If you ever wanted to know how to setup a transparent proxy with Squid, because either you are just curious or you have more than one computer from which you want to surf the internet, and you don’t want to set the proxy manually, then this might be something for you.
I will assume that we have two networks: 172.16.0.0/24 and 172.16.1.0/24. These networks are connected to our router via eth1 and eth2 respectively, while the router itself has the IPs 172.16.0.1 and 172.16.1.1.
Setup
If you’re running Debian you have a newer or older version of Squid installed, depending on the release you chose. At the time of this writing that might be 2.5.9 for Sarge aka stable or 2.6.5 for Etch aka testing. If you don’t already know the version, check your version with dpkg -l squid.
For Squid 2.5.xx put the following into /etc/squid/squid.conf:
http_port 172.16.0.1:3128 http_port 172.16.1.1:3128 httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
and for Squid 2.6.xx:
http_port 172.16.0.1:3128 transparent http_port 172.16.1.1:3128 transparent always_direct allow all
The last directive was a workaround for early 2.6 versions of Squid, because of this bug. With the current version it seems that this isn’t a problem anymore, so just leave it out.
Firewall
We have to tweak the firewall, so that everybody who wants to surf the internet will go through our transparent proxy.
iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d 172.16.0.0/24
--dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp ! -d 172.16.1.0/24
--dport 80 -j REDIRECT --to-port 3128Access Control
At last we want to allow the users in our network to connect to our proxy. In the squid.conf there is a line saying:
http_access allow localhost
below that line you should put the following:
acl LAN src 172.16.0.0/24 172.16.1.0/24 http_access allow LAN
That’s it.
Pingback: Il blog di Gas ® » Debian 4.0 out