Squid – transparent proxy with NICs on same subnet

Tags: squid, transparent-proxy, web-filtering

I have set up a basic Squid + DansGuardian virtual machine that I was to use for the monitoring and blocking of certain websites. Currently, web traffic goes through a router set as the gateway – the IP address of this is handed out by a DHCP service on a Linux server. I'd like to route some clients to a different gateway, based on their MAC address (which I can do already). The setup is as follows:

Router (Gateway) - 192.168.0.1
DHCP/DNS Server  - 192.168.0.10
Squid Server     - 192.168.0.254
Client PCs       - 192.168.0.100-199

However, most tutorials seem to require that Squid accepts traffic on 1 NIC and then relays it to the outside world on another NIC, on a different subnet.

Is it possible to have Squid accept traffic on its IP (192.168.0.254) and relay it to the gateway (192.168.0.1) to leave the building as normal? If so, does anyone have the relevant iptables rules they could give me?

Best Answer

You do not need a separate interface for this purpose.

Just add a rule to redirect the HTTP traffic and to NAT the rest appropriately:

iptables -t nat -A PREROUTING -i eth0 -m iprange --src-range 192.168.0.100-192.168.0.199 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -m iprange --src-range 192.168.0.100-192.168.0.199 -j SNAT --to-source 192.168.0.254

It is assumed that the default policy for all chains is set to ACCEPT. Also, you will need IPv4 forwarding to be enabled on this host, and its default gateway should be set to 192.168.0.1.
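The following script is an added example, not part of the answer above: it generates (or, as root with `apply`, executes) the same single-NIC setup, with the two hardening points a practitioner usually wants on top of the two rules shown. It assumes eth0 as the interface, that Squid listens with `http_port 3128 intercept` in squid.conf, and it replaces the reliance on a default ACCEPT policy with explicit INPUT/FORWARD rules; it also switches off ICMP redirects, which the kernel otherwise sends when it forwards a packet back out of the interface it arrived on, telling clients to use 192.168.0.1 directly and bypass the proxy.

```shell
#!/bin/sh
# Single-NIC transparent Squid: generate (or apply) the iptables and sysctl
# commands. Constructed example; addresses follow the question above, and
# SQUID_PORT assumes "http_port 3128 intercept" in squid.conf.
set -eu

IFACE="${IFACE:-eth0}"
PROXY_IP="${PROXY_IP:-192.168.0.254}"
LAN="${LAN:-192.168.0.0/24}"
CLIENTS="${CLIENTS:-192.168.0.100-192.168.0.199}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print one command per line; apply_rules pipes this into sh.
gen_rules() {
    C="-m iprange --src-range $CLIENTS"
    # Forwarding is needed for everything that is not redirected to Squid.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # In-and-out on the same NIC makes the kernel send ICMP redirects that
    # point clients at 192.168.0.1 directly; both switches must be 0.
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"
    echo "sysctl -w net.ipv4.conf.$IFACE.send_redirects=0"
    # Intercept client HTTP, but leave traffic to LAN hosts (e.g. the
    # DHCP/DNS server) alone so local web services stay reachable.
    echo "iptables -t nat -A PREROUTING -i $IFACE $C ! -d $LAN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # Only the filtered client range may reach the intercept port; everyone
    # else is dropped so the box cannot be used as an open proxy.
    echo "iptables -A INPUT -i $IFACE $C -p tcp --dport $SQUID_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SQUID_PORT -j DROP"
    # Forward only for the client range instead of relying on policy ACCEPT.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $IFACE -o $IFACE $C -j ACCEPT"
    # Source-NAT forwarded traffic so replies from the gateway come back
    # through this host rather than straight to the client.
    echo "iptables -t nat -A POSTROUTING -o $IFACE $C -j SNAT --to-source $PROXY_IP"
}

# Apply as root; prints nothing on success.
apply_rules() { gen_rules | sh; }

# Number of iptables commands generated (handy as a sanity check).
rule_count() { gen_rules | grep -c '^iptables'; }

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments first to review the generated commands, then `sh script.sh apply` as root.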
