Hi All,

I am new on setting up a squid proxy server for just one computer
This is for testing and slowly expand my knowledge for a small office. My office currently has one computer which can access to computer and it connect to a router and share the internet among all others.

The structure is as follow:
one modem connect the internet to
one router at 192.168.0.100.

office computer: A is connect to the router at 192.168.0.104, which is ubuntu
All other manager computer which is window connect at 192.168.0.101 to 103.

so i set up squid in A,
and A will be using by all clerk and account personnel.

so i want to set up squid for all user in ubuntu, and all user will need to pass through proxy in order to use internet.

Currently everything seem fine if i personally configure all web broswer to use proxy at 192.168.0.104 at port 3128,

however i want to use squid transparent so whenever i add a new account in ubuntu, i don't need to configure the web broswer for them. when my staff found i use proxy they might go to change the setting back to direct connect and it defeat the purpose of me running squid.

when i configure transparent, i understand i need to set the iptables, i have no idea now even i have read the iptables article.

my squid.conf is as follow, one more question, in config, 192.168.0.0/24, what's the 24 means???

<code>

http_port 192.168.0.104:3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /var/spool/squid 100 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
log_fqdn on
ftp_user Squid@pocs.no-ip.com
hosts_file /etc/hosts
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl BAD_DOMAINS dstdom_regex -i "/etc/squid/bad_domains"
http_access deny BAD_DOMAINS
acl our_networks src 192.168.0.0/24
acl AUTHUSERS proxy_auth REQUIRED
http_access allow our_networks AUTHUSERS
acl localnet src 127.0.0.1/24
http_access allow localnet
http_access allow localhost
icp_access allow all
cache_mgr pocs10@gmail.com
visible_hostname damocles
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT </code>

If any one can post the iptables rules for me, i would be really appreciated. ^^ thanks

Can you post the output of these commands (from the Ubuntu box)?
This is what an iptables transparent proxy rule usually looks like:But we would need the output of the commands above to determine if you need anything else.

BTW, the "/24" in 192.168.0.0/24 specifies the subnet mask.

PS: You need to use brackets in your code tags for them to work.

Hi Thanks for your reply

i got :
Chain PREROUTING (policy ACCEPT 207 packets, 29711 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 638 packets, 45254 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 638 packets, 45254 bytes)
pkts bytes target prot opt in out source destination

I got :
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

i got :

eth0 Link encap:Ethernet HWaddr 00:14:2A:E2:E9:85
inet addr:192.168.0.104 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::214:2aff:fee2:e985/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28839 errors:0 dropped:0 overruns:0 frame:0
TX packets:22573 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6419652 (6.1 MB) TX bytes:3528593 (3.3 MB)
Interrupt:16 Base address:0xa800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:45 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8420 (8.2 KB) TX bytes:8420 (8.2 KB)

i got : 0

As for the iptables : i got
pocs@pocs-linux:~$ sudo iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -s 192.168.0.0/24 -j REDIRECT --to-ports 3128
Bad argument `80'
Try `iptables -h' or 'iptables --help' for more information.

Thanks for your help.

The rule is failing because $LAN_IFACE is supposed to be replaced by your actual interface name. This computer only has one interface, so your best bet is probably to either configure the clients to use it as their proxy, or have the router do the transparent proxying toward it. You're not going to achieve anything by implementing this rule on this box as it is.

Hi,

Configure the client to use proxy mean....sorry i don't understand?
you mean configure the broswer to use proxy?

BTW: i hope that i don't need to configure the router because i am really not confident enough for that, as other manager computer is connected through that and i don't want to mess it up. The router i use is d-link DIR-655

Thanks

Hello

One more question, is that mean if i have two interface card then my problem can be solved easily? If it's the case, i will go and buy one cheap network card and install...

Thanks

Yes.

Then you'll need to setup a new router (the Squid box) behind it. In other words, make your Squid box a router which uses the "d-link DIR-655" as its gateway. You then have your clients use your Squid box as the gateway instead of the "d-link DIR-655". You'll need to have an ethernet switch for the clients connected to your Squid box.

Yes, since you don't want to mess with the "d-link DIR-655", you'll need to make the Squid box a router itself, and that means two network interface cards. Make sure you understand how this is all going to work (and if it is worth it) before you go out and spend money. There's TONS of tutorials on the WWW regarding how to set up a Squid transparent proxy. What I'm saying is, there's plenty of material for you to read and use as guides. You can always come back to this thread any time you hit a snag or have specific questions.