
fedix 10-13-2007 04:07 PM

HowTo setup a proxy for my home lan
I want to set up a Linux box with squid to act as a web cache/proxy server, also controlling access and restricting porno etc. for my LAN PCs.

I have 3 LAN PCs and a DSL connection to the internet.

1) Do I need to install a second NIC to my Linux box?

2) If not (which I hope), what should the IP config be?

<--  ~(inet ip) DSL Router ~
    ~          (
                      ~    squid box ~
                          ~ eth Switch ~
                          ~ 10.0.0.x  ~
                              |      |
                          LAN client  LAN client

The clients: 10.0.0.x
Def Gateway: (DSL router)
Proxy server: ?


kc8khl 10-13-2007 05:12 PM

Squid and IPTables
The easiest way to do it and not leave any loopholes is to set up a transparent proxy that forces the traffic through the squid proxy. To do this you'll need two NICs in the Linux box and you'll need to install iptables. You basically set up iptables to redirect all incoming traffic on port 80 to port 3128. Then all of your machines on the LAN will use your squid box as their gateway.

Check out this howto:

It is easiest to have iptables and squid run on the same box, I can't seem to get the setup in section 6 to work. (Got a question posted on that below :) ) Let me know if you have any more questions about it.


(Oh yeah, and check out dansguardian for content filtering)

reachjohney 10-15-2007 03:31 AM

Basic squid proxy setup

For a basic squid proxy setup:
1. Install squid, open /etc/squid.conf and edit these lines:
visible_hostname <your_machine_name>
http_port 3128
2. Delete this line:

http_access deny all

3. In the browsers of the client machines, set the proxy IP as the IP of the proxy machine, and set the port as 3128.


fedix 10-17-2007 02:36 PM

Squid Config
Thanks reachjohney!

Can I do that without installing a second NIC?

What should my clients' ipconfigs then be? Gateway? ADSL router or Proxy box?

And then obvious proxy settings in their IE settings (proxy box IP:3128).

reachjohney 10-18-2007 09:03 AM

squid proxy
Nay, I do not know a setup without two NICs.

With two NICs, set the external interface IP in range with the subnet of the external IP.

Set the internal interface (NIC) IP in range within the subnet of the internal IP. Other things work fine with defaults.

If you are planning for larger networks, get acquainted with the maximum file size in memory, maximum file size on hard disk, min file size in memory etc. entries.

fedix 11-02-2007 12:36 AM

Squid still not working :--<
Thanks for all the great help.:)

But my setup isn't working. Please help.:confused:

I've installed a second NIC.
eth0 is set to static DG (the DSL router's IP) and connected to one of the ports on the DSL router.
eth1 is set to static DG and connected to the router of my local LAN (range

The contents of my squid file looks like this:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#Recommended minimum configuration:
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl home_network src
# the path must be absolute; a relative path is resolved from squid's working directory
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
acl ncsa_users proxy_auth REQUIRED

# the deny rules for manager, ports, CONNECT and BadSites come first,
# so an authenticated user cannot bypass them; the allow rules follow
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny BadSites
http_access allow ncsa_users
http_access allow home_network
http_access allow localhost
http_access deny all

icp_access allow all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

visible_hostname localhost

coredump_dir /var/spool/squid

I've left a lot of the settings on default. I've followed a lot of the recommendations from an article on Linux Home networking (

My problems were:
1) I've lost internet connectivity from the squid box as well as from all the clients.
2) The squid's network config seemed as if it was losing an IP. When I ifconfiged, it showed as set above. After pinging several ips in my network, ifconfig suddenly reported eth1 as 169.254 ip (apipa address). How and/or why does eth1's static IP get changed to an APIPA address?
3) Is my default gateway correct as being the DSL router (
4) Should the proxy settings in my clients browsers be eth1 (internal) or eth0 (dsl router)?
5) Do I need to set up iptables and a firewall as described in the above article? I don't need to use a transparent proxy?
6) Where do I change the hostname of my squid box, which is now set to localhost?
7) Will someone also confirm that my squid.conf is correct. I did setup the ncsa_authorisations.

Thanks for all the help so long.

onebuck 11-02-2007 08:34 AM


First as root from the cli;


~#ifconfig -a                    #get known devices
~#route -n                      #get the route table

The above commands will show you where you are going now. The wrong way!

Looks like the server(proxy) should be connected to the DSL with eth0 and the eth1 should go to the LAN. Make sure to plug eth1 into the router LAN ports not the WAN.

You will need to enable masquerading, you can use this guide.


excerpt from IP Masquerading/Utilities/IPtables;

Under Linux kernel 2.4.x, packet mangling has considerably changed. This includes the masquerading, firewalling, and port forwarding features. This document assumes you're using modules; if you're not, disregard the code in the following script that tests for the loaded module. The following is a self contained script that enables and sets basic masquerading (assuming kernel support already exists) at boot time. You may use this example, or modify existing init scripts to include the code.

You can look at the code snippet to see what you need to adapt.

Once you have the NAT working then you can modify for the proxy. A simple LQ search or GOOGLE will get you loads of howto and setup information. Use it!
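The rules kc8khl and onebuck describe (masquerading on the squid box plus redirecting the LAN's port-80 traffic to squid's 3128), written out as an added example that is not from this thread or any of its posters; it assumes eth0 faces the DSL router, eth1 faces the LAN, the LAN is 10.0.0.0/24 (the thread only says 10.0.0.x) and squid listens on 3128.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny firewall, NAT and a
# port-80 -> squid redirect for a two-NIC squid box acting as LAN gateway.
# Assumed layout: eth0 -> DSL router, eth1 -> LAN switch, squid on 3128.
set -e

EXT_IF=${EXT_IF:-eth0}           # faces the DSL router
INT_IF=${INT_IF:-eth1}           # faces the LAN
LAN_NET=${LAN_NET:-10.0.0.0/24}  # assumed LAN range; the thread only says 10.0.0.x
SQUID_PORT=${SQUID_PORT:-3128}
RUN=${RUN:-}                     # RUN=echo prints the commands instead of running them

apply_rules() {
    # The box forwards packets between eth1 and eth0 only if the kernel allows it.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Clean slate, then default-deny: nothing reaches or crosses the box unless allowed below.
    $RUN iptables -F
    $RUN iptables -t nat -F
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box or LAN clients already opened.
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # From the LAN side only: squid (browsers pointed at proxy:3128), ssh and ping.
    $RUN iptables -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $RUN iptables -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $RUN iptables -A INPUT -i "$INT_IF" -s "$LAN_NET" -p icmp -j ACCEPT

    # Transparent proxy: LAN web traffic for port 80 is diverted to squid on this box,
    # so a client cannot skip the filter just by clearing its browser proxy setting.
    $RUN iptables -t nat -A PREROUTING -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Everything else from the LAN (https, mail, ...) goes out eth0 behind the box's address.
    $RUN iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply)   apply_rules ;;            # as root on the squid box
    preview) RUN=echo apply_rules ;;   # only print what would be run
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Run it with the `preview` argument first to see exactly which commands it would issue. The redirect only covers port 80, and squid cannot challenge intercepted requests for proxy_auth, so the ncsa_users rule in fedix's config only takes effect for browsers explicitly pointed at the proxy.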

lsteacke 11-02-2007 08:55 AM

Fedix are you planning on configuring the browsers on each of the PC's on the LAN to proxy to your squid box? Or are you going to set the default gateway of all your machines to your squid box and use iptables to redirect traffic to port 3128? Next what does the non dsl-router config look like? I'm assuming this is what is causing eth1 to lose the static ip.

As for setting a new hostname, you can do that any number of ways, starting with editing /etc/hosts.

You could also try in /etc/sysconfig/network and look for

or try the hostname command
hostname [new hostname] (this is only temporary however)

Your squid config looks fine btw, I think this may be a topology configuration issue.

reachjohney 11-03-2007 12:23 AM


I scanned your configuration, and feel there's some problem. I assume you wrote DG for gateway.

I am speaking in terms of the configuration schema I am using in my 50+ lab, but alternate schemes may work better.
1. Do not put a DG for the internal LAN card, eth1; leave it blank.
2. I think the second NIC's DG should be set to the IP given by your service provider. If that's the IP given to the router then it will be okay.
3. Forward traffic from the external NIC to the internal NIC using masquerading. Put the code in the rc.local file, that's easy.

Apart from these configuration changes, have a look at the squid.conf file. Change the http_access deny all line to http_access deny none. Change visible_hostname localhost to visible_hostname <my_system_name>, where my_system_name is the name of your system.

Do let me know whether it works or not.

fedix 11-03-2007 04:18 AM

Thanks everybody!

It looks as if the APIPA changes have gone. My eth0 & eth1 now "stay" on their set static addresses.

onebuck :

You will need to enable masquerading, you can use this guide.
Do I need to? Can I do the same with iptables as discussed in That's the only thing I didn't apply in my squid installation.
lsteacke :

Fedix are you planning on configuring the browsers on each of the PC's on the LAN to proxy to your squid box? Or are you going to set the default gateway of all your machines to your squid box and use iptables to redirect traffic to port 3128?
Don't know. Which is the best? The default gateway (DG) of my machines is currently set to the DSL router ( of above config). This is the one part I still don't get right.
reachjohney :

2.I think the second nics dg should be set to the ip given by your service provider.
My DSL router gets a dynamic IP when authenticating to my internet service provider. But the lan side of the DSL router is set to Can then be the DG? It worked that way before squid.

I've read the masquerading document ( but don't know which to use?
1) Must I first download and install masquerade, or is it part of the kernel?
2) Do I use "Simple IPTABLES masquerade commands" sample, or other samples?
3) I also do want to implement a firewall for security. Is the firewall of masquerading (Ipfwadm) sufficient?

Sorry if I sound stupid, :o

