Jump to content

Squid Transparent

Jackd

By Jackd
in *nix

 Share

Recommended Posts

Jackd

Jackd

Posted
Posted

Right ive got squid setup as a transparent proxy its working fine proxying http requests, but as for https (and all other stuff) ive added a iptables rule

iptables -t nat -A POSTROUTING -j MASQURADE

which according to webmin should masqurade all but this isnt working i still cant access https pages through the proxy.

 

Thanks

Jack D

ChrisH

ChrisH

Posted
Posted
It reads fine if you read it more than once ;) . Look up shorewall its a bit easier to configure your firewall with it so you have a better idea of whats going on.
dhicks

dhicks

Posted
Posted

It took me a fair bit of swearing and muttering to get HTTPS working with our transparent proxy setup, so I've included our squid setup script below for anyone who might find it useful (or for anyone out there who actually knows what they're doing with this kind of thing, in which case some pointers on how to do it properly would be much appreciated).

 

Note that the below doesn't proxy HTTPS, it simply makes sure that HTTPS is routed past the transparent proxy. The comments are there for my own benifit, as I was trying to remember what I was doing for the next time I needed to edit the file.

 

 

 

#!/bin/sh

 

# A script to set up iptables to set up Squid.

# This involves first setting up IPTables rules to handle transparent

# proxying and port forwading, then starting up the Squid process.

 

# First, flush any previous IPTables rules.

iptables -t filter --flush

iptables -t nat --flush

 

# Make sure that IP forwarding is enabled. I /think/ this is needed to get

# the FORWARD rules below working. No, I don't know why either...

echo "1" > /proc/sys/net/ipv4/ip_forward

 

# Forward established and related connections - i.e. if an HTTPS connection

# has been initiated from inside the firewall, then traffic coming the other

# way in reply to it is okay. This is /stateful/ packet filtering, seemingly.

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 

# Forward any traffic to port 443 (HTTPS). Add further ports below here as

# needed. You might also need to add specific websites here - some websites

# that use cookie-based authetication for user accounts don't handle being

# cached/filtered very well, so simply add them (or their IP address) in

# here. Bear in mind that this misses out the filtering for that specific

# website, so make sure that the whole website is okay before you set this.

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

 

# Deal with data from forwarded ports, i.e. shove it through NAT so it knows

# where it's going.

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.5

 

# The following line basically tells the machine to forward all incoming TCP

# traffic not already caught by the above lines to port 3128, where squid

# is listening. Squid has been compiled to support transparent proxying.

# Squid isn't set to filter/proxy/cache anything else, so any other traffic

# you want to allow through will have to be forwaded via the rules above.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

 

# Run Squid. This script keeps an eye on the squid process and

# attempts to restart it if it conks out for some reason.

/usr/local/squid/bin/RunCache&

 

 

 

--

David Hicks

Jackd

Jackd

Posted
  • Author
Posted
It took me a fair bit of swearing and muttering to get HTTPS working with our transparent proxy setup, so I've included our squid setup script below for anyone who might find it useful (or for anyone out there who actually knows what they're doing with this kind of thing, in which case some pointers on how to do it properly would be much appreciated).

 

Note that the below doesn't proxy HTTPS, it simply makes sure that HTTPS is routed past the transparent proxy. The comments are there for my own benifit, as I was trying to remember what I was doing for the next time I needed to edit the file.

SCRIPT HERE

 

 

 

--

David Hicks

 

Is eth0 the local interface and eth1 the internet iface?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


  • 47 When would you like EduGeek EDIT 2025 to be held?

    1. 1. Select a time period you can attend


      • I can make it in June\July
      • I can make it in August\Sept
      • Other time period. Comment below
      • Either time
×
×
  • Create New...