Difference between revisions of "Configuring squid in transparent mode"

From Notes_Wiki
Revision as of 18:41, 30 November 2014


Configuring squid in transparent mode

To configure squid in transparent (intercepting) mode use the following steps:

  1. yum -y install squid
  2. Edit /etc/squid/squid.conf and set the following values appropriately:
    1. Change "http_port 3128" to "http_port 3128 intercept" (Squid 3.1 and later; Squid 2.x spelled this option "transparent")
    2. Append "shutdown_lifetime 1 second" so that a restart does not wait the default 30 seconds for active client connections to finish
  3. Edit /etc/sysctl.conf and set 'net.ipv4.ip_forward=1'; also set it for the current run using 'sysctl -w net.ipv4.ip_forward=1'
  4. service squid start
  5. chkconfig squid on
  6. Find out the squid gid using "getent group squid". It is typically 23.
  7. Set the iptables rules, in this order:
    iptables -t nat -A POSTROUTING -j MASQUERADE
    iptables -t nat -A PREROUTING -s <proxy-ip> -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination <proxy-ip>:3128
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
    iptables-save > /etc/sysconfig/iptables
    The ACCEPT rule must come before the DNAT rule so that traffic from the proxy's own address is exempted from redirection back into squid. The mangle PREROUTING chain is traversed before nat PREROUTING, so the DROP rule only affects connections that clients open directly to port 3128; intercepted traffic still carries destination port 80 at that point and is not dropped. Only plain HTTP on port 80 is intercepted by these rules; HTTPS on port 443 is merely masqueraded and bypasses the proxy.
  8. Test from a client. Use "tail -f /var/log/squid/access.log" on the proxy to see whether requests are being logged. Use "tcpdump" on the various nodes to debug the setup if it is not working.
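The rule set from step 7 as a rerunnable script. This is an added example and not code from the wiki page; it assumes a proxy address of 192.0.2.10 (override with PROXY_IP) and an iptables new enough to support "-C" (1.4.11 or later) so that each rule is only appended when it is not already present.

```shell
#!/bin/bash
# Added example, not code from the wiki page: generate and apply the
# transparent-proxy iptables rules from step 7 idempotently.
# Assumptions (not from the page): the proxy address 192.0.2.10 and the
# availability of "iptables -C" (iptables 1.4.11+) to test for a rule.

PROXY_IP="${PROXY_IP:-192.0.2.10}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the rule set, one rule per line, without the leading "iptables".
# Order matters: the -s <proxy-ip> ACCEPT must precede the DNAT, and the
# mangle DROP sees packets before nat PREROUTING rewrites the port, so it
# only drops direct client connections to the intercept port.
transparent_rules() {
    proxy_ip="$1"; port="$2"
    cat <<EOF
-t nat -A POSTROUTING -j MASQUERADE
-t nat -A PREROUTING -s $proxy_ip -p tcp -m tcp --dport 80 -j ACCEPT
-t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination $proxy_ip:$port
-t mangle -A PREROUTING -p tcp -m tcp --dport $port -j DROP
EOF
}

# Apply each rule only if "iptables -C" reports it absent, so the script
# can be rerun without duplicating rules. With dry=1 it only prints the
# commands it would run.
apply_rules() {
    proxy_ip="$1"; port="$2"; dry="$3"
    transparent_rules "$proxy_ip" "$port" | while IFS= read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        if [ "$dry" = "1" ]; then
            echo "iptables $rule"
        # $check and $rule are expanded unquoted on purpose: they hold
        # separate command-line arguments.
        elif ! iptables $check 2>/dev/null; then
            iptables $rule
        fi
    done
}

case "${1:-}" in
    --apply)
        sysctl -w net.ipv4.ip_forward=1
        apply_rules "$PROXY_IP" "$SQUID_PORT" 0
        iptables-save > /etc/sysconfig/iptables
        ;;
    *)
        # Default is a dry run: show the rules that --apply would add.
        apply_rules "$PROXY_IP" "$SQUID_PORT" 1
        ;;
esac
```

Run it without arguments to print the rules, or with --apply as root to enable forwarding, add the missing rules and save them. The rules are kept exactly as on the page; on a proxy that also has an upstream interface, adding "-i <lan-interface>" to the two PREROUTING rules restricts interception to traffic arriving from the client side.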


Transparent proxy on same sub-net

Warning: Advanced level

If the proxy's gateway is on the same network as the clients, and the clients use the proxy as their gateway, the proxy will send ICMP redirect messages (ICMP type 5) telling the clients to reach the gateway directly. Clients that honour the redirect then bypass the proxy. To prevent this either block outgoing ICMP redirects using iptables or disable generation of ICMP redirects using the following /etc/sysctl.conf lines:

     net.ipv4.conf.all.send_redirects=0
     net.ipv4.conf.default.send_redirects=0

Also use the sysctl command to change the send_redirects values for the current run.

Then verify that send_redirects is disabled on every interface. The kernel sends redirects on an interface if either the "all" setting or that interface's own setting is 1, so each one must be 0:

cat /proc/sys/net/ipv4/conf/*/send_redirects

If any of the values is not 0 then use:

echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects

and also append the same command to '/etc/rc.d/rc.local' so that it is reapplied at boot.

Do not do any of this if the proxy has two interfaces on two different networks and the clients use the proxy as their gateway anyway; in that layout the gateway is not on the clients' interface, so no redirect is generated.
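The check-and-fix from this section as a script. This is an added example and not code from the wiki page; the sysctl directory is a parameter only so that the same functions can be exercised against a copy of /proc/sys/net/ipv4/conf, which is an assumption of the example rather than something the page describes.

```shell
#!/bin/bash
# Added example, not code from the wiki page: report and disable ICMP
# redirect generation on every interface of a proxy that is also the
# clients' gateway. The directory argument defaults to the real sysctl
# tree; passing another directory is only for testing the functions.

# Print "path=value" for every send_redirects knob that is not 0.
# Returns 0 when all are disabled, 1 otherwise.
check_send_redirects() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for f in "$dir"/*/send_redirects; do
        [ -e "$f" ] || continue
        read -r v < "$f"
        if [ "$v" != "0" ]; then
            echo "$f=$v"
            bad=1
        fi
    done
    return $bad
}

# Write 0 into every send_redirects knob under dir (the same effect as the
# "echo 0 | tee" command in the text), then return the result of the check.
disable_send_redirects() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$dir"/*/send_redirects; do
        [ -e "$f" ] || continue
        echo 0 > "$f"
    done
    check_send_redirects "$dir" >/dev/null
}

# The two persistent lines for /etc/sysctl.conf. Both are needed: "all"
# covers existing interfaces, "default" covers interfaces created later.
sysctl_lines() {
    printf 'net.ipv4.conf.all.send_redirects=0\nnet.ipv4.conf.default.send_redirects=0\n'
}

case "${1:-}" in
    --check)
        check_send_redirects || echo "some interfaces still send ICMP redirects; rerun with --fix"
        ;;
    --fix)
        disable_send_redirects && echo "send_redirects disabled on all interfaces"
        ;;
esac
```

Run with --check to list the interfaces that still have send_redirects=1, and with --fix as root to clear them; the --fix invocation is what belongs in /etc/rc.d/rc.local, alongside the two sysctl_lines in /etc/sysctl.conf.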


Steps learned from: