Setting up Squid as a transparent proxy has one big advantage: you don't need to configure every machine on your LAN to use Squid manually. All web traffic is redirected to Squid's listening port automatically, and your Ubuntu box acts as the router for the LAN.
Follow these steps to set up a Transparent Proxy Server with Squid3 on Ubuntu 11.10 (Oneiric Ocelot)
1. Install Ubuntu Oneiric Ocelot Server or Desktop on your computer.
2. Change your network interfaces from DHCP to Static
nano /etc/network/interfaces
Delete all the text and paste this text in your interfaces file:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.0.12
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.3

auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
Where 192.168.0.12 is the IP address of your WAN interface and 192.168.2.1 is the IP address of your LAN interface.
nano /etc/resolv.conf
Paste this text in the file that opens up:
nameserver 127.0.0.1
A nameserver entry of 127.0.0.1 means the box resolves names through a local, caching-only name server; that is the BIND9 cache set up in step 17.
3. Install squid3:
sudo apt-get install squid3
4. Make a backup of your squid.conf for future reference. The stock squid.conf lists nearly all of Squid's options, and it is worth reading through it to learn what they do.
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
5. Configure squid3:
nano /etc/squid3/squid.conf
Remove all the text and paste this text in your squid.conf file:
http_port 3128 transparent
acl LAN src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255
# Limited file download < 250 MB
reply_body_max_size 250 MB
http_access allow LAN
http_access allow localnet
# No cache anything
no_cache deny all
Where 192.168.2.0/24 is the range of your LAN interface. As pasted, the last line (no_cache deny all) stops Squid from caching anything. If you want Squid to keep a disk cache, use a cache_dir line instead; its first number is the size of the cache in MB, e.g. 20480 for a 20 GB cache.
Save and close this file.
6. Restart squid3:
/etc/init.d/squid3 restart
7. Edit /etc/sysctl.conf:
nano /etc/sysctl.conf
In this file, uncomment the lines that enable packet forwarding for IPv4 (and, if you route it, IPv6). The IPv4 line is:
net.ipv4.ip_forward=1
Save and close this file.
8. Define IPTABLE rules for port forwarding.
nano /etc/fw.proxy
Paste this text in the file that opens up:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.2.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -I INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 82 --syn -j ACCEPT
# Algo string
iptables -I FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -I FORWARD -m string --algo bm --string "peer_id=" -j DROP
iptables -I FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -I FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "announce" -j DROP
iptables -I FORWARD -m string --algo bm --string "tracker." -j DROP
iptables -I FORWARD -m string --algo bm --string "info_hash" -j DROP
iptables -I FORWARD -m string --algo bm --string "/default.ida?" -j DROP #codered virus
iptables -I FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP #nimda virus
iptables -I FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP #nimda virus
# bittorrent key
iptables -I FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
# DHT keyword
iptables -I FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce_peers" --algo kmp --to 65535 -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "info_hash" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "announce" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "torrent" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "sumotracker" --algo bm -j DROP
iptables -I INPUT -p tcp -m tcp --dport 22222 --dst $SQUID_SERVER -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 22222 --dst 192.168.0.12 -j ACCEPT
iptables -A INPUT -j LOG --log-level info --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-level info --log-prefix "FORWARD "
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save and close this file.
Make the script executable:
chmod +x /etc/fw.proxy
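Before a script like the one above is launched from rc.local on every boot, it helps to be able to see the whole rule set as text and to check it for ACCEPT rules that admit new connections on any interface. The script below is an added example written for this page, not the post's own /etc/fw.proxy: fw_generate prints a smaller rule set built around the same DNAT interception rule, with the FORWARD policy set to DROP and every ACCEPT for new connections tied to the LAN interface and LAN range; fw_lint reads any iptables script and lists INPUT/FORWARD ACCEPT rules that carry no -i restriction (the post's --dport 53 and --dport 82 rules are of that kind, so they are reachable from eth0 as well as eth1); fw_apply runs the generated rules under sh -e so that a typo stops the script instead of leaving a half-loaded firewall. The addresses, interface names and SSH port 22222 are taken from the post; the function names are this example's own, and the string-matching rules are left out because they are unrelated to interception.

```shell
#!/bin/sh
# Added example (not from the original post): build the transparent-proxy
# firewall rules as text, review them, then apply. Addresses, interfaces and
# the SSH port 22222 are the ones the post uses; override them from the
# environment if yours differ.
SQUID_SERVER="${SQUID_SERVER:-192.168.2.1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
INTERNET="${INTERNET:-eth0}"
LAN_IN="${LAN_IN:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
SSH_PORT="${SSH_PORT:-22222}"

# Prints the rule set, one iptables command per line. Nothing is executed.
# Compared with the post's script: FORWARD defaults to DROP, every ACCEPT
# that admits new connections names the LAN interface and LAN range, and the
# Internet side gets nothing but reply traffic. DHCP (udp/67) is accepted
# without a source match because DHCP discovers arrive from 0.0.0.0.
fw_generate() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IN -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IN -s $LAN_NET -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IN -p icmp -j ACCEPT
iptables -A INPUT -j LOG --log-level info --log-prefix "INPUT DROP "
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IN -o $INTERNET -s $LAN_NET -j ACCEPT
iptables -A FORWARD -j LOG --log-level info --log-prefix "FORWARD DROP "
iptables -t nat -A PREROUTING -i $LAN_IN -s $LAN_NET -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
EOF
}

# Reads an iptables script on stdin and prints INPUT/FORWARD ACCEPT rules
# that admit new connections without naming an input interface (-i); such
# rules apply to traffic arriving from the Internet side as well as from the
# LAN. Rules matching only ESTABLISHED/RELATED traffic are skipped.
# Returns 1 when at least one such rule is found, 0 otherwise.
fw_lint() {
    awk '/^iptables / && /-j ACCEPT/ && /(-A|-I|--append|--insert) (INPUT|FORWARD)/ &&
         !/ESTABLISHED/ && !/-i / && !/--in-interface/ { print; n++ }
         END { exit (n > 0) }'
}

# Applies the generated rules, stopping at the first command that fails.
fw_apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_generate | sh -e
}

case "${1:-}" in
    show)  fw_generate ;;
    lint)  fw_lint < "${2:-/etc/fw.proxy}" ;;
    apply) fw_apply ;;
esac
```

Save it as, say, /etc/fw-review.sh and run sh /etc/fw-review.sh show to read the rules, sh /etc/fw-review.sh lint /etc/fw.proxy to check the post's script, and sh /etc/fw-review.sh apply as root once you are happy with them; like /etc/fw.proxy it can then be called from /etc/rc.local.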
9. Edit /etc/rc.local:
nano /etc/rc.local
Paste this text at the end of the file that opens up but before "exit 0":
/etc/fw.proxy
Save and close this file.
10. Reboot your server.
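After the reboot, the quickest way to confirm that interception is working is Squid's access log (/var/log/squid3/access.log for the squid3 package): every LAN client's port 80 requests should show up there even though no browser was configured to use a proxy. The script below is an added example, not part of the original post. It reads Squid's native log format and reports requests per client with the number that were TCP_DENIED, the client addresses that fall outside the LAN prefix, and the most-requested hosts. A WAN-side address appearing in the log is worth a look, because the post's REDIRECT rule on eth0 also sends port 80 traffic arriving from the Internet side to Squid, where the LAN-only http_access rules deny it. The sample log lines are constructed for the demo, not captured traffic, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Squid's native
# access.log to confirm that LAN clients are being intercepted and to spot
# requests from addresses that should never reach the proxy.
# The log path is the squid3 package default; LAN_PREFIX is the post's LAN.
SQUID_LOG="${SQUID_LOG:-/var/log/squid3/access.log}"
LAN_PREFIX="${LAN_PREFIX:-192.168.2.}"

# Native format, one request per line:
#   timestamp elapsed client code/status bytes method url ident hierarchy/peer type
# Prints "client total denied" for every client, sorted by client address.
squid_summary() {
    awk '{
        split($4, cs, "/")
        total[$3]++
        if (cs[1] == "TCP_DENIED") denied[$3]++
    }
    END {
        for (c in total) printf "%s %d %d\n", c, total[c], denied[c] + 0
    }' | sort
}

# Lists client addresses that do not start with the LAN prefix, e.g. hosts
# on the WAN side that reached the intercept port.
squid_foreign_clients() {
    awk -v p="$LAN_PREFIX" 'index($3, p) != 1 { seen[$3]++ }
        END { for (c in seen) print c }' | sort
}

# Prints "count host" for every requested host, most requested first.
squid_top_hosts() {
    awk '{
        url = $7
        sub("^[a-z]+://", "", url)   # strip the scheme
        sub("[/:].*", "", url)       # keep the host part only
        n[url]++
    }
    END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# Constructed sample lines in Squid native format (not real traffic): two
# intercepted LAN requests, one denied LAN request, one denied WAN-side hit.
SAMPLE_LOG='1320100000.123    312 192.168.2.101 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1320100001.456    201 192.168.2.101 TCP_MISS/200 2048 GET http://www.example.com/logo.png - DIRECT/93.184.216.34 image/png
1320100002.789      3 192.168.2.150 TCP_DENIED/403 3456 GET http://www.example.org/ - NONE/- text/html
1320100003.000      2 192.168.0.77 TCP_DENIED/403 3456 GET http://www.example.net/ - NONE/- text/html'

case "${1:-}" in
    summary) squid_summary < "$SQUID_LOG" ;;
    foreign) squid_foreign_clients < "$SQUID_LOG" ;;
    hosts)   squid_top_hosts < "$SQUID_LOG" ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | squid_summary ;;
esac
```

Run it as sh squidlog.sh demo to see the output on the built-in sample, or sh squidlog.sh summary (foreign, hosts) against the live log; a LAN client that never appears in the summary after browsing is the first sign that its traffic is not passing through the DNAT rule.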
If you don't want to go to each machine on your network and configure it with a static IP, you can use dhcp3-server to hand out dynamic IPs to all the computers on your LAN and have them send all their Internet traffic through your Squid box.
11. Install dhcp3-server:
apt-get install dhcp3-server
12. Edit /etc/default/isc-dhcp-server (on 11.10 dhcp3-server is a transitional package for isc-dhcp-server, which owns this file):
nano /etc/default/isc-dhcp-server
Type eth1 in between the quotes in this line:
INTERFACES=""
Save and close this file.
13. Make a backup of your original /etc/dhcp/dhcpd.conf:
cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original
14. Edit /etc/dhcp/dhcpd.conf:
nano /etc/dhcp/dhcpd.conf
Delete all the text and paste this text in the file that opens up:
ddns-update-style none;
log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.100 192.168.2.200;
  option domain-name-servers 192.168.2.1;
  option routers 192.168.2.1;
  option broadcast-address 192.168.2.255;
  default-lease-time 600;
  max-lease-time 7200;
}
The DHCP clients are told to use 192.168.2.1, this box, as their DNS server; the BIND9 cache on it (step 17) forwards to True (an ISP in Thailand) DNS servers in this example. You can point clients at your own DNS server instead if you have one on your network.
Save and close this file.
Make sure all the cables on your network are plugged in and the devices are powered on.
15. Start dhcp3-server (on 11.10 the service is called isc-dhcp-server, so use service isc-dhcp-server start if the dhcp3-server name is not recognised):
service dhcp3-server start
16. Reboot your server.
17. Install BIND9 if you didn't install it already (the nameserver 127.0.0.1 entry from step 2 depends on it):
apt-get install bind9 dnsutils
dnsutils provides the dig command, which is handy for testing the resolver.
Edit the BIND options file to make it a caching-only forwarder:
nano /etc/bind/named.conf.options
Delete all the text and paste this text in the file that opens up:
options {
  directory "/var/cache/bind";
  forwarders {
    203.144.207.29;
    203.144.207.49;
  };
  auth-nxdomain no;
  allow-query { any; };
};
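The allow-query { any; } line above lets the cache answer for any address that can reach port 53 on the box, including over the WAN interface if the firewall lets the packets in (the post's firewall script accepts TCP port 53 on every interface). As an added example, not from the original post, the script below writes a named.conf.options that restricts the cache to the LAN and the box itself, and checks an existing options file for an allow-query or allow-recursion set to any. The True DNS forwarders, the LAN range and the LAN address are the post's; the acl name lan and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate a named.conf.options
# that serves only the LAN, and check an existing file for an unrestricted
# allow-query/allow-recursion. Defaults are the post's LAN range, the LAN
# address of the box and its True DNS forwarders; override via environment.
LAN_NET="${LAN_NET:-192.168.2.0/24}"
LAN_IP="${LAN_IP:-192.168.2.1}"
FORWARDERS="${FORWARDERS:-203.144.207.29; 203.144.207.49;}"

# Prints the options file. Compared with "allow-query { any; }", the acl
# limits who may ask the cache anything, and listen-on keeps port 53 off the
# WAN address entirely, so the firewall is not the only thing in the way.
bind_options_generate() {
    cat <<EOF
acl lan { $LAN_NET; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    forwarders { $FORWARDERS };
    auth-nxdomain no;
    listen-on { 127.0.0.1; $LAN_IP; };
    allow-query { lan; };
    allow-recursion { lan; };
    allow-query-cache { lan; };
};
EOF
}

# Reads a named.conf.options on stdin and returns 1 if allow-query or
# allow-recursion is set to "any", which makes the box an open resolver
# for anyone able to reach port 53; returns 0 otherwise.
bind_options_check() {
    awk '/allow-(query|recursion)[[:space:]]*[{][[:space:]]*any[[:space:]]*;/ { open = 1 }
         END { exit (open ? 1 : 0) }'
}

case "${1:-}" in
    show)  bind_options_generate ;;
    check) bind_options_check < "${2:-/etc/bind/named.conf.options}" ;;
    install)
        bind_options_generate > /etc/bind/named.conf.options &&
        named-checkconf && service bind9 restart ;;
esac
```

sh bind-options.sh check reports on the file the post has you paste (exit status 1), sh bind-options.sh show prints the restricted version, and sh bind-options.sh install writes it, validates it with named-checkconf from the bind9 package and restarts the service.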
Comment: If I have only one LAN card, how do I set it up? Thank you.
Reply: http://manajung.blogspot.com/2009/11/transparent-squid-proxy-server-with-1.html I have done it this way.