Tuesday, March 05, 2013

Transparent Proxy Server, Squid 3.3.2 / 3.2.8 on Ubuntu 12.10 + Shorewall

Squid 3.1.xx (latest version 3.1.23), is a very simple and is used to make transparent / intercept. While the squid 3.3.2 / 3.2.8, to make transparent / intercept configuration is a bit different from the version of squid 3.1.23.  In this blog, I will explain how to create a transparent / intercept in two ways, the first is squid as well as a router, and the second, Mikrotik as a router coupled with squid external. Let's get to start, a transparent proxy server with squid as well as router.
network transparent proxy - squid as router

Network configuration.
After installing the new Ubuntu, configure the ethernet. In my case, Ethernet to the Internet is dhcp, and another ethernet to the LAN, using the IP address 10.10.10.1. Of course, customize your network environment.
vi /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 10.10.10.1
netmask 255.255.255.0
dns-nameservers 8.8.8.8
service networking restart
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1    0.0.0.0         UG        0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
If you are connected to the internet. Continue to the next step.
apt-get update
apt-get install vim mc make gcc g++
Install Squid
Download squid file at  http://www.squid-cache.org
cd /usr/local
wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.2.tar.gz
tar zxvf squid-3.3.2.tar.gz
cd squid-3.3.2
./configure --prefix=/usr   --exec-prefix=/usr   --bindir=/usr/sbin   --sbindir=/usr/sbin   --sysconfdir=/etc/squid   --datadir=/usr/share/squid   --includedir=/usr/include   --libdir=/usr/lib   --libexecdir=/usr/lib/squid   --localstatedir=/var   --sharedstatedir=/usr/com   --mandir=/usr/share/man   --infodir=/usr/share/info   --x-includes=/usr/include   --x-libraries=/usr/lib   --enable-shared=yes   --enable-static=no   --enable-carp    --enable-storeio=aufs,ufs   --enable-removal-policies=heap,lru   --disable-icmp   --disable-delay-pools   --disable-esi   --enable-icap-client   --enable-useragent-log   --enable-referer-log   --disable-wccp   --enable-wccpv2   --disable-kill-parent-hack   --enable-snmp   --enable-cachemgr-hostname=localhost   --enable-arp-acl   --disable-htcp  --disable-forw-via-db   --disable-follow-x-forwarded-for   --enable-cache-digests    --disable-poll   --enable-epoll   --enable-linux-netfilter   --disable-ident-lookups   --enable-default-hostsfile=/etc/hosts    --with-default-user=squid   --with-large-files  --enable-mit=/usr   --with-logdir=/var/log/squid   --enable-http-violations   --enable-zph-qos   --with-filedescriptors=65536   --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64  --with-pthreads --with-aio  --enable-default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-underscores
make; make install

cd /etc/squid
mv squid.conf squid.conf.old
vim squid.conf
Squid.conf can be obtained from http://myconfigure.blogspot.com/2013/03/squid-332-328-example-squidconf.html.  Copy and place it in /etc/squid/squid.conf. Do not forget saved. If you are using squid configuration that I use, continue the following steps, so that squid is not an error.
useradd squid
cd /etc/squid/
mkdir swap
chown squid:squid /etc/squid/swap
mkdir /cache
chown squid:squid /cache
chown -Rf squid:squid /var/log/squid/
vim /etc/init.d/squid 
Find and get the contents of the startup file at http://myconfigure.blogspot.com/2012/03/missing-file-startup-squid.html, and place it in /etc/init.d/squid. After saved, change the permissions.
======Update ... because of the question of who tried this, and failed :)=====
See squid.conf again, make sure, "acl" is correct. In squid.conf example, acl = 192.168.10.0. Because in this post, the user's IP address is 10.10.10.0/24, then change acl in squid.conf, so it should be like this,

