also recommend commands and procedures for trobleshooting and locating my problems

THankX to u all
i just want solution
a full transparent proxy server where i dont want to configure anything at client end, can anyone refine these settings and make a simple solution , please help bros

if i get a solution then i will try it with dhcp so no need to go to client to configure except ipconfig/all and get their mac address to add acl to allow them internet but this will be done later on........

first a transparent server

Solutions - i want to get S0lutions from a solution

Certified Open Source Solution Provider
call me 0300-8902692

Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi


Postby LinuxFreaK » Tue Sep 25, 2007 7:41 am

Farrukh Ahmed

Return to “Installation”

Who is online

Users browsing this forum: No registered users and 1 guest