System Administration
configure a transparent squid - centos 5.4 64-bit

 
SOLVED
iinfi1
Super Advisor

configure a transparent squid - centos 5.4 64-bit

I am in the process of configuring a squid proxy on my CentOS 5.4 64-bit machine.
I want to configure a transparent proxy so that machines in my network do not need to set their browsers and other applications to go through the proxy.
Basic proxy configuration I am able to take care of, but it is configuring the transparent proxy that is troubling me.
I have near-zero knowledge of iptables, which is why this is causing me trouble.
I have reached here: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid#Configuring_iptables_to_Support_the_Squid_Transparent_Proxy

What do the iptables commands do? Do they simply push traffic on port 80 to 3128? Do they cache web pages or not? Will 100 users accessing the same page go to the website or the proxy?
3 REPLIES
Michal Kapalka (mikap)
Honored Contributor
Solution

Re: configure a transparent squid - centos 5.4 64-bit

Matti_Kurkela
Honored Contributor

Re: configure a transparent squid - centos 5.4 64-bit

A regular (non-transparent) Web proxy requires that the browsers etc. are configured to use the proxy. That means they will direct their outgoing connections to the proxy instead of the destination website. The clients will also *know* they're using a proxy, and this allows some proxy-specific parts of the HTTP specification to come into effect. The regular proxy server does not need any special arrangements: it's just like any other server.

A transparent proxy, on the other hand, is something that just *grabs* HTTP connections and forces them to go through the proxy.

To do that, some device that is already on the route of the outgoing connections must change the destination of the connections. This device is most commonly a firewall or a router (perhaps the default gateway of the clients?).

If the Linux system that is running the squid proxy is also the router and/or firewall for the client machines, the iptables rules can do everything that is necessary.

To understand iptables, you'll need to first study this diagram to understand how the various kinds of rules are applied as the packets pass through the system:

http://unsyntax.net/james/blog/2007/08/22/Linux-iptables-diagram

The iptables commands from the Wiki page you linked include both NAT table rules (for changing the connections' destination) and filter rules (for acting as a firewall).

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128

NAT rule:
"Any traffic that comes in through eth1, uses the TCP protocol and is going to port 80 (the standard HTTP port) must be redirected to port 3128 on the local host."

This rule causes the outgoing HTTP connections to be passed to the local proxy application; without this rule, the FORWARD filter table would be used to determine whether the traffic would be simply allowed to pass through or rejected.

This rule will also automatically apply an inverse transformation in the OUTPUT phase to the packets Squid sends out from port 3128 as a response to the client, so that the client will see the response as coming from whatever host it attempted to connect.


iptables -A INPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
--dport 3128

Filter rule:
"Any traffic that comes in through eth1 _and is addressed for this machine_ and is going to port 3128 (e.g. after the application of the previous NAT rule) and does not look suspicious (=any state other than INVALID is accepted) must be accepted."


iptables -A OUTPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
--dport 80

Filter rule:
"Any traffic that originated from this machine and is going out through eth0 to TCP port 80 on any server and does not look suspicious, is accepted."
This covers the outgoing connections from the squid proxy itself.


iptables -A INPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -i eth0 -p tcp \
--sport 80

Filter rule:
"Any traffic that belongs to already-established connections, and is coming in _from_ TCP port 80 through eth0, is accepted."
This rule allows squid to get the web servers' responses to the requests it makes.


iptables -A OUTPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -o eth1 -p tcp \
--sport 80

Filter rule:
"Any traffic that belongs to already-established connections, and is going out _of this system_ through interface eth1 using source TCP port 80, is accepted."

This may seem nonsensical at first: where does the port 80 come from?
This is actually for the responses squid outputs from port 3128 to your clients... but as the inverse transformation of the first PREROUTING rule is already applied, at this point the packet looks like it is coming from port 80 of the Web server the client attempted to connect to.


After these (or similar) rules have been configured, you must configure squid to act as a _transparent_ proxy on port 3128 of this system. Squid does all the caching just like in the non-transparent case: the purpose of these iptables rules is to make the Linux TCP/IP sub-system "capture" the traffic that normally would be either rejected or simply passed through as-is.

If your squid system is *not* a router or a firewall for your clients, you don't need these iptables rules on the squid system: instead, you must configure your router/firewall to force the outgoing Web connections to end up at the squid system.

MK
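An added example (not from the thread or its authors) that turns the five rules Matti walks through into a small script: one function prints the rules for a given LAN interface, WAN interface and proxy port, and a second checks `iptables-save` output so you can confirm the REDIRECT rule is actually in place after applying them. The interface names eth1 (LAN) and eth0 (WAN) are the thread's assumptions; the `iptables-save` sample below is constructed.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumes eth1 = LAN side
# (clients), eth0 = WAN side, proxy on 3128, as in Matti's explanation.

# Print the rules in the order the answer explains them:
# 1. NAT: redirect client HTTP to the local squid port
# 2-5. filter: allow the redirected traffic in, squid's own fetches out,
#      the web servers' replies back in, and squid's replies back to clients.
gen_transparent_rules() {
    lan="$1"; wan="$2"; port="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $port
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -i $lan -p tcp --dport $port -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o $wan -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $wan -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -o $lan -p tcp --sport 80 -j ACCEPT
EOF
}

# Return 0 if iptables-save text on stdin contains the PREROUTING REDIRECT
# rule for the given LAN interface and port. Note iptables-save spells the
# target option "--to-ports" even when the rule was added with "--to-port".
# Use this to verify interception is really active (or to notice it is not).
has_redirect_rule() {
    lan="$1"; port="$2"
    grep -q -- "-A PREROUTING -i $lan -p tcp .*--dport 80 -j REDIRECT --to-ports $port"
}

# Constructed sample of what "iptables-save -t nat" prints once rule 1 is loaded.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# Stand-alone run: show the rules, then check the sample ruleset.
gen_transparent_rules eth1 eth0 3128
if printf '%s\n' "$SAMPLE_SAVE" | has_redirect_rule eth1 3128; then
    echo "REDIRECT rule for eth1 -> 3128 present"
else
    echo "REDIRECT rule missing: clients would bypass the proxy"
fi
```

Apply the generated lines as root (e.g. pipe them to `sh`) and then run `iptables-save -t nat | has_redirect_rule eth1 3128` on the real box; on CentOS 5's squid 2.6 the matching squid.conf line is `http_port 3128 transparent` (Squid 3.1 and later spell the option `intercept`).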
iinfi1
Super Advisor

Re: configure a transparent squid - centos 5.4 64-bit

Thank you Michal
Thank you Matti

I will check your steps and howtos soon...