
squid transparent proxy with single Ethernet interface (port)


 squid transparent proxy with single Ethernet interface (port)

#1: yum install squid


#2 vim /etc/squid/squid.conf

# Squid configuration as printed on this page. Several directives below have
# lost their values (the page shows them blank) and two ACLs are referenced but
# never defined here, so Squid will not start from this listing as-is — fill in
# the marked lines first.
# NOTE(review): 'transparent' needs a listening port in front of it
# (e.g. 'http_port <port> transparent'); the port is missing here. The iptables
# rules elsewhere on this page redirect to 3128.
http_port transparent
hierarchy_stoplist cgi-bin ?
# Never cache dynamic (cgi-bin / query-string) responses.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# NOTE(review): no proxy_auth ACL uses these auth_param settings on this page,
# and proxy authentication is not usable in transparent/intercept mode anyway —
# confirm whether they are needed at all.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Value missing on this page: 'all' needs a source network (Squid 2.x syntax;
# newer Squid predefines 'all').
acl all src
acl manager proto cache_object
# Value missing on this page: the loopback address for 'localhost'.
acl localhost src
# Value missing on this page: the loopback/destination address for 'to_localhost'.
acl to_localhost dst
acl SSL_ports port 443 563
# Cache-manager interface only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
# NOTE(review): Safe_ports is referenced here but never defined on this page;
# Squid rejects the configuration until it is.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
# Value missing on this page: our_networks should list the LAN network(s)
# allowed to use the proxy — this is the rule that actually admits clients.
acl our_networks src
http_access allow our_networks
# NOTE(review): PROTOS is referenced here but never defined on this page.
http_access allow PROTOS
# Default deny for anything not matched above.
http_access deny all
http_reply_access allow all
# Any host may send ICP queries; restrict to our_networks if ICP is used at all.
icp_access allow all
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log


#4: iptables routing


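# Step 4 (single NIC): redirect port-80 requests from the LAN that arrive on eth0
# to Squid on port 3128. The long options on this page were mangled into
# en-dashes ("–table"), which iptables does not accept; they are restored to "--".
# The source network after -s was lost on this page, so it is taken from LAN_NET
# and the rule refuses to build without it (e.g. LAN_NET=192.0.2.0/24 — constructed
# example, use the real LAN network).
/sbin/iptables --table nat --append PREROUTING --in-interface eth0 -s "${LAN_NET:?set LAN_NET to the LAN source network}" --protocol tcp --destination-port 80 --jump REDIRECT --to-port 3128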


#5:# service iptables save
# chkconfig iptables on

#6 # /etc/init.d/squid restart
# chkconfig squid on





I also found a firewall script that lets Squid work as a transparent proxy. Make the script executable and run it at startup, for example from /etc/rc.local.


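#!/usr/bin/env bash
# Firewall script for a Squid transparent proxy, reconstructed from the collapsed
# listing on this page: line breaks, shell double quotes (the page shows typographic
# quotes) and the "--" of long iptables options were restored. The IP values were
# missing from the page and are left as placeholders that MUST be edited before use.
# Run as root at startup (e.g. from /etc/rc.local). With set -e a failing iptables
# call aborts the script, so fix the placeholders before the first run.
set -euo pipefail

# Squid server IP — REPLACE: value missing from this page.
SQUID_SERVER="<squid-server-ip>"
# Interface connected to the Internet (on a single-NIC box this is the LAN side too).
INTERNET="eth0"
# Address or network (CIDR) of the LAN whose clients are proxied — REPLACE:
# value missing from this page.
LOCAL="<lan-network>"
# Squid listening port (must match the http_port in squid.conf).
SQUID_PORT="3128"

# Refuse to run while the placeholders are still in place, and before any rule is
# flushed: an empty/unquoted -s value would drop the argument and build a much
# broader rule than intended, a bogus one would make iptables fail mid-script.
case "${SQUID_SERVER}${LOCAL}" in
  *'<'*)
    printf 'edit SQUID_SERVER and LOCAL before running %s\n' "${0##*/}" >&2
    exit 1
    ;;
esac
# iptables needs root.
if (( EUID != 0 )); then
  printf '%s must run as root\n' "${0##*/}" >&2
  exit 1
fi

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default filter policy: drop inbound, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host opened. (The page labels this "UDP, DNS and
# Passive FTP"; it is the generic conntrack ESTABLISHED,RELATED rule, which
# covers those because outbound traffic is allowed by policy.)
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set this system as a router for the rest of the LAN
iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
iptables -A FORWARD -s "$LOCAL" -j ACCEPT

# Unlimited access from the LAN
iptables -A INPUT -s "$LOCAL" -j ACCEPT
iptables -A OUTPUT -s "$LOCAL" -j ACCEPT

# DNAT port-80 requests coming from LAN systems to Squid ($SQUID_SERVER:$SQUID_PORT),
# i.e. the transparent proxy
iptables -t nat -A PREROUTING -s "$LOCAL" -p tcp --dport 80 -j DNAT --to "${SQUID_SERVER}:${SQUID_PORT}"
# If Squid runs on this same system
iptables -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

# "Open everything" (kept from the page): accepts ALL new inbound connections on
# $INTERNET, which cancels the INPUT DROP policy for that interface and leaves the
# LOG/DROP rules below with nothing to match on it. LAN clients are already admitted
# by the -s "$LOCAL" rule above, so remove these two rules unless this host really
# must accept unsolicited traffic from the Internet side.
iptables -A INPUT -i "$INTERNET" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -j ACCEPT

# Drop everything else and log it (consider adding "-m limit" to the LOG rule so a
# flood of dropped packets cannot fill the system log).
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP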