Transparent Squid3 Proxy Setup

You probably don't really need a caching proxy on your home network but hey, why the hell not. You can pull some decent stats out of it over time. Most popular sites, biggest net users etc. etc. I have to admit to loving stats… and graphs. I'm not sure of the appeal, I just like to see them. One of my all-encompassing projects is to set up a sensor network around the house reporting into a MySQL back-end with a PHP front end serving up the graph love. But I digress! Let's set up Squid3!

This is what we need:
Spare PC
2 Network ports
Spare time

[Diagram: Home_Proxy]

The great thing about making the proxy transparent is there is no need to configure any browser settings! You simply send all your network traffic over the interface bridge on your proxy box and then magic kicks in! First thing we should do is get Linux. Steep learning curve. Frustrating as hell when it doesn't work but perseverance pays off and you will be a better person in the end. For this particular build I used Ubuntu 12.04. Once you have the image you can burn it to disk or whack it on a key. Who the hell burns DVDs these days? Do yourself a good one and chuck it on a key. There are some really great apps that can build a bootable key for you and they are free. You just point them at the ISO and away you go. I'm going to skip over the pretty standard stuff like installing Ubuntu but if you need help drop a comment and I'll see what I can do.

So you are now looking at your new Ubuntu Desktop, Mmmm Juicy! Press the Windows key and type "terminal"… now click the terminal icon. Bam! This is where we live. Make a shortcut for it on the desktop or wherever you like and fire it up.

Let's get the new install up to date

sudo apt-get update
sudo apt-get upgrade

Now let's install the stuff we will need

sudo apt-get install squid3 bridge-utils ebtables

Now we will set up Squid

sudo nano /etc/squid3/squid.conf

Change or add the following lines so the config contains:

http_port 3128 transparent
acl localnet src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localnet
http_access allow localhost
cache_dir ufs /var/spool/squid3 5000 16 256

Please take note of the IP address on the acl localnet line (192.168.0.0/24). Change this to suit your home network setup. Say your computer IP is 172.16.0.10… You would update the above to 172.16.0.0/24. Press Ctrl-X, answer yes to keep changes and press enter to overwrite the current file. Now we will restart squid…

sudo /etc/init.d/squid3 restart

Now we can configure the network to pass all the data from one ethernet card to the other while redirecting port 80 (HTTP) to port 3128 (proxy) before sending it on to the interwebs. The ebtables rule makes the bridge hand port-80 frames up to the IP layer instead of just forwarding them, and the iptables rule then redirects those connections into Squid. Neither rule is saved across a reboot by default, so put them in a startup script or persist them once they work.

sudo ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
sudo iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

We also need to enable traffic to be passed through for both IPv4 and IPv6 on your proxy PC by uncommenting the following lines in sysctl.conf.

sudo nano /etc/sysctl.conf
(remove the # to uncomment these lines)
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

The new values take effect on the next reboot, or straight away with sudo sysctl -p.

Now to the NIC configs!

sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

# eth1 faces the switch; eth0 (router side) is brought up as a bridge port.
# network/broadcast must match the 192.168.0.0/24 range the addresses are in.
auto eth1
iface eth1 inet static
    address 192.168.0.3
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255

# Only the bridge carries the default gateway: a second gateway on eth1
# gives you two default routes and breaks routing.
auto br0
iface br0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    bridge-ports eth0 eth1

Save the file and either reboot the system or just the services with:

sudo /etc/init.d/networking restart
sudo service squid3 restart

This is a good time to make sure you disconnect the cable between your router and switch. As in the top diagram you should have Router –> eth0 [br0] eth1 –> Switch, with the proxy box sitting in between.

Jump on the net from another pc and browse some pictures of cats. Bounce back to your proxy terminal and….

sudo tail -f /var/log/squid3/access.log

This is the live proxy log of everything hitting your proxy. Sweet huh? It's interesting just to watch what actually goes out of your network. You may feel your eyes drawn to the screen for a while just to watch. Maybe that's just me though 🙂 That wasn't so hard! All going well you're seeing some impressive shit. All not going well you are cursing and wondering what the hell to do now. I had such problems so let's go over them. Due to me deciding to re-organize my network IPs my proxy box didn't get a DNS server to use.
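Once the log is flowing, the stats the intro promised (most popular sites, biggest net users, how often the cache actually hits) come from parsing this file. The following is an added example, not code from the original post: it parses constructed lines in Squid's native access.log format and totals bytes per client and per destination host.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (one request per line):
# timestamp elapsed_ms client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1372485576.123    234 192.168.0.10 TCP_MISS/200 15432 GET http://example.com/cats.jpg - DIRECT/93.184.216.34 image/jpeg
1372485577.001     12 192.168.0.10 TCP_HIT/200 15432 GET http://example.com/cats.jpg - NONE/- image/jpeg
1372485580.512    980 192.168.0.11 TCP_MISS/200 204800 GET http://updates.example.org/patch.bin - DIRECT/198.51.100.7 application/octet-stream
1372485581.700     45 192.168.0.11 TCP_MISS/000 0 CONNECT mail.example.net:443 - DIRECT/203.0.113.9 -
1372485590.250     88 192.168.0.12 TCP_DENIED/403 3211 GET http://example.com/ - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"], rec["elapsed"] = int(rec["size"]), int(rec["elapsed"])
    # CONNECT (HTTPS) requests log only "host:port"; other requests log a full URL
    rec["host"] = rec["url"].rsplit(":", 1)[0] if rec["method"] == "CONNECT" else urlsplit(rec["url"]).hostname
    return rec

def summarise(text):
    """Bytes served per client and per destination host, plus hit/miss/denied counts."""
    stats = {"clients": Counter(), "hosts": Counter(), "hits": 0, "misses": 0, "denied": 0}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated lines or lines written in another log format
        stats["clients"][rec["client"]] += rec["size"]
        stats["hosts"][rec["host"]] += rec["size"]
        if rec["action"] == "TCP_DENIED":
            stats["denied"] += 1
        elif "HIT" in rec["action"]:
            stats["hits"] += 1
        else:
            stats["misses"] += 1
    return stats
```

Run summarise() over the real file and feed the two Counters to most_common() for the top sites and top users.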

sudo nano /etc/resolv.conf
nameserver 192.168.0.1   # your router or DNS server
nameserver 8.8.8.8       # secondary: Google public DNS

That fixed DNS. Note that Ubuntu 12.04 regenerates /etc/resolv.conf through resolvconf, so a hand edit can be overwritten on the next network restart; to make it stick, add a dns-nameservers line to the br0 stanza in /etc/network/interfaces instead.

The other problem I had was having two gateways set in /etc/network/interfaces, one for each NIC. This caused two default routes and basically screwed me and the network for hours! You will see an RTNETLINK error when trying to bring up the network interfaces if you are hitting much the same thing.
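Both mistakes (network/broadcast lines that don't match the address in the interfaces file above, and a gateway on more than one stanza) can be caught before you run ifup. This is an added example, not part of the original post; the interfaces file it checks is constructed to reproduce those two errors.

```python
import ipaddress
# Constructed interfaces file modelled on the post's: 192.168.0.x addresses, stale 192.168.2.x lines, two gateways.
SAMPLE_INTERFACES = """\
iface eth1 inet static
    address 192.168.0.3
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255
    gateway 192.168.2.1
auto br0
iface br0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    bridge-ports eth0 eth1
"""

def parse_stanzas(text):
    """Map each 'iface NAME inet static' stanza to its option/value pairs."""
    stanzas, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if words and words[0] == "iface":
            current = stanzas.setdefault(words[1], {}) if words[2:4] == ["inet", "static"] else None
        elif words and words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # these keywords end the previous stanza
        elif words and current is not None and not words[0].startswith("#"):
            current[words[0]] = " ".join(words[1:])
    return stanzas

def check_interfaces(text):
    """Return a list of problems; an empty list means the static stanzas are consistent."""
    problems, gateways = [], []
    for name, opts in parse_stanzas(text).items():
        if "address" not in opts or "netmask" not in opts:
            problems.append(f"{name}: static stanza without address/netmask")
            continue
        net = ipaddress.IPv4Interface(f"{opts['address']}/{opts['netmask']}").network
        for key, want in (("network", net.network_address), ("broadcast", net.broadcast_address)):
            if key in opts and ipaddress.IPv4Address(opts[key]) != want:
                problems.append(f"{name}: {key} {opts[key]} should be {want} for {net}")
        if "gateway" in opts:
            gateways.append(name)
            if ipaddress.IPv4Address(opts["gateway"]) not in net:
                problems.append(f"{name}: gateway {opts['gateway']} is outside {net}")
    if len(gateways) > 1:  # two default routes: the RTNETLINK error the post describes
        problems.append("more than one gateway: " + ", ".join(gateways))
    return problems
```

Point it at your real file with check_interfaces(open("/etc/network/interfaces").read()) and fix anything it lists before restarting networking.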

As I hopefully remembered to mention at the start of this post, you don't need to actually change anything on your local computers to have the traffic flow through your proxy. Wireless devices however are a little harder to deal with, because if your wireless is on the router their traffic never crosses the bridge. The simple way is to just enter the proxy details manually on these devices. Those details being the IP of your proxy bridge interface (192.168.0.2) and the port (3128).


This entry was posted in Linux, Networking.

6 Comments

  1. Posted June 29, 2013 at 7:59 am | Permalink

    This didn't work for me.

    • Posted June 29, 2013 at 11:01 am | Permalink

      Any errors? Let's see if we can find out why.

  2. Tranny's Parent
    Posted August 11, 2013 at 12:22 pm | Permalink

    Very nice *recent* article on the subject. I’m struggling with a home setup where I have eth1 and eth2 in promiscuous mode. I’m going to try the -i br0 for PREROUTING versus using the IP. Also, my topology is slightly different. Modem->Ubuntu server->dd-wrt->clients+wireless bridge and clients.

    Interesting to note that you advocate using resolv.conf. I had an issue here, so I used resolvconf instead. That being said, I have an IP on the br0 interface for management, but other than that the traffic passes through without need of DNS resolution. Poses some challenges. I don’t see too many examples of this setup that are recent.

    Traffic passes nicely until I enable ufw or squid3. That’s where I’m struggling through…

    Thanks, Dan

  3. Posted August 11, 2013 at 7:54 pm | Permalink

    I think a lot of peeps skip Squid because of its age. Surprisingly, it's used by nearly all the commercial products you can buy for enterprise environments! Is your Ubuntu server or the dd-wrt doing the proxy/firewalling? Something you could try after enabling Squid3 is pointing a browser to the proxy's IP and port? From memory default is 3128. Watch the /var/log/squid3/access.log at the same time. You should at least see a hit even though it may not work. Makes working through the problem easier 🙂

    • TrannysParent
      Posted August 12, 2013 at 2:21 am | Permalink

      Tried that. Nada. I do get a lot of DIRECT_MISS entries.

      Ufw is on the server and dd-wrt is also fire walling.

      I'm thinking it's a network issue. I've gotta double check it all.

      PS: Squid rocks. I've used it before. I think its age has nothing to do with its relevance.
      Cheers

  4. Posted August 12, 2013 at 5:36 am | Permalink

    You can DNS lookup from the squid box? For a while I had this problem. Ended up I needed to fix DNS lookup and I was away.
