CaptainBlood Veteran
Joined: 24 Jan 2010 Posts: 1999
Posted: Fri Jul 10, 2015 8:27 pm Post subject: How to Squid transparency proxy?
There seem to be two methods:
One using IPTABLES only via REDIRECT.
The second also using TPROXY with MANGLE.
Asking for advice on which to choose before spending another two days to succeed the bad way ...
Thanks for your attention.
szatox Veteran
Joined: 27 Aug 2013 Posts: 1991
Posted: Fri Jul 10, 2015 9:43 pm
I used to do that on iptables, redirecting all passing-through traffic to port 80 to local 3128 instead. That was the easy part; the hard one was getting squid's config sorted. ACL rules there were a real pain. I think I eventually dropped them all and relied solely on the firewall to keep outsiders away.
Oh, and squid is not transparent by default. It expects the browser to actively cooperate. You will have to change some option in its config to let it slip in (and another if you want to remove the extra header squid puts into the http requests it makes).
papahuhn l33t
Joined: 06 Sep 2004 Posts: 623
Posted: Mon Jul 13, 2015 7:04 am
Squid combined with tproxy is used in networks where clients have their own public IP. Squid will connect to the destination while using the original source IP on its own socket, which is not possible by default. If you want to use squid in your home network and have only one public IP, there is no point in using tproxy, as you will have to NAT the clients anyway.
DawgG l33t
Joined: 17 Sep 2003 Posts: 841
Posted: Thu Jul 16, 2015 9:26 am
What goal are you trying to reach? How many machines (firewalls/routers) are involved?
Generally, you have to direct packets destined to port 80 to the (configured) squid port; this is usually done with NAT on the same or some other box. Then squid has to run in transparent mode and its ACLs and (maybe) parents/siblings configured.
In my case the NAT firewall picks out the packets sent (by the clients behind the captive portal) to port 80 and SNATs them to the squid-box:3128. This is the relevant line in squid.conf:
Code:
http_port <SQUID-BOX-IP>:3128 transparent connection-auth=off
Squid then fetches the stuff either directly or (in my case) from its parent; this is configured with the ACLs/RULEs. If you don't need any fancy filtering/redirection stuff, 10-20 lines combined will do the job.
The fetched content is then sent back to the firewall, which SNATs it back to the clients.
It is important to note that squid would not run in transparent mode when iptables was not activated in the kernel; nothing has to be installed or configured, it just has to be activated:
Code:
<SQUID-BOX> ~ # zgrep -i iptables /proc/config.gz
CONFIG_IP_NF_IPTABLES=y
These are the relevant rules on the NAT box that send the traffic to squid and back:
Code:
NAT-BOX ~ # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source        destination
DNAT       tcp  --  <PORTAL-BOX>  anywhere     tcp dpt:http to:<SQUID-BOX>:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source        destination
SNAT       tcp  --  <SQUID-BOX>   anywhere     tcp spt:3128 to:<NAT-BOX-IP>
Of course you can do everything on the same box, just adapt the interfaces/addresses.
GOOD LUCK!
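The posts above describe the REDIRECT variant in pieces (NAT the port-80 traffic to the squid port, put squid into transparent/intercept mode, keep outsiders off the squid port with the firewall rather than with squid ACLs, and strip the extra headers). The script below is an added example for the "everything on the same box" case CaptainBlood is prototyping; it is not code from any poster in this thread. The interface name eth1, the subnet 192.168.1.0/24, the port 3128 and the DRY_RUN switch are assumptions, all overridable from the environment. With DRY_RUN=1 (the default) it only prints the iptables commands and the squid.conf fragment it would apply; run it as root with DRY_RUN=0 to apply the rules.

```shell
#!/bin/sh
# Added example (not from the thread): one-box transparent proxy using the
# iptables REDIRECT target. Assumed, overridable names: LAN_IF, LAN_NET,
# SQUID_PORT, DRY_RUN. Default DRY_RUN=1 prints instead of executing.
set -eu

LAN_IF="${LAN_IF:-eth1}"               # interface the clients sit behind (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # their subnet; only this range is intercepted
SQUID_PORT="${SQUID_PORT:-3128}"       # squid intercept listener
DRY_RUN="${DRY_RUN:-1}"

# Print the command when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Rules for "squid on the same box as the NAT router". REDIRECT in nat/PREROUTING
# rewrites the destination to this box's address on the incoming interface.
# PREROUTING only sees packets arriving on an interface, so squid's own outbound
# fetches (locally generated, OUTPUT chain) are never re-intercepted: no loop.
squid_redirect_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Single public IP: masquerade everything leaving towards the uplink.
  run iptables -t nat -A POSTROUTING ! -o "$LAN_IF" -j MASQUERADE
  # Do not intercept LAN-to-LAN HTTP (e.g. a web UI on another local host).
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$LAN_NET" -p tcp --dport 80 -j RETURN
  # Intercept: client port-80 traffic lands on squid's port on this box.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
  # The intercept port is reachable from the LAN side only; everyone else is
  # dropped, so the firewall, not squid's ACLs, keeps strangers out.
  run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
  run iptables -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

# Matching squid.conf fragment. 'intercept' is the Squid 3.1+ keyword for what
# older releases called 'transparent'. 'via off' and 'forwarded_for delete'
# remove the headers squid would otherwise add to the requests it makes.
squid_conf() {
  cat <<EOF
# NAT-intercepted traffic arrives here. If you also want an explicit proxy
# port for configured browsers, give it its own separate http_port line.
http_port ${SQUID_PORT} intercept
acl localnet src ${LAN_NET}
http_access allow localnet
http_access deny all
via off
forwarded_for delete
EOF
}

squid_redirect_rules
echo
squid_conf
```

Two caveats a practitioner will hit: squid learns the original destination of an intercepted connection through netfilter (the SO_ORIGINAL_DST lookup), so besides CONFIG_IP_NF_IPTABLES the kernel also needs connection tracking and NAT (nf_conntrack, nf_nat) and the REDIRECT target, or squid logs that NAT lookup failed; and a port declared `intercept` refuses proxy-style (absolute-URI) requests, so browsers configured to use the proxy explicitly need a separate http_port.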
CaptainBlood Veteran
Joined: 24 Jan 2010 Posts: 1999
Posted: Thu Jul 16, 2015 9:54 pm
My aim is mainly prototyping on my laptop.
So no public IP.
There are two firewalls/routers involved.
Thanks for your attention, interest & support.