Gentoo Forums
How 2 Squid transparency proxy?
CaptainBlood
l33t


Joined: 24 Jan 2010
Posts: 996

Posted: Fri Jul 10, 2015 8:27 pm    Post subject: How 2 Squid transparency proxy?

There seems 2B2 methods:
One implying IPTABLES only via REDIRECT.
Second also implying TPROXY with MANGLE.

Asking 4 advice which 2 choose B4 spending another 2 days 2 succeed the bad way ... :lol:

Thanks 4 ur attention.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1717

Posted: Fri Jul 10, 2015 9:43 pm

I used to do that on iptables, redirecting all passing-through traffic to port 80 at local 3128 instead. That was the easy part; the hard one was getting squid's config sorted. ACL rules there were a real pain. I think I eventually dropped them all and relied solely on the firewall to keep outsiders away.

Oh, and squid is not transparent by default. It expects the browser to actively cooperate. You will have to change some option in its config to let it slip in (and another if you want to remove the extra header squid puts into the http requests it makes).
papahuhn
l33t


Joined: 06 Sep 2004
Posts: 623

Posted: Mon Jul 13, 2015 7:04 am

Squid combined with tproxy is used in networks where clients have their own public IP. Squid will connect to the destination while using the original source IP on its own socket, which is not possible by default. If you want to use squid in your home network and have only one public IP, there is no point in using tproxy, as you will have to NAT the clients anyway.
_________________
Death by snoo-snoo!
DawgG
l33t


Joined: 17 Sep 2003
Posts: 808

Posted: Thu Jul 16, 2015 9:26 am

what goal are you trying to reach? how many machines (firewalls/routers) are involved?

generally, you have to direct packets destined to port 80 to the (configured) squid-port; this is usually done with NAT on the same or some other box. then squid has to run in transparent mode and its ACLs and (maybe) parents/siblings configured.

in my case the NAT-firewall picks out the packets sent (by the clients behind the captive portal) to port 80 and SNATs them to the squid-box:3128. this is the relevant line in squid.conf:
Code:
http_port <SQUID-BOX-IP>:3128 transparent connection-auth=off

squid then fetches the stuff either directly or (in my case) from its parent; this is configured with the ACLs/RULEs. if you don't need any fancy filtering/redirection-stuff 10-20 lines combined will do the job.
the fetched content is then sent back to the firewall which SNATs it back to the clients.

it is important to note that squid would not run in transparent mode when iptables was not activated in the kernel; nothing has to be installed or configured, it just has to be activated:
Code:
<SQUID-BOX>~ # zgrep -i iptables /proc/config.gz
CONFIG_IP_NF_IPTABLES=y


these are the relevant rules on the NAT-box that send the traffic to squid and back:
Code:
NAT-BOX ~ # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  <PORTAL-BOX>  anywhere             tcp dpt:http to:<SQUID-BOX>:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       tcp  --  <SQUID-BOX>     anywhere             tcp spt:3128 to:<NAT-BOX-IP>


of course you can do everything on the same box, just adapt the interfaces/addresses.

GOOD LUCK!
_________________
DUMM KLICKT GUT.
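The following POSIX shell script is an added example that pulls the thread's advice together for the single-box, single-public-IP case papahuhn describes (where TPROXY buys nothing and plain REDIRECT is enough). It is not code from any of the posters: the interface, client network and port are assumed values set at the top, the kernel check is the `CONFIG_IP_NF_IPTABLES` test DawgG shows but made to accept a plain-text or gzipped config file, and the generated `squid.conf` uses the current `intercept` keyword (older Squid spelled it `transparent`, as in DawgG's `http_port` line) plus the `via off` / `forwarded_for delete` directives that drop the extra headers szatox mentions. With `DRY_RUN=1` (the default) it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Single-box transparent Squid using the
# REDIRECT-only method. Assumptions: this box routes for a LAN on LAN_IF,
# the clients live in LAN_NET, and Squid listens on SQUID_PORT on this box.
LAN_IF="${LAN_IF:-eth1}"                  # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed client network
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = apply them

# DawgG's point: Squid refuses transparent mode unless the kernel has iptables
# support. Accepts a plain-text or .gz kernel config; defaults to /proc/config.gz.
kernel_has_iptables() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || return 1
    case "$cfg" in
        *.gz) zcat "$cfg" | grep -q '^CONFIG_IP_NF_IPTABLES=[ym]$' ;;
        *)    grep -q '^CONFIG_IP_NF_IPTABLES=[ym]$' "$cfg" ;;
    esac
}

# Emit the iptables commands: $1 = LAN interface, $2 = client network, $3 = Squid port.
# Only traffic arriving on the LAN interface from the client network is redirected.
# Squid's own outbound fetches leave through OUTPUT, not PREROUTING, so they are
# never caught by this rule and cannot loop back into the proxy.
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$1" "$2" "$3"
    # The redirected connections must also be accepted by the filter table.
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' "$1" "$2" "$3"
}

# Print or execute the rules depending on DRY_RUN.
apply_rules() {
    redirect_rules "$@" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# Minimal squid.conf for interception: $1 = client network, $2 = Squid port.
# The ACLs admit only the LAN (szatox's "keep outsiders away" concern, enforced
# in Squid as well as in the firewall). 'via off' and 'forwarded_for delete'
# stop Squid from advertising itself and the client address to origin servers.
squid_conf() {
    cat <<EOF
http_port $2 intercept
acl localnet src $1
acl Safe_ports port 80
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
via off
forwarded_for delete
EOF
}

if kernel_has_iptables; then
    echo "kernel: CONFIG_IP_NF_IPTABLES present"
else
    echo "kernel: CONFIG_IP_NF_IPTABLES not found or /proc/config.gz unreadable; Squid will not start in intercept mode" >&2
fi
apply_rules "$LAN_IF" "$LAN_NET" "$SQUID_PORT"
squid_conf "$LAN_NET" "$SQUID_PORT"
```

Run it once with the default `DRY_RUN=1` to review the rules and the generated `squid.conf`, then with `DRY_RUN=0` as root to install the rules; the `squid_conf` output is meant to be written to the file Squid reads (`/etc/squid/squid.conf` on Gentoo) and tuned from there.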
CaptainBlood
l33t


Joined: 24 Jan 2010
Posts: 996

Posted: Thu Jul 16, 2015 9:54 pm

My aim is mainly prototyping on my laptop.
So no public ip.
There's 2 firewalls/routers involved.

Thks 4 ur attention, interest & support.
All times are GMT