Tag Archive for transparent

squid transparent proxy with single Ethernet interface (port)

squid-transparent

 squid transparent proxy with single Ethernet interface (port)

#1: yum install squid

 

#2 vim /etc/squid/squid.conf

http_port 192.168.1.98:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl PROTOS proto HTTP FTP HTTPS
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow PROTOS
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log

 

#4: iptables routing

 

/sbin/iptables –table nat –append PREROUTING –in-interface eth0 -s 192.168.1.0/24 –protocol tcp –destination-port 80 –jump REDIRECT –to-port 3128

 

#5:# service iptables save
# chkconfig iptables on

#6 # /etc/init.d/squid restart
# chkconfig squid on

 

 

note:

 

i also find a firewall script for squid to work transparent, Make this script executable and run it at startup, for example within /etc/rc.local.

 

#!/bin/sh
# Squid server IP#SQUID_SERVER=”192.168.2.253″SQUID_SERVER=”10.0.0.1″# Interface connected to InternetINTERNET=”eth0″
# Address connected to LANLOCAL=”10.0.0.0/24″
# Squid portSQUID_PORT=”3128″
# Clean old firewalliptables -Fiptables -Xiptables -t nat -Fiptables -t nat -Xiptables -t mangle -Fiptables -t mangle -X
# Enable Forwardingecho 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policyiptables -P INPUT DROPiptables -P OUTPUT ACCEPT
# Unlimited access to loop backiptables -A INPUT -i lo -j ACCEPTiptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTPiptables -A INPUT -i $INTERNET -m state –state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LANiptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADEiptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LANiptables -A INPUT -s $LOCAL -j ACCEPTiptables -A OUTPUT -s $LOCAL -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxyiptables -t nat -A PREROUTING -s $LOCAL -p tcp –dport 80 -j DNAT –to $SQUID_SERVER:$SQUID_PORT
# if it is same systemiptables -t nat -A PREROUTING -i $INTERNET -p tcp –dport 80 -j REDIRECT –to-port $SQUID_PORT
#open everythingiptables -A INPUT -i $INTERNET -j ACCEPTiptables -A OUTPUT -o $INTERNET  -j ACCEPT
# DROP everything and Log itiptables -A INPUT -j LOGiptables -A INPUT -j DROP

Squid https transparent proxy setup with SSL certificate

Squid https transparent proxy setup with SSL certificate

Let’s understand first how squid proxy works in transparent mode. While setting up squid as a transparent proxy we can forward the entire request coming from port 80 to squid server’s port i.e. 3128 by default. When we talk about port 80 it means http protocol. What if we request for Gmail who uses https protocol and this protocol by default send request to port 443 of squid’s port, and we iptable firewall rules to forward traffic from port 80 to port 3128 and we forget about port 443 which is used by https protocol and squid is http proxy server. Now many folks may think it’s easy and forward all traffic coming from port 443 to squid port 3128.  No it won’t work.  Because https connection establishes a secure connection over the network and for that it uses certificate and public key private key pairs. And first of all I thanks God for RSA and DSA algorithm as it is not so easy to decrypt data which is encrypted by use of this algorithm. Squid proxy is a middle man who changes packets header and route traffic to internet world. So what we have to do is to create certificate and public key private key pair for internal network which can be used by squid client and squid server and later squid server can route your traffic to internet world. To yield faster results it is better to sign certificate from CA. self signed certificates are little bit slowing the connection. As in a transparent mode encryption and decryption done twice so it may yields result slow so I advised you to keep patience.

Steps are:

  1. iptables  -t nat -A PREROUTING -i eth0  -p tcp –dport 80 -j REDIRECT –to-port 3128
  2. iptables  -t nat -A PREROUTING -i eth0  -p tcp –dport 80 -j REDIRECT –to-port 3128
  3. iptables  -t nat -A PREROUTING  -i eth0 -p tcp –dport  443 -j REDIRECT –to-port 3130
  4. iptables  -t nat -A PREROUTING  -i eth0 -p tcp –dport  443 -j REDIRECT –to-port 3130

Certificate and public key private key generation.

  1. openssl genrsa -des3 -out server.key 1024
  2. openssl req -new –key -out server.csr
  3. openssl req -new -key server.key -out server.cs

Steps to remove passphrase

  1. cp server.key server.key.old
  2. openssl rsa -in server.key.old -out server.key

Create server certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now make some changes to squid.conf file

  1. http_port 3128 transparent
  2. https_port 3130 transparent cert=/”path to server.crt” key=/”path to server.key”.

 

Another easy way to create certificates and public key private key pair is using genkey utility. In order to use that you have crypto-utils package install on your machine.

Steps are:

  1. #yum -y install crypto-utils
  2. genkey -days 365 squidserver.hostname.com
  3. Hit next.
  4. Select number of bits for data encryption. Default is 1024. This command will generate random bits.
  5. Generate the certificate.
  6. I will suggest you to never used passphrase for key, because if u assigns passphrase to key then along with public key we need to share passphrase.
  7. Certificate and key are stored at /etc/pki/tls/certs/ and /etc/pki/tls/private/
  8. In squid.conf make necessary change like this

http_port 3128 transparent

https_port 3130 transparent cert=/etc/pki/tls/certs/squidserver.hostname.com.crt key=/etc/pki/tls/private/squidserver.hostname.com.key.