Wednesday, March 06, 2013

Transparent Proxy with Squid 3.3.2 on Ubuntu 12.10 + Shorewall + Mikrotik

(Network diagram: transparent proxy, with the Mikrotik as router and a separate Squid box)
This post explains how to set up a transparent (intercepting) proxy by combining a Mikrotik router with an external Squid server. Look at the network diagram above: the Mikrotik is the router, and a separate server runs Squid as the transparent proxy. This layout was covered in an earlier article, "Ubuntu 12.10 + Squid (Transparent Proxy) + Shorewall + Mikrotik", but the Squid used there was version 3.1.23. If you simply replace it with Squid 3.2.8 or 3.3.2, the setup breaks: Squid 3.2 and later handle redirected (intercepted) connections differently from 3.1, so the old redirect configuration no longer works.
So, if you want to use Squid 3.2.8 or 3.3.2 as a transparent proxy in a network like this, a few things have to change, both in the Mikrotik router configuration and in Squid.
The steps below are much the same as those in "Transparent Proxy Server, Squid 3.3.2 / 3.2.8 on Ubuntu 12.10 + Shorewall".
We begin by configuring the Ethernet interface on the proxy server. Edit the interfaces file:
vi /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The interface towards the Mikrotik (its ether3, 10.11.11.1, is our gateway)
auto eth0
iface eth0 inet static
    address 10.11.11.2
    netmask 255.255.255.0
    gateway 10.11.11.1
    dns-nameservers 202.134.1.10
Then restart networking:
service networking restart
Install Squid & Shorewall
Follow the Squid and Shorewall installation steps from the previous article ("Transparent Proxy Server, Squid 3.3.2 / 3.2.8 on Ubuntu 12.10 + Shorewall").
Then, for the Shorewall configuration, edit the files below in /etc/shorewall/ and make sure each one contains the lines shown.
zones
####################################
#ZONE   TYPE            OPTIONS         IN                      OUT
fw      firewall
net     ipv4

interfaces
#####################################
#ZONE           INTERFACE               OPTIONS
net     eth0

policy
#####################################
#SOURCE DEST    POLICY
net     fw      ACCEPT
fw      net     ACCEPT
net     all     DROP
all     all     REJECT

rules
####################################
#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST
SECTION NEW
REDIRECT        net     3127    tcp     www     -       !10.11.11.12
Here DEST is the local port on which Squid listens for intercepted traffic (3127), DPORT www is TCP port 80, and ORIGDEST excludes from redirection any connection whose original destination matches the address given. Note that 10.11.11.12 is not assigned to any device in this layout; if the intent is to leave requests addressed to the proxy host itself un-redirected, the address to exclude is the proxy's own, 10.11.11.2.

shorewall.conf
STARTUP_ENABLED=Yes
Add the following to /etc/rc.local so that Shorewall is started automatically (exit 0 must remain the last line of the file):
shorewall restart
exit 0
Mikrotik Configuration
/ ip address
add address=10.10.10.1/24 network=10.10.10.0 broadcast=10.10.10.255 interface=ether1 \
comment="" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether2 comment="" \
disabled=no
add address=10.11.11.1/24 network=10.11.11.0 broadcast=10.11.11.255 interface=ether3 \
comment="" disabled=no

Mark web traffic from the LAN (10.10.10.0/24 on ether1) so that it can be policy-routed to the proxy. Only the LAN source is matched, so the requests Squid itself makes from 10.11.11.2 are never marked and cannot be routed back into the proxy. Only TCP to ports 80, 3128 and 3127 is marked, so HTTPS (443) and all other traffic bypass the proxy entirely.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=route-www passthrough=yes protocol=tcp src-address=10.10.10.0/24 dst-port=80,3128,3127

Marked traffic uses a default route whose gateway is the proxy (10.11.11.2); everything else, including the proxy's own upstream requests, uses the normal default route via the modem at 192.168.1.1.
/ ip route
add dst-address=0.0.0.0/0 gateway=10.11.11.2 scope=255 target-scope=10 routing-mark=route-www \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 comment="" \
disabled=no

Masquerade both the proxy and the LAN towards the modem side (ether2):
/ ip firewall nat
add chain=srcnat action=masquerade src-address=10.11.11.2 out-interface=ether2
add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=ether2

/ip dns set primary-dns=8.8.8.8 secondary-dns=8.8.4.4 allow-remote-requests=yes

Done,.. :)
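As an added example (not part of the original post or the author's configuration), here is a small POSIX shell script that checks the proxy-side half of the setup above at exactly the points where a Squid 3.1 configuration breaks on 3.2/3.3: that the intercept port is declared with the intercept flag, that Shorewall has actually installed the REDIRECT of tcp/80 to that port, that the ORIGDEST exclusion names the proxy itself, and that Squid is listening on the port. Each check reads its input as text, so it can be run offline against constructed samples or, with --live, against the real system. The squid.conf path and the Shorewall chain name net_dnat mentioned in the comments are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not from the original post: proxy-side sanity checks for the
# Squid 3.2+/Shorewall half of the setup above. Each check takes its input as
# text, so it can be fed live command output (see --live at the bottom) or
# constructed samples. The squid.conf path and the chain name net_dnat that
# Shorewall generates for a REDIRECT from zone "net" are assumptions.

PROXY_IP="10.11.11.2"       # eth0 address from /etc/network/interfaces above
INTERCEPT_PORT="3127"       # local port named in the Shorewall REDIRECT rule
PROXY_IP_RE=$(printf '%s' "$PROXY_IP" | sed 's/\./\\./g')   # literal dots for grep -E

# Squid 3.2 and later only recover the original destination of NAT-redirected
# connections on a port declared "http_port <port> intercept"; on a plain
# http_port those requests are treated as forward-proxy requests and fail.
squid_intercept_port_ok() {   # $1 = contents of squid.conf
    printf '%s\n' "$1" | grep -Eq \
        "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?${INTERCEPT_PORT}([[:space:]]+[^[:space:]]+)*[[:space:]]+intercept([[:space:]]|\$)"
}

# The nat table must hold the REDIRECT that Shorewall compiles from the rules
# file: TCP port 80 -> the intercept port.
nat_redirect_ok() {           # $1 = output of 'iptables-save -t nat'
    printf '%s\n' "$1" | grep -Eq -e "--dport 80 .*-j REDIRECT --to-ports ${INTERCEPT_PORT}"
}

# The ORIGDEST exclusion (last column of the REDIRECT rule) should name the
# proxy host itself, so requests aimed at a service on the proxy are not proxied.
nat_excludes_proxy_ok() {     # $1 = output of 'iptables-save -t nat'
    printf '%s\n' "$1" | grep -E -e "-j REDIRECT --to-ports ${INTERCEPT_PORT}" \
        | grep -Eq -e "! -d ${PROXY_IP_RE}(/32)?[[:space:]]"
}

# Squid must be bound to the intercept port, otherwise redirected SYNs get a RST.
squid_listening_ok() {        # $1 = output of 'ss -lnt' or 'netstat -lnt'
    printf '%s\n' "$1" | grep -Eq ":${INTERCEPT_PORT}[[:space:]]"
}

# Runs all checks, prints one line per check, returns the number of failures.
check_all() {                 # $1 squid.conf  $2 nat table  $3 listener list
    failures=0
    if squid_intercept_port_ok "$1"; then echo "ok   http_port ${INTERCEPT_PORT} intercept"
    else echo "FAIL http_port ${INTERCEPT_PORT} lacks 'intercept' (required since Squid 3.2)"; failures=$((failures + 1)); fi
    if nat_redirect_ok "$2"; then echo "ok   nat REDIRECT tcp/80 -> ${INTERCEPT_PORT}"
    else echo "FAIL no REDIRECT of tcp/80 to ${INTERCEPT_PORT} (is Shorewall running?)"; failures=$((failures + 1)); fi
    if nat_excludes_proxy_ok "$2"; then echo "ok   REDIRECT excludes ORIGDEST ${PROXY_IP}"
    else echo "FAIL REDIRECT does not exclude ${PROXY_IP} (check the ORIGDEST column)"; failures=$((failures + 1)); fi
    if squid_listening_ok "$3"; then echo "ok   something listens on :${INTERCEPT_PORT}"
    else echo "FAIL nothing listens on :${INTERCEPT_PORT} (is Squid running?)"; failures=$((failures + 1)); fi
    return "$failures"
}

# On the proxy host, as root:  sh proxycheck.sh --live
# (/etc/squid3/squid.conf is an assumption; adjust to where your build put it.)
if [ "${1:-}" = "--live" ]; then
    check_all "$(cat /etc/squid3/squid.conf)" "$(iptables-save -t nat)" "$(ss -lnt)"
fi
```

Run it with --live on the proxy after Shorewall and Squid are up; a FAIL on the first line is the classic symptom of carrying a 3.1-era http_port into 3.2/3.3, and a FAIL on the second means the redirect never reached the kernel, which is where to look when clients report every request as a miss or a timeout.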

Update: see my follow-up post on this setup: http://myconfigure.blogspot.com/2013/12/transparent-proxy-with-squid-3310.html

13 comments:

  1. Bro, I used this tutorial but every result is TCP_MISS. What could be wrong?

    For this part:
    add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 comment="" \
    disabled=no

    that assumes the PPPoE runs through the modem, right? What if the PPPoE runs on the Mikrotik? Do I enter the PPPoE interface as the gateway? Thanks.

    Reply:
    1. For PPPoE on the Mikrotik, just configure a PPP client. The gateway is obtained automatically, because of DHCP (make sure "add default route" is ticked on the dial-up tab of the PPP client).
  2. Thank you so much for sharing a post about the proxy.
  3. Bro, it doesn't work...
    I'm using Ubuntu 12.

    Reply:
    1. What exactly doesn't work? What is the error?
      Read and follow the tutorial carefully.
      If you use your own Squid configuration, adjust the port and IP yourself...
      If you use the Squid configuration I provided, follow it right through to the end... good luck...
  4. SECTION NEW
    REDIRECT net 3127 tcp www - !10.11.11.12

    Is this IP for the Mikrotik (10.11.11.1) or for Squid (10.11.11.2)? Because 10.11.11.12 is not on any device.

    Reply:
    1. On the proxy/Squid Linux server, install Shorewall, then create files such as zones, interfaces, rules, policy, etc., with the lines shown above as their content.
  5. What would I have to do to also get https through my squid? Just for logging. Thanks

  6. Isn't the masquerade wrong, sir?

    10.10.10.0/24 is on ether1,
    but the masquerade is on ether2.

    CMIIW

    Reply:
    1. It's correct...
      It means that the 10.10.10.0/24 addresses on ether1 are masqueraded towards the outside, i.e. ether2.
  7. Bro, the client traffic still isn't being trapped on the server.
    On the Mikrotik side it is already trapped.

    Please help.