Old 11-17-2009, 08:57 PM   #1
LQ Newbie
Transparent Proxy (squid + Dansguardian) with one NIC


I would like to seek anyone's suggestions regarding my issue here.
I have set up a transparent proxy (squid + dansguardian) on one server with only one NIC. I don't want to use 2 NICs because I don't want my proxy box to be placed between the LAN and the firewall/router.

I'm attaching it to my Cisco core switch and forcing my clients to use the proxy as the gateway.

here is my network:

      Cisco core switch
       |      |      |
     lan01  lan02  proxy

I'm using the iptables commands below to make my proxy transparent to my clients:

#!/bin/sh
# The variable values were dropped from the post; the assignments below are
# placeholders (RFC 5737 documentation addresses), not the poster's real values.

# Squid server IP (the proxy box's own address)
SQUID_SERVER="192.0.2.10"

# Interface connected to Internet (the only NIC; eth0 as in the later rules)
INTERNET="eth0"

# Address connected to LAN (two client subnets)
LOCAL="192.0.2.0/24"
LOCAL2="198.51.100.0/24"

# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this box opened (UDP, DNS and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for the rest of the LAN
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN (the OUTPUT rule matches this host's own source
# address; the OUTPUT policy is still the default ACCEPT anyway)
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# open everything (this accepts all inbound traffic on the only NIC, so the
# INPUT DROP policy and the LOG/DROP rules below never see a packet from it)
iptables -A INPUT -i $INTERNET -j ACCEPT

# DROP everything and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

# Result: my transparent proxy (squid) is working fine, and when I tail -F access.log it shows all my clients' IP addresses (LOCAL1 and LOCAL2) accessing the web, like below:

# Access.log
1258534990.658 1498 TCP_MISS/200 514 GET - DIRECT/ image/gif
1258534991.878 2726 TCP_MISS/200 42718 GET - DIRECT/ text/javascript
1258534992.383 1810 TCP_MISS/200 2357 POST - DIRECT/ text/javascript
1258534995.380 3384 TCP_MISS/200 7218 GET - DIRECT/ text/javascript
1258534995.846 3463 TCP_MISS/200 2370 POST - DIRECT/ text/javascript
1258534997.560 6305 TCP_MISS/200 971 GET - DIRECT/ text/html
1258535000.056 4210 TCP_MISS/200 2368 POST - DIRECT/ text/javascript
1258535000.791 3229 TCP_MISS/200 710 POST - DIRECT/ text/plain
1258535001.137 14008 TCP_MISS/200 6646 GET http://www-gm-opensocial.googleuserc...ets/js/rpc.js? - DIRECT/ text/java

However, with the above iptables config my dansguardian is not working at all. I know because when I try to access a blocked page it is still allowed. So I came up with the new iptables config below to tackle this problem. First I flush and reset the Linux firewall.

# New iptables to let dansguardian work
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080

# The address after "-s !" was lost from the post; 127.0.0.1 is assumed here,
# since dansguardian on the same host reaches squid over loopback. "! -s" is
# the form current iptables accepts; the older "-s !" is rejected by newer releases.
iptables -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP

# Result: Now dansguardian is working and blocking everything I want. But a problem arises when I check tail -F access.log; it shows the following:

1258378079.875 9 TCP_HIT/200 843 GET - NONE/- text/javascript
1258378079.884 7 TCP_HIT/200 847 GET - NONE/- image/png
1258378080.302 438 TCP_MISS/200 38892 GET - DIRECT/ image/gif
1258378080.609 805 TCP_MISS/200 519 GET;grp=[group];misc=1258349346500 - DIRECT/ application/x-javascript
1258378081.091 376 TCP_MISS/200 3043 GET - DIRECT/ text/javascript
1258378081.681 417 TCP_MISS/200 38806 GET - DIRECT/ image/gif

It seems my squid (access.log) is not logging any of my clients' IP addresses (LOCAL1 and LOCAL2) but only the localhost IP. That does not seem right to me. This brings me to another issue: I cannot apply my ACL delay pools based on my defined LAN. I want to make my transparent proxy (squid and dansguardian) work with one NIC as explained earlier.

It seems too long to explain my problem here; I believe iptables is the issue, and I would really appreciate anyone who can help me solve this problem.

Old 11-18-2009, 12:27 AM   #2
Senior Member
Hi, I didn't think it was possible to set up squid with only one NIC, but....

I found this page and after reading it, I feel it may be of use to you.

A web site I have found useful in the past....

Regards Glenn
Old 11-18-2009, 01:01 AM   #3
Senior Member
Refer to the following link
Old 11-18-2009, 01:59 AM   #4
LQ Newbie
Original Poster

Thanks all for your suggestions. Let me describe my server briefly.

SQUID: 2.6 STABLE 6 (runs on port 3128)
DANSGUARDIAN: 2.8.0 (runs on port 8080)

FYI, squid and dansguardian sit on the same server with the same IP address. I believe my dansguardian config and squid config are correct.

Initially, as in the post, I am able to set up a transparent proxy (squid) by using the iptables rules below for my LANs; this was taken from the link I referred to, as I have used it before.

iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

Result: my var/log/access.log shows what it is supposed to. All clients' IP addresses are logged. Now I know my transparent proxy is working and I can do all the ACL delay pools in my squid.conf.

In order to make my dansguardian run and log all the clients' IP addresses, I need to use only the iptables rule below:

iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

Result: My var/log/dansguardian/access.log is logging all client IP addresses as it is supposed to. That was great, and my dansguardian is blocking what it is supposed to.

There is no issue with either scenario, but I would like to combine the squid and dansguardian configs so that both access.logs get their respective entries together, by using the correct iptables commands.

I have tried many iptables possibilities for a week to reflect my requirement, in order to make my squid and dansguardian work best. Unfortunately it still does not work.

I'm looking for anyone who has an idea on how to make these HTTP port 80 requests be redirected to both squidbox:3128 and dansguardian:8080, so that both will record all client IP requests in access.log.
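The combination asked for in post #1 and post #4 (LAN port 80 intercepted into DansGuardian, DansGuardian handing off to Squid on the same host, and Squid still seeing the LAN client for its access.log and delay pools) as an added example. This is not code from the thread or from either project; the interface name, subnets, ports and the dg_host ACL name are placeholders. It relies on DansGuardian's forwardedfor option and on Squid's follow_x_forwarded_for family of directives, which exist in Squid 2.7 and 3.1 or later (built with that feature where the build makes it optional); the Squid 2.6 STABLE6 named in post #4 would need the follow_x_forwarded_for patch or an upgrade. The rule generator prints rather than runs so the rule set can be read and tested; apply_rules executes it as root, and check_squid_clients reads a native-format Squid access.log on stdin and fails if any request is still attributed to 127.0.0.1, which is the symptom post #1 reports.

```shell
#!/bin/sh
# Added example, not from the thread: one-NIC chain
#   LAN client -> (REDIRECT :80 -> :8080) DansGuardian -> 127.0.0.1:3128 Squid
# with DansGuardian adding X-Forwarded-For and Squid trusting that header from
# loopback only, so access.log, ACLs and delay pools see the LAN client address.
# Subnets are RFC 5737 placeholders; the poster's real values are not on the page.
NIC=eth0                  # the only interface (eth0 in post #1)
LOCAL=192.0.2.0/24        # placeholder for the poster's $LOCAL
LOCAL2=198.51.100.0/24    # placeholder for the poster's $LOCAL2
DG_PORT=8080              # DansGuardian port (post #4)
SQUID_PORT=3128           # Squid port (post #4)

# Print the rule set instead of executing it, so it can be reviewed and tested.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# intercept LAN web traffic into DansGuardian, never straight into Squid
iptables -t nat -A PREROUTING -i $NIC -s $LOCAL -p tcp --dport 80 -j REDIRECT --to-port $DG_PORT
iptables -t nat -A PREROUTING -i $NIC -s $LOCAL2 -p tcp --dport 80 -j REDIRECT --to-port $DG_PORT
iptables -A INPUT -i $NIC -s $LOCAL -p tcp --dport $DG_PORT -j ACCEPT
iptables -A INPUT -i $NIC -s $LOCAL2 -p tcp --dport $DG_PORT -j ACCEPT
# Squid is reachable over loopback only; anything arriving on the wire for it is dropped
iptables -A INPUT -i $NIC -p tcp --dport $SQUID_PORT -j DROP
# the box is the clients' default gateway, so forward their non-HTTP traffic to the router
iptables -A FORWARD -s $LOCAL -j ACCEPT
iptables -A FORWARD -s $LOCAL2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
iptables -A INPUT -j DROP
EOF
}

# Run as root: enable forwarding and execute the generated rules.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | grep -v '^#' | sh -e
}

# dansguardian.conf lines: listen on DG_PORT, use the local Squid, add X-Forwarded-For.
dansguardian_conf() {
    cat <<EOF
filterport = $DG_PORT
proxyip = 127.0.0.1
proxyport = $SQUID_PORT
forwardedfor = on
EOF
}

# squid.conf lines: listen on loopback only, trust X-Forwarded-For solely from
# DansGuardian's address, then let ACLs, delay pools and the log use that client.
squid_conf() {
    cat <<EOF
http_port 127.0.0.1:$SQUID_PORT
acl dg_host src 127.0.0.1/32
follow_x_forwarded_for allow dg_host
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
EOF
}

# Constructed sample lines in Squid's native access.log format (client is field 3).
LOG_FIXED='1258378080.302 438 192.0.2.25 TCP_MISS/200 38892 GET http://www.example.com/a.gif - DIRECT/203.0.113.5 image/gif'
LOG_BROKEN='1258378079.875 9 127.0.0.1 TCP_HIT/200 843 GET http://www.example.com/b.js - NONE/- text/javascript'

# Read access.log on stdin; exit 0 only if no request is attributed to 127.0.0.1,
# the symptom in post #1 once DansGuardian sat in front of Squid.
check_squid_clients() {
    awk '$3 == "127.0.0.1" { bad++ } END { exit (bad > 0) }'
}

case "${1-}" in
    apply) apply_rules ;;
    show)  gen_rules; echo; dansguardian_conf; echo; squid_conf ;;
    *)     printf '%s\n' "$LOG_FIXED"  | check_squid_clients && echo "clients logged correctly"
           printf '%s\n' "$LOG_BROKEN" | check_squid_clients || echo "squid still sees only 127.0.0.1" ;;
esac
```

Run it with no argument to see the log check against the two constructed lines, with show to print the rules and config fragments, and as root with apply to install the rules. The ordering matters in one place: the DROP for port 3128 on the NIC sits after the loopback ACCEPT, so DansGuardian's own connections to Squid are never affected, while a LAN host that configures the proxy manually on 3128 is refused rather than bypassing the filter.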

Old 04-28-2010, 09:42 AM   #5
LQ Newbie
Hi, it is very possible to set up squid with only one NIC. I have the following setup:
Both squid and the users are on the same subnet and they have the router as gateway. It's running quite nice.
