The title says only squid tproxy (transparent proxy), but there are actually three pieces of work to be done:
1. Configure the firewall (shorewall) so the Linux CentOS box becomes a router.
2. Set up a DHCP server.
3. Install squid as tproxy (I use squid version 3.1.23).
Configuration of the firewall / shorewall
Two LAN cards are used: eth0 is set to DHCP and is already connected to the Internet; eth1 is set to the static IP address 192.168.10.1/24.
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.10.1
NETMASK=255.255.255.0
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
Install shorewall and the packages it needs.
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
yum repolist
yum --enablerepo=epel,remi,remi-test install wget mc vim unzip zip gcc gcc-c++ make perl-Digest-SHA1 perl-Digest-SHA redhat-lsb-core
cd /usr/local
wget http://www.shorewall.com.au/4.5/shorewall-4.5.16/shorewall-4.5.16.1.tgz
wget http://www.shorewall.com.au/4.5/shorewall-4.5.16/shorewall-core-4.5.16.1.tgz
tar zxvf shorewall-4.5.16.1.tgz
tar zxvf shorewall-core-4.5.16.1.tgz
cd shorewall-core-4.5.16.1
./configure
./install.sh
cd /usr/local/shorewall-4.5.16.1
./install.sh
Go to /etc/shorewall and check the entries below in each file.
zones
fw firewall
loc ipv4
net ipv4
interfaces
loc eth1
net eth0
- lo
masq
eth0 192.168.10.0/24
policy
loc fw ACCEPT
loc net ACCEPT
net fw ACCEPT
fw net ACCEPT
net all DROP
all all REJECT
Note that the "net fw ACCEPT" policy lets any host on the Internet reach every service on the firewall itself (here that includes sshd on port 22 and the squid ports seen in the netstat output later); a tighter policy is "net fw DROP" with only the ports you really need opened in the rules file.
And make sure startup is enabled in shorewall.conf:
STARTUP_ENABLED=Yes
Install the DHCP server
yum install dhcp
cd /etc/dhcp/
vim dhcpd.conf
# DHCP Server Configuration file.
subnet 192.168.10.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.10.200 192.168.10.254;
  option broadcast-address 192.168.10.255;
  option routers 192.168.10.1;
}
option domain-name-servers 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
To have the services start automatically:
chkconfig --level 235 shorewall on
shorewall start
chkconfig --level 235 dhcpd on
Reboot.
Now, from a user computer, make sure it gets a dynamic IP, check that ping works, then open a browser and try to connect to the Internet. If that works, continue with installing squid. If not, find the error and fix it before going on to the next stage.
Install Squid
cd /usr/local/
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.23.tar.gz
tar zxvf squid-3.1.23.tar.gz
cd squid-3.1.23
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --enable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-underscores ; make; make install
useradd squid
touch /etc/squid/noway
cd /etc/squid/
mkdir swap
chown squid:squid /etc/squid/swap
mkdir /cache
chown squid:squid /cache
chown -Rf squid:squid /var/log/squid/
cd /etc/squid/
mv squid.conf squid.conf.old
vim squid.conf
For the squid configuration, take it from http://myconfigure.blogspot.com/2013/01/squid-3122-example-squidconf-squid.html. Then go through squid.conf again; some variables must be changed. Make sure the entries below exist:
acl bamboe src 192.168.10.0/24
http_port 3127 tproxy
Make the squid startup file
cd /etc/init.d/
vim squid
For the squid startup script, you can take it from http://myconfigure.blogspot.com/2013/01/squid-3122-example-squidconf-squid.html (look carefully at the link; the startup section is further down).
chmod 755 /etc/init.d/squid
chkconfig --add squid
chkconfig --level 235 squid on
squid -z
/etc/init.d/squid start
Reconfigure shorewall
Go to /etc/shorewall. Find and edit the files below.
providers
Tproxy 1 - - lo - tproxy
tcrules
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3127) eth1 0.0.0.0/0 tcp 80
Restart all services.
shorewall restart
service squid restart
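A frequent cause of "tproxy does not intercept" is simply that the port in the tcrules TPROXY(...) rule is not the port squid listens on with the tproxy option, or that the squid acl subnet does not match the LAN interface. The POSIX shell script below is an added example and is not part of the original post or of shorewall or squid: it cross-checks tcrules, squid.conf and ifcfg-eth1 against each other. The file contents are constructed copies of the settings shown above, and all function names (tproxy_port_from_tcrules, ports_match, acl_matches_lan and the rest) are mine.

```sh
#!/bin/sh
# Added example (not part of the original post): cross-check the TPROXY port in
# shorewall's tcrules against squid.conf, and the squid acl subnet against the
# LAN interface. Function names are mine; the file contents below are
# constructed copies of the settings the post shows.

TCRULES='#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE
DIVERT          eth0            0.0.0.0/0       tcp     -       80
TPROXY(3127)    eth1            0.0.0.0/0       tcp     80'

SQUID_CONF='acl bamboe src 192.168.10.0/24
http_port 3127 tproxy
http_port 3128'

IFCFG_ETH1='DEVICE=eth1
BOOTPROTO=static
IPADDR=192.168.10.1
NETMASK=255.255.255.0'

# tproxy_port_from_tcrules FILE: the port inside the first TPROXY(port) rule.
tproxy_port_from_tcrules() {
    sed -n 's/^TPROXY(\([0-9][0-9]*\)).*/\1/p' "$1" | head -n 1
}

# squid_tproxy_ports FILE: every http_port that carries the tproxy option.
squid_tproxy_ports() {
    awk '$1 == "http_port" { for (i = 3; i <= NF; i++) if ($i == "tproxy") print $2 }' "$1"
}

# ports_match TCRULES SQUIDCONF: succeeds if squid has a tproxy listener on the
# port that shorewall diverts to.
ports_match() {
    p=$(tproxy_port_from_tcrules "$1")
    [ -n "$p" ] || return 1
    squid_tproxy_ports "$2" | grep -qx "$p"
}

# network_of IP NETMASK: dotted network address (octet-wise AND).
network_of() {
    set -- $(printf '%s %s' "$1" "$2" | tr . ' ')
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# prefix_of_mask NETMASK: prefix length of a contiguous dotted netmask.
prefix_of_mask() {
    n=0
    for o in $(printf '%s' "$1" | tr . ' '); do
        case $o in
            255) n=$((n + 8)) ;; 254) n=$((n + 7)) ;; 252) n=$((n + 6)) ;;
            248) n=$((n + 5)) ;; 240) n=$((n + 4)) ;; 224) n=$((n + 3)) ;;
            192) n=$((n + 2)) ;; 128) n=$((n + 1)) ;; 0) ;;
            *) echo "non-contiguous netmask octet: $o" >&2; return 1 ;;
        esac
    done
    echo "$n"
}

# lan_cidr IFCFG: network/prefix derived from IPADDR and NETMASK.
lan_cidr() {
    ip=$(sed -n 's/^IPADDR=//p' "$1")
    mask=$(sed -n 's/^NETMASK=//p' "$1")
    echo "$(network_of "$ip" "$mask")/$(prefix_of_mask "$mask")"
}

# acl_cidr SQUIDCONF ACLNAME: the src network of the named acl.
acl_cidr() {
    awk -v n="$2" '$1 == "acl" && $2 == n && $3 == "src" { print $4; exit }' "$1"
}

# acl_matches_lan SQUIDCONF IFCFG ACLNAME: succeeds if the acl covers exactly
# the LAN attached to the interface.
acl_matches_lan() {
    [ "$(acl_cidr "$1" "$3")" = "$(lan_cidr "$2")" ]
}

# Stand-alone run over the constructed files.
main() {
    d=$(mktemp -d)
    printf '%s\n' "$TCRULES" > "$d/tcrules"
    printf '%s\n' "$SQUID_CONF" > "$d/squid.conf"
    printf '%s\n' "$IFCFG_ETH1" > "$d/ifcfg-eth1"
    if ports_match "$d/tcrules" "$d/squid.conf"; then
        echo "ok: squid listens with tproxy on port $(tproxy_port_from_tcrules "$d/tcrules")"
    else
        echo "MISMATCH: tcrules TPROXY port has no matching 'http_port <port> tproxy' line"
    fi
    if acl_matches_lan "$d/squid.conf" "$d/ifcfg-eth1" bamboe; then
        echo "ok: acl bamboe covers LAN $(lan_cidr "$d/ifcfg-eth1")"
    else
        echo "MISMATCH: acl bamboe is $(acl_cidr "$d/squid.conf" bamboe), LAN is $(lan_cidr "$d/ifcfg-eth1")"
    fi
    rm -rf "$d"
}
main
```

On a real box, point the functions at /etc/shorewall/tcrules, /etc/squid/squid.conf and /etc/sysconfig/network-scripts/ifcfg-eth1 instead of the constructed copies; the checks only read the files and change nothing.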
Now, from a user computer, try to browse the Internet. If you can connect and browse, squid is working as a transparent proxy with the tproxy option. You can see which users are actively accessing the Internet through the proxy with the command:
tail -f /var/log/squid/access.log
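A live tail shows individual requests; for a per-client picture of who is using the transparent proxy and where they are going, the script below summarises squid's native-format access.log by client address and by destination host. It is an added example, not part of the original post; the log lines are constructed samples in the native format (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type), and the function names are mine.

```sh
#!/bin/sh
# Added example (not part of the original post): summarise squid's native
# access.log per client and per destination host. Function names are mine.
# Native log fields: time elapsed client code/status bytes method url ident
# hierarchy/peer type.

# Constructed sample lines standing in for /var/log/squid/access.log.
SAMPLE_LOG='1359000000.123    234 192.168.10.200 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1359000001.456     12 192.168.10.200 TCP_HIT/200 810 GET http://www.example.com/logo.png - NONE/- image/png
1359000002.789    987 192.168.10.201 TCP_MISS/200 20480 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1359000003.000     45 192.168.10.200 TCP_DENIED/403 1432 GET http://blocked.example.net/ - NONE/- text/html
1359000004.321    150 192.168.10.201 TCP_MISS/503 900 GET http://www.example.org/down - DIRECT/93.184.216.34 text/html'

# summarize_clients LOGFILE: one line per client, "client requests bytes denied",
# busiest client first.
summarize_clients() {
    awk '{
        client = $3; split($4, cs, "/")       # cs[1] = result code, cs[2] = HTTP status
        req[client]++; bytes[client] += $5
        if (cs[1] == "TCP_DENIED") denied[client]++
    }
    END { for (c in req) printf "%s %d %d %d\n", c, req[c], bytes[c], denied[c] + 0 }' "$1" \
    | sort -k2,2nr -k1,1
}

# requests_for LOGFILE CLIENT: request count for one client address.
requests_for() {
    awk -v c="$2" '$3 == c { n++ } END { print n + 0 }' "$1"
}

# denied_for LOGFILE CLIENT: requests the proxy refused (TCP_DENIED) for one client.
denied_for() {
    awk -v c="$2" '$3 == c && $4 ~ /^TCP_DENIED\// { n++ } END { print n + 0 }' "$1"
}

# top_hosts LOGFILE N: the N most requested destination hosts, "host count".
top_hosts() {
    awk '{ split($7, u, "/"); if (u[3] != "") hosts[u[3]]++ }
         END { for (h in hosts) printf "%s %d\n", h, hosts[h] }' "$1" \
    | sort -k2,2nr -k1,1 | head -n "$2"
}

# Stand-alone run over the constructed sample.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "client requests bytes denied"
    summarize_clients "$tmp"
    echo "top destinations"
    top_hosts "$tmp" 3
    rm -f "$tmp"
}
main
```

Run the same functions against /var/log/squid/access.log on the proxy; a client that appears in the log is definitely being intercepted, so an empty summary while users can still browse is the quickest sign that traffic is bypassing the proxy.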
Note.
Squid 3.2 and Squid 3.3 do not work as Tproxy. I have tried many times but was not successful. I don't know why. Maybe tproxy is just for squid version 3.1. There's no error in cache.log. It looks like requests from users go directly to the Internet, not via the proxy.
If you have any information about this, please comment. Thanks.
netstat -tulan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
--------deleted-----------
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::3127 :::* LISTEN
tcp 0 0 :::3128 :::* LISTEN
--------deleted-------
tcp 0 0 ::ffff:203.190.241.43:80 ::ffff:192.168.10.200:1145 TIME_WAIT
tcp 0 0 ::ffff:203.190.241.43:80 ::ffff:192.168.10.200:1142 TIME_WAIT
tcp 0 0 ::ffff:98.139.183.24:80 ::ffff:192.168.10.200:1150 TIME_WAIT
tcp 0 0 ::ffff:206.190.36.45:80 ::ffff:192.168.10.200:1152 TIME_WAIT
Reference
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
thank you very much for this!

Thanks for the post. I am a newbie in squid proxy. How to configure windows client gateway? use with modem gateway, eth0 (proxy) or eth1 (proxy) as gateway?

it's up to you, specify eth0 or eth1 (interface in proxy) for client gateway... most importantly, the gateway for the client is the interface facing the client... In the example above... eth1 is facing the client, so eth1 is the client gateway...

Ok, thanks for your fast reply. Is the post above running well on ubuntu? I used Ubuntu Server 13.10 amd64. If it works, how do I configure /etc/network/interfaces?

I am going to wait for your answer now.. :-D

look at here... http://myconfigure.blogspot.com/2013/03/transparent-squid-332-328-on-ubuntu.html

how if i am using 1 interface and mikrotik as gateway ?

did you manage to get a solution??

i will pay a bit to someone who can config tproxy for mikrotik router

What dhcp? I can't start it after installing the dhcp server, I am getting failed. I have centos 6.5

copy and paste here the errors...