Setting up ubuntu 10.04 (Lucid) server with squid 3 as a Transparent Proxy

Sponsored Link
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
Thanks to Jayson for this guide

Complete Steps in Setting up UBUNTU Server 10 with SQUID 3 as a Transparent Proxy.

Step 1. Install the Ubuntu Server 10, include LAMP if you want

Step 2. Change the network interfaces from dhcp to static

sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet static

post-up iptables-restore < /etc/iptables.up.rules

auto eth1
iface eth1 inet static

Step 3. Install Web Admin (webmin) (Optional)

dpkg –install webmin_1.510-2_all.deb
sudo apt-get -f install

https://localhost-IP ADDRES:10000

*Note Make sure you give permission to the IPTABLES ruleset to for you to access webmin over the net.

Step 4. Install ClamAV and ClamAV-freshclam

sudo apt-get install clamav clamav-freshclam

Step 5. The first step is to install squid 3

sudo apt-get install squid3

edit the squid 3 configuration file in your favorite editor

sudo nano /etc/squid3/squid.conf

and set the transparency and the allowed hosts

http_port 3128 transparent
acl our_networks src
acl localnet src
http_access allow our_networks
http_access allow localnet

where is the IP range of local network. Probably you need to adjust the swap size

cache_dir ufs /var/spool/squid3 7000 16 256

here the first number denotes the size of cache in megabytes. Save you changes and restart the squid proxy by

sudo /etc/init.d/squid3 restart

Step 6. Edit the /etc/sysctl.conf

sudo nano /etc/sysctl.conf

Uncomment the line that enable packet forwarding for IPv4 and IPv6

Net.ipv4.ip_forward = 1
Net.ipv6.conf.all.forwarding = 1

Step 7. Edit the IPTABLE ruleset of NAT and FILTER

sudo nano /etc/iptables.up.rules


-A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j DNAT –to-destination
-A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j REDIRECT –to-ports 3128


-A INPUT –i lo –j ACCEPT
-A INPUT –m state –i eth0 –state REALATED,ESTABLISHED –j ACCEPT
-A INPUT –p tcp –m tcp –dport 22 –j ACCEPT # permit ssh using putty
-A INPUT –p tcp –m tcp –dport 10000 –j ACCEPT # permit webmin access
-A FORWARD –i eth1 –j ACCEPT
-A OUTPUT –o eth1 –j ACCEPT
-A FOWARD –o eth1 –j ACCEPT
-A FORWARD –s –o eth0 –j ACCEPT
-A FORWARD –d –m state –state ESTABLISHED,REALTED –I eth0 –j ACCEPT

STEP 8. Edit rc.local

sudo nano /etc/rc.local

iptables -t nat -A POSTROUTING -s –o eth0 -j MASQUERADE

Step 9. reboot the server

Step 10. Configure the workstation for static IP Address making the LAN IP of the Ubuntu box as the gateway. Make sure that the IP Address of the work station is within the network you setup.

Sponsored Link

You may also like...

17 Responses

  1. Webmin does not gel with debian / ubuntu and may break your system. This is also told by ubottu if you trigger her in the official ubuntu support channel. Ebox is to be used instead. Please don’t advise users how to break their systems. Thanks

  2. lildigiman says:

    Webmin works just fine for me on ubuntu 9.04 through 10.04 (others untested). I wouldn’t be so quick to say it will “break” your system. Besides, this guide isn’t for new linux users anyway.

  3. EricP says:

    Webmin works just fine, It does not break anything.
    I have it running on Ubuntu servers, from 8.x to the latest as well as Suse ENT running Google Earth ent.

    Webmin is rock solid.

  4. joe says:

    That looks like a bunch of work to me.

    You can set this up in Mandriva from the control center in about 5 clicks of the mouse.

    Another Ubuntu FAIL.

  5. EricP says:

    The link is very old, things have change since 2006.
    Now it is part of the Ubuntu wiki.

    Try this other one

    This other one is the reason for stopping support on version 7.04

  6. roemer2201 says:

    Could someone give me a more detailed description what each of the iptables lines does?

  7. Djoh says:

    It would be really “transparent: if you use bridge-utils and don’t give an IP to the ports, instead give an IP to br0 (so you have eth0 and eth1 acting as a switch – br0 is used to access the server through ssh, or even for a web server).

    It would avoid creating a new network ( in your case). Just insert the ubuntu machine between your router and your network – and voila !

  8. SiPHoN805 says:

    Thanks, works great.

  9. sumardi says:

    after installing squid3 and restar got the messages like this

    2010/11/15 12:42:08| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
    2010/11/15 12:42:08| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
    2010/11/15 12:42:08| WARNING: For now we will assume you meant to write /32
    [ OK
    anyone can help me thanks

  10. roemer2201 says:

    Look at these lines in your config:

    acl our_networks src
    acl localnet src

    Check if you really used the CIDR Syntax. (

  11. padezaw says:

    I have Ubuntu 10.04 with
    firestarter and dhcp working on my

    ADSL modem- switch-(my network 10.2.0/24) home network.

    then I wanted to run squid so I uninstalled firestarter and dhcp cause read that squid and firestarter won’t mix

    so I installed squid and was told I needed bind9 with squid but I had all sorts of errors with squid but bind9 seems to be running at least I can lookup IP address from ubuntu.

    I came across this page and so I uninstalled squid and installed squid3.

    after following your instructions I can receive the squid error page saying the requested URL could not be retrieved access denied. so this is closer then I have ever been and I think the firewall may be the problem.

    Please help.

  12. padezaw says:

    I forgot to add that I did not install webadmin and clam.

    another thing is my is assigned by my router


  13. turd says:

    with your configuration, guess wut

    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL:

    Access Denied.

    Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

    Your cache administrator is webmaster.

    888888 db 88 88 88 88 88″”Yb 888888
    88__ dPYb 88 88 88 88 88__dP 88__
    88″” dP__Yb 88 88 .o Y8 8P 88″Yb 88″”
    88 dP””””Yb 88 88ood8 `YbodP’ 88 Yb 888888

  14. The syntax is not correct here and COMMIT is also missing at the end of each portion.


    -A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j DNAT –to-destination
    -A PREROUTING –i eth1 –p tcp –m tcp –dport 80 –j REDIRECT –to-ports 3128

    It needs to look like this.


    -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination
    -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 3128

    The characters ‘–’ are un-recognized by iptables. It should be ‘-‘ instead.

    Same goes for the ‘filter’ part also.

  15. So the page is auto-formatting 2 ‘-‘ ‘-‘ as ‘–‘. The same happened to my comment as well. Can’t that be corrected.

  16. tom winter says:

    i see clamav is installed, but is it integrated with squid config in any way – or does web traffic go through the proxy without virus check?

  17. Keith says:

    Can anyone help me, I have a very unique need for special Squid config.
    I am setting up a Linux (Ubuntu) with Squid (a proxy server).
    Basically we want to run 10K proxies on one linux box, only a handful would ever be in use at any one time so the throughput is not an issue.
    Basically each “proxy” would be bound to the same IP but on a different port of that IP. Each port would redirect to (transparent proxy) one of our outbound IP addresses. So essentially you could change the IP address of your machine by simply changing the port of your proxy settings in your browser.
    Proxy1 redirects to
    Proxy1 redirects to
    Proxy1 redirects to
    Proxy1 redirects to
    Proxy1 redirects to
    And so on
    xxx just there to hide real IP space

Leave a Reply

Your email address will not be published. Required fields are marked *