How to install and configure a Squid transparent proxy on Linux/CentOS 5.x
Interface configuration:
WAN IP: eth0 - x.x.x.x, LAN IP: eth1 - 192.168.1.1
Hardware requirements:
Machine configuration depends on the user load. This proxy is sized for 0 - 250 users.
Processor: Xeon
RAM: 8 GB
OS: CentOS 5.8 (you can use any release of the CentOS 5.x series)
Package requirements: DNS, squid, httpd (httpd is required for the sarg log report)
How to install the packages:
# yum install bind* caching-nameserver*
# yum install squid*
# yum install httpd*
Before configuring DNS, disable SELinux:
# vi /etc/sysconfig/selinux
SELINUX=enforcing
Change to
SELINUX=disabled
Save and exit.
# init 6 (restart system)
Configure the DNS server:
# vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.17.0.250 xbc.net server
# vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=xbc.net
# hostname server.xbc.net
# vi /etc/resolv.conf
search xbc.net
nameserver 192.168.1.1
Make the entries in the named.conf file:
# vi /etc/named.conf
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source port 53;
};
// the zone name was missing from the original listing; "xbc.net" is assumed from the
// domain used in resolv.conf and in the zone file names below
zone "xbc.net" IN {
        type master;
        file "xbc.net.forward";
        allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "xbc.net.reverse";
        allow-update { none; };
};
Create the forward and reverse zone files for DNS (the forward zone is copied from the localhost.zone template, the reverse zone from named.local):
# cd /var/named
# cp localhost.zone xbc.net.forward
# cp named.local xbc.net.reverse
# vi xbc.net.forward
$TTL 86400
@               IN SOA  xbc.net. root.xbc.net. (
                        42              ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum
                IN NS   xbc.net.        ; trailing dot required: an unqualified name would expand to xbc.net.xbc.net
                IN A    127.0.0.1
xbc             IN A    192.168.1.1
# vi xbc.net.reverse
$TTL 86400
@               IN SOA  xbc.net. root.xbc.net. (
                        1997022700      ; Serial
                        28800           ; Refresh
                        14400           ; Retry
                        3600000         ; Expire
                        86400 )         ; Minimum
                IN NS   xbc.net.
1               IN PTR  xbc.net.
Restart the named service:
# service named restart
# chkconfig named on
# bind-chroot-admin -d
# bind-chroot-admin -e
# dig xbc.net
# dig -x 192.168.1.1
Install and configure the Squid transparent proxy:
# yum install squid*
# vi /etc/squid/squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 2000 16 256
dns_nameservers 202.138.96.2 202.138.97.193 202.56.215.6 202.56.230.6
#redirect_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# the min/percent/max values of the catch-all pattern were missing from the original
# listing; the values below are Squid's stock defaults
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 5901
acl Safe_ports port 8080 # webcache
acl Safe_ports port 2323 # tomcat
acl Safe_ports port 1023 # tomcat
acl Safe_ports port 8180 # tomcat
acl Safe_ports port 80 # http
acl Safe_ports port 20 # ftp
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1494 # ctx
acl Safe_ports port 2598 # ctx
acl Safe_ports port 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop3
acl Safe_ports port 8443 # bax
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl utsav_network src 192.168.1.0/24
acl fullaccess arp 38:60:77:60:6F:33
http_access allow fullaccess
acl keybaord url_regex -i proxy gambling hacking ringtones sports spyware virusinfected warez whitelist thepiratebay orkut movie movies softonic torrent tor-browser audlts antispyware artnudes ultrasurf cric cricket crick cricinfo zapak nimbuzz music olimpic olimpics olympic olympics sex sexy pron songs song cybermediadice .orkut.* /orkut .orkut .orkut* baaja
http_access deny keybaord
acl limitedaccess arp 20:CF:40:EA:E4:DF
http_access allow limitedaccess
acl ravi arp E0:69:97:AB:D6:6E
http_access allow ravi
acl youtube url_regex -i youtube .mp3 .mp4 .aac .flv .m4a .swf
http_access deny youtube
http_access allow utsav_network
http_access allow localhost
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size_in_memory 100 KB
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
coredump_dir /var/spool/squid
# service squid restart
# chkconfig squid on
# squid -z
Next step: work with the firewall.
Flush all iptables rules for transparent mode:
iptables -F
iptables -t nat -F
iptables -t mangle -F
Now delete the chains:
iptables -X
iptables -t nat -X
iptables -t mangle -X
Now save iptables, so type:
service iptables save
service iptables restart
Now all rules and chains are cleared. Check it in /etc/sysconfig/iptables, which now has all default policies set to ACCEPT.
Now open /etc/rc.d/rc.local and insert the line
echo "1" > /proc/sys/net/ipv4/ip_forward
then save and close.
Now, assuming that your internet interface is eth0, type:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The REDIRECT rule only intercepts TCP port 80 arriving on the LAN interface eth1; HTTPS and every other protocol are simply NATed out through eth0 by the MASQUERADE rule and never pass through Squid or its ACLs.
service iptables save
service iptables restart
# init 6 (reboot machine)
Congratulations, you have successfully configured a Squid transparent proxy.
Note: there is no need to set the proxy IP on the client machines.