*nix Thread: Squid Transparent Proxying (in Technical)
  1. #1

    Squid Transparent Proxying

    Been bumbling about with this for a few days (1st serious attempt at setting this sort of thing up, so I might be slightly overawed).
    I have managed to set up a squid proxy which works fine if the browser is pointed at it directly, but for the small LAN I need to provide internet for I don't want the users having to enter proxy information.
    I had originally tried using a smoothwall express installation for this but had issues with HTTPS sites/traffic not being allowed (if the proxy was added to the browser the problem disappeared, even with https being allowed to pass through the smoothwall firewall).
    So I was thinking that a pure squid install would give me more flexibility, but it's not working transparently. I have it running squid 3.1 on CentOS 6.5, so I'm guessing something is wrong with my firewall setup on the CentOS install.

    Below is my squid.conf and iptables (the iptables was generated from a script I found in a squid proxy guide).

    IPTABLES
    Code:
    # Generated by iptables-save v1.4.7 on Wed May  7 10:12:02 2014
    *mangle
    :PREROUTING ACCEPT [265:23495]
    :INPUT ACCEPT [229:21595]
    :FORWARD ACCEPT [1:66]
    :OUTPUT ACCEPT [51:4904]
    :POSTROUTING ACCEPT [52:4970]
    COMMIT
    # Completed on Wed May  7 10:12:02 2014
    # Generated by iptables-save v1.4.7 on Wed May  7 10:12:02 2014
    *nat
    :PREROUTING ACCEPT [191:17945]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed May  7 10:12:02 2014
    # Generated by iptables-save v1.4.7 on Wed May  7 10:12:02 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -j LOG
    -A INPUT -j DROP
    -A FORWARD -i eth1 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth1 -j ACCEPT
    COMMIT
    # Completed on Wed May  7 10:12:02 2014
    Squid.conf
    Code:
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    
    # And finally deny all other access to this proxy
    http_access deny all
    
    # Squid normally listens to port 3128
    http_port 3128 intercept
    
    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?
    
    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 5000 16 256
    cache_mem 512 MB
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    
    visible_hostname doorstop
    #fireall options
    cache_peer 172.x.x.x parent 3128 0 no-query default
    never_direct allow all

    We are sat behind an LEA-controlled firewall, so the next question would be: do I need to have ports opened for HTTPS traffic to be passed to the upstream proxy?

    Help and suggestions greatly received, as there is a lot of conflicting info on the internet.
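The check below is an added example, not part of the original post: it parses the nat table of an iptables-save dump like the one above and reports which client destination ports on the LAN interface are actually steered to the Squid port, and which PREROUTING rules point at a different interface. The sample dump is the poster's nat table; the assumption that eth1 is the LAN side and eth0 the WAN side is the example's, not the poster's.

```python
import re

# Constructed sample: the nat table from the post above. Assumption for this
# example only: eth1 is the LAN interface, eth0 faces the LEA firewall.
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [191:17945]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(
    r"^-A PREROUTING\s+(?P<opts>.*?)\s+-j\s+(?P<target>DNAT|REDIRECT)\s+(?P<tgtopts>.*)$")


def parse_intercept_rules(dump):
    """Return one dict per nat PREROUTING rule whose target is DNAT or REDIRECT."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):           # table header, e.g. *nat / *filter
            in_nat = line == "*nat"
            continue
        m = RULE_RE.match(line) if in_nat else None
        if not m:
            continue
        iface = re.search(r"-i\s+(\S+)", m.group("opts"))
        dport = re.search(r"--dport\s+(\d+)", m.group("opts"))
        dest = re.search(r"--to-(?:destination|ports)\s+(\S+)", m.group("tgtopts"))
        rules.append({"iface": iface.group(1) if iface else None,
                      "dport": int(dport.group(1)) if dport else None,
                      "target": m.group("target"),
                      "to": dest.group(1) if dest else ""})
    return rules


def check_interception(dump, lan_iface, proxy_port=3128, wanted_ports=(80, 443)):
    """Map each wanted client port to True if a LAN-side rule sends it to proxy_port;
    also return rules that match on some other interface (likely misplaced)."""
    rules = parse_intercept_rules(dump)
    report = {}
    for port in wanted_ports:
        report[port] = any(r["iface"] == lan_iface and r["dport"] == port
                           and r["to"].rsplit(":", 1)[-1] == str(proxy_port)
                           for r in rules)
    stray = [r for r in rules if r["iface"] != lan_iface]
    return report, stray


if __name__ == "__main__":
    report, stray = check_interception(NAT_DUMP, "eth1")
    print("ports reaching Squid on eth1:", report)   # {80: True, 443: False}
    print("rules on other interfaces:", stray)        # the eth0 REDIRECT rule
```

With these rules only port 80 from eth1 reaches Squid; port 443 is never redirected, so HTTPS leaves untouched via FORWARD and MASQUERADE on eth0, which matches the symptom that HTTPS only works when the browser is pointed at the proxy directly.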

  2. #2 exa_mark
    Hi,

    Don't know if this will be of any use to you, but we have a configuration document here http://www.exa.net.uk/supportdocumen...quidadicap.pdf for how to configure it for use with our filtering service, but many of the principles are the same regardless, and we have an open-source project called ExaProxy, which you can get to the site here https://code.google.com/p/exaproxy/, as well as links to various community and proxygroup information. Hope it helps.