acl bamboe src 10.10.10.0/24
Then, if you are using another IP address, do not forget to adjust the acl in squid too. Save and continue to the steps below
chmod 755 /etc/init.d/squid
update-rc.d squid defaults
squid -z
service squid restart
until this point, squid should be ok.
Install Shorewall.
Download shorewall file at http://www.shorewall.net
wget http://baltimore.shorewall.net/pub/CURRENT_STABLE_VERSION_IS_4.5/shorewall-4.5.13/shorewall-4.5.13.tgz
wget http://baltimore.shorewall.net/pub/CURRENT_STABLE_VERSION_IS_4.5/shorewall-4.5.13/shorewall-core-4.5.13.tgz
tar zxvf shorewall-core-4.5.13.tgz
cd shorewall-core-4.5.13
./configure
./install.sh
cd ..
tar zxvf shorewall-4.5.13.tgz
cd shorewall-4.5.13
./install.sh
cp /usr/share/shorewall/configfiles/* /etc/shorewall/
cd /etc/shorewall/
Edit some files below, and make sure there are some command lines in each file.
zones
###########################
fw firewall
net ipv4
loc ipv4

interfaces
###########################
net eth0
loc eth1


masq
###########################
eth0 10.10.10.0/24

policy
###########################
loc net ACCEPT
fw net ACCEPT
loc fw ACCEPT
net all DROP
all all REJECT

rules
###########################
SECTION NEW
REDIRECT loc 3127 tcp www -

shorewall.conf
STARTUP_ENABLED=Yes
 Add the following line to /etc/rc.local, in order to automatically run.
shorewall restart
exit 0
Done. It’s time to try from  computer client.

Note Update. 
There is no difference, for new version squid, 3.3.3 and 3.2.9. I've tried and succeeded.

36 comments:

  1. Hello,
    can you help me? because when I "make" I have the following error

    collect2: ld returned 1 exit status
    libtool: link: rm -f ".libs/squidS.o"
    make[3]: *** [squid] Error 1
    make[3]: Leaving directory `/usr/local/squid-3.3.2/src'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/usr/local/squid-3.3.2/src'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/usr/local/squid-3.3.2/src'
    make: *** [all-recursive] Error 1

    ReplyDelete
    Replies
    1. I think you don't follow installation steps carefully.
      try to update your ubuntu.
      #apt-get update
      #apt-get install make gcc g++

      Delete
  2. hello actually I am using CentOS. And I did

    #yum update
    #yum install make gcc g++

    After ./configure, I will command make den the above error was observed.

    ReplyDelete
    Replies
    1. It's been a long time, more than 5 years, never using centos and fedora again. :) To find solution for this problem, I have tried myself to use centos 6.4. And installing gcc and g++, a little different.
      #yum install gcc-c++

      Delete
  3. hey the link to your squid.conf for 3.3.2 is not working?? it says not found? The sample startup link works.

    ReplyDelete
  4. can you please post the squid.conf via a working link

    ReplyDelete
  5. when i type this
    /etc/squid/squid.conf

    it replay
    -bash: /etc/squid/ : no such file or directory

    ReplyDelete
  6. there's no file squid.conf in /etc/squid/
    make the file.
    vim /etc/squid/squid.conf
    and the content of squid.conf is here ( http://myconfigure.blogspot.com/2013/03/squid-332-328-example-squidconf.html )

    ReplyDelete
  7. how to connect to ubuntu from another windows computer ?

    ReplyDelete
    Replies
    1. IP address of ubuntu and windows, must have same network ID.
      for example, ubuntu : IP address 10.10.1.1, netmask 255.255.255.0
      windows : IP address 10.10.1.5, netmask 255.255.255.0
      please learn again about IP address.

      Delete
    2. thnks 4 replay, I know that
      I was asking about method ... I use this (apt-get install ssh) on ubuntu and use (PUTTY.exe) on windows to copy and past all configuration to avoiding mikstake that is right ?
      I tried your configuration twice and did all thing exactly as you explain but I can not surfing

      Delete
    3. That's right... check again your network configuration..

      Delete
    4. check your sshd_config file on nano /etc/ssh/sshd_config
      find line #PermitRootLogin no, if like that change with PermitRootLogin yes

      Delete
  8. Did I change The static IP of eth1 to 192.168.10.1 acordding to squid configuration at (http://myconfigure.blogspot.com/2013/03/squid-332-328-example-squidconf.html)

    acl bamboe src 192.168.10.0/24

    ReplyDelete
    Replies
    1. yes, you can change IP of Lan ( eth1 ) to 192.168.10.1 according to example squid configuration, or
      you can change example squid configuration,
      acl bamboe src 10.10.10.0/24
      accoring your IP of Lan (eth 1)

      Delete
  9. Are there any other configurations which i must do beside this configuration ? like sharing internet or enable dhcp server ?!!
    because I tried your konfiguration three times and I can not surfing internet at the end
    i try ping to the router but no request although i ping Successfully to the ubunto server

    ReplyDelete
    Replies
    1. this is step to check your configuration
      1. ping from computer client to router /proxy server...
      2. ping from computer client to internet..
      3. ping from router / proxy server to internet...
      4. if step 1 - 3, is ok... but still not browsing... check your squid again... check at /var/log/squid/access.log and /var/log/squid/cache.log..

