Make Transparent Proxy With Squid on Linux (Ubuntu 9.10)

On Jan 18, 2010, 1 comment

To make a transparent proxy you redirect every port you want intercepted to the Squid port. This article will guide you through setting up a transparent proxy server on Ubuntu 9.10. The first thing you need to do is install Squid on the computer that will become the proxy server. You can install it with apt-get, like this:

$ sudo apt-get install squid

Then you need to configure Squid. Open the Squid configuration file in an editor (vi is used throughout this article):

$ sudo vi /etc/squid/squid.conf

Add this line in the http_port section (under "# Squid normally listens to port 3128"). The transparent option tells Squid to expect intercepted connections rather than explicit proxy requests:

http_port 3128 transparent


Then write your own access rules. This example uses only a minimal configuration. Add these lines to define the network (LAN) and permit it to use the proxy. The acl syntax is "acl <name> <type> <value>", so the ACL name comes before the type "src". The http_access line must be placed above the "http_access deny all" that the default squid.conf ends with: Squid stops at the first matching http_access line, so an allow placed after deny all never fires and the LAN is locked out.

acl LAN src 192.168.2.0/24
http_access allow LAN
icp_access allow LAN

Save the Squid configuration file and restart Squid so the changes take effect. You can restart Squid with this command:

$ sudo service squid restart

That minimal configuration makes Squid run, but it is not transparent yet. To make it transparent you need to configure iptables on your gateway. The DNAT rules below only work when Squid runs on the gateway itself (assumed here to be 192.168.2.1): if the proxy were a separate host on the LAN, its replies would reach the clients without passing back through the gateway, so the reverse translation would never happen. Create an iptables rules file on the gateway, like this:

$ sudo vi /etc/iptables.conf

Then write this in that file (the counters in square brackets are iptables-save output and are accepted by iptables-restore):

*filter
:INPUT ACCEPT [4:212]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:172]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:52]
:OUTPUT ACCEPT [1:52]
[2:120] -A PREROUTING -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
[0:0] -A PREROUTING -s 192.168.2.0/24 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.2.1:3128
[0:0] -A PREROUTING -s 192.168.2.0/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.1:3128
[0:0] -A PREROUTING -s 192.168.2.0/24 -p tcp -m tcp --dport 3128 -j DNAT --to-destination 192.168.2.1:3128
[0:0] -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
COMMIT

Save the iptables rules file. Then create an init script so the rules are loaded every time the computer boots. Create the file:

$ sudo vi /etc/init.d/iptables

Write this in the file:

#! /bin/bash
# Enable IPv4 forwarding so the gateway routes LAN traffic at all
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the filter and nat tables saved above
iptables-restore < /etc/iptables.conf

Save the file, make it executable, and register it to run at boot:

$ sudo chmod +x /etc/init.d/iptables

$ sudo update-rc.d iptables defaults

Reboot the computer, or run the script once by hand with "sudo /etc/init.d/iptables", to load the rules. Well done, your transparent proxy is now ready to use.
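The two mistakes that most often leave a setup like this one either broken or wide open are the acl name/type order and an http_access allow placed after deny all. The script below is an added example, not code from the original article: it checks a squid.conf for both problems before you restart Squid, and generates the nat table for iptables-restore from a LAN prefix, proxy address and list of client ports. The ACL name LAN, the addresses 192.168.2.0/24 and 192.168.2.1, and the sample squid.conf contents are assumptions matching the article; the "! -d proxy" match is my addition, so that connections addressed to the proxy box itself (including explicit proxy use on 3128) are left alone.

```shell
#!/bin/sh
# Added example, not code from the original article. Two sanity checks to
# run before "service squid restart", plus a generator for the nat rules
# the article loads with iptables-restore. Assumed values: ACL name LAN,
# LAN 192.168.2.0/24, proxy 192.168.2.1, Squid listening on 3128.

# Return 0 if "$1" defines ACL "$2" with the src type, i.e. "acl LAN src ...".
# The reversed form "acl src LAN ..." defines an ACL called "src" instead.
acl_src_defined() {
    grep -Eq "^[[:space:]]*acl[[:space:]]+$2[[:space:]]+src[[:space:]]+" "$1"
}

# Return 0 if "http_access allow $2" appears before the last
# "http_access deny all". Squid takes the first matching http_access line,
# so an allow placed after deny all never fires and the LAN is locked out.
http_access_order_ok() {
    conf="$1"; aclname="$2"
    allow_line=$(grep -En "^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+$aclname([[:space:]]|$)" "$conf" \
        | head -n 1 | cut -d: -f1)
    deny_line=$(grep -En "^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all([[:space:]]|$)" "$conf" \
        | tail -n 1 | cut -d: -f1)
    [ -n "$allow_line" ] || return 1
    [ -n "$deny_line" ] || return 0
    [ "$allow_line" -lt "$deny_line" ]
}

# Print an iptables-restore nat table that sends the given client ports to
# Squid. "! -d $proxy" leaves connections addressed to the proxy box itself
# untouched (assumption added here; the article DNATs those too).
gen_nat_rules() {
    lan="$1"; proxy="$2"; shift 2
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for port in "$@"; do
        printf '%s\n' "-A PREROUTING -s $lan ! -d $proxy -p tcp --dport $port -j DNAT --to-destination $proxy:3128"
    done
    printf '%s\n' "-A POSTROUTING -s $lan -j MASQUERADE" 'COMMIT'
}

# Constructed sample configs for a dry run: "good" matches the article's
# intent, "bad" has the acl typo and the allow placed after deny all.
write_sample_conf() {
    case "$1" in
    good) cat > "$2" <<'EOF'
http_port 3128 transparent
acl LAN src 192.168.2.0/24
http_access allow LAN
http_access deny all
EOF
    ;;
    bad) cat > "$2" <<'EOF'
http_port 3128 transparent
acl src LAN 192.168.2.0/24
http_access deny all
http_access allow LAN
EOF
    ;;
    esac
}

# Dry run on the constructed samples, then print the generated nat table.
good=$(mktemp); bad=$(mktemp)
write_sample_conf good "$good"
write_sample_conf bad "$bad"
for f in "$good" "$bad"; do
    if acl_src_defined "$f" LAN && http_access_order_ok "$f" LAN; then
        echo "$f: ok"
    else
        echo "$f: fix before restarting squid"
    fi
done
gen_nat_rules 192.168.2.0/24 192.168.2.1 80 81 8080
rm -f "$good" "$bad"
```

To use it on a real box, point the two check functions at /etc/squid/squid.conf and redirect gen_nat_rules into /etc/iptables.conf together with the *filter section from the article; the checks only read the file, so they need no root.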

1 comment:

Squidblacklist said...

Great article! Only one problem, Free Blacklists Suck!


We specialize in serving intelligent network administrators high quality blacklists for effective, targeted inline web filtering.
There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.

It would be our pleasure to serve you,

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org
