Transparent Squid3 Proxy Setup

You probably don’t really need a caching proxy on your home network but hey, why the hell not. You can pull some decent stats out of it over time: most popular sites, biggest net users, etc. I have to admit to loving stats… and graphs. I’m not sure of the appeal, I just like to see them. One of my all-encompassing projects is to set up a sensor network around the house reporting into a MySQL back-end with a PHP front end serving up the graph love. But I digress! Let’s set up Squid3!

This is what we need:
Spare PC
2 network ports
Spare time

The great thing about making the proxy transparent is there is no need to configure any browser settings! You simply send all your network traffic over the interface bridge on your proxy box and then the magic kicks in! First thing we should do is get Linux. Steep learning curve. Frustrating as hell when it doesn’t work but perseverance pays off and you will be a better person in the end. For this particular build I used Ubuntu 12.04. Once you have the image you can burn it to disk or whack it on a key. Who the hell burns DVDs these days? Do yourself a good one and chuck it on a key. There are some really great apps that can build a bootable key for you and they are free. You just point them at the ISO and away you go. I’m going to skip over the pretty standard stuff like installing Ubuntu but if you need help drop a comment and I’ll see what I can do.

So you are now looking at your new Ubuntu desktop. Mmmm, juicy! Press the Windows key and type terminal… now click the terminal icon. Bam! This is where we live. Make a shortcut for it on the desktop or wherever you like and fire it up.

Let’s get the new install up to date

sudo apt-get update
sudo apt-get upgrade

Now let’s install the stuff we will need

sudo apt-get install squid3 bridge-utils ebtables

Now we will set up Squid

sudo nano /etc/squid3/squid.conf

Change or add the appropriate lines so they read as below

http_port 3128 transparent
# YOUR.LAN.SUBNET is a placeholder: put the /24 your home PCs sit on here
acl localnet src YOUR.LAN.SUBNET/24
acl localhost src 127.0.0.1/32
http_access allow localnet
http_access allow localhost
cache_dir ufs /var/spool/squid3 5000 16 256

Please take note of the IP address on the localnet line. Change this to suit your home network setup. Say your computer IP is …; you would update the above accordingly. Press Ctrl-X, answer yes to keep changes and press Enter to overwrite the current file. Now we will restart Squid…

sudo /etc/init.d/squid3 restart

Now we can configure the network to pass all the data from one Ethernet card to the other while redirecting port 80 (HTTP) to port 3128 (proxy) before sending it on to the interwebs. Note that ebtables and iptables rules entered like this are not persistent: they are gone after a reboot unless you save and restore them (for example with iptables-save and iptables-restore).

sudo ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
sudo iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

We also need to enable traffic to be passed through for both IPv4 and IPv6 on your proxy PC by uncommenting the following lines in sysctl.conf.

sudo nano /etc/sysctl.conf
(remove the # to uncomment these lines)
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

To apply them without a reboot, run sudo sysctl -p.

Now to the NIC configs!

sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static

auto br0
iface br0 inet static
# YOUR.BRIDGE.IP and YOUR.ROUTER.IP are placeholders: the proxy's LAN address and your router
# (the netmask assumes the /24 used above). Set the gateway here only, not on eth1.
address YOUR.BRIDGE.IP
netmask 255.255.255.0
gateway YOUR.ROUTER.IP
bridge-ports eth0 eth1

Save the file and either reboot the system or just restart the services with:

sudo /etc/init.d/networking restart
sudo service squid3 restart

This is a good time to make sure you disconnect the cable between your router and switch. As in the top diagram you should have Router –> eth0 [br0] eth1 –> Switch, i.e. the router plugged into eth0, the switch into eth1, and br0 bridging the two.

Jump on the net from another PC and browse some pictures of cats. Bounce back to your proxy terminal and…

sudo tail -f /var/log/squid3/access.log

This is the live proxy log of everything hitting your proxy. Sweet huh? It’s interesting just to watch what actually goes out of your network. You may feel your eyes drawn to the screen for a while just to watch. Maybe that’s just me though 🙂 That wasn’t so hard! All going well you’re seeing some impressive shit. All not going well you are cursing and wondering what the hell to do now. I had such problems so let’s go over them.

Due to me deciding to re-organize my network IPs my proxy box didn’t get a DNS server to use.

sudo nano /etc/resolv.conf
nameserver YOUR.ROUTER.OR.DNS.IP    (placeholder: your router or DNS server)
nameserver 8.8.8.8                  (Google open DNS server)

That fixed DNS.

The other problem I had was having 2 gateways set in /etc/network/interfaces, one for each NIC. This caused two default IP routes and basically screwed me and the network for hours! You will see an RTNETLINK error when trying to bring up the network interfaces if you are having much the same thing.

As I hopefully remembered to mention at the start of this post, you don’t need to actually change anything on your local computers to have the traffic flow through your proxy. Wireless devices however are a little harder to deal with. The simple way is to just enter the proxy details manually on these devices, those details being the IP of your proxy bridge interface (…) and the port (3128).
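The stats mentioned at the start (most popular sites, biggest net users) can be pulled straight out of the access.log you tailed above. The following is an added example, not code from the original post: it parses Squid's default native log format from a few constructed sample lines (including a CONNECT line of the kind a manually configured wireless device produces, and a junk line that must be skipped) and summarises bytes per client, requests per site and the cache hit ratio.

```python
# Added example, not from the original post: summarise a Squid3 access.log
# (default "native" format) into the stats the post talks about.
import re
from collections import Counter
from urllib.parse import urlsplit

# Native log fields: time elapsed client action/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/"
                     r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$")

# Constructed sample lines in the shape Squid writes to /var/log/squid3/access.log.
SAMPLE_LOG = """\
1360000000.101    150 192.168.1.20 TCP_MISS/200 5432 GET http://example.com/cats/1.jpg - DIRECT/203.0.113.10 image/jpeg
1360000001.202     12 192.168.1.21 TCP_HIT/200 5432 GET http://example.com/cats/1.jpg - NONE/- image/jpeg
1360000002.303    300 192.168.1.20 TCP_MISS/200 90000 GET http://cdn.example.net/big.bin - DIRECT/203.0.113.11 application/octet-stream
1360000003.404     80 192.168.1.22 TCP_MISS/404 310 GET http://example.org/missing - DIRECT/203.0.113.12 text/html
1360000004.505   2000 192.168.1.21 TCP_MISS/200 12000 CONNECT example.com:443 - DIRECT/203.0.113.10 -
this line is garbage and must be skipped
"""

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    url = rec["url"]
    # GET/POST lines carry a full URL; CONNECT lines (devices given the proxy manually) carry host:port.
    rec["host"] = (urlsplit(url).hostname or url) if "://" in url else url.rsplit(":", 1)[0]
    return rec

def summarise(log_text):
    """Aggregate bytes per client, requests per site and the cache hit ratio over the whole log."""
    bytes_per_client, requests_per_site = Counter(), Counter()
    total = cached = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # never assume a log file is perfectly clean
            continue
        total += 1
        bytes_per_client[rec["client"]] += rec["bytes"]
        requests_per_site[rec["host"]] += 1
        cached += rec["action"].endswith("_HIT")  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
    return {"top_clients": bytes_per_client.most_common(), "top_sites": requests_per_site.most_common(),
            "hit_ratio": cached / total if total else 0.0, "skipped": skipped}

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)  # on the proxy box, feed it the text of the real access.log instead
    print(stats["top_clients"][:5], stats["top_sites"][:5], f"hit ratio {stats['hit_ratio']:.0%}")
```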
