Setup a transparent proxy with Squid in three easy steps


The main benefit of a transparent proxy is that you do not have to configure each browser individually to use the proxy.

My Setup:

i) System: MSI Core 2 Duo CPU system with 4 GB RAM.
ii) Eth0: IP 192.168.0.2
iii) Eth1: IP 192.168.1.1 (192.168.1.0/24 network, around 50 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 5.1 (the following instructions should also work on Debian and other Linux distributions)

eth0 is connected to the Internet and eth1 to the local LAN, i.e. the system acts as a router.

Server Configuration

  • Step #1 : Squid configuration so that it will act as a transparent proxy
  • Step #2 : Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service

First, install Squid (on RHEL, use up2date squid) and configure it by adding the following directives to its configuration file:
# vi /etc/squid/squid.conf

Modify or add the following Squid directives (this is Squid 2.5 syntax; Squid 2.6 and later dropped the httpd_accel_* directives in favour of a transparent option on the http_port line):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.0.2 192.168.1.0/24
http_access allow localhost
http_access allow lan

Where,

  • httpd_accel_host virtual: run Squid as an HTTP accelerator for any destination host
  • httpd_accel_port 80: 80 is the port clients' requests are addressed to, i.e. the port being proxied
  • httpd_accel_with_proxy on: Squid acts both as a local HTTP accelerator and as a normal proxy
  • httpd_accel_uses_host_header on: Squid takes the destination hostname from the HTTP Host header of each request
  • acl lan src 192.168.0.2 192.168.1.0/24: access control list matching only the LAN computers (and the server itself)
  • http_access allow localhost: allow Squid access from localhost
  • http_access allow lan: allow Squid access from the lan ACL only

Here is the complete listing of squid.conf for your reference (grep removes all comment lines and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Or use sed alone (thanks to kotnik for the small sed trick):
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, add the following rules to forward all HTTP requests (arriving on port 80) to the Squid server on port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. It first configures the Linux system as a router and then forwards all HTTP requests to port 3128 (download the fw.proxy shell script):
#!/bin/sh
# Squid server IP
SQUID_SERVER="192.168.0.2"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Flush old firewall rules and delete user-defined chains in every table
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For Windows XP FTP clients (active-mode FTP through NAT); uncomment if needed
#modprobe ip_nat_ftp
# Enable IPv4 forwarding so this box can route for the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies from the Internet to connections we initiated (UDP, DNS,
# passive FTP and so on) via connection tracking
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# Unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to Squid on $SQUID_PORT, aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# If Squid runs on this same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save the shell script, then execute it so that the system acts as a router and forwards the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or restart Squid:
# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients at your eth1 IP address (192.168.1.2) as their router/gateway (use DHCP to distribute this information). You do not have to configure individual browsers to use the proxy.

How do I test whether my Squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

The command above follows the log as Squid writes it. As soon as somebody on the LAN opens a website in a browser, Squid logs the request to /var/log/squid/access.log.
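As an added example (not part of the original post), here is a small Python checker that reads Squid's native-format access.log and reports, per client, how many requests went through the proxy, the result codes (TCP_MISS, TCP_HIT, TCP_DENIED) and any request from outside the lan ACL networks that was served rather than denied. The log lines embedded in it are constructed for illustration, and the networks it assumes are the ones from the acl lan line above.

```python
"""Check a Squid native-format access.log for transparent-proxy sanity.

Added example, not the post's own code. The sample log lines below are
constructed; the LAN networks are taken from the post's "acl lan src" line.
"""
import ipaddress
from collections import Counter

# Networks the post's lan ACL allows; anything else should only appear as TCP_DENIED.
LAN_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.0.2/32"),
]

# Constructed sample in Squid's native log format:
# time elapsed client code/status bytes method URL rfc931 hierarchy/from type
SAMPLE_LOG = """\
1200000000.101    312 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1200000000.205     12 192.168.1.10 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
1200000001.330    480 192.168.1.23 TCP_MISS/200 2048 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1200000002.010      4 10.0.0.7 TCP_DENIED/403 1400 GET http://www.example.com/ - NONE/- text/html
1200000003.900    950 192.168.1.23 TCP_MISS/404 600 GET http://www.example.net/missing - DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Parse one native-format access.log line into a dict; None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "code": code,             # TCP_MISS, TCP_HIT, TCP_DENIED, ...
        "status": int(status),    # HTTP status returned to the client
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "hierarchy": fields[8],   # DIRECT/<origin ip> or NONE/-
    }


def in_lan(addr):
    """True if the client address falls inside one of the lan ACL networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def summarize(log_text):
    """Per-client counts, result-code counts, and the anomalies worth a look."""
    per_client = Counter()
    codes = Counter()
    denied = []           # requests Squid refused (expected for non-LAN sources)
    non_lan_served = []   # requests from outside the LAN that were NOT denied
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        codes[rec["code"]] += 1
        if rec["code"] == "TCP_DENIED":
            denied.append(rec)
        elif not in_lan(rec["client"]):
            non_lan_served.append(rec)
    return {
        "per_client": dict(per_client),
        "codes": dict(codes),
        "denied": denied,
        "non_lan_served": non_lan_served,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("requests per client:", summary["per_client"])
    print("result codes:", summary["codes"])
    for rec in summary["denied"]:
        print("denied:", rec["client"], rec["method"], rec["url"])
    for rec in summary["non_lan_served"]:
        print("SERVED NON-LAN CLIENT (check acl lan):", rec["client"], rec["url"])
```

To use it on the live log, replace SAMPLE_LOG with the contents of /var/log/squid/access.log. A growing per-client count confirms the DNAT rule is steering LAN browsers through Squid; a TCP_DENIED entry from a non-LAN address means a request reached Squid but the lan ACL refused it, and any entry in non_lan_served means the ACL is not doing its job and the proxy is open to that source.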

Problems and solutions

(a) Windows XP FTP Client

All FTP sessions from the desktop clients failed with the error:
Illegal PORT command.

The fix was to load the ip_nat_ftp kernel module. Just type the following command, press Enter, and voila!
# modprobe ip_nat_ftp

Note that this modprobe command is already in the shell script above (commented out; uncomment it if your clients need it).

(b) Port 443 redirection

I had blocked all connection requests at our router except those from our proxy server (192.168.1.1), so every port, including 443 (HTTPS/SSL), was denied for LAN clients. You cannot redirect port 443 through Squid this way; as explained on the Debian mailing list: “Long answer: SSL is specifically designed to prevent “man in the middle” attacks, and setting up squid in such a way would be the same as such a “man in the middle” attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL.”

Therefore, I quickly reopened port 443 on the router firewall for all my LAN computers, and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy: the browser does not know a proxy is in the path, so it never sends proxy credentials.


216 thoughts on “Setup a transparent proxy with Squid in three easy steps”

  1. Good blog! I definitely love how it’s easy on my eyes and the facts are well written. I am wondering how I may be notified whenever a new post has been made. I have subscribed to your rss feed which must do the trick! Have a nice day!

  2. Such a really good discussion you all have happening. I like the mix of good and correct information together with a few intellectual thoughts. It really is wonderful to be able to finally come across excellent articles where I think I could believe in the text as well as respect the individuals that publish it. With all the web waste nowadays I always value finding some real voices online. Thank you for posting and continue the good work, please!!

  3. Yes there are open source VPN clients and windows has a decent one built-in. If you need help setting this up let me know. I’ve specialized in remote secure banking and ATM for 5 years using Cisco equipment. Let me help you

  4. Hey, I just hopped over to your site via StumbleUpon. Not something I would normally read, but I liked your thoughts none the less. Thanks for making something worth reading.

  5. Good points…I would note that as someone who really doesn’t write on blogs much (in fact, this may be my first post), I don’t think the term “lurker” is very becoming to a non-posting reader. It’s not your fault at all, but perhaps the blogosphere could come up with a better, non-creepy name for the 90% of us that enjoy reading the content .

  6. @Markus I get your drift on where you were going there. I often think of my past and use it as a means to analyze where I am and where I want to get to. Where I struggle is balancing it all out. How do you guys balance things out?

  7. A proxy server masks your IP address and it is completely legal. It is used to get around IP bans and get into websites that have certain zone restrictions. The one my school uses is

  8. I commend your editorial article, I have a collection of your blog, I hope to be able to write more interesting articles and news, and I will continue to focus on your blog, and I hope to be editors

  9. I was just chatting with my coworker about this the other day at the restaurant. Don’t know how in the world we got on the subject actually, they brought it up. I do remember eating an excellent steak salad with ranch on it. I digress…

  10. Many thanks for presenting very superior information. Your web site is great. I am impressed by the data that you’ve on this weblog. It exhibits how effectively you realize this subject. Bookmarked this page, will appear back again for much more. You, my friend, amazing! I found just the information I previously looked all over the place and just could not find. What a perfect site. Similar to this web-site your site is one of my new favorites. I like this info proven and it has given me some kind of idea to have accomplishment for some cause, so maintain up the good function!

  11. This DSL-2740B wireless ADSL hub is usually an cost-effective top rated ADSL router in shape pertaining to residences along with small workplaces. Having included ADSL2/2 aiding about 24Mbps download speed, 802.11n write handheld LAN, firewall program safeguards, Quality of service (QoS) plus 4-port transition, this router presents each of the tools that a residence or maybe tiny business would need to set up a safe and sound as well as high-speed distant url to the outdoors.

  12. Total Control Marketing Review- Magnificent Doc! When i was simply just thinking that there’s plenty not right computer data for this subject matter you now entirely impacted my own impression. Many thanks a great article.

  13. Total Control Marketing Review- Good piece of writing man, I actually like the look and also the feel of this important blogging site. You write certainly well, you must be a aware guy. Will most definitely come back

  14. I should really be getting on with some work but this blog about PHP, MySQL, .NET, IIS, Networking, and Many More… » Blog Archive » Setup a transparent proxy with Squid in three easy steps is great

  15. This is getting a bit more subjective, but I much prefer the Zune Marketplace. The interface is colorful, has more flair, and some cool features like ‘Mixview’ that let you quickly see related albums, songs, or other users related to what you’re listening to. Clicking on one of those will center on that item, and another set of “neighbors” will come into view, allowing you to navigate around exploring by similar artists, songs, or users. Speaking of users, the Zune “Social” is also great fun, letting you find others with shared tastes and becoming friends with them. You then can listen to a playlist created based on an amalgamation of what all your friends are listening to, which is also enjoyable. Those concerned with privacy will be relieved to know you can prevent the public from seeing your personal listening habits if you so choose.

  16. Hello just thought i would tell you something.. This is twice now i’ve landed on your blog in the last 3 days hunting for completely unrelated things. Great Info! Keep up the good work.

  17. I am impressed with a nice wedding pic, it is quite a special moment in someone’s lifetime. Why are wedding pictures so interesting? Why not have the pic posted on the internet? This would be interesting.

  18. Hi, good post, I’m currently studying this at college. I like your blog, there’s some real helpful stuff on here. Will check back soon to see if you have posted any more pages, thanks

  19. Ultimately, I set up the understanding I was seeking out for. We’ve got been carrying out homework on this subject, and for four days I protect getting web-sites which are supposed to have what I am hunting for, only to get disappointed making use of the absence of what I wished. I wish I could have observed your internet site sooner! I had about 25% of what I applied to be in need to have of and your website has that, plus the rest of what I vital to finish my studying. We now have subscribed to this internet site proper here I like that you just will notice original article subject material that you will be ready to hardly learn elsewhere. One particular very good issue, you perhaps can get hold of nonetheless these types of information sites, make certain you go on! I can no for a longer time see the common media. It may be there a whole lot rubbish printed, I bear it no considerably a lot more easily. A certainly pleasant blog and excellent write-up. I devote days inside of the earth wide net studying blogs, about tons of many subjects. I ought to initial of all give kudos to whoever founded your internet websites and 2nd of all to you for composing what I can only describe as a publish. I honestly imagine there is a potential to writing posts or blog articles that only a couple of possess and frankly you may have it. The mixture of interesting and outstanding content material is absolutely remarkably hard to find utilizing the substantial volume of web throughout the on-line entire world. At all times retain an incredibly good give beneficial final results!

  20. Hi blogger, hope all is well. You mind sharing the name of your current theme? I would appreciate it much. Have a great afternoon. I love this theme. How hard is it to mess around with? Would you be able to shoot me an email? I would love to get it and use it on some of my sites. Thank you in advance, Marcella.

  21. To everyone the above commentors. Blogs and forums could be much better to read if You can keep Your comments small and to the point. No person likes to read large comments when the content can be conveyed using a smaller comment.

  22. Hi! Very interesting angle, we were talking about the same thing at work and found your site very stimulating. So felt compelled to comment a huge thank you for all your effort. Please keep up the great work you’re doing!

  23. Great post! Thanks for taking the time to write something that is really worth reading. Too often I find useless info and not something that is really relevant. Thanks for your hard work.

  24. This is the perfect blog for anyone who wants to know about this topic. You know so much it’s almost hard to argue with you (not that I really would want…HaHa). You definitely put a new spin on a subject that’s been written about for years. Great stuff, just great!

  25. Resources like the one you mentioned here will be very useful to me! I will post a link to this page on my blog. I am sure my visitors will find that very useful.

  26. Wow! Really great post, came across it on Google. This article is extremely interesting. You seem to be a very experienced blogger. I’m actually new to blogging and I recently made a website about online pawn shop. If you’re not busy I could really use some feedback on it. Thanks a lot!!

  27. Hey, I recently started reading your blog – thank you for the good work. Just wanted to let you know that it’s not showing up properly on the BlackBerry Browser (I have a Tour). Either way, I’m now subscribed to the RSS feed on my PC, so thanks!

  28. Hey, just wanted to say that as a business attorney I found your blog to be fantastic and informative. Take a look at mine and give me feedback if you would, since I’m fairly new at this.

  29. Definitely, the blog post is honestly the finest on this worthwhile field. I agree with your findings and will thirstily expect your coming up-dates. Just saying thank you is not going to just be adequate, for the incredible clarity in your article. I will instantly get your feed to keep informed of any updates. Superior work and much success in your business dealings. Best regards, ..

  30. Have you had issues with spammers? I also use Blog Engine and I have some beneficial anti-spam practices; please Email me if you might be interested in an exchange of ideas.

  31. Considerably, the publish is in reality the freshest on this notable topic. I agree with each other together with your conclusions and can thirstily seem forward to your next updates.I will instantly grab your rss feed to remain abreast of any updates.

  32. I admire the valuable information you offer in your articles. I will bookmark your blog and have my children check up here often. I am quite sure they will learn lots of new stuff here than anybody else!
    vimax scam

  33. Good blog! I genuinely love how it’s easy on my eyes and the details are well written. I am wondering how I may be notified whenever a new post has been made. I have subscribed to your rss feed which must do the trick! Have a nice day!

  34. Thank you for a pretty very clear and very helpful article. I’m certainly a violator of many of these rules. I typically locate myself conflicted when creating a weblog submit because I see personally creating more than citizens want to go through, but I sense that I be required to do the topic matter rights by completely covering it. I feel that by pursuing a few of these procedures I conclude up reducing out critical aspects to your discussion. I guess you may have to discover a balance.

  35. How would you like to get your hands on the most powerful traffic generator within the world? AND on autopilot. It does the following and much more on autopilot Article Submitter, Press Submitter, RSS, Social Bookmarker and a lot more. Its a all in 1 tool and is vital for all website owners/marketers. Its just insane… Its known as Traffic Anachy, go check them out!.

  36. Totally agree. If you care to view vinyl windows Toronto, new vinyl windows appear in various shapes and sizes and even though they are typically sturdy, there are brands that are outstanding amongst the rest. But then once more, new vinyl house windows offer much more advantage than classic wooden glass windows as they have a tendency to last longer and they are engineered to be more long lasting than the conventional kinds of house windows. If you are looking for the very best and most durable model, then you can always attempt the Home windows. What is fantastic about this model is that they are made from durable products. In addition, the materials are engineered to generate one thing that is quite powerful and resistant to the different circumstances of climate. Check more at vinyl windows Toronto

  37. There are some interesting points in time in this clause but I don’t know if I see all of them center to centre. There is some validity but I will take hold judgment until I look into it further. Good article, thanks and we want more! Added to FeedBurner too.

  38. Thank you so much for a rather very clear and beneficial submit. I am most certainly a violator of a lot of these guidelines. I quite often find me conflicted when writing a blog publish because I see me personally creating greater than individuals desire to go through, but I sense that I have got to do the subject matter proper rights by thoroughly masking it. I experience that by following a number of these procedures I end up chopping out crucial factors on the discussion. I guess you will have to come across a stability.

  39. yeah,I just thought you might want to know that your website looks out of wack when I see it on my iphone. I’m not sure if it has something to do with my phone’s browser or your website? just saying 🙂

  40. Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained!

  41. There are some interesting points in this clause but I don’t know if I see all of them heart to center. There is some validity but I will take hold judgment until I look into it further. Good clause, thanks and we want more! Added to FeedBurner likewise.

  42. Thank you for another essential article. Where else could anyone get that kind of information in such a complete way of writing? I have a presentation incoming week, and I am on the lookout for such information. qqbhxc4412
    vig rx | vimax

  43. I am really not too familiar with this subject but I do like to visit blogs for layout ideas and interesting topics. You actually expanded upon a subject that I usually don’t care much about and made it very fascinating. This is a unique blog that I will take note of. I already bookmarked it for future reference. Cheers

  44. This was a really very good post. In theory I’d like to write like this also – getting time and actual effort to make a great piece of writing… but what can I say… I procrastinate a lot and by no means appear to obtain something done.

  45. hey,I just thought you might want to know that your blog looks messed up when I see it on my iphone. I’m not sure if it has something to do with my phone’s browser or your website? just saying 🙂

  46. hi, just thought you might want to know that your site is messed up when you see it on my iphone. I’m not sure if it has something to do with my phone’s browser or your website? just saying 🙂

  47. Hiya guys, I have a great way to make tons of money online blogging. I expect this is primarily for the website admin but there are probably lots more bloggers reading this. I have made thousands using the techniques explained in the product and it’s only been 2 months. It basically generates content for you automatically and then on top of that posts it to free websites to gain you traffic. Check out their short video. Auto Blog Samurai

  48. When I started my blog about a month ago, I wasn’t even aware this existed, but what a lesson! I screen every comment and I’m concerned about the amount of effort this will take if the volume increases substantially. When it’s not clear, I’ve googled the comment verbatim, and it normally shows up in dozens of other blogs’ posts. As you say, they’re typically generic comments with links to (sometimes bizarrely) unrelated sites. My personal favorite example so far was a glowing appraisal of my reasoning skills, which was submitted to a post of a picture of a monkey, and linked to a site discussing the dangers of lasik eye surgery.

  49. You could edit the page subject PHP, MySQL, .NET, IIS, Networking, and Many More… » Blog Archive » Setup a transparent proxy with Squid in three easy steps to be more suited to the subject you make. I liked the writing all the same.

  50. Could have included a link here and we could have checked it out. It’s gonna be a lot of little things that cause it, not any one major advertisement. Anytime you write anything anywhere or whenever you get a chance you need to open your mouth about it. Once people start looking at the content and enjoying it they will start to link to it also

  51. Fed up with obtaining low numbers of useless traffic to your site? Well I want to share with you a fresh underground tactic which makes myself $900 every day on 100% AUTOPILOT. I possibly could be here all day and going into detail but why don’t you simply check their site out? There is an excellent video that explains everything. So if you’re seriously interested in producing easy money this is the site for you. Auto Traffic Avalanche

  52. There are some interesting points in that clause but I don’t know if I see all of them center to heart. There is some validness but I will hold legal opinion until I look into it further. Good article, thanks and we want more! Added to FeedBurner besides.

  53. I loved what you’ve got performed here. The design is sophisticated, your penned information classy. Nevertheless, you might have got an edginess to what that you are furnishing the next. Unwell totally arrive back again again for very much a whole lot more in case you protect this up. Dont get rid of hope if not at the same time many men and women see your imaginative and prescient vision, know you could have attained a fan suitable the following who values what you’ve got to say along with the way you have offered yourself. Excellent on you!

  54. Simply, admirable what you have done here. It is pleasing how to look you express from the heart and also your clarity by this significant content can be easily looked. Remarkable article and also went look forward how to your future update. Sorry my English bad, I am an Arabic

  55. Thank you for this very interesting article, I really appreciate it, I had been just now wondering about this same theme. It is always so nice to find a post which I’ve been looking for without resorting to browsing the web all night, LOL!

  56. Hi, my English isn’t greatest but I imagine by regular visits of the blog it is going to be far better within the next time. You have a good writing design that is easy to understand and can aid individuals like me to learn English. I will be now a regular visitor of your blog.

  57. I got to tell you, u r right on. I came 2 your post from someone else’s friend and am really fascinated by this topic and reading more. Do you mind if I point to this website from my fan page?

  58. Well, the article is really the sweetest on this valuable topic. I agree with your conclusions and will eagerly look forward to your upcoming updates. Saying thanks will not just be adequate, for the great clarity in your writing. I will immediately grab your rss feed to stay abreast of any updates. Gratifying work and much success in your business endeavors!

  59. Just gonna comment about this article, after reading whole of this it make me to have new goal about one big event, hope I can read more good news again from you so I subscribe your website.

  60. Well, I am quite interested in your site. If I were to use this website, I could earn you 200-1000 USD daily. I am willing to work on monetizing your site, on the condition that you share 50% of revenues with me. If you are interested, please send me an email. 🙂

  61. Hey, do you have any other posts like this one? I’m doing a paper for my alumni and I need a few links to put on our university website. Think it will be ok if we refer to this website from the school site for reference purposes?

  62. This is such an ideal resource that you are providing and also you give it away for free. I love seeing websites that perceive the worth of providing a top quality useful resource for free. Great job!

  63. Hands down, Apple’s app store wins by a mile. It’s a huge selection of all sorts of apps vs a rather sad selection of a handful for Zune. Microsoft has plans, especially in the realm of games, but I’m not sure I’d want to bet on the future if this aspect is important to you. The iPod is a much better choice in that case.
