Configuring squid in transparent mode
To configure squid in transparent mode, use the following steps:
- yum -y install squid
- Edit /etc/squid/squid.conf and set the following values appropriately:
  - Update "http_port 3128" to "http_port 3128 intercept"
  - Append "shutdown_lifetime 1 second"
- Edit /etc/sysctl.conf and set 'net.ipv4.ip_forward=1'; also set it for the current run using 'sysctl net.ipv4.ip_forward=1'
- service squid start
- chkconfig squid on
- Find out the squid gid using "getent group squid". Typically 23.
- Set appropriate iptables rules using:
  - iptables -t nat -A POSTROUTING -j MASQUERADE
  - iptables -t nat -A PREROUTING -s <proxy-ip> -p tcp -m tcp --dport 80 -j ACCEPT
  - iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination <proxy-ip>:3128
  - iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
  - iptables-save > /etc/sysconfig/iptables
- Test from some client. Use tail -f /var/log/squid/access.log on the proxy to see if things are working. Use "tcpdump" on the various nodes to debug the setup if it is not working.
Transparent proxy on same sub-net
Warning: Advanced level
If the gateway for the proxy is in the same network as the clients, then the machine might send ICMP redirect messages. To prevent this, either block outgoing ICMP using iptables or disable generation of ICMP redirects using the following /etc/sysctl.conf lines:
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
Also use the sysctl command to modify the existing send_redirects values for the current run.
In this case verify that all send_redirects are disabled using:
cat /proc/sys/net/ipv4/conf/*/send_redirects
If any of the values is not 0 then use:
echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
and also append the same to '/etc/rc.d/rc.local'.
Do not do any of this if the proxy has two interfaces on two different networks and the various clients use the proxy as their gateway anyway.
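The settings from the steps above (the intercept http_port, ip_forward, and the per-interface send_redirects values from the same-subnet section) can be verified with the following script. It is an added example, not from the original page: the squid.conf path, the ip_forward file and the conf directory are parameters standing in for /etc/squid/squid.conf, /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv4/conf, and the sample tree it builds is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity checks for a
# transparent squid setup. Paths are parameters so the same functions run
# against constructed sample files here or against the live host.

# Succeeds if squid.conf has an "http_port ... intercept" line.
check_intercept_port() {
    grep -Eq '^[[:space:]]*http_port[[:space:]].*[[:space:]]intercept([[:space:]]|$)' "$1"
}

# Succeeds if the given sysctl file (e.g. .../ip_forward) holds exactly "1".
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Succeeds only if every <dir>/*/send_redirects is 0; lists offenders on stderr.
# This is the same check as "cat /proc/sys/net/ipv4/conf/*/send_redirects".
check_send_redirects() {
    rc=0
    for f in "$1"/*/send_redirects; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "send_redirects still enabled: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree (hypothetical values) standing in for the real
# squid.conf and /proc/sys/net/ipv4 paths; replace with the live paths to
# check an actual proxy.
demo_dir=$(mktemp -d)
printf 'http_port 3128 intercept\nshutdown_lifetime 1 second\n' > "$demo_dir/squid.conf"
mkdir -p "$demo_dir/conf/all" "$demo_dir/conf/default" "$demo_dir/conf/eth0"
echo 0 > "$demo_dir/conf/all/send_redirects"
echo 0 > "$demo_dir/conf/default/send_redirects"
echo 1 > "$demo_dir/conf/eth0/send_redirects"   # deliberately left enabled
echo 1 > "$demo_dir/ip_forward"

check_intercept_port "$demo_dir/squid.conf" && echo "squid.conf: intercept mode OK"
check_ip_forward "$demo_dir/ip_forward" && echo "ip_forward: OK"
if check_send_redirects "$demo_dir/conf"; then
    echo "send_redirects: all disabled"
else
    echo "send_redirects: fix with: echo 0 | tee $demo_dir/conf/*/send_redirects"
fi
rm -rf "$demo_dir"
```

Run it on the proxy itself with /etc/squid/squid.conf, /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv4/conf as the arguments; a non-zero return from check_send_redirects names the interface that still needs fixing.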
Steps learned from: