Setting up ubuntu 10.04 (Lucid) server with squid 3 as a Transparent Proxy
Thanks to Jayson for this guide
Complete Steps in Setting up UBUNTU Server 10 with SQUID 3 as a Transparent Proxy.
Step 1. Install the Ubuntu Server 10, include LAMP if you want
Step 2. Change the network interfaces from dhcp to static
sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.1.250
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.88
post-up iptables-restore < /etc/iptables.up.rules
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
Step 3. Install Web Admin (webmin) (Optional)
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.510-2_all.deb
sudo dpkg --install webmin_1.510-2_all.deb
sudo apt-get -f install
Then log in to Webmin at https://<server IP address>:10000
Note: make sure the iptables ruleset (Step 7) permits access to port 10000 so you can reach Webmin over the network.
Step 4. Install ClamAV and ClamAV-freshclam
sudo apt-get install clamav clamav-freshclam
Step 5. Install squid 3
sudo apt-get install squid3
edit the squid 3 configuration file in your favorite editor
sudo nano /etc/squid3/squid.conf
and set the transparency and the allowed hosts
http_port 3128 transparent
acl our_networks src 192.168.2.0/24
acl localnet src 127.0.0.1/32
http_access allow our_networks
http_access allow localnet
where 192.168.2.0/24 is the IP range of your local network. You will probably also need to adjust the cache (swap) size
cache_dir ufs /var/spool/squid3 7000 16 256
here the first number denotes the size of the cache in megabytes. Save your changes and restart the squid proxy with
sudo /etc/init.d/squid3 restart
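Squid reads http_access lines top to bottom and the first match decides; if nothing matches, the default is the opposite of the last line's action, so the allow lines above belong before the http_access deny all that the stock squid.conf ends with. The following added example (my code, not from the guide or the Squid project) simulates that evaluation over the guide's ACLs; the trailing deny all and the client addresses are assumed for illustration.

```python
import ipaddress

# Constructed squid.conf excerpt: the guide's four ACL lines followed by the
# "http_access deny all" that the stock Ubuntu squid.conf ends with (assumed).
GUIDE_LINES = """\
acl our_networks src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255
http_access allow our_networks
http_access allow localnet
"""
SQUID_CONF = GUIDE_LINES + "http_access deny all\n"

def parse_conf(text):
    """Collect 'acl NAME src ...' networks and the ordered http_access lines."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}   # squid's built-in 'all'
    rules = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            # Squid accepts CIDR and dotted netmasks (squid3 warns about the
            # latter); ipaddress understands both spellings too.
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(v, strict=False) for v in parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))   # several names on one line are ANDed
    return acls, rules

def http_access(text, client_ip):
    """Decide allow/deny for client_ip the way Squid does: the first http_access
    line whose ACLs all match wins; if none matches, the result is the opposite
    of the LAST line's action, so a config ending in a deny defaults to allow."""
    acls, rules = parse_conf(text)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(any(ip in net for net in acls.get(n, [])) for n in names):
            return action
    if not rules:                 # no http_access lines at all: Squid denies
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"
```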
Step 6. Edit /etc/sysctl.conf
sudo nano /etc/sysctl.conf
Uncomment the lines that enable packet forwarding for IPv4 and IPv6
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Step 7. Edit the iptables ruleset (nat and filter tables)
sudo nano /etc/iptables.up.rules
*nat
# send web traffic arriving from the LAN (eth1) to squid on port 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
# the DNAT rule above already catches this traffic, so this REDIRECT never fires; kept from the original
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# rewrite the source address of LAN traffic leaving through eth0
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
# replies to connections the server itself opened on the Internet side
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# anything from the LAN side
-A INPUT -i eth1 -j ACCEPT
# permit ssh using putty
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# permit webmin access
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# log and drop everything else aimed at the server
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
# LAN hosts may go out to the Internet; only replies come back in
-A FORWARD -s 192.168.2.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
COMMIT
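A ruleset that iptables-restore rejects leaves the box without the rules it was meant to load, so it pays to check the file before rebooting. The following added example (my code, not from the guide) is a small lint for the mistakes a pasted ruleset typically picks up: typographic dashes, a table without COMMIT, a misspelt chain or conntrack state, and an interface name with its -i/-o missing; the sample ruleset is constructed.

```python
import re

# Constructed sample (not from the guide) reproducing the kinds of mistakes
# a copy-pasted ruleset picks up: en dashes, a missing COMMIT, a --state typo,
# an interface name given without -i, a misspelt chain.
SAMPLE_RULES = """\
*nat
-A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j REDIRECT –to-ports 3128
*filter
-A INPUT -i eth0 -m state --state REALATED,ESTABLISHED -j ACCEPT
-A INPUT eth1 -j ACCEPT
-A FOWARD -o eth1 -j ACCEPT
COMMIT
"""

VALID_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
BAD_DASH = re.compile("[\u2013\u2014]")  # en/em dash from blogs and word processors

def lint_rules(text):
    """Return (line_no, message) findings for an iptables-restore style file."""
    findings, table, committed, chains = [], None, True, set(BUILTIN_CHAINS)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if BAD_DASH.search(line):
            findings.append((no, "typographic dash; iptables only accepts '-' and '--'"))
            line = BAD_DASH.sub("--", line)  # normalise so the remaining checks still run
        tokens = line.split()
        if line.startswith("*"):            # new table: the previous one must have committed
            if not committed:
                findings.append((no, "table '%s' has no COMMIT" % table))
            table, committed, chains = line[1:], False, set(BUILTIN_CHAINS)
        elif line == "COMMIT":
            committed = True
        elif line.startswith(":"):          # chain declaration, e.g. ':INPUT ACCEPT [0:0]'
            chains.add(tokens[0][1:])
        elif tokens[0] in ("-A", "-I") and len(tokens) > 1:
            if tokens[1] not in chains:
                findings.append((no, "unknown chain '%s'" % tokens[1]))
            if len(tokens) > 2 and not tokens[2].startswith("-"):
                findings.append((no, "'%s' right after the chain name; missing -i/-o?" % tokens[2]))
            if "--state" in tokens and tokens.index("--state") + 1 < len(tokens):
                for state in tokens[tokens.index("--state") + 1].split(","):
                    if state not in VALID_STATES:
                        findings.append((no, "unknown conntrack state '%s'" % state))
    if table is not None and not committed:
        findings.append((len(text.splitlines()) + 1, "table '%s' has no COMMIT at end of file" % table))
    return findings
```

On the server itself, iptables-restore --test < /etc/iptables.up.rules performs the real syntax check without touching the live tables.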
Step 8. Edit rc.local
sudo nano /etc/rc.local
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
Step 9. Reboot the server
Step 10. Configure the workstation with a static IP address, using the LAN IP of the Ubuntu box (192.168.2.1) as the gateway. Make sure the workstation's IP address is within the network you set up.
Webmin does not gel with debian / ubuntu and may break your system. This is also told by ubottu if you trigger her in the official ubuntu support channel. Ebox is to be used instead. Please don’t advise users how to break their systems. Thanks
Webmin works just fine for me on ubuntu 9.04 through 10.04 (others untested). I wouldn’t be so quick to say it will “break” your system. Besides, this guide isn’t for new linux users anyway.
Webmin works just fine, it does not break anything.
I have it running on Ubuntu servers, from 8.x to the latest as well as Suse ENT running Google Earth ent.
Webmin is rock solid.
That looks like a bunch of work to me.
You can set this up in Mandriva from the control center in about 5 clicks of the mouse.
Another Ubuntu FAIL.
The link is very old, things have changed since 2006.
Now it is part of the Ubuntu wiki.
Try this other one
https://wiki.ubuntu.com/webmin
This other one is the reason for stopping support on version 7.04
https://help.ubuntu.com/community/WebminWithoutARootAccount
Could someone give me a more detailed description what each of the iptables lines does?
It would be really “transparent” if you use bridge-utils and don’t give an IP to the ports, instead give an IP to br0 (so you have eth0 and eth1 acting as a switch – br0 is used to access the server through ssh, or even for a web server).
It would avoid creating a new network (192.168.2.0 in your case). Just insert the ubuntu machine between your router and your network – and voila !
Thanks, works great.
After installing squid3 and restarting I got messages like this
2010/11/15 12:42:08| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2010/11/15 12:42:08| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2010/11/15 12:42:08| WARNING: For now we will assume you meant to write /32
[ OK
Can anyone help me? Thanks
Look at these lines in your config:
acl our_networks src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255
Check if you really used the CIDR Syntax. (http://de.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
I have Ubuntu 10.04 with firestarter and dhcp working on my ADSL modem-10.1.1.1-ubuntu-10.2.0.1-network switch-(my network 10.2.0/24) home network.
Then I wanted to run squid, so I uninstalled firestarter and dhcp because I read that squid and firestarter won’t mix.
So I installed squid and was told I needed bind9 with squid, but I had all sorts of errors with squid; bind9 seems to be running at least, I can look up the http://www.google.com IP address from ubuntu.
I came across this page and so I uninstalled squid and installed squid3.
After following your instructions I can receive the squid error page saying the requested URL could not be retrieved, access denied. So this is closer than I have ever been and I think the firewall may be the problem.
Please help.
I forgot to add that I did not install webadmin and clam.
Another thing is my 10.1.1.1 is assigned by my router.
padezaw
with your configuration, guess wut
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://www.google.com/firefox?
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
The syntax is not correct here and COMMIT is also missing at the end of each portion.
*nat
-A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j DNAT –to-destination 192.168.2.1:3128
-A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j REDIRECT –to-ports 3128
-A POSTROUTING –s 192.168.2.0/24 –o eth0 –j MASQUERADE
It needs to look like this.
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
The characters ‘–’ are unrecognized by iptables. It should be ‘-’ instead.
Same goes for the ‘filter’ part also.
So the page is auto-formatting two ‘-’ ‘-’ as ‘–’. The same happened to my comment as well. Can’t that be corrected?
I see clamav is installed, but is it integrated with the squid config in any way – or does web traffic go through the proxy without a virus check?
Can anyone help me, I have a very unique need for special Squid config.
I am setting up a Linux (Ubuntu) with Squid (a proxy server).
Basically we want to run 10K proxies on one linux box, only a handful would ever be in use at any one time so the throughput is not an issue.
Basically each “proxy” would be bound to the same IP but on a different port of that IP. Each port would redirect to (transparent proxy) one of our outbound IP addresses. So essentially you could change the IP address of your machine by simply changing the port of your proxy settings in your browser.
ALA
Proxy1 192.168.0.100:10000 redirects to 208.xxx.xxx.1
Proxy1 192.168.0.100:10001 redirects to 208.xxx.xxx.2
Proxy1 192.168.0.100:10002 redirects to 208.xxx.xxx.3
Proxy1 192.168.0.100:10003 redirects to 208.xxx.xxx.4
Proxy1 192.168.0.100:10004 redirects to 208.xxx.xxx.5
And so on
xxx is just there to hide the real IP space