LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 09-24-2007, 04:05 AM   #1
shobhit
Member
 
Registered: Sep 2003
Location: kolkata
Distribution: Fedora 7
Posts: 60

Rep: Reputation: 15
Using squid as the default proxy server.


Hi,

I have a squid server (squid-2.6.STABLE16) running on Fedora 7 standalone box.
Squid is up and running and I can set Firefox to use proxy server 127.0.0.1 and port 3128 to access the net through squid.
I can also set Firefox not to use any proxy which case it directly connects to the net without going through squid.

My problem is that I want all traffic to go through squid, irrespective whether i set the proxy or not.

Searching the net revealed that it is a two step process
1. to set squid to run as a transparent server, and
2. use iptable to redirect all 80. 8080 traffic to 3128.

In version 2.6 it appears we just need to add transparent to http_port line
which I have done.
And I am redirecting traffic by setting the following iptable rules

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here's my squid.conf
Code:
[sho /usr/local/squid/etc]$ cat squid.conf | grep -v ^# | grep -v ^$
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
acl localnet src 192.168.1.3/24
http_access allow  localnet
icp_access  allow  localnet
http_access allow  localhost
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr sho@localhost.localdomain
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache
I'd appreciate any help to fix this.
Thanks.

Last edited by shobhit; 09-24-2007 at 04:15 AM.
 
Old 09-24-2007, 04:09 AM   #2
shobhit
Member
 
Registered: Sep 2003
Location: kolkata
Distribution: Fedora 7
Posts: 60

Original Poster
Rep: Reputation: 15
iptables -L does not show the two lines above that I have entered and Linux accepted without any errors.

Is that ok? Or, do I need to do that some other way.
I am using iptables v1.3.8 on Fedora 7.

Code:
[root@localhost rc.d]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@localhost rc.d]# iptables --version
iptables v1.3.8
I'd appreciate any help to fix this. :-)

Thanks.
 
Old 09-24-2007, 06:35 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Getting Squid to work transparently on localhost is a little tricky compared to how simple it is to get it to work transparently on a LAN. I tried to figure it out once but got impatient and just dropped it. I ended-up using an iptables rule to make sure any outgoing HTTP/HTTPS traffic was generated by the Squid user. So if my parents would disable the proxy setting in Firefox, they wouldn't be able to access the WWW. They are forced to use Squid, just not transparently. So I'll be monitoring this thread in the hopes that I too can learn the proper way to do a transparent setup on localhost.
 
Old 10-04-2007, 12:03 AM   #4
yongitz
Member
 
Registered: Nov 2005
Location: Davao City, Philippines
Distribution: RHEL, CentOS, Ubuntu, Mint
Posts: 139

Rep: Reputation: 20
Quote:
Originally Posted by shobhit View Post
iptables -L does not show the two lines above that I have entered and Linux accepted without any errors.
you can't really see the output of the command above with your command.. change it to
Code:
iptables -t nat -L
 
Old 10-04-2007, 04:09 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Thanks for bumping this. I decided to give the whole "transparent proxy on localhost" thing another shot and I got it working. It was basically just a matter of adding a couple rules to the OUTPUT chain of the nat table. I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost. Anyhow, here's the rules:
Code:
iptables -t nat -A OUTPUT -p TCP --dport 80 \
-m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p TCP --dport 80 \
-j REDIRECT --to-ports 3128
The first rule just makes sure that if the packet was generated by Squid nothing should be done to it (otherwise we'll end-up in an infinite loop). The second rule redirects any other matching packets. That said, considering that transparent redirection is only good for HTTP, I won't be doing this on my box. It would be kinda pointless, as I'd have to specify the HTTPS proxy in Firefox anyway. I'll just stick with my old iptables rules that do nothing but make sure the outgoing packets come from Squid. So basically I'm just posting this in case it helps you.

Last edited by win32sux; 10-04-2007 at 04:19 AM.
 
Old 10-04-2007, 10:49 PM   #6
shobhit
Member
 
Registered: Sep 2003
Location: kolkata
Distribution: Fedora 7
Posts: 60

Original Poster
Rep: Reputation: 15
iptables -t nat -L does the trick alright.

Also the iptable rules mentioned by win32sux above give me an access denied error as compared to page not found without the rules. So I guess the rules must be doing something right... :-)
Please tell me more about.
Code:
I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost.
 
Old 10-05-2007, 04:00 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by shobhit View Post
iptables -t nat -L does the trick alright.

Also the iptable rules mentioned by win32sux above give me an access denied error as compared to page not found without the rules. So I guess the rules must be doing something right... :-)
Please tell me more about.
Look at your Squid's access log when you get the error. You'll see what the request looks like, and then you can determine what needs to be changed in the ACLs. For me the only thing that had changed was that instead of a 127.0.0.1 (localhost) the requests now had my NIC's source IP.

Last edited by win32sux; 10-05-2007 at 04:01 AM.
 
Old 10-05-2007, 12:17 PM   #8
shobhit
Member
 
Registered: Sep 2003
Location: kolkata
Distribution: Fedora 7
Posts: 60

Original Poster
Rep: Reputation: 15
Access log says instead of localhost (127.0.0.1) the request is now coming from my external ip address, that is dynamically given by my ISP whenever I connect to the net. I am using PPPoE. So I guess that is then end of transparent connection through squid for me... Or is there still hope?
 
Old 10-07-2007, 06:55 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by shobhit View Post
Access log says instead of localhost (127.0.0.1) the request is now coming from my external ip address, that is dynamically given by my ISP whenever I connect to the net. I am using PPPoE. So I guess that is then end of transparent connection through squid for me... Or is there still hope?
I would think there is hope. I'm sure this has been worked-around before. My guess is that with the proper iptables rules you might be able to get the requests to look like they are from 127.0.0.1, but I haven't had time to tinker with that. One rather nasty workaround I can think of is to install a dynamic DNS update client on your box (such as those offered by DynDNS.com, NoIP.com, etc), so that their is always a domain name assigned to your IP. That way, you can just ACL the domain name. But like I said, it's a nasty workaround IMHO.

That said, I'd like to ask you two questions: 1) Considering that you will still have to manually specify the proxy for HTTPS regardless, are you still willing to do this localhost transparent proxy thing? 2) What is the main objective you wish to accomplish by doing this localhost transparent proxy thing?

Last edited by win32sux; 10-07-2007 at 06:56 AM.
 
Old 10-07-2007, 10:00 AM   #10
shobhit
Member
 
Registered: Sep 2003
Location: kolkata
Distribution: Fedora 7
Posts: 60

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
I would think there is hope. I'm sure this has been worked-around before. My guess is that with the proper iptables rules you might be able to get the requests to look like they are from 127.0.0.1, but I haven't had time to tinker with that. One rather nasty workaround I can think of is to install a dynamic DNS update client on your box (such as those offered by DynDNS.com, NoIP.com, etc), so that their is always a domain name assigned to your IP. That way, you can just ACL the domain name. But like I said, it's a nasty workaround IMHO.

That said, I'd like to ask you two questions: 1) Considering that you will still have to manually specify the proxy for HTTPS regardless, are you still willing to do this localhost transparent proxy thing? 2) What is the main objective you wish to accomplish by doing this localhost transparent proxy thing?
I guess it now worth installing dynamic DNS etc...
Secondly, I changed my rental plan from the month of October from an unlimited one to a limited one, therefore, I now manually connect to the net when required, instead of connecting automatically whenever I switch on the machine. This means I have to manually start squid also when I connect.
So having a manual step in between kind of beats the whole point of transparency.

I am trying to use squid as a cache, so that I appear to have a faster connection and also save some bandwidth cost.
I am trying to make it transparent because I learned on the net that I can. I thought well lets give it a try, and also I will learn something new. Transparent proxy is not my main objective, proxy is, and I have achieved that, thanks to everyone who took the time to reply to this thread
 
Old 11-23-2007, 10:37 PM   #11
michal017
Member
 
Registered: Jan 2004
Location: EU
Distribution: Debian
Posts: 87

Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost.
I have the exact same problem.. I'm wondering why no 'squid as transparent proxy' tutorial mentions this..
 
Old 11-23-2007, 11:36 PM   #12
michal017
Member
 
Registered: Jan 2004
Location: EU
Distribution: Debian
Posts: 87

Rep: Reputation: 15
what I did (as a workaround) is I put this to squid.conf:
acl localnet1 src 10.0.0.0/24
acl localnet2 src 192.168.0.0/16
http_access allow localnet1
http_access allow localnet2
 
Old 11-24-2007, 03:57 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by michal017 View Post
what I did (as a workaround) is I put this to squid.conf:
acl localnet1 src 10.0.0.0/24
acl localnet2 src 192.168.0.0/16
http_access allow localnet1
http_access allow localnet2
That doesn't really help someone with a dynamic public IP, though. Yes, for those of us behind a router it's a no-brainer, but for those who are directly connected to the Internet it's a different story.

EDIT: I'm thinking that since this is on an individual PC, one could simply allow everything (in Squid). In other words, have something like "http_access allow Safe_ports all" in there. It sucks, I know, but one would simply be more reliant on the local firewall to handle the network access aspect of security, and one would never have to worry about the IP changing, etc. With the proper INPUT rules, nobody from the outside would be able to connect to Squid.

Last edited by win32sux; 11-24-2007 at 04:49 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
squid proxy server configuration & distribution of internet without proxy gaurav_gupta082 Linux From Scratch 2 07-31-2010 12:25 PM
Sending a default web page to the connected computers through squid proxy jomy Linux - Networking 1 09-07-2007 10:39 AM
squid(proxy server) pankajkarde Linux - Server 1 03-13-2007 04:51 PM
Squid Proxy server help win2Linux Linux - Server 3 09-03-2006 10:53 AM
squid proxy server msound Linux - Networking 4 06-01-2005 12:59 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration