LinuxQuestions.org


soumalya 01-03-2014 12:03 AM

Squid as Transparent Proxy

Sir

I tried to configure Squid as a transparent proxy, but I failed.

1. I am using CentOS

2. Broadband dial-up connection in CentOS (ADSL setup)

3. Using OpenDNS 208.67.222.222

4. Local LAN IP 172.16.11.10/255.255.0.0

What I have done so far

A. add in squid.conf

1. acl all src 172.16.0.0/255.255.0.0

2. http_access allow all

3. http_port 3128 transparent

4. service squid start

B. iptables rules

1. iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 172.16.11.10:3128

2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

3. iptables -I INPUT -s 172.16.0.0/255.255.0.0 -p tcp --dport 3128 -j ACCEPT

In my Windows box

1. IP address 172.16.11.55/255.255.0.0

2. Gateway 172.16.11.10

3. DNS 208.67.222.222

That's it.

But now I cannot access the internet; if I configure my browser and set the browser proxy, I can access it easily.

Please help.

rhoekstra 01-03-2014 03:32 AM

I'm not sure what the REDIRECT statement is for. Is eth0 your inside network address? And the DNAT entry uses eth1, which is confusing to me.

A transparent proxy would mean from eth0 (inside) to eth1 (outside interface), where in PREROUTING, traffic coming in from eth0 should be DNATed to port 3128, which you do (on eth1, that is).

Can you clarify the interface configuration?

soumalya 01-03-2014 11:17 PM

Thanks for your reply.

In my CentOS server there are two LAN cards.

1. eth0
a. Automatically obtain IP address setting with: Dialup
b. Inactive

2. eth1
a. Static IP: 172.16.11.10/255.255.0.0
b. Active

Now I have a broadband connection ppp0 on eth0 (ADSL setup).

soumalya 01-03-2014 11:22 PM

I have followed http://www.broexperts.com/2013/03/sq...on-centos-6-4/

soumalya 01-10-2014 04:01 AM

Dear All

I did not get any response yet.

rhoekstra 01-10-2014 08:43 AM

Then ppp0 is the device you need to use in your iptables, as eth0 is just the carrier to facilitate ppp0. ppp0 is the actual internet connection (to be verified that ppp0 obtains a public IP address once connected, and not eth0).

A 1. Why 'acl all' instead of 'acl lan' as mentioned in the tutorial? - I don't imply this is an issue, though.

B 2. I still don't understand why you redirect traffic coming from the Internet with dport 80 (as stated in the tutorial), as you are not running your own web server with this configuration. But okay: it should be about connection ppp0, not eth0. I think this is an error. I think you need either the DNAT OR the REDIRECT statement, as REDIRECT effectively is the same as DNAT to localhost (the REDIRECT should have the interface of the local LAN (-i eth1) instead of the internet interface, though).

B 3. I would suggest using the INPUT chain to be selective on which interface it applies. I suggest you include '-i eth1' in the statement to specify it has to come from the local network. Also, port 3128 won't be accessed by the client, rather port 80. So open up port 80 and not 3128.

As http://www.karlrupp.net/en/computer/...t-proxy-en.gif shows, you need to open port 80 on the INPUT chain on the eth1 interface (your local LAN), and not port 3128. Port 3128 is not accessed through the process of 'transparent proxying'.

I assume you don't configure a proxy on the client and that you are connecting to HTTP, not HTTPS.


For more reading on the differences in DNAT and REDIRECT, you could check http://www.karlrupp.net/en/computer/nat_tutorial, which I found while looking up your issue, and getting familiar with REDIRECT at all, coz I didn't know that target yet.

Please let me know if you still are unable to get this to work.

soumalya 01-10-2014 11:09 PM

Dear rhoekstra

Thanks for your reply.

Now could you please tell me the steps to configure a transparent proxy, so that we need not set a proxy in my browser.

Please guide me.

rhoekstra 01-11-2014 12:27 AM

I think you're almost there, actually.

You seem to have configured Squid about right.

In iptables you have to open up port 80:
Code:

iptables -I INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

Then you need to redirect that traffic (internally) to Squid:
Code:

iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

I haven't checked this myself; it is what I found on the internet combined with my expertise. What I mean is, if I missed an aspect, it's because I haven't actually verified this configuration.

Please also try reading the above-mentioned documentation, and this site could be valuable to read as well: http://www.tldp.org/HOWTO/TransparentProxy.html

Next to all this, consider using transparent proxy settings through the PAC standard, which about all browsers support these days, if not all.
To read about this, check http://en.m.wikipedia.org/wiki/Proxy_auto-config for a good start on the subject.
This is more flexible and incorporates automatic configuration of a browser, so a user doesn't need to know a thing, yet you can tell the browser to use the proxy. Plus you can make browsers behave differently based on the URL they are trying to request, should this be necessary.

Both ways should work, but I would definitely recommend going with the PAC method.
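The two-command recipe in the post above, together with the DNAT/REDIRECT and interface discussion in rhoekstra's earlier reply, as an added example that is not code from this thread or from any of its posters: a small POSIX shell script that prints (or, as root, applies) a rule set for the layout soumalya described. The interface names, the /16 written in CIDR form and port 3128 come from the thread; that ppp0 is the upstream interface and that the CentOS box is also the LAN's default gateway (which is why forwarding and MASQUERADE appear) are assumptions. Two details deliberately differ from the post above: the filter INPUT rule accepts port 3128 rather than 80, because the nat PREROUTING chain runs before filter INPUT, so an intercepted connection already carries destination port 3128 by the time INPUT evaluates it; and the acl is named lan rather than all, since Squid 3.2 and later predefine all as every source address and redefining it does not narrow it. The DROP for port 3128 on the upstream interface keeps the listener from being reachable as an open proxy from the internet.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or applies) the transparent-proxy
# rule set for the layout described above. Every value below is an assumption
# and can be overridden from the environment.
LAN_IF="${LAN_IF:-eth1}"             # NIC holding 172.16.11.10, faces the LAN
WAN_IF="${WAN_IF:-ppp0}"             # the PPPoE session, not its carrier eth0
LAN_NET="${LAN_NET:-172.16.0.0/16}"  # 172.16.0.0/255.255.0.0 in CIDR notation
PROXY_PORT="${PROXY_PORT:-3128}"

# Refuse a configuration whose LAN and upstream interface are the same device.
check_ifaces() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# squid.conf lines for a LAN-only intercepting listener. The acl is named
# 'lan' because Squid 3.2+ predefines 'all' and a redefinition does not
# narrow it. Squid 3.1+ calls the listener mode 'intercept'; 'transparent'
# is the older spelling used in the thread and is still accepted as an alias.
squid_conf_fragment() {
    cat <<EOF
acl lan src $LAN_NET
http_access allow lan
http_access deny all
http_port $PROXY_PORT transparent
EOF
}

# iptables commands, printed rather than executed so they can be reviewed.
# nat PREROUTING runs before filter INPUT, so an intercepted connection
# already has destination port $PROXY_PORT when INPUT evaluates it; that is
# the port INPUT must accept. -I puts each rule ahead of the distribution's
# default REJECT rules. Forwarding and MASQUERADE are only needed because the
# box is assumed to be the LAN's default gateway (DNS, HTTPS, ... go through it).
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -I PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -I INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -I INPUT -i $WAN_IF -p tcp --dport $PROXY_PORT -j DROP
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -I FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules; refuses to run unprivileged or with a bad interface pair.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; return 1; }
    check_ifaces "$LAN_IF" "$WAN_IF" || { echo "LAN_IF and WAN_IF must be distinct" >&2; return 1; }
    build_rules | sh -e
}

case "${1:-}" in
    squid) squid_conf_fragment ;;
    show)  build_rules ;;
    apply) apply_rules ;;
    "")    : ;;  # no argument: only define the functions (file may be sourced)
    *)     echo "usage: $0 squid|show|apply" >&2; exit 2 ;;
esac
```

Run it with show to review the iptables commands, with squid to get the squid.conf lines, and with apply (as root) to load the rules; LAN_IF, WAN_IF, LAN_NET and PROXY_PORT can be overridden in the environment. Because the REDIRECT only matches packets arriving on the LAN interface, Squid's own outbound connections (which pass through OUTPUT, not PREROUTING) are never looped back into the proxy.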

TB0ne 01-11-2014 11:37 AM

Quote:

Originally Posted by soumalya (Post 5095867)
Dear rhoekstra, thanks for your reply.

Now could you please tell me the steps to configure a transparent proxy, so that we need not set a proxy in my browser.

Please guide me.

Once again, as you've been told MANY TIMES...THERE ARE NOT JUST SIRS ON THIS SITE...starting every thread with "Sir" isn't too smart. And neither is bumping your own thread with "Dear All I did not get any response yet."...you've also been asked several times to not bump your own threads.

And you've been 'guided' MANY times about Squid and proxies, going back years. How much more do you need? Some of your squid questions go back to 2009...after five years, have you not gained ANY knowledge about squid? Read the documentation?
http://www.linuxquestions.org/questi...-proxy-897362/
http://www.linuxquestions.org/questi...access-886470/
http://www.linuxquestions.org/questi...outing-886210/
http://www.linuxquestions.org/questi...server-882978/
http://www.linuxquestions.org/questi...server-802497/
http://www.linuxquestions.org/questi...id-acl-759767/
http://www.linuxquestions.org/questi...how-to-717091/
http://www.linuxquestions.org/questi...-squid-714291/

soumalya 01-20-2014 01:41 AM

Dear TB0ne

Thanks for your reply. But let me tell you one thing: please stop answering me, because whatever you replied earlier did not work for me. So please let other experts guide me.

rhoekstra 01-20-2014 03:07 AM

soumalya, you haven't gotten back whether my suggestions made any sense to you.

TB0ne 01-20-2014 09:36 AM

Quote:

Originally Posted by soumalya (Post 5101266)
Dear TB0ne
Thanks for your reply. But let me tell you one thing: please stop answering me, because whatever you replied earlier did not work for me. So please let other experts guide me.

And just saying "did not work for me" tells us NOTHING...you don't say what you tried, what the results were, etc. You have not shown ANY EFFORT to do anything on your own, or where you got stuck. Again, saying "does not work", or "cannot connect to internet", gives ZERO DETAILS. Anything from the log files? Any client side info? What browser(s) have you tried? How do you configure them? As said to you MANY TIMES: without details, there's little anyone can help you with.

The guide you posted is VERY clear, and has step-by-step directions. If you still, after several years, can't follow step-by-step directions with examples, there's not much anyone can help you with.

AGAIN:
  • You have been apparently working with squid for YEARS...have you not learned ANYTHING at this point??
  • Can you not look up ANY of the thousands of easily-found how to guides on your own?
  • You keep bumping your own threads, after you've been told not to MANY times
  • You keep starting EVERY THREAD with "Sir"...even after being asked about THAT many times

soumalya 01-21-2014 12:37 AM

Dear rhoekstra

Please let me know: can I use a dial-up connection (adsl-start) to connect to the internet, or do I have to use a direct connection for the transparent proxy?

SAbhi 01-21-2014 02:33 AM

So, seeing some of your above comments:

What if someone asks you about an issue with no information about it and still wants you to help?
Or if you gave them lots of ideas on how to fix it and they come back again and say it won't work, so you stop helping?

Here's what I do raise while referring to your post:

You gave the config info but no info on how you came to the conclusion that it's not working.
What did you see and where, and what logs did you refer to?

TB0ne 01-21-2014 08:47 AM

Quote:

Originally Posted by soumalya (Post 5101989)
Dear rhoekstra
Please let me know: can I use a dial-up connection (adsl-start) to connect to the internet, or do I have to use a direct connection for the transparent proxy?

...and you STILL don't tell us what's not working, what symptoms, or answer ANY questions about your setup. If you're not going to provide details, then why bother posting a question? Hire someone to fix your problem, and you won't have to tell them anything.

But if you want help from the community, you're going to have to show effort of your own, and engage in the conversation.

