LinuxQuestions.org, Linux - Server forum: Forcing http request through Squid Proxy Server (Transparent proxying)
https://www.linuxquestions.org/questions/linux-server-73/forcing-http-request-through-squid-proxy-server-transparent-proxying-730080/

ochienged 06-02-2009 03:34 AM

Forcing http request through Squid Proxy Server(Transparent proxying)
 
I am configuring a transparent proxy using iptables and squid version 2.6 stable on a CentOS 5.2 box. The following are my results:
Quote:

On configuring proxy settings in the browsers, the desired results are achieved. However, when I remove them the requests time out.
The problem is this is not the desired design: HTTP requests should be directed to squid without the need to configure the clients' browsers. This is what I have done:
1) Made squid listen on the default port.
Quote:

http_port 3128 transparent
2) Configured my iptables as below:
Quote:

# Generated by iptables-save v1.3.5 on Thu May 28 15:27:35 2009
*mangle
:PREROUTING ACCEPT [14769:1931153]
:INPUT ACCEPT [14672:1900365]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6115:893955]
:POSTROUTING ACCEPT [6427:965079]
COMMIT
# Completed on Thu May 28 15:27:35 2009
# Generated by iptables-save v1.3.5 on Thu May 28 15:27:35 2009
*filter
:INPUT ACCEPT [14672:1900365]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6115:893955]
-A INPUT -s ! 192.168.0.101 -d 0.0.0.0 -i eth0 -p tcp -m tcp -j ACCEPT
-A FORWARD -s 192.168.0.0 -d ! 192.168.0.101 -i eth0 -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp -j ACCEPT
COMMIT
# Completed on Thu May 28 15:27:35 2009
# Generated by iptables-save v1.3.5 on Thu May 28 15:27:35 2009
*nat
:PREROUTING ACCEPT [220:23170]
:POSTROUTING ACCEPT [116:18308]
:OUTPUT ACCEPT [116:18308]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.0.0 -i eth0 -j DNAT --to-destination 192.168.0.101
COMMIT
# Completed on Thu May 28 15:27:35 2009
Kindly note that the proxy server and the iptables are on the same box.

chitambira 06-02-2009 03:57 AM

You need to configure "your network" to direct traffic to the proxy server (make your proxy server the default gateway at the edge of your network or route the traffic using your network devices)

ochienged 06-02-2009 08:02 AM

Network configuration
 
Quote:

Originally Posted by chitambira (Post 3560072)
You need to configure "your network" to direct traffic to the proxy server (make your proxy server the default gateway at the edge of your network or route the traffic using your network devices)

The configuration of my network, I suppose, conforms to your suggestion unless I misunderstand you. Here is an overview of the arrangement.

Clients -> Proxy server -> Cisco Router -> Internet

The problem is clients can bypass the proxy server by removing the proxy configurations on their browsers. Kindly help identify any flaws in my iptables script that would result in the failure of the server intercepting http requests.

kirukan 06-02-2009 08:17 AM

Quote:

The problem is clients can bypass the proxy server by removing the proxy configurations on their browsers
To block this, DROP all port 80 input traffic in your iptables or add an access-list on your router to block port 80

chitambira 06-02-2009 10:25 AM

Just to make sure, are your clients configured with default gateway pointing to the squid server?
If so, then sort your iptables as:
Quote:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.101:3128
Also, was transparent proxy support enabled when your squid was compiled?

kirukan 06-02-2009 10:54 AM

If you do not block port 80 traffic then people can simply bypass your proxy (with the gateway IP).
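The two pieces of advice in this thread, chitambira's REDIRECT rule for intercepting port 80 on the LAN interface and kirukan's point that unproxied port-80 traffic must be blocked so a client cannot bypass Squid by using the gateway address, fit together in one rule set. The script below is an added example and is not code from any poster in the thread. It takes eth0, 192.168.0.0/24, Squid's port 3128 and the ppp0 uplink from the posts; the MASQUERADE on ppp0, the REJECT-with-reset choice and the `--enable-linux-netfilter` check (Squid 2.x needs that configure option for `http_port ... transparent` on Linux, and `squid -v` prints the configure options) are assumptions. It prints the rules in iptables-restore format by default and only applies them when invoked with `--apply` as root, so the generated rules can be reviewed or diffed against the box's `iptables-save` output first.

```shell
#!/bin/sh
# Added example (not from the thread): generate and optionally apply a
# transparent-proxy rule set for: Clients -> Squid box (eth0 in, ppp0 out) -> Internet.
# Interface names, LAN and Squid port are taken from the thread; the rest is assumed.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit the complete nat + filter tables in iptables-restore format.
transparent_proxy_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Intercept web traffic from the LAN and hand it to the local Squid (chitambira's rule).
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Squid's own outbound fetches leave on the uplink; masquerade them (assumed ppp0 setup).
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Redirected connections arrive on the INPUT path aimed at Squid's port.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# kirukan's point: any port-80 flow that would be forwarded unproxied is refused,
# so a client that drops its browser proxy setting still cannot go direct.
-A FORWARD -i $LAN_IF -p tcp --dport 80 -j REJECT --reject-with tcp-reset
# Everything else from the LAN may be routed out, and replies come back.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Squid 2.x only honours "http_port ... transparent" on Linux when built with
# --enable-linux-netfilter. Reads `squid -v` output from stdin so it can be
# checked offline; returns 0 when the option is present.
squid_build_supports_transparent() {
    grep -q -- '--enable-linux-netfilter'
}

case "${1:-}" in
    --apply)
        squid -v 2>/dev/null | squid_build_supports_transparent || {
            echo "squid was not built with --enable-linux-netfilter; 'transparent' will not work" >&2
            exit 1
        }
        # Replaces the running tables; review the printed version first.
        transparent_proxy_rules | iptables-restore
        ;;
    *)
        transparent_proxy_rules
        ;;
esac
```

Because REDIRECT in nat PREROUTING steers matching packets onto the local INPUT path, the ACCEPT on Squid's port in INPUT is what actually lets the intercepted connections in; the REJECT in FORWARD only sees port-80 traffic that escaped the redirect (for example when the rule is missing or ordered after a broader DNAT), which is exactly the bypass kirukan warns about.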
