Sunday, 29 September 2013

Step by Step Install and configure transparent squid proxy on linux/Centos

How to install and configure squid transparent proxy on Linux/Centos 5.x

Interface configuration:

WAN IP :  eth0 – x.x.x.x   ,  LAN IP : eth1 -

Hardware Requirements:

Machine configuration depends on users load. This proxy using for 0 - 250 users.

Processor : Xeon

Ram : 8 GB

OS : Centos 5.8 ( you can use it Centos 5.x series )

Packages Requirements: DNS , squid , httpd  (it’s require for sarg log report)

How to install package:

#yum install bind*  caching-nameserver*

#yum install squid*

#yum install httpd*

Before configuration DNS, please disable to selinux

# vi /etc/sysconfig/selinux


Change to


Save and exit

#init 6 (restart system)

Configure DNS server : 

#vi /etc/hosts localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6  server

#vi /etc/sysconfig/network



#vi /etc/resolv.conf


Make the entry in named.conf file

#vi  /etc/named.conf

options {

directory “/var/named”;

dump-file “/var/named/data/cache_dump.db”;

statistics-file “/var/named/data/named_stats.txt”;

memstatistics-file “/var/named/data/named_mem_stats.txt”;

query-source port 53;


zone “” IN {

type master;

file “”;

allow-update { none; };


zone “” IN {

type master;

file “”;

allow-update { none; };


Create forward and reverse zone for DNS

#cd /var/named

# cp

# cp named.local


$TTL       86400

@                            IN SOA (

                                                       42            ; serial (d. adams)

                                                      3H             ; refresh

                                                      15M           ; retry

                                                      1W            ; expiry

                                                     1D )           ; minimum

                        IN NS                   

                                IN A                          

xbc                         IN A             


$TTL       86400

@       IN      SOA  (

                                      1997022700 ; Serial

                                      28800      ; Refresh

                                      14400      ; Retry

                                      3600000    ; Expire

                                      86400 )    ; Minimum

        IN      NS

1       IN     PTR

Restart the named service :

#service named restart

#chkconfig named on

#bind-chroot-admin -d

#bind-chroot-admin -e


#dig  -x

Install and configure squid transparent proxy:

#yum install squid*

#vi /etc/squid/squid.conf

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_dir ufs /var/spool/squid 2000 16 256


#redirect_program /usr/bin/squidguard -c /etc/squid/squidguard.conf

auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern . 

acl all src

acl manager proto cache_object

acl localhost src

acl to_localhost dst

acl SSL_ports port 443 563

acl Safe_ports port 5901

acl Safe_ports port 8080         #webcache

acl Safe_ports port 2323         #tomcat

acl Safe_ports port 1023         #tomcat

acl Safe_ports port 8180         #tomcat

acl Safe_ports port 80          # http

acl Safe_ports port 20          # ftp

acl Safe_ports port 21          # ftp

acl Safe_ports port 22          # ssh

acl Safe_ports port 443 563   # https, snews

acl Safe_ports port 1494   #ctx

acl Safe_ports port 2598   #ctx

acl Safe_ports port 563    # https, snews

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl Safe_ports port 25          #smtp

acl Safe_ports port 110         #smtp

acl Safe_ports port 8443        #bax


http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

acl utsav_network src

acl  fullaccess  arp 38:60:77:60:6F:33

http_access allow fullaccess

acl  keybaord url_regex -i proxy gambling hacking ringtones sports spyware virusinfected warez whitelist thepiratebay orkut movie movies softonic torrent tor-browser audlts antispyware artnudes ultrasurf cric cricket crick cricinfo zapak nimbuzz music olimpic olimpics olympic olympics sex sexy pron songs song cybermediadice .orkut.* /orkut .orkut .orkut* baaja

http_access deny keybaord

acl limitedaccess  arp 20:CF:40:EA:E4:DF

http_access allow limitedaccess

acl ravi arp E0:69:97:AB:D6:6E

http_access allow ravi

acl youtube url_regex -i youtube .mp3 .mp4 .aac .flv .m4a .swf

http_access deny youtube

http_access allow utsav_network

http_access allow localhost

icp_access allow all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

cache_mem 1024 MB

maximum_object_size_in_memory 100 KB

minimum_object_size 0 KB

maximum_object_size 4096 KB

cache_swap_low 90

cache_swap_high 95

access_log /var/log/squid/access.log squid

coredump_dir /var/spool/squid

#service squid restart

#chkconfig squid on

#squid -z

Next step work with firewall :

flush all rules of iptabes for transparent mode

iptables -F

iptables -t nat -F

iptables -t mangle -F

now delete this chanis bye

iptables -X

iptables -t nat -X

iptables -t mangle -X

now time to save iptables so type

service iptables save

service iptables restart

Now all rules and chains will clear !

check it by /etc/sysconfig/iptables which has all defaults rules set to accept.

now /etc/rc.d/rc.local

and insert line

echo ” 1 “> /proc/sys/net/ipv4/ip_forward

and then save and close.

now assuming that your internet interface is eth0 then type :

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

service iptables save

service iptables restart

#init 6  (reboot machine)

Congratulation you have successfully configured Squid Transparent proxy ,

Note : Don’t have require put proxy ip in client machine.

No comments:

Post a Comment

Install XRDP in Centos 7

rpm -Uvh yum update yum groupinstall "GNOME Desktop" ...