Tuesday, May 28, 2013

How to make Squid 3.1.23 a Tproxy (Transparent Proxy) on CentOS 6.4


squid tproxy as router
The title mentions only the Squid tproxy (transparent proxy), but there are actually three pieces of work to be done:
1. Configure the firewall (shorewall) so that the CentOS box becomes a router.
2. Set up a DHCP server.
3. Install Squid as a tproxy (I use Squid version 3.1.23).
We will work through these step by step, so that if something goes wrong it is easy to locate and fix.
Firewall / shorewall configuration
Two LAN cards are used: eth0 is configured by DHCP and is already connected to the Internet; eth1 is given the static address 192.168.10.1/24.
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.10.1
NETMASK=255.255.255.0
IPV4_FAILURE_FATAL=yes
IPV6INIT=no

Install shorewall and the packages it needs.
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
yum repolist 
yum  --enablerepo=epel,remi,remi-test  install wget mc vim unzip zip gcc gcc-c++ make perl-Digest-SHA1 perl-Digest-SHA redhat-lsb-core
cd /usr/local
wget http://www.shorewall.com.au/4.5/shorewall-4.5.16/shorewall-4.5.16.1.tgz
wget http://www.shorewall.com.au/4.5/shorewall-4.5.16/shorewall-core-4.5.16.1.tgz
tar zxvf shorewall-4.5.16.1.tgz
tar zxvf shorewall-core-4.5.16.1.tgz
cd shorewall-core-4.5.16.1
./configure
./install.sh
cd /usr/local/shorewall-4.5.16.1
./install.sh

Go to /etc/shorewall and check that each file below contains the following entries.
zones
fw      firewall
loc     ipv4
net     ipv4
interfaces
loc     eth1
net     eth0
-       lo
masq
eth0    192.168.10.0/24
policy
loc     fw      ACCEPT
loc     net      ACCEPT
net     fw      ACCEPT
fw      net     ACCEPT
net     all     DROP
all     all     REJECT
and make sure that startup is enabled in
shorewall.conf
STARTUP_ENABLED=Yes

Install the DHCP server
yum install dhcp
cd /etc/dhcp/
vim dhcpd.conf
# DHCP Server Configuration file.
subnet 192.168.10.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.10.200 192.168.10.254;
    option broadcast-address 192.168.10.255;
    option routers 192.168.10.1;
}
option domain-name-servers 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
Make the services start automatically:
chkconfig --level 235  shorewall on
shorewall start
chkconfig --level 235 dhcpd on
Reboot

Now, from a client computer, make sure it receives a dynamic IP address, ping the gateway, and open a browser to test Internet access. If this works, continue with the Squid installation. If not, find and fix the error before moving on to the next stage.

Install Squid
cd /usr/local/
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.23.tar.gz
tar zxvf squid-3.1.23.tar.gz
cd squid-3.1.23
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --enable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-underscores ; make; make install
useradd squid
touch /etc/squid/noway
cd /etc/squid/
mkdir swap
chown squid:squid /etc/squid/swap
mkdir /cache
chown squid:squid /cache
chown -Rf squid:squid /var/log/squid/
cd /etc/squid/
mv squid.conf squid.conf.old
vim squid.conf
For the Squid configuration, take the example squid.conf from http://myconfigure.blogspot.com/2013/01/squid-3122-example-squidconf-squid.html. Then review squid.conf; some values must be changed. Make sure the following lines are present:
acl bamboe src 192.168.10.0/24
http_port 3127 tproxy

Create the Squid startup script
cd /etc/init.d/
vim squid
The startup script can also be taken from http://myconfigure.blogspot.com/2013/01/squid-3122-example-squidconf-squid.html (look carefully at that page; the startup section is near the bottom).
chmod 755 /etc/init.d/squid
chkconfig --add squid
chkconfig --level 235 squid on
squid -z
/etc/init.d/squid start

Reconfigure shorewall.
Go to /etc/shorewall and edit the files below.
providers
Tproxy  1       -       -               lo              -               tproxy

tcrules
DIVERT          eth0        0.0.0.0/0   tcp        -           80
TPROXY(3127)    eth1        0.0.0.0/0   tcp        80
Restart all services.
shorewall restart
service squid restart

Now try browsing the Internet from a client computer. If you can connect and browse, Squid is successfully running as a transparent proxy with the tproxy option. You can watch which users are actively accessing the Internet through the proxy with:
tail -f /var/log/squid/access.log
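Before telling users to browse, it is worth confirming that the kernel is forwarding, that Squid really listens on 3127, and that the shorewall DIVERT/TPROXY rules and the Tproxy routing table (provider number 1) are actually installed, since a missing piece lets client traffic leave the router unintercepted. The script below is an added example, not part of the original post or of shorewall; the exact shape of the generated rules it greps for (a TPROXY target with `--on-port 3127`, a `-m socket` match, an `fwmark 0x1` ip rule, a `local default dev lo` route in table 1) is an assumption about shorewall's output.

```shell
#!/bin/sh
# Added example: sanity checks for the Shorewall + Squid TPROXY setup.
# Each check_* function takes command output as text (so it can be exercised
# offline); run_live feeds it the real output from the running router.

# Packets arriving on eth1 must be forwarded, or nothing leaves the box.
check_forwarding() { [ "$1" = "1" ]; }

# Squid must listen on the tproxy port named in squid.conf (http_port 3127).
check_listener() { printf '%s\n' "$1" | grep -Eq '[:.]3127[[:space:]].*LISTEN'; }

# mangle table (assumed shorewall shape): the TPROXY(3127) rule from tcrules,
# plus the DIVERT socket match that marks packets of already-intercepted flows.
check_tproxy_rule() { printf '%s\n' "$1" | grep -Eq -- '-j TPROXY.*--on-port 3127'; }
check_divert_rule() { printf '%s\n' "$1" | grep -q -- '-m socket'; }

# Policy routing from the providers file (assumed shape): marked packets are
# looked up in the Tproxy table, which delivers everything locally for Squid.
check_fwmark_rule() { printf '%s\n' "$1" | grep -q 'fwmark 0x1'; }
check_local_route() { printf '%s\n' "$1" | grep -q '^local default dev lo'; }

# Prints ok/FAIL for one check and counts failures in $fails.
report() {
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# Runs every check against the live system; returns the number of failures.
run_live() {
    fails=0
    report check_forwarding  "$(cat /proc/sys/net/ipv4/ip_forward)"
    report check_listener    "$(netstat -tlna 2>/dev/null)"
    report check_tproxy_rule "$(iptables -t mangle -S 2>/dev/null)"
    report check_divert_rule "$(iptables -t mangle -S 2>/dev/null)"
    report check_fwmark_rule "$(ip rule show 2>/dev/null)"
    report check_local_route "$(ip route show table 1 2>/dev/null)"
    return "$fails"
}

# Only touch the live system when explicitly asked: ./tproxy_check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it as root with `--live`; any FAIL line points at the layer (forwarding, Squid, netfilter, policy routing) to fix before re-testing from a client.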

Note.
Squid 3.2 and Squid 3.3 do not work as Tproxy. I have tried many times without success. I don't know why. Maybe tproxy is just for Squid version 3.1. There is no error in cache.log. It looks like requests from users go directly to the Internet, not via the proxy.

netstat -tulan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
--------deleted-----------
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 :::3127                     :::*                        LISTEN
tcp        0      0 :::3128                     :::*                        LISTEN
--------deleted-------
tcp        0      0 ::ffff:203.190.241.43:80    ::ffff:192.168.10.200:1145  TIME_WAIT
tcp        0      0 ::ffff:203.190.241.43:80    ::ffff:192.168.10.200:1142  TIME_WAIT
tcp        0      0 ::ffff:98.139.183.24:80     ::ffff:192.168.10.200:1150  TIME_WAIT
tcp        0      0 ::ffff:206.190.36.45:80     ::ffff:192.168.10.200:1152  TIME_WAIT

If you have any information about this, please comment. Thanks.

Reference
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

11 comments:

  1. thank you very much for this!

  2. Thanks for the post. I am a newbie in Squid proxy. How do I configure the Windows client gateway? Use the modem gateway, eth0 (proxy) or eth1 (proxy) as the gateway?

    1. It's up to you, specify eth0 or eth1 (interface in proxy) for the client gateway... most importantly, the gateway for the client is the interface facing the client... In the example above, eth1 is facing the client, so eth1 is the client gateway...

    2. Ok, thanks for your fast reply. Does the post above run well on Ubuntu? I used Ubuntu Server 13.10 amd64. If it works, how do I configure /etc/network/interfaces?
      I am going to wait for your answer now.. :-D

  3. look at here... http://myconfigure.blogspot.com/2013/03/transparent-squid-332-328-on-ubuntu.html

  4. How about if I am using 1 interface and a MikroTik as the gateway?

  5. Did you manage to get a solution??
    I will pay a bit to someone who can configure tproxy for a MikroTik router

  6. I can't start dhcp after installing the DHCP server; I am getting "failed". I have CentOS 6.5