      Delete
    2. i tried to set up squid again
      step 1 and 3 is ok but no browsing
      /var/log/squid/access.log (access.log not found )

      Delete
    3. make a file access.log
      touch /var/log/squid/access.log
      chown squid.squid /var/log/squid/access.log

      Delete
  10. chmod 755 squid

    the above step where should i do?
    at ( cd /etc) OR at ( cd /etc/init) ?

    ReplyDelete
  11. Is an error in this step or that is normal?

    root@ubuntu:/etc/init.d# squid .z
    2013/05/21 03:04:03| squid.conf:1 unrecognized: 'OME'
    2013/05/21 03:04:03| strtokFile: /etc/squid/noway not found
    2013/05/21 03:04:03| Warning: empty ACL: acl noway url_regex -i "/etc/squid/nowa y"

    ReplyDelete
    Replies
    1. OME in squid.conf ?? romove that line...
      /etc/squid/noway not found... make file
      touch /etc/squid/noway
      ... or remove the line configuration in squid.conf

      Delete
    2. I don't know how to remove line OME
      I hade made the file "noway"

      i hade set up squid again but also no surfing the internet I am very sad
      notice: I hade setup squid successfuly on ubuntu9.10 befor but I need this to can cash youtube


      is this the error?notice {fail} at the end

      root@ubuntu:/# service squid start

      /etc/init.d/squid: 1: /etc/init.d/squid: quid: not found
      ....... * Starting Squid HTTP proxy squid * Creating squid cache structure
      2013/05/22 03:58:44| WARNING: -D command-line option is obsolete.
      2013/05/22 03:58:44| squid.conf:1 unrecognized: 'OME'
      2013/05/22 03:58:44| Warning: empty ACL: acl noway url_regex -i "/etc/squid/nowa y"
      2013/05/22 03:58:44| WARNING: -D command-line option is obsolete.
      2013/05/22 03:58:44| squid.conf:1 unrecognized: 'OME'
      2013/05/22 03:58:44| Warning: empty ACL: acl noway url_regex -i "/etc/squid/nowa y"
      [fail]

      Delete
    3. please try to make a video about this method , I think I do a mistake but ican't determine it..
      thanks for all

      Delete
    4. check in file /etc/squid/squid.conf
      search "OME" then remove that line...
      search "/etc/squid/nowa y", then remove the line...

      Delete
  12. masq
    ###########################
    eth0 10.10.10.0/24


    Is that right? or must be eth1?

    ReplyDelete
    Replies
    1. depending interface to internet...
      eth0 : interface to internet...
      10.10.10.0/24 --> ip lan...

      Delete
  13. root@ubuntu:/etc/init.d# service squid start
    /etc/init.d/squid: 1: /etc/init.d/squid: quid: not found
    ....... * Starting Squid HTTP proxy squid

    ReplyDelete
    Replies
    1. Please look carefully the error. "/etc/init.d/squid: 1: /etc/init.d/squid: quid: not found"
      May be you are wrong to type the configuration. Pay attention at "/etc/init.d/squid: quid". Search in file /etc/init.d/squid. Find and fix or delete it. And if you dont find, continue to search in file /etc/squid/squid.conf

      Delete
  14. Helllo I was trying to make this work on the included squid version (3.3.8 i think) on ubuntu 14.04, and it seems I'm having access denied errors when using the 3127 transparent port, though the 3128 port works fine, I'm planning on compiling squid myself, but was wondering if this guide would work with squid 3.3.12 or the newer 3.4+ releases?

    ReplyDelete
    Replies
    1. if you want to use my configuration in this post, you should read everything carefully ....
      This post about squid configuration, should be used as well for the latest squid...

      Delete
  15. SwagBucks is an high paying work from home website.

    ReplyDelete
  16. Get daily suggestions and instructions for making $1,000s per day FROM HOME totally FREE.
    JOIN NOW

    ReplyDelete