How to configure Squid to be a transparent proxy server

Home > Search > How-to
  by

Let's take an example of a PC in your LAN that wants to go to an HTTP website being hosted on a remote server on the Internet. In the most basic configuration possible, you could connect your PC to your modem, and then request the HTTP website. When HTTP is being used, the connection would use port 80.

 

Building upon this simple configuration, a proxy server could be placed between your PC and your modem, to proxy requests to and from the Internet. In order to configure Squid to be a transparent proxy, the Squid server will need to have at least two interfaces. The interfaces will be configured to forward traffic to and from each interface, and there will also be a configuration to forward traffic from a standard port, such as 80 for HTTP to a new port, such as 3128 (the default Squid http port).

 

What you will want to do is to configure the LAN interface with a private IP address and subnet mask, but not default gateway. The WAN interface will be configured with a private IP address, subnet mask, and default gateway. For example:

Tytpe Interface IP address Prefix Gateway
WAN eth0 192.168.0.2 /24 192.168.0.1
LAN eth1 192.168.0.3 /24 n/a

 

Ensure each interface is working as expected. To test the LAN interface, bring down the WAN interface or disconnect the ethernet cable from the WAN interface. Then, ensure you are able to ping another device in your LAN, but that you are not able to ping a remote server, such as www.google.com.

~]# ping -c1 www.google.com
connect: Network is unreachable

 

Next ensure the WAN interface is working as expected. Bring down the LAN interface or disconnect the ethernet cable from the LAN interface. Then, ensure you are able to ping another device in your LAN, and that you are also able to ping a remote server, such as www.google.com.fOnce the WAN interface is configured and connected to your router, you will be able to ping remote servers, such as google.

~]# ping -c4 www.google.com
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=1 ttl=55 time=21.9ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=2 ttl=55 time=19.0ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=3 ttl=55 time=18.9ms
64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=4 ttl=55 time=20.6ms

 


Forwarding

By default, Linux is not configured to forward traffic from one NIC interface to another. We need the system so that requests to the LAN interface are forwarded to the WAN interface. In this example, HTTP requests on port 80 will be forwarded from the LAN to the WAN interface, and the WAN interface will use the default Squid port 3128.

 

In the /etc/sysctl.conf file, add the following line to enable fowarding.

net.ipv4.ip_forward=1

 

Reload sysctl.

~]# sysctl -p

 

If using firewalld, configure the WAN interface (eth0 in this example) to be bound to the public zone, and configure the LAN interface (eth1 in this example) to be bound ot the internal zone.

firewall-cmd --zone=public --add-interface=eth0 --permanent
firewall-cmd --zone=internal --add-interface=eth1 --permanent

 

Allow traffic on port 3128.

firewall-cmd --zone=internal --add-port=3128/tcp --permanent 

 

Forward HTTP traffic (port 80) from your LAN interface to the WAN interface. Replace x.x.x.x with the IP address of your WAN interface.

firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=x.x.x.x --permanent

 

Configure firewalld to use masquerading.

firewall-cmd --zone=internal --add-masquerade --permanent

 

Reload the firewalld.

firewall-cmd --reload

 

Your firewall should now have somthing similar to this.

~]# firewall-cmd --list-all --zone=internal
internal
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols: 3128/tcp
  masquerade: port=80:proto=tcp:toport=3128:toaddr=192.168.0.2
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

 

If using iptables, add the following rules. Replace x.x.x.x/xx with the IP address and prefix of the Squid proxy server.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s x.x.x.x/xx -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

 


Squid.conf

In the /etc/squid/squid.conf file, configure port 3128 to intercept traffic that will be forwarded to the squid proxy server. Ensure the hostname of the Squid proxy server is visible. Replace your.hostname with the actual hostname of the Squid proxy server.

http_port 3128 intercept
visible_hostname your.hostname

 

Allow all http access.

http_access allow all

 

Restart Squid.

~]# systemctl restart squid

 


 

You can now use Wireshark to verify that traffic is being routed through your Squid proxy server.

 



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments