
Thread: Anybody setup a Transparent Squid server?

  1. #1
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031

    Default Anybody setup a Transparent Squid server?

    Alright. I'm coming here in the hopes of some help. I've read numerous squid tutorials and read a ton of articles. I still can't get the damn thing to work.
    I think I have a problem with my networking.

    Installed squid 2.6 on my Ubuntu box (I know).
    Eth0 is connected to internet (technically anyway) 192.168.1.33
    Eth2 is connected to Lan 192.168.5.1
    |
    |
    |
    Client machine is 192.168.5.10/255.255.255.0/192.168.1.33(gateway).

    I can go on the internet on the Ubuntu box. I can't on my 192.168.5.10 box. If I put in proxy options in Firefox or IE on my 192.168.5.10 box, it comes up as "access denied, please contact your cache server administrator".
    But everything is supposed to be transparent. I don't want to have to configure settings in any browser. Has anyone gotten this to work? I think it might be due to iptables? This is the script I am using.

    http://www.cyberciti.biz/tips/linux-...uid-howto.html

    Should I try BT for this? Or redhat? Commands on Ubuntu are all a bit different I suppose. Any help would be great. I've been pulling out my hair for a few days. thanks guys.
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by spankdidly View Post
    Alright. I'm coming here in the hopes of some help. I've read numerous squid tutorials and read a ton of articles. I still can't get the damn thing to work.
    I think I have a problem with my networking.

    Installed squid 2.6 on my Ubuntu box (I know).
    Eth0 is connected to internet (technically anyway) 192.168.1.33
    Eth2 is connected to Lan 192.168.5.1
    |
    |
    |
    Client machine is 192.168.5.10/255.255.255.0/192.168.1.33(gateway).

    I can go on the internet on the Ubuntu box. I can't on my 192.168.5.10 box. If I put in proxy options in Firefox or IE on my 192.168.5.10 box, it comes up as "access denied, please contact your cache server administrator".
    But everything is supposed to be transparent. I don't want to have to configure settings in any browser. Has anyone gotten this to work? I think it might be due to iptables? This is the script I am using.

    http://www.cyberciti.biz/tips/linux-...uid-howto.html

    Should I try BT for this? Or redhat? Commands on Ubuntu are all a bit different I suppose. Any help would be great. I've been pulling out my hair for a few days. thanks guys.
    I think you're using the wrong gateway for your 192.168.5.X network. Your gateway should be the LAN IP of your SquidBox, which is 192.168.5.1

    Try that, see if it works.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031

    Default

    Alright. I got it working if I use the proxy option under Firefox or IE. But I can't get it to work transparently. I feel like it's something simple. I just can't figure it out. This is the iptables script run at startup:
    #!/bin/sh
    # Transparent-proxy firewall script (based on the cyberciti howto linked above)
    # squid server IP (must be the address squid.conf's http_port is bound to)
    SQUID_SERVER="192.168.1.39"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth2"
    # Squid port
    SQUID_PORT="3128"

    # DO NOT MODIFY BELOW
    # Clean old firewall rules and user-defined chains in every table
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    # (ip_conntrack/ip_nat_* are the 2.6-kernel names; newer kernels use nf_conntrack/nf_nat_*)
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    # Let the kernel route packets between $LAN_IN and $INTERNET
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy (FORWARD is left at the kernel default of ACCEPT)
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # On the Internet side only accept replies to connections this box (or Squid) opened;
    # new inbound connections from $INTERNET fall through to the LOG/DROP rules at the end
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy.
    # Because $SQUID_SERVER is a local address the packets are delivered to Squid on this box;
    # REDIRECT --to-port $SQUID_PORT would have the same effect when Squid runs on the gateway itself.
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything else and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

    +++++++++++++++++++++++++++++++++++++++++++++++
    This is the squid.conf:
    # Listen on the eth0 address the DNAT rule targets; 'transparent' (Squid 2.x) makes Squid
    # accept intercepted connections that carry no proxy-style request line
    http_port 192.168.1.39:3128 transparent
    # Caching behaviour
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    access_log /var/log/squid/access.log squid
    cache_log /var/log/squid/cache.log
    cache_dir ufs /var/spool/squid 500 16 256
    hosts_file /etc/hosts
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    # ACL definitions
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563 # https, snews
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    # Access rules, evaluated top to bottom; first match wins
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    #http_access allow localhost
    # Both the eth0 and eth2 subnets are allowed to use the proxy
    acl lan src 192.168.1.0/24 192.168.5.0/24
    http_access allow localhost
    http_access allow lan
    http_reply_access allow all
    icp_access allow all
    visible_hostname proxy
    # Never use a parent cache; fetch everything directly
    always_direct allow all
    http_access deny all
    coredump_dir /var/spool/squid

  4. #4
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031

    Default

    eth0 has gotten its address via DHCP from a router:
    192.168.1.39
    255.255.255.0
    192.168.1.1

    eth2 is manually configured for:
    192.168.5.1
    255.255.255.0
    I'm confused about the gateway though.

    The client is:
    192.168.5.25
    255.255.255.0
    192.168.5.1

    If I set the proxy options to 192.168.1.39:3128, it works great. I don't want to have to set the options in each browser though. Damn, Ubuntu sucks ass. It's alright for games though. Ah, wth am I doing wrong? Would the gateway of eth2 be 192.168.1.39? I read in one of the numerous articles that the gateway does not need to be set.
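As an added example (not code from the thread, the cyberciti howto or the Squid project): a small Python checker that encodes the two conditions this thread turns on. First, the point streaker69 makes in post #2: a client's default gateway has to be on the client's own subnet and, for interception to happen, has to be the Squid box's LAN address rather than its Internet-facing address. Second, the link between the firewall script and squid.conf posted in #3: the DNAT target built from SQUID_SERVER and SQUID_PORT has to be an address and port that an http_port line actually listens on, and that line needs the transparent flag. The LAN interface, the two client configurations, the script variables and the http_port line are constants copied from the posts as sample data; the checker runs offline and reads nothing from a live system. Accepting 'intercept' alongside 'transparent' is an assumption for newer Squid versions, not something the thread covers.

```python
"""Offline sanity checks for a Linux transparent-Squid gateway (added example)."""
import ipaddress
import re

# Constructed sample data mirroring the posts above (assumptions, not live config).
LAN_IFACE = "192.168.5.1/24"  # eth2 on the Squid box
CLIENTS = {
    "post1": {"ip": "192.168.5.10", "mask": "255.255.255.0", "gw": "192.168.1.33"},
    "post4": {"ip": "192.168.5.25", "mask": "255.255.255.0", "gw": "192.168.5.1"},
}
FIREWALL_SCRIPT = '''SQUID_SERVER="192.168.1.39"
SQUID_PORT="3128"
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
'''
SQUID_CONF = "http_port 192.168.1.39:3128 transparent\n"


def check_client_gateway(ip, mask, gw, lan_iface=LAN_IFACE):
    """Return the problems with a client's IP/mask/gateway; empty when it is sane."""
    problems = []
    client = ipaddress.ip_interface(f"{ip}/{mask}")
    gateway = ipaddress.ip_address(gw)
    lan = ipaddress.ip_interface(lan_iface)
    if gateway not in client.network:
        # A host cannot ARP for a gateway outside its own subnet.
        problems.append(f"gateway {gw} is not inside client subnet {client.network}")
    if gateway != lan.ip:
        # Only traffic routed through the proxy's LAN interface hits the DNAT rule.
        problems.append(f"gateway {gw} is not the proxy LAN address {lan.ip}")
    if client.ip not in lan.network:
        problems.append(f"client {ip} is not on the proxy LAN {lan.network}")
    return problems


def dnat_target(script):
    """Resolve the LAN port-80 DNAT rule's target to (host, port), or None if absent."""
    shell_vars = dict(re.findall(r'^(\w+)="([^"]*)"', script, re.M))
    rule = re.search(r"--dport 80 -j DNAT --to (\S+)", script)
    if rule is None:
        return None
    # Expand $VAR references using the assignments found in the script.
    target = re.sub(r"\$(\w+)", lambda m: shell_vars.get(m.group(1), m.group(0)), rule.group(1))
    host, port = target.rsplit(":", 1)
    return host, int(port)


def squid_listeners(conf):
    """Parse http_port lines into (host, port, flags) tuples; bare ports bind 0.0.0.0."""
    listeners = []
    for m in re.finditer(r"^http_port\s+(\S+)(.*)$", conf, re.M):
        spec, flags = m.group(1), set(m.group(2).split())
        host, port = spec.rsplit(":", 1) if ":" in spec else ("0.0.0.0", spec)
        listeners.append((host, int(port), flags))
    return listeners


def check_redirect(script, conf):
    """Return problems linking the iptables DNAT rule to Squid's http_port."""
    target = dnat_target(script)
    if target is None:
        return ["no DNAT rule for LAN port 80 found in the firewall script"]
    host, port = target
    matching = [l for l in squid_listeners(conf) if l[1] == port and l[0] in (host, "0.0.0.0")]
    if not matching:
        return [f"DNAT sends LAN web traffic to {host}:{port} but no http_port listens there"]
    # 'transparent' is the Squid 2.x spelling; 'intercept' (Squid 3.1+) is assumed equivalent.
    if not any(l[2] & {"transparent", "intercept"} for l in matching):
        return [f"http_port {host}:{port} lacks the transparent/intercept flag"]
    return []


def report(clients=CLIENTS, script=FIREWALL_SCRIPT, conf=SQUID_CONF):
    """Run every check and map each item to its list of problems."""
    out = {name: check_client_gateway(**c) for name, c in clients.items()}
    out["redirect"] = check_redirect(script, conf)
    return out


if __name__ == "__main__":
    for name, problems in report().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run as-is, the post #1 client is flagged twice (its gateway 192.168.1.33 is neither on 192.168.5.0/24 nor the proxy's eth2 address), the post #4 client passes, and the DNAT target 192.168.1.39:3128 is found to match the http_port line with the transparent flag; swap in a squid.conf with `http_port 3128` and the missing-flag case is reported instead.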
