
Linux: Setup a transparent proxy with Squid in three easy steps

Yesterday I got a chance to play with Squid and iptables. My job was simple: set up Squid as a transparent proxy server.

The main benefit of a transparent proxy is that you do not have to configure individual browsers to use a proxy.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network with around 150 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 4.0 (the following instructions should also work on Debian and all other Linux distros)

eth0 is connected to the Internet and eth1 to the local LAN, i.e. the system acts as a router.

Server Configuration

  • Step #1 : Squid configuration so that it will act as a transparent proxy
  • Step #2 : Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service

First, install Squid (use up2date squid) and configure it by adding the following directives to the configuration file:
# vi /etc/squid/squid.conf

Modify or add the following Squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

  • httpd_accel_host virtual: run Squid as an httpd accelerator with virtual host support
  • httpd_accel_port 80: 80 is the port whose traffic you want to proxy
  • httpd_accel_with_proxy on: let Squid act as both a local httpd accelerator and a normal proxy
  • httpd_accel_uses_host_header on: take the destination hostname from the request's Host header (needed because intercepted requests carry no proxy-style URL)
  • acl lan src 192.168.1.1 192.168.2.0/24: access control list naming the LAN computers allowed to use Squid
  • http_access allow localhost: allow requests matching the localhost ACL
  • http_access allow lan: allow requests matching the lan ACL; everything else falls through to the http_access deny all line in the full listing below
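To see which client addresses the ACL set above actually admits, here is an added example (not part of the original article) that models Squid's first-match evaluation of http_access lines for src ACLs. The config excerpts and the probe addresses are constructed from the listing in this article; the misordered variant shows why line order matters.

```python
"""Model Squid's first-match evaluation of http_access rules for src ACLs.

Added example, not part of the original article. It checks offline which
client addresses a squid.conf ACL set admits and shows why the order of
http_access lines matters.
"""
import ipaddress

# Constructed excerpt: the access-control lines from the article's listing.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
"""

# Same ACLs, but 'deny all' placed first: first match wins, so nobody gets in.
MISORDERED_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.1 192.168.2.0/24
http_access deny all
http_access allow lan
"""


def parse_conf(text):
    """Return (acls, rules).

    acls  maps an ACL name to the networks it covers (src ACLs only; Squid's
          dotted-mask form 'a.b.c.d/m.m.m.m' and CIDR are both accepted).
    rules is the ordered list of (action, [(negated, acl_name), ...]).
    """
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            nets.extend(ipaddress.ip_network(spec, strict=False) for spec in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, ip):
    """True if the client IP falls inside any network of the named src ACL."""
    if name not in acls:
        # Squid refuses to start when http_access names an undefined ACL.
        raise KeyError(f"http_access references undefined acl {name!r}")
    return any(ip in net for net in acls[name])


def check_access(acls, rules, client):
    """Return 'allow' or 'deny' for one client address.

    A line matches only when every term on it matches (a '!' term matches
    when its ACL does not). The first matching line decides. If no line
    matches, Squid applies the opposite of the last line's action; with no
    lines at all the result is deny.
    """
    ip = ipaddress.ip_address(client)
    last_action = "allow"                  # yields 'deny' when rules is empty
    for action, terms in rules:
        last_action = action
        if all(acl_matches(acls, name, ip) != negated for negated, name in terms):
            return action
    return "deny" if last_action == "allow" else "allow"


def admitted(conf_text, clients):
    """Map each client address to its verdict under the given config text."""
    acls, rules = parse_conf(conf_text)
    return {c: check_access(acls, rules, c) for c in clients}


if __name__ == "__main__":
    probes = ["127.0.0.1", "192.168.1.1", "192.168.2.50", "192.168.1.2", "10.0.0.5"]
    for label, conf in (("article", SQUID_CONF), ("misordered", MISORDERED_CONF)):
        print(label, admitted(conf, probes))
```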

Here is the complete listing of squid.conf for your reference (grep removes all comment lines and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Or, use sed alone (thanks to kotnik for the small sed trick):
# sed '/ *#/d; /^ *$/d' /etc/squid/squid.conf

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, I added the following rules to forward all HTTP requests (arriving on port 80) to the Squid server on port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. It first configures the Linux system as a router and then forwards all HTTP requests to port 3128 (download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies to connections this box started (conntrack also covers DNS answers and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid on $SQUID_PORT, aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# Port 80 requests arriving on the Internet-side interface: redirect to the local squid port
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save the shell script, then execute it so that the system acts as a router and forwards the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or restart Squid:
# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as the router/gateway (use DHCP to distribute this information). You do not have to configure individual browsers to use a proxy.

How do I test my squid proxy is working correctly?

Watch the access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

The command above follows the log as Squid writes to it. Whenever someone accesses a website through a browser, Squid appends an entry to /var/log/squid/access.log, which confirms that the requests are being intercepted.
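Reading the log by eye is fine for a handful of clients; for 150 of them, the following added example (not from the original article) parses Squid's native access.log format and reports what an operator of this setup wants to know: requests per client, the cache hit ratio, entries from addresses outside the lan ACL, TCP_DENIED lines, and CONNECT lines, which intercepted port-80 traffic never produces and therefore point at a browser configured to use the proxy explicitly. The log lines and the LAN ranges are constructed from this article's setup.

```python
"""Spot-check Squid's native access.log after the transparent setup.

Added example, not from the original article. Parses the native log format
Squid writes by default (one request per line) and summarises it.
"""
import ipaddress
from collections import Counter

# Addresses admitted by the article's 'acl lan' line (constructed from it).
LAN_NETS = [ipaddress.ip_network("192.168.2.0/24"),
            ipaddress.ip_network("192.168.1.1/32")]

# Constructed sample in Squid's native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1148716800.101    245 192.168.2.17 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1148716801.302     12 192.168.2.18 TCP_HIT/200 4523 GET http://www.example.com/ - NONE/- text/html
1148716802.550    310 192.168.2.17 TCP_MISS/200 1820 GET http://www.example.com/style.css - DIRECT/93.184.216.34 text/css
1148716803.004      3 192.168.2.18 TCP_IMS_HIT/304 220 GET http://www.example.com/style.css - NONE/- -
1148716804.777      0 10.9.8.7 TCP_DENIED/403 1379 GET http://www.example.com/ - NONE/- text/html
1148716805.900    420 192.168.2.20 TCP_MISS/200 980 CONNECT mail.example.net:443 - DIRECT/198.51.100.9 -
"""


def parse_line(line):
    """Split one native-format line into a dict; None for malformed input."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    try:
        return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
                "code": code, "status": int(status), "bytes": int(f[4]),
                "method": f[5], "url": f[6], "hierarchy": f[8]}
    except ValueError:
        return None


def in_lan(addr):
    """True if the client address is covered by the lan ACL."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def analyse(text):
    """Summarise a log excerpt: counts, hit ratio and the entries worth a look."""
    per_client = Counter()
    hits = misses = 0
    outside, denied, explicit_connect = [], [], []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        if rec["code"] == "TCP_DENIED":
            denied.append((rec["client"], rec["url"]))   # ACL rejected it
        elif "HIT" in rec["code"]:
            hits += 1                                    # served from cache
        else:
            misses += 1
        if not in_lan(rec["client"]):
            outside.append(rec["client"])                # should never happen
        if rec["method"] == "CONNECT":
            explicit_connect.append(rec["client"])       # not intercepted traffic
    served = hits + misses
    return {"per_client": dict(per_client),
            "hit_ratio": hits / served if served else 0.0,
            "outside_lan": outside,
            "denied": denied,
            "explicit_connect": explicit_connect}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```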

Problems and solutions

(a) Windows XP FTP Client

Every FTP session from the desktop clients ended with the error:
Illegal PORT command.

Loading the ip_nat_ftp kernel module fixed it. Just type the following command, press Enter, and voila!
# modprobe ip_nat_ftp

Please note that the modprobe command is already added to the shell script above (it is commented out there).

(b) Port 443 redirection

I had blocked all outbound connection requests in our router settings except those from our proxy server (192.168.1.1). So every other port, including 443 (https/ssl), was denied. You cannot redirect port 443 through Squid; from the Debian mailing list: "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL".

Therefore, I quickly reopened port 443 on the router firewall for all my LAN computers and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy: the browser does not know it is talking to a proxy, so it never answers a proxy authentication challenge.

Further reading:

Updated for accuracy.



  • Jay of Today May 27, 2006, 6:15 am

    you gotta be kidding, only 150 desktops and 8 gigs of RAM??????? I used to have a P133 with 64 megs with that setup way back then!!!

    bah, newschoolers SUCKS

  • LinuxTitli May 27, 2006, 12:39 pm

    LOL :D

    8GB gives you the best performance.

    Squid performance = more ram + fast SCSI disk

    Cost of RAM: yet another reason or factor to have more RAM. Even people have started to use desktop systems with 1GiB :P

    • venkat June 2, 2011, 5:05 am

      Shall I install squid proxy on a normal PC (HP i5 processor, 8GB RAM)?

  • kotnik May 27, 2006, 4:17 pm

    Use following sed magic to remove both comments and empty lines at the same expense:

    sed '/ *#/d; /^ *$/d'

  • LinuxTitli May 27, 2006, 5:23 pm

    kotnik,

    Nice sed trick, no need to use grep :)

    Appreciate your post.

  • Aaron May 28, 2006, 9:53 am

    Hi,

    I have a similar setup, only one question: how do I block Yahoo and MSN messengers (block at router or transparent proxy+iptables level)?

    Cheers,

    Aaron

  • LinuxTitli May 28, 2006, 10:07 am

    Aaron,

    My firewall policy @ router:
    Default firewall policy: close all doors and open only the required windows.

    Block all incoming and outgoing requests.
    Open only the required ports, i.e. 80 (from proxy only), 443, 21, 22, 25 etc. as per requirement. This configuration automatically blocks the rest.

    You can implement similar policy using Squid ACL or iptables.

  • Scott May 29, 2006, 5:01 am

    Nice, quick, down and dirty article. :-)

    Aaron: http://www.mail-archive.com/squid-users@squid-cache.org/msg38193.html will explain how to block Yahoo, MSN and other IM’s.

    For anyone interested, I have thrown together a HOWTO on getting Squid to work properly in conjunction with Active Directory authentication. It can be found here: http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/

    Enjoy!

  • Bill May 29, 2006, 5:55 am

    Aaron,

    My findings with chat networks like AIM is that, even if you block the specific ports used by the network (ie, 5190), the login server will accept connections to other ports that are common, such as 80, 25, 443, 23, etc. Your best bet for blocking chat traffic is to block the ports used by the network, as well as the IP addresses associated with the login servers, like login.oscar.aol.com.

    Additionally, write your internal routing rules such that only traffic passing through your proxy can reach the Internet. Otherwise, users will be able to circumvent your proxy and use a public proxy.

  • Desert Zarzamora May 29, 2006, 6:27 am

    Some time ago, I wrote another how-to, but this time for a COMPLETELY transparent proxy. That is, a bridged proxy.

    That's a bit more esoteric stuff, but very useful if you really can't mess with your network topology.

    Have a look at: http://freshmeat.net/articles/view/1433/

  • Hans May 29, 2006, 6:51 am

    I would love to run into your office and replace your server with a Pentium 200 with 128mb of RAM… you probably wouldn't notice the difference, if all you are using it for is squid. Then I would actually make some good use of the machine. I've got a pentium 200 doing far more (proper proxy, apache server, svn, samba, etc etc) and it handles it perfectly well

    ???

  • LinuxTitli May 29, 2006, 2:05 pm

    @Desert Zarzamora and Scott, nice tutorial (thanks for links)

    @Hans, heh. Well, to be frank, I am just the admin and decisions regarding h/w or infrastructure are made by someone else … this is how things work in an enterprise IT division (they don't care about money as they also make more money from the core business, so they want world class stuff). However, I agree with you that the h/w requirement can be low to run other services.

    @Bill, Good advice there.

    Appreciate all of yours post and feedback :)

  • Steve May 30, 2006, 8:44 am

    just wondering, do we really need squid acting as an accelerator here?

    nice article, and what a beast of a proxy server i think everyone else is just jealous cos they only have p1’s

  • ADHDPHP June 1, 2006, 3:24 am

    Thanks LinuxTitli!!! I really appreciate you sharing your knowledge with others!

    Keep up the great work!

    KMC

  • ADHDPHP June 1, 2006, 3:28 am

    Also, LinuxTitli, do you have any need to use dansguardian in conjunction with squid for content filtering? That would probably make good use of that RAM too!

    Thanks again!

  • massage therapy products June 1, 2006, 8:14 am

    Well, I’ll be needing to set one of these up eventually, so you’re bookmarked. I wonder how performance would be if I set up a RAID system on USB drives…

  • avanish June 1, 2006, 10:17 pm

    how can we config the ftp service in squid proxy?

    reply

    avanish gupta
    india

  • nixCraft June 1, 2006, 11:33 pm

    Avanish,

    Add following line to config file
    acl ftp proto FTP
    http_access allow ftp

    If client computers are using the IE browser then go to Tools > Advanced > and uncheck the option that reads Enable folder view for FTP sites.

    FTP proxy only works through the browser; it will not work at the command line.

    Remember squid is not a real ftp proxy.

  • nesargha June 2, 2006, 5:07 pm

    thank you,
    i had a little bit of problems running the script on redhat 9, i had to remove the $lan_in etc.. and type the actual values, but at last it worked fine for me

    nesargha
    india

  • Aaron P June 4, 2006, 9:18 am

    Using squid transparently, you lose the ability to authenticate users (bummer). While I can understand why (to a certain degree), is there a way to just get the username for logging purposes?

    It’s like I’m up a (little river) without a (rowing device). I need squid for logging user hits, but I can’t do it without transparent routing. And I can’t authenticate in transparent mode due to the accelerator. Any ideas?

    Awesome article. Thanks!

    AP

    • hosseini May 29, 2011, 11:40 am

      Hi
      I send filter with easy installation
      However, strong and durable

  • nixCraft June 4, 2006, 3:35 pm

    @Aaron,

    Simple answer is you cannot do both things (transparent proxy + auth). The browser has no way of knowing it is using a proxy.

    So, what you can do is use automatic URL configuration (i.e. no transparent proxy) with WPAD.

    The information for WPAD and automatic URL configuration is available at the official Squid FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ-5.html

    If you find any other way then let us know…

    Hope this helps.

    @nesargha,
    Maybe because of HTML formatting… I will upload the script as a text file so that others can use it directly (but you still need to make changes to the script)

    • Vicky March 15, 2012, 10:34 am

      @vivek: I am still confused why it's not possible to configure squid to ask for Username & Password when operating in Transparent Mode.

      What's the difference between "specifying the proxy settings in the browser (NON-TRANSPARENT)" & "forwarding all http traffic to port 3128 (TRANSPARENT)" ??

      What prevents squid from asking for the login in TRANSPARENT mode??

      VICKY
      EMAIL: vicky (at) LINUXMAIL.ORG

  • Martin Wallace June 17, 2006, 6:24 am

    I am just a newbie, but I think there's an error in your configuration of iptables. The lines should read:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    That is, you need --, not -, before to, to-port and dport.

    Correct me if I’m wrong. Martin

  • Martin Wallace June 17, 2006, 6:31 am

    I see that the problem is with formatting. You need two dashes, not one, before to, to-port and dport, but they look like one (slightly longer) dash on my screen.

    Try again:
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    • harish singh August 17, 2014, 7:59 am

      i have two lans: eth0 - wan ip is 192.168.2.5 sub 255.255.255.0 dns 8.8.8.8,8.8.4.4
      and eth1 lan ip 192.168.1.1 sub 255.255.255.0
      and squid.conf
      acl mylan src 192.168.1.0/24
      http_access allow mylan
      http_port 3128 transparent
      visible_hostname harsh.singh.com
      and iptables rules are
      iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
      iptables -I INPUT -s 192.168.1.0/8 -p tcp --dport 3128 -j ACCEPT
      client side windows 7 pro
      ip 192.168.1.10 sub 255.255.255.0 gateway = 192.168.1.1
      but it's not working; when i give the proxy setting then it works
      pls somebody help me, i am so disturbed

  • nixCraft June 17, 2006, 7:44 pm

    Martin,

    I just checked the script. There is no problem. However, it looks like, HTML formatting breaks the script. Direct link to download script:

    http://www.cyberciti.biz/tips/wp-content/uploads/2006/06/fw.proxy.txt

    Hope this helps :)

  • sohan July 12, 2006, 5:28 am

    i am using the same rules given above. Can I block my users from using a public proxy? Do i have to modify my squid.conf or iptables?

  • nixCraft July 12, 2006, 10:23 am

    sohan,

    You just need to set up the LAN ACL. If you are using the above config then it only allows access from the LAN.

  • WebSean July 30, 2006, 9:55 pm

    I am running Squid 2.5 on Macintosh OS X (10.3.7) with the handy "SquidMan" port for OS X / Darwin and it works great. The interface does allow me to make the httpd_accel_… modifications to the squid.conf file for transparent proxying, but how do I set up the iptables step? My system uses ipfw instead and I have tried "sudo ipfw add 1000 fwd 127.0.0.1,8080 tcp from any to any 80" only to see my port 80 malfunction. How can I configure the port 80 hijack/redirect function to get transparency working on OS X? Thanks in advance.

    • tony September 6, 2010, 7:28 pm

      WebSean,

      Did you ever get a reply back? I have similar setup
      browser->dansguardian->squid->internet and I’m using ipfw

      Can’t seem to get transparent working. Meaning redirecting requests coming to port 80 to dansguardian port 8080

      I've tried each of the following, in different combinations, in my ipfw ruleset – nothing works ..just goes straight to the internet ..bypasses dansguardian completely

      ${IPF} add 01000 allow tcp from me to any 80 out via $EXT_INT setup $KS

      #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
      #ipfw add 50 fwd 127.0.0.1 tcp from any to any 80
      #${IPF} add 01006 allow tcp from 127.0.0.1 to any 80
      #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 in recv $EXT_INT
      #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
      #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from me to any 80 via $EXT_INT
      #${IPF} add 01008 allow tcp from me to any 80 out xmit lo0
      #${IPF} add 01009 allow tcp from any 80 to me in recv lo0 established

      ${IPF} add 7000 fwd 127.0.0.1,8883 tcp from any to any 80

      my squid.conf looks like this

      http_port 127.0.0.1:3333 transparent

      because that is what squid version 3.1.7 needs

  • Emre October 2, 2006, 7:52 am

    To see neither empty lines nor comments, grep can be used this way:

    grep -Ev "^$|^#" /etc/squid/squid.conf

  • Praveen October 29, 2006, 1:57 am

    Hi,
    Is it possible to retain the public IP address while using squid?
    All PCs in my LAN have public IP addresses. I want to use squid.
    But whenever I use transparent squid, the outgoing packet has the squid server's IP as source IP address. How can I use squid httpd_accel without proxy?

  • nixCraft October 29, 2006, 8:13 am

    The whole point of using a transparent proxy/NAT is to hide internal IP addresses.

    As long as you have squid in between the internet and the other boxes, anyone will see your squid IP address.

  • karthick November 11, 2006, 2:23 pm

    dear,

    cyberciti guys, thank you very very much, because your web site is good food for Linux-hungry people.
    Continue your job with God's blessings.
    By,
    Your’s
    S.Karthick

  • Marlon November 15, 2006, 8:47 am

    Hi guys,

    I want to ask something about my firewall-squid-dhcp server in one box. I have eth0 for the internet connection and eth1 for the local connection… what I want to do is make all clients connected at the eth1 local connection use a transparent proxy.

    Could you provide me the minimal config of iptables/squid.conf to make my all-in-one Linux box work as a transparent proxy?

    I want the minimal config of iptables without filtering, temporarily.

    Thanks!

  • nixCraft November 15, 2006, 9:54 am

    Squid config remains the same. Only iptables changes. Type the following at the command prompt to get started temporarily:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Replace 192.168.1.1 with your actual Linux server IP address (local LAN IP)

  • Jaimohan November 17, 2006, 6:13 am

    Dear friends,
    can i run the VPN-Checkpoint software with squid using transparent proxying? please reply asap

    Regrds
    Jai

  • nixCraft November 17, 2006, 12:59 pm

    Yes you can; as long as everything is configured you should be able to use VPN with any other internet service

  • Mimbari November 24, 2006, 1:58 am

    For a “completely totally” transparent proxy, use http://www.balabit.com/downloads/tproxy/linux-2.6/

    That way the client IP address will be used by the Squid, still caching etc too. Needs inbound routing of reply server traffic to be routed back through the Squid box though.

    It’s kernel & iptables patching only, yielding the tproxy iptables table..

    In Valen’s Name.

  • neddy November 27, 2006, 12:23 am

    Hi there, i have a few questions…
    1) will this proxy things such as steam games / downloads, Microsoft updates, anti-virus updates and other things that do not run on port 80?

    2) The proxy appears to work, and i have set my ip address to it, but if i download a 10mb file, then download the same file on another pc, the speeds are still slow, indicating that the proxy may not be working…
    when i run "tail -f /var/log/squid/access.log" i get the log to screen & file, and it is showing that there is data being proxied, but everything still runs 'slow'

    3) I am running it on public ip addresses, one for eth0 (internet) 203.16.209.x
    and the second ip address, for the people using the proxy, is eth1 (lan) 203.221.91.x. The proxy all works, but could this be why it is running slow?

    – cheers

  • nixCraft November 27, 2006, 6:32 am

    Neddy ,

    Yes everything should work as long as the remote site is using port 80 for downloading updates and patches.

    If you need to cache larger files you need to raise the maximum cache object size. Default is 4 MB. However it is not recommended to use such a large cache object size unless you have a monster cache server (normally ISPs enable large cache objects). You need to tune your squid for this. The defaults are good to improve overall user experience.

    Proxy should work fast. Make sure you have the correct DNS server set up. Try to use the OpenDNS server http://opendns.com/

    HTH.

  • woodsturtle November 29, 2006, 3:40 pm

    I am having trouble accessing an MS SharePoint server through squid 2.6 configured in transparent proxy mode. Everything that I have read so far suggests that I must bypass squid altogether because of the NTLM authentication required to access SharePoint. Is this the case? Also, what is the iptables statement which I should use before the DNAT statement? I am using wccp and have created a GRE tunnel on the squid box.

  • Hernan November 29, 2006, 4:45 pm

    Excellent guide, it works for me. Thanks. Now I'm working on an acl that lets a few machines access msn.

  • woodsturtle November 29, 2006, 7:10 pm

    What guide are you referring to?

  • ReMSiS December 12, 2006, 12:31 pm

    Hello,

    Really the guide is wonderful and it worked 100% for me and even the clients using it are amazed with its speed. But there is one problem now !!! How can we access mail? i.e. clients using Outlook are not able to send and receive mail because the ports are blocked or it is not able to resolve the mail server. How can I make the mail work too? Because now only http is working; pop3 and smtp are not !!! How can I do that?

    Regards,

  • nixCraft December 12, 2006, 7:39 pm

    I think your topic is already answered @ our forum.

  • ReMSiS December 13, 2006, 8:27 am

    Yes nixcraft answered but still not working right, the script yesterday worked now its not !!! I maybe going crazy…

  • sohan January 2, 2007, 9:55 am

    I have installed Squid-2.4 on Red Hat Enterprise Linux 4.
    2 public IPs are available from 2 different ISPs.

    Now I want to configure Squid so as to apportion traffic among the IPs
    by destination (external) IP and by source (internal) IP. The aim is to give the complete bandwidth available from one ISP to one set of users for their access to specific URLs.

    Is there any way to do the same in Squid ?

  • sohan January 2, 2007, 11:04 am

    Hi All

    I want to put a quota limit on Squid for users. I want to limit users to a specific data limit, e.g. if I want to allow users to consume only 4 GB of data through Squid, then what do I need to do? Is there any additional tool for squid to do this, or can squid do this as well?

    If anybody have solution for this please let me know.

    thanks

  • Raghuram January 31, 2007, 5:34 am

    Hi,

    Nice tut. Just what I wanted for an education facility of 45 machines. Have a 2Mbps ADSL connection which I want to share across the LAN. This is my first time with squid. One doubt – my lan ip (eth1) is DHCP driven while eth0 (internet facing) has a static IP. In this case, will squid work?

    thanks.

  • raghu January 31, 2007, 5:37 am

    will squid work with DHCP assigned eth0 and static IP eth1?

    Nice tutorial. thanks

  • nixCraft February 1, 2007, 10:07 pm

    raghu,

    You can use Squid with DHCP assigned IP

  • Marco A. Barragan February 7, 2007, 1:48 pm

    All this does not work for 2.6. In the case of using:

    http_port x.x.x.x:xx vhost transparent or any combination, the message is "Can't use transparent and cache in the same port"; if you try to use the cache_peer command, an error appears: FATAL: Bundle in line x: cache_peer …

    So, now you can't use the server for caching and proxy at the same time :S

  • nixCraft February 7, 2007, 3:10 pm

    #1: You cannot set proxy and transparent http on the same port.

    #2: There is some discussion going on about cache peering @ our forum.

    HTH

  • Clay February 8, 2007, 7:05 pm

    I’m trying to setup squid transparently on a box that has one network interface, but is plugged into a hub between the Internet connection and the switch that the clients are on. (I realize this is not ideal, but it’s what I have to work with.)

    Can anyone point me in the right direction?

  • rakesh February 9, 2007, 3:26 pm

    sir
    well i have one problem. i have one system with two ethernet LAN cards, one connected to a public ip and another to the local network. what i want is if any external client sends a request on port 80, that request should be redirected to my local DNS. how can it be possible?
    another thing: i have two domains, mydomain.com (local) and another http://www.com (internet). now if any client requests http://www.com, the request should be redirected to mydomain.com. can it be possible? if possible plz send me the solution

  • raghu February 11, 2007, 1:23 pm

    Hi vivek,
    Can squid be set up on a machine different from the internet gateway machine? I have a DHCP (FC5) server on which I want to set up squid. My internet gateway (ADSL) machine runs Windows Xp and I don’t want to disturb it.

    Thanks.

  • Marco A. Barragan February 17, 2007, 3:41 pm

    But how can I configure it? any idea? how to activate the cache for my network? can anyone help me do the right thing? I'm redirecting port 80 to 3128 with iptables (old style squid) and using this:

    http_port 10.42.0.1:3128 transparent
    half_closed_clients on
    visible_hostname 201.234.228.139
    coredump_dir /var/spool/squid

    Where 10.42.0.1 is the network interface (eth0) connected to the lan, and eth1 is the wan.

    I want to make the cache for my users with squid, and also use proxy, but I can't go to every client to configure proxy settings. I need transparent, and cache. I tried everything, I use this:

    http_port 10.42.0.1:3128 transparent
    cache_peer 127.0.0.1 parent 3128 3130 originserver
    half_closed_clients on
    visible_hostname 201.234.228.139
    coredump_dir /var/spool/squid

    Does not work. I used all the "arrows" that I can imagine and nothing. Can anyone explain to me how to do it?

    Really thanks a lot for any help.

  • Siva February 19, 2007, 7:05 am

    how do I control my bandwidth using squid proxy?

  • Marco A. Barragan February 21, 2007, 4:12 pm

    for bandwidth you can use this:

    first step: configure how many delay pools you are going to use. for example, if you have 2 types of users (one with big bandwidth and others with low bandwidth) you need to put this:

    delay_pools n, in our example: delay_pools 2

    then you need to define the class of bandwidth. there are 3 types, 1, 2, 3. in our example we use classes 1 and 2, for the unlimited general and the restricted:
    delay_class 1 1
    delay_class 2 2

    then use the parameter to define the velocity. remember, if you want 128 kbps, you need to multiply it by 128 to convert to bps:

    delay_parameters 1 -1/-1
    delay_parameters 2 -1/-1 16384/57600
    -1 means unlimited
    second is for 128 and boost of 450

    last step is defining the acl, in my case:

    acl localhost src 127.0.0.1/255.255.255.255
    acl clientes src 10.42.100.0/255.255.255.0
    acl limitados src 10.42.99.0/255.255.255.0

    delay_access 1 allow clientes localhost !limitados
    delay_access 2 allow limitados
    delay_access 1 deny all
    delay_access 2 deny all

    Dunno if it is correct but it is an example, you can investigate more.

  • bitou February 26, 2007, 1:51 pm

    This fw.proxy has to be started manually every time the computer is started. Only then will the transparent proxy work. Is there a method to do it automatically, so that the script is executed on start up even without the need for the user to log in?
    Regards

  • nixCraft February 26, 2007, 2:14 pm

    bitou,

    If you are using RedHat/CentOS/FC Linux type:
    service iptables save
    chkconfig iptables on

    If you are using Debian/Ubuntu Linux read this

  • Coders2020 March 7, 2007, 5:26 am

    In the past I had serious problems with configuring squid on my local network. I am already under a university firewall/proxy. Can I configure a proxy under a proxy (I know it has no practical use but just asking for testing purposes)?

  • Prabir Das March 19, 2007, 9:04 am

    it's a good education package for us

  • Prashant Soni March 20, 2007, 7:07 am

    Hi,

    My name is Prashant. I am Sr.Network Engineer in an ISP.

    I would like to put a transparent proxy with bridge between our local networks and Internet.

    I’ve been trying to configure a squid transparent proxy with bridge a couple of times, but have not yet been successful.

    I am explaining the scenario and hope somebody will help me.

    SCENARIO :

    We have 2 ip pools in our networks.
    1. 128.0.0.0/18 (fake ip)
    2. 59.x.x.96/27 (real ip)
    3. 59.x.x.0/27 (Real IP Used in internetwork)

    We have one mikrotik master router from which both networks go to the radware (which is a load balancer and uses the internetwork IPs listed in a cisco). Now I want to put squid between the mikrotik and the radware (load-balancer).

    In my network nobody uses authentications so not needed.

    When I configured squid as a transparent proxy in bridge mode, sometimes it gave me acl errors. But when I changed squid.conf to “access_allow all”, no error comes but the page does not load till done.
    With these settings I can ping and traceroute to the internet from client addresses too, but the page is not loading.

    I’ve done all the configuration as stated in the link below:

    http://freshmeat.net/articles/view/1433/

    Please guide me regarding this matter.

    Regards,
    Prashant

  • Nandkishor March 27, 2007, 6:13 am

    Hi,
    I have configured the DHCP server using ES Linux-4. It has 2 ethernet cards. eth0 is used for DHCP (LAN) & eth1 is connected to the Internet.
    eth0 using IP 192.x.x.x
    Netmask 255.255.255.0
    Gateway 59.x.x.x (this is IP of eth1)
    eth1 using Ip 59.x.x.x
    Netmask 255.255.255.240
    Gateway 59.x.x.129

    Client M/Cs can ping the IP of eth0, and also the gateway of eth0 & the IP of eth1, but are not able to ping the gateway of eth1 (59.x.x.129),
    so they are not able to connect to the internet.
    So plz give me the solution for this.

  • Nandkishor March 30, 2007, 11:57 am

    Hi,
    I have configured the transparent proxy with the dhcp server. How do I block files from being downloaded, like *.dll & *.mp3 & *.mp4 etc., for a specific time?

  • nixCraft March 30, 2007, 5:25 pm

    Nandkishor,

    Please see this article

  • xaviero March 30, 2007, 6:13 pm

    how about if i use another PC for router & gateway, then use another PC (SLES installed) just for transparent proxy (DMZ).

    the proxy already works, but it's not transparent. what should i do with iptables?

    advice plz

  • Nandkishor April 3, 2007, 6:20 am

    Hi,
    I have configured many virtual hosts on one server and added the same big file to all those virtual hosts. But because of this big file more space is required.
    So is it possible for me to create one folder on that server, put that file there & give the path of that folder in all the virtual hosts?
    But how is it possible? Plz give me the solution for this.

  • Nandkishor April 3, 2007, 9:46 am

    Hi,
    I have seen the article for blocking downloads of .dll, .mp3, .mp4, .exe & many other files, & done the configuration.
    But this is not working to block the file downloads. Plz give me the solution for this.

  • Gurpinder Singh April 7, 2007, 10:34 am

    hello everybody

    i want to configure a squid server on fedora core 5. i want the range of ip addresses 192.168.1.1 – 192.168.1.60 and 192.168.1.101 – 192.168.1.160 to have internet running on those client machines, and no internet on the other ip addresses, i.e. 192.168.1.61 – 192.168.1.100. please reply urgently to my mail address.

    Gurpinder Singh

  • Alex Ling April 10, 2007, 3:43 am

    Hi all

    i would like to know how to forward HTTP requests to another proxy (like privoxy).

    Thanks.

  • mark April 26, 2007, 10:44 am

    Good day. I’m currently running squid 2.5 on my centOS server… I needed authentication for my users before accessing the internet (80, 21, 443, etc) so I configured it correspondingly. However, one of my clients needs to access an ftp server which enforces a username and password authentication. Squid tries to connect using an anonymous user rather than prompting for a password…
    My question being: How could I enable user authentication to public ftp servers if my machine is behind a squid proxy server?
    I’d appreciate your best effort. Thanks in advance.

  • pankaj chauhan April 28, 2007, 9:54 am

    hello every body,
    i have a squid proxy server
    my server ip is 192.168.0.1
    my client ip is 192.168.0.2 to 192.168.0.240
    internet is working properly on the clients
    is it possible that the first 30 clients (192.168.0.2-192.168.0.30) get more bandwidth than the rest of the clients?
    plz tell me what change to make in the squid.conf file for it.

  • Tapan May 3, 2007, 4:48 am

    how to prevent bypassing sarg and dansguardian

  • tushar May 9, 2007, 10:59 am

    Hi All
    My name is tushar and i want to make a project on squid proxy server, because I want to submit the complete project on squid proxy server.
    Thanks.
    Tushar Raut

  • Frank May 10, 2007, 4:41 pm

    Is there any indication to use some sort of virus/malware filter in this setup, aka, HAVP – HTTP. http://www.server-side.de/

    Cheers!

    Frank

  • chandrakant May 24, 2007, 7:20 am

    Hi
    Thanks for the fw.proxy file.
    after enabling this file i’m able to run my system as router and proxy server.
    But after restarting the server I’m receiving so many log messages.
    Please have a look and tell me how I can block them.
    Due to this my server is responding slowly…
    System log:-

    May 24 12:45:06 pune dbus: Can’t send to audit system: USER_AVC pid=2658 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=root:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus

    May 24 11:28:21 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29613 PROTO=UDP SPT=137 DPT=137 LEN=58
    May 24 11:28:22 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29615 PROTO=UDP SPT=137 DPT=137 LEN=58
    May 24 11:28:23 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29616 PROTO=UDP SPT=137 DPT=137 LEN=58

    Regards,
    Chandrakant

  • csbot May 24, 2007, 9:57 am

    chandrakant,

    Remove last line:
    iptables -A INPUT -j LOG

    BTW, log will not slow down your server.
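An added example, not from csbot's reply or the article: instead of deleting the LOG rule, find out what is filling the log and then keep logging at a rate the box can afford. `summarize_drops` reduces kernel LOG lines like the ones chandrakant pasted to a count per protocol/destination port; `emit_log_rules` prints (rather than applies) a replacement tail for the INPUT chain that silently drops NetBIOS broadcast chatter arriving on the given interface and rate-limits everything else with `-m limit` and a searchable `--log-prefix`. The log lines are constructed in the same format, with documentation-range addresses, and the interface name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the thread above: keep the catch-all LOG rule
# but make it tell you something.
#  1. summarize_drops: boil kernel LOG lines down to "count PROTO/DPT" so you
#     can see what is filling the log before deciding what to silence.
#  2. emit_log_rules: the hardened tail of the INPUT chain, printed rather than
#     applied so it can be reviewed and pasted into fw.proxy by hand.

# Constructed sample in the kernel LOG format: three NetBIOS name service
# broadcasts (UDP 137 -> 137) and one TCP SYN to port 22 from a
# documentation-range address (198.51.100.0/24).
SAMPLE_LOG='May 24 11:28:21 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29613 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:22 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29615 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:23 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29616 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:30:02 pune kernel: IN=eth0 OUT= MAC=00:14:85:64:d7:3e:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=10.20.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40312 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarize_drops: read syslog lines on stdin, print "count PROTO/DPT",
# most frequent first. ICMP has no DPT and shows up as "ICMP/-".
summarize_drops() {
    awk '
    /kernel: IN=/ {
        proto = ""; dport = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # timestamp, hostname, "kernel:"
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dport = kv[2]
        }
        if (proto != "") count[proto "/" dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# emit_log_rules IFACE: replacement for the bare "iptables -A INPUT -j LOG" tail.
# IFACE is a placeholder for whichever interface carries the Windows broadcast
# noise. NetBIOS name/datagram service (UDP 137/138) is dropped without logging;
# everything else is logged at most 5 lines per minute (burst 10) with a prefix
# you can grep for, then dropped.
emit_log_rules() {
    iface="$1"
    printf '%s\n' \
        "iptables -A INPUT -i $iface -p udp -m multiport --dports 137,138 -j DROP" \
        "iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"fw-drop: \" --log-level 4" \
        "iptables -A INPUT -j DROP"
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
emit_log_rules eth0
```

On a live box, `grep 'kernel: IN=' /var/log/messages | summarize_drops | head` gives the same table for real traffic; anything that tops it and is expected noise gets its own silent DROP ahead of the LOG rule, so the log keeps the unexpected hits.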

  • cedric May 27, 2007, 11:17 pm

    your instructions work well but i can’t connect to my network printer and another server on my lan. also having problems setting up a static ip for eth0. i followed the instructions from the link you gave. i tried to do it several times and always had to go back to using dhcp. i need some help, and what gateway would i use for eth0?

  • Chandrakant May 31, 2007, 12:31 pm

    Hi,

    One more problem i am facing with the above configuration.
    I am not able to use web access of the exchange 2003 server, and the office scan http url.

    can anybody help me resolve this?

    Chandrakant

  • bhupesh karankar June 1, 2007, 10:07 am

    Hello Friend,
    i am bhupesh karankar, i have a problem with squid.
    as above, i have implemented squid on my server. but still my clients are not able to access mail via outlook with squid.
    waiting for ur reply
    i have the same configuration as above.
    waiting for ur reply,
    need help

    Bhupesh Karankar
    bkarankar@gmail.com
    0998110488

  • Brent June 1, 2007, 5:42 pm

    Thanks for posting the transparent proxy script. It works very well. I like the way you choose to close everything and only open what you need. I do need to open a few ports, like https (443) and possibly one or two more (ssh). Can you post how you would do this? Thanks.

  • nixCraft June 1, 2007, 9:03 pm

    Find line
    # DROP everything and Log it

    Add your iptables rules before that line. Remember you must deal with eth0 and eth1, otherwise you will create a new security issue.

  • bhupesh karankar June 2, 2007, 9:39 am

    hello,
    this is nice script.
    but when i use this, it blocked smb and squid and my web server,
    what to do.
    waiting for reply
    bkarankar@gmail.com
    bhupesh karankar

  • nixCraft June 2, 2007, 10:14 am

    bhupesh,

    Open those ports using iptables rules, as this script locks down everything. Read my comment # 82. If you have more questions please post to our forum.

  • Maroon Ibrahim June 11, 2007, 6:16 am

    Prashant!!!

    allow access for ICP

    Regards

  • Nandkishor June 11, 2007, 6:35 am

    Hi,
    I configured the transparent proxy & also set up the iptables. This is working fine. But recently I have run into trouble. If I try to open any site like gmail.com or any other site, sometimes it works but sometimes they give the following error.

    The requested URL could not be retrieved

    While trying to retrieve the URL: http://gmail.com/

    The following error was encountered:

    Unable to determine IP address from host name for gmail.com

    The dnsserver returned:

    Refused: The name server refuses to perform the specified operation.

    This means that:

    The cache was not able to resolve the hostname presented in the URL.
    Check if the address is correct.

    Your cache administrator is root.

    Please give me the solution for this.

    Regards,
    Nandkishor

  • Linuxnewbie June 11, 2007, 11:19 am

    Hi,
    I need to install a transparent proxy with squid caching, but my eth0 is connected using DHCP, so what changes need to be done? Thank you for publishing your experiences and configurations…

    Regards

  • nixCraft June 11, 2007, 3:16 pm

    Hi Linuxnewbie,

    Make sure eth0 always gets the same IP; if that is not possible, modify the script to obtain the IP address using the following statement:
    ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}'

    Set SQUID_SERVER as follows:
    SQUID_SERVER=$(ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}')

    NOTE: you only need to use the above if the SQUID_SERVER IP is dynamic; otherwise it should work out of the box.

    HTH
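An added example that is not nixCraft's code: the same idea as the `ifconfig | grep | cut | awk` pipeline, written so it also understands `ip -4 -o addr show` output (many current distributions no longer ship `ifconfig`) and, more importantly, so that fw.proxy refuses to load rules when the interface has no IPv4 address yet, rather than building a DNAT rule with an empty `SQUID_SERVER`. The sample interface outputs are constructed.

```shell
#!/bin/sh
# Added example, not from nixCraft's reply: resolve SQUID_SERVER from the
# interface at start-up and fail closed when no address is found (for example
# because the DHCP lease has not arrived yet). Handles both
# `ip -4 -o addr show dev IFACE` and the older `ifconfig IFACE` layouts.

# parse_ipv4: read interface output on stdin, print the first IPv4 address,
# exit 1 if there is none.
parse_ipv4() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i != "inet") continue     # skips inet6 lines as well
            ip = $(i + 1)
            sub(/^addr:/, "", ip)          # old ifconfig: "inet addr:192.168.1.1"
            sub(/\/[0-9]+$/, "", ip)       # ip(8):        "inet 192.168.1.1/24"
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print ip; found = 1; exit }
        }
    }
    END { exit !found }'
}

# squid_server_ip IFACE: prefer ip(8), fall back to ifconfig.
squid_server_ip() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show dev "$1" 2>/dev/null | parse_ipv4
    else
        ifconfig "$1" 2>/dev/null | parse_ipv4
    fi
}

# Constructed samples of the two output formats for eth0.
SAMPLE_IP_CMD='2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever'
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:14:85:64:d7:3e
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::214:85ff:fe64:d73e/64 Scope:Link'
# Constructed: interface is up but has no IPv4 lease yet.
SAMPLE_NO_V4='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::214:85ff:fe64:d73e  prefixlen 64  scopeid 0x20<link>'

# In fw.proxy, replace the hard-coded assignment with:
#   SQUID_SERVER=$(squid_server_ip eth0) || { echo "eth0 has no IPv4 address, not loading rules" >&2; exit 1; }
printf '%s\n' "$SAMPLE_IP_CMD" | parse_ipv4
```

The `|| { ...; exit 1; }` after the assignment is the point: with the plain pipeline, an interface without an address yields an empty string, the script carries on, and the DNAT line becomes `--to :3128`, which either errors out or leaves the LAN without a proxy rule while the rest of the firewall is already in place.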

  • linxnewbie June 12, 2007, 7:22 am

    Thanks for the reply… so no need to make any changes in the iptables, right?

  • chandar June 25, 2007, 1:53 pm

    Hi Vivek,
    I configured squid/2.6.STABLE12 with the help of your script file. Below is my N/W scenario:
    client–> Squid + Router –> pix–> Router–> Internet.

    In this case everything works very fine, for a few minutes. After some time the client is not able to ping the gateway, that is my squid server. But the client is able to ping the next hop IPs, i.e. the Pix IP or router IP. This problem is resolved when I restart the network service of the Linux machine,
    and it happens every time.
    Please find below the Linux machine iptables snapshot.

    # squid server IP
    SQUID_SERVER="10.30.200.1"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"

    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

    • permittivity March 6, 2011, 3:37 am

      check /etc/resolv.conf on the gateway and squid while the network is working fine, then when it’s not working fine, check it again

  • chandar June 25, 2007, 1:54 pm

    Hi Vivek,
    I configured squid/2.6.STABLE12 with the help of your script file. Below is my N/W scenario:

    client–> Squid + Router –> pix–> Router–> Internet.

    In this case everything works very fine, for a few minutes. After some time the client is not able to ping the gateway, that is my squid server. But the client is able to ping the next hop IPs, i.e. the Pix IP or router IP. This problem is resolved when I restart the network service of the Linux machine,
    and it happens every time.

    Please help me to resolve this issue.

    Regards,
    Chandru

  • shellyacs June 27, 2007, 4:03 pm

    Need help. I have read the forum on transparent proxy. I have followed it to the letter. I cannot get it to work. I am using Suse linux 10.2. I can get to the internet from the workstations, but only if I set up the squid server as a proxy in IE. Any help would be greatly appreciated. Thanks

  • Amrendra July 6, 2007, 10:00 am

    I have used the above kind of firewall (iptables). I don’t want to use a transparent proxy because we need to use authentication, and if I am allowing forwarding and unlimited access to the LAN then they are also able to bypass the proxy to use the internet.
    So can anyone give me a solution where, for accessing websites (http/https), people must go through the proxy and its authentication, and for everything else they should be allowed from the LAN; everything else includes (FTP, DNS) responses.
    Thanks
    Amrendra.

  • forweb July 9, 2007, 3:32 am

    I got some errors when I used the instructions above, a 400, something like the syntax of the request was wrong…
    The script above works great but this is what I had to add to get it to work on my ubuntu 7.04:
    squid.conf:
    http_port 80
    http_port 192.168.1.9:3128 transparent
    (this is NIC connected to internet)
    acl jamal_net src 192.168.2.0/24
    (this LAN Nic)
    http_access allow jamal_net
    http_access allow localhost

    Change your IPs to match your script above.
    start your squid.conf
    start your fw-proxy
    add it to rc.local so it will boot at startup.

  • oj July 16, 2007, 10:20 am

    Excellent write-up. Very helpful to me.

  • Slavko July 26, 2007, 7:08 pm

    From SquidFaq

    For Squid-2.6 and Squid-3.0 you simply need to add the keyword transparent on the http_port that your proxy will receive the redirected requests on as the above directives are not necessary and in fact have been removed in those releases:

    http_port 3128 transparent

  • eq1425 July 29, 2007, 2:49 am

    hi all,

    will this shell script work even if i install a redirector program (i.e. squidguard) on squid? and how??

    thanks

  • John August 5, 2007, 12:40 am

    I work in a public library and we provide wireless access to our patrons. No configuration is required on their laptops because transparent proxying is in effect, via a rule in SUSE Firewall.

    I’m using SUSE 10.2, SQUID, Dansguardian, and the SUSE2 Firewall.

    Is it possible with my existing setup to also forward users to a custom home page that I have set up? This page will have our wireless policy, etc. on it. If so, how exactly would this be done?

    Thanks!

  • ankush August 7, 2007, 5:13 am

    how to configure the best squid server on RHEL 5?
    i have created one on RHEL 4
    but i have a problem with RHEL 5

  • Mani August 8, 2007, 5:57 am

    Hi,

    when i execute squid -z, the following error appears.

    FATAL: Could not determine fully qualified hostname. Please set ‘visible_hostname’

    Squid Cache (Version 2.6.STABLE13): Terminated abnormally.
    CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    Aborted

    but i configured visible_hostname myhostname in my squid.conf file. still the same error keeps coming. what can i do?

  • IRFAN August 13, 2007, 7:44 am

    does anyone have a squid configuration that can be used anywhere?

  • Mark Ng August 15, 2007, 10:23 am

    I have a box running public IP on eth0 and private IP on eth1.
    Everything seems to be working but my sites running apache can’t be accessed via their Public IP anymore. However I can still access them via eth1. Any help is appreciated.

  • Abdul Latif August 17, 2007, 6:20 am

    Sir,

    is there any solution regarding a Linux Squid proxy which is responsible for handling two ADSL internet connections: combining bandwidth, providing load sharing, and falling back if one connection goes down?

  • Elliott August 20, 2007, 9:24 am

    Thanks for your excellent site.
    I have followed your guide and set this up successfully.
    I will recommend this guide to anyone setting up a squid server.

    Elliott
    Systems Administrator

    • Rith November 21, 2011, 7:19 am

      Hi ALL ,

      i want to allow windows 7 to be activated by using the internet proxy server, but i can’t do it.
      Please give me some advice?

      THANKS.

  • Chris August 26, 2007, 6:29 pm

    What about setting this up using the latest version of Squid?

    Fedora 6 comes with squid but the parameters mentioned above are not there. They have been updated.

    Any help?

  • Chris August 26, 2007, 6:32 pm

    DUH, i see the post explaining it. Disregard my last post

  • vijay August 30, 2007, 11:39 am

    I would like to know how to configure ftp and proxy for my internal use and external (internet) ftp with proxy.
    Please help

  • king of the internet September 18, 2007, 6:16 pm

    You said allowing port 443 out solves your problems, but in fact it creates more. Now users can simply use SSL-based web proxies to tunnel past your proxy. This means no logging, control, nothing. For example, try https://vtunnel.com/

  • nixCraft September 19, 2007, 11:05 am

    King,

    You cannot redirect port 443 with a transparent proxy, and this is the only solution. The other option is to disable the transparent proxy and use a port such as 3128.

    HTH

  • Saji Alexander October 22, 2007, 8:11 am

    Hi,

    I had gone thru your notes. It is very good and interesting. I have 2 network cards in my squid proxy server on centos.

    I need all the users to access only certain sites during office hours, and after office hours they can access any sites they wish. This should not be applicable to managers, who can access any site at any time.

    I made this work, but when I configured squid I gave port 8080 instead of 3128, the default port.

    If the end users remove the proxy (IP of the squid server) then they can access any site during office hours. How to disable this????

    Something to do with the firewall. I tried but I failed. I am pasting it; can you correct it?

    $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

    squid_server has two network cards. One has the internal IP and the other the external IP.

    I gave the external IP for SQUID_SERVER.

    SQUID_PORT is 8080

    Thanks and Regards,

    Saji Alexander.

  • Wolfox October 25, 2007, 12:08 am

    Does anyone know how to get these instructions working on SuSE 9 Enterprise Edition…. It looks like some of the syntax doesn’t work.

    Because in my case I cannot get it to work. Please help, I’m a newbie that is very eager to learn about proxying.

    Please Help…

    Thanks in advance

  • hanz October 25, 2007, 4:58 am

    I have read your instructions but I have the same question as Saji Alexander.

    I have been trying to figure this out but failed.

    Is it possible to force all browsers on a server running a transparent proxy to use its proxy service for their web traffic? The server has dual interfaces.

    Thanks
    hanz

  • nixCraft October 25, 2007, 10:11 am

    @Saji, you have to define a time-based ACL for squid to put time-based restrictions in place.

    @hanz, yup, this config forces all http traffic via squid.
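An added example for the @Saji answer above (not nixCraft's own configuration): a squid.conf fragment with the time-based ACL, plus a check of the `http_access` ordering that matters when writing one. Squid evaluates `http_access` lines in order and, if none matches, applies the opposite of the last line, so a list that ends in `deny some_acl` allows every request that matched nothing. The ACL names, manager addresses and site-list path are constructed.

```shell
#!/bin/sh
# Added example, not from nixCraft's reply. Two parts:
#  1. emit_office_hours_acl: a squid.conf fragment that limits the LAN to an
#     allow-list during office hours, lets managers through at any time, and
#     ends with an explicit "deny all".
#  2. check_http_access: reads squid.conf text and reports what Squid does with
#     a request that matches no http_access line (the opposite of the last line).
# ACL names, the manager addresses and the file path are constructed.

emit_office_hours_acl() {
    cat <<'EOF'
acl lan src 192.168.1.0/24
acl managers src 192.168.1.10 192.168.1.11
acl office_hours time MTWHF 09:00-18:00
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"
http_access allow managers
http_access allow lan allowed_sites
http_access allow lan !office_hours
http_access deny all
EOF
}

# check_http_access: print a verdict on stdin's http_access list; exit 1 when
# the implicit default would be "allow" (or there are no rules to inspect).
check_http_access() {
    awk '
    $1 == "http_access" { verb = $2; acl = $3; n++ }
    END {
        if (n == 0) { print "no http_access lines found"; exit 1 }
        if (verb == "deny" && acl == "all") { print "ok: list ends with deny all"; exit 0 }
        if (verb == "deny") { print "WARNING: implicit default is allow (last line denies only " acl ")"; exit 1 }
        print "ok: implicit default is deny (last line is allow " acl ")"; exit 0
    }'
}

# Constructed counter-example: reads as restrictive, but any client outside
# "lan" whose request does not match bad_sites is allowed by the implicit default.
SAMPLE_OPEN='acl lan src 192.168.1.0/24
acl bad_sites dstdomain .example.com
http_access allow lan
http_access deny bad_sites'

emit_office_hours_acl | check_http_access
printf '%s\n' "$SAMPLE_OPEN" | check_http_access || true
```

Day letters in the `time` ACL are S M T W H F A (Sunday to Saturday), so `MTWHF 09:00-18:00` is weekdays nine to six. The `check_http_access` exit status is meant to gate a reload: `check_http_access < /etc/squid/squid.conf && squid -k reconfigure`.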

  • harish November 24, 2007, 10:33 am

    Hi Dear,

    Thanks for very simple steps.

    Harish

  • fmstereo November 28, 2007, 9:42 pm

    I have configured the transparent proxy but not all users are able to use it. Most of them must have the proxy set in their browsers; just a few are able to connect without having to configure anything. And it is very slow with the transparent proxy. Any suggestions?

  • Babu Ram Dawadi December 12, 2007, 2:52 am

    thanks for ur three steps to create a transparent proxy but i am not sure it works with squid 2.6 STABLE13, because i tried ur steps on this squid 2.6. maybe this article suits squid 2.5. :)

    hi fmstereo>> i think u have to enable one option on ur proxy which was previously off, like the following:
    httpd_accel_no_pmtu_disc off
    change it to
    httpd_accel_no_pmtu_disc on

  • Atman December 12, 2007, 10:45 pm

    Why not use only one utility to filter out comments and empty lines when going through squid.conf:

    grep -v ^# /etc/squid/squid.conf | grep -v ^$

    or if you prefer sed:

    sed '/ *#/d; /^ *$/d' < /etc/squid/squid.conf

  • arun December 13, 2007, 8:06 am

    give me the steps for linux centos proxy setting and iptables config and starting many more services

  • Vijay Godiyal December 20, 2007, 12:58 pm

    Hello Friends,

    Need help from you…

    I had configured my squid server, squid+dansguardian, with Linux RHEL-4.. it's working absolutely fine for an hr but after abt 1 hr it's getting slow and stops working.. i m not able to understand the problem. the normal proxy is working fine… but when it gets started with dansguardian then the problem comes….

    can someone help me out on this? i have squid version squid-2.5.STABLE6-3.4E.11 and dansG is dansguardian-2.8.0.6-1.2.el4.rf

    following is the conf file …
    dansguardian….
    #################################################
    # DansGuardian config file for version 2.8.0

    # **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf

    # Web Access Denied Reporting (does not affect logging)
    #
    # -1 = log, but do not block - Stealth mode
    # 0 = just say 'Access Denied'
    # 1 = report why but not what denied phrase
    # 2 = report fully
    # 3 = use HTML template file (accessdeniedaddress ignored) - recommended
    #
    reportinglevel = 3

    # Language dir where languages are stored for internationalisation.
    # The HTML template within this dir is only used when reportinglevel
    # is set to 3. When used, DansGuardian will display the HTML file instead of
    # using the perl cgi script. This option is faster, cleaner
    # and easier to customise the access denied page.
    # The language file is used no matter what setting however.
    #
    languagedir = '/etc/dansguardian/languages'

    # language to use from languagedir.
    language = 'ukenglish'

    # Logging Settings
    # 0 = none 1 = just denied 2 = all text based 3 = all requests
    loglevel = 2

    # Log Exception Hits
    # Log if an exception (user, ip, URL, phrase) is matched and so
    # the page gets let through. Can be useful for diagnosing
    # why a site gets through the filter. on | off
    logexceptionhits = on

    # Log File Format
    # 1 = DansGuardian format 2 = CSV-style format
    # 3 = Squid Log File Format 4 = Tab delimited
    logfileformat = 1

    # Log file location
    #
    # Defines the log directory and filename.
    #loglocation = '/var/log/dansguardian/access.log'

    # Network Settings
    #
    # the IP that DansGuardian listens on. If left blank DansGuardian will
    # listen on all IPs. That would include all NICs, loopback, modem, etc.
    # Normally you would have your firewall protecting this, but if you want
    # you can limit it to only 1 IP. Yes only one.
    filterip =
    # the port that DansGuardian listens to.
    filterport = 3128

    # the ip of the proxy (default is the loopback - i.e. this server)
    proxyip = 172.16.24.12

    # the port DansGuardian connects to proxy on
    proxyport = 8080

    # accessdeniedaddress is the address of your web server to which the cgi
    # dansguardian reporting script was copied
    # Do NOT change from the default if you are not using the cgi.
    #
    accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

    # Non standard delimiter (only used with accessdeniedaddress)
    # Default is enabled but to go back to the original standard mode disable it.
    nonstandarddelimiter = on

    # Banned image replacement
    # Images that are banned due to domain/url/etc reasons including those
    # in the adverts blacklists can be replaced by an image. This will,
    # for example, hide images from advert sites and remove broken image
    # icons from banned domains.
    # 0 = off
    # 1 = on (default)
    usecustombannedimage = 1
    filtergroupslist = '/etc/dansguardian/filtergroupslist'

    # Authentication files location
    bannediplist = '/etc/dansguardian/bannediplist'
    exceptioniplist = '/etc/dansguardian/exceptioniplist'
    banneduserlist = '/etc/dansguardian/banneduserlist'
    exceptionuserlist = '/etc/dansguardian/exceptionuserlist'

    # Show weighted phrases found
    # If enabled then the phrases found that made up the total which exceeds
    # the naughtyness limit will be logged and, if the reporting level is
    # high enough, reported. on | off
    showweightedfound = on

    # Weighted phrase mode
    # There are 3 possible modes of operation:
    # 0 = off = do not use the weighted phrase feature.
    # 1 = on, normal = normal weighted phrase operation.
    # 2 = on, singular = each weighted phrase found only counts once on a page.
    #
    weightedphrasemode = 2
    # Positive result caching for text URLs
    # Caches good pages so they don’t need to be scanned again
    # 0 = off (recommended for ISPs with users with dissimilar browsing)
    # 1000 = recommended for most users
    # 5000 = suggested max upper limit
    urlcachenumber = 5000
    #
    # Age before they are stale and should be ignored in seconds
    # 0 = never
    # 900 = recommended = 15 mins
    urlcacheage = 9000

    # Smart and Raw phrase content filtering options
    # Smart is where the multiple spaces and HTML are removed before phrase filtering
    # Raw is where the raw HTML including meta tags are phrase filtered
    # CPU usage can be effectively halved by using setting 0 or 1
    # 0 = raw only
    # 1 = smart only
    # 2 = both (default)
    phrasefiltermode = 2

    # Lower casing options
    # When a document is scanned the uppercase letters are converted to lower case
    # in order to compare them with the phrases. However this can break Big5 and
    # other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented
    # characters are supported.
    # 0 = force lower case (default)
    # 1 = do not change case
    preservecase = 0

    # Hex decoding options
    # When a document is scanned it can optionally convert %XX to chars.
    # If you find documents are getting past the phrase filtering due to encoding
    # then enable. However this can break Big5 and other 16-bit texts.
    # 0 = disabled (default)
    # 1 = enabled
    hexdecodecontent = 0

    # Force Quick Search rather than DFA search algorithm
    # The current DFA implementation is not totally 16-bit character compatible
    # but is used by default as it handles large phrase lists much faster.
    # If you wish to use a large number of 16-bit character phrases then
    # enable this option.
    # 0 = off (default)
    # 1 = on (Big5 compatible)
    forcequicksearch = 0
    # Reverse lookups for banned site and URLs.
    # If set to on, DansGuardian will look up the forward DNS for an IP URL
    # address and search for both in the banned site and URL lists. This would
    # prevent a user from simply entering the IP for a banned address.
    # It will reduce searching speed somewhat so unless you have a local caching
    # DNS server, leave it off and use the Blanket IP Block option in the
    # bannedsitelist file instead.
    reverseaddresslookups = off

    # Reverse lookups for banned and exception IP lists.
    # If set to on, DansGuardian will look up the forward DNS for the IP
    # of the connecting computer. This means you can put in hostnames in
    # the exceptioniplist and bannediplist.
    # It will reduce searching speed somewhat so unless you have a local DNS server,
    # leave it off.
    reverseclientiplookups = off

    # Build bannedsitelist and bannedurllist cache files.
    # This will compare the date stamp of the list file with the date stamp of
    # the cache file and will recreate as needed.
    # If a bsl or bul .processed file exists, then that will be used instead.
    # It will increase process start speed by 300%. On slow computers this will
    # be significant. Fast computers do not need this option. on | off
    createlistcachefiles = on
    # POST protection (web upload and forms)
    # does not block forms without any file upload, i.e. this is just for
    # blocking or limiting uploads
    # measured in kibibytes after MIME encoding and header bumph
    # use 0 for a complete block
    # use higher (e.g. 512 = 512Kbytes) for limiting
    # use -1 for no blocking
    #maxuploadsize = 512
    #maxuploadsize = 0
    maxuploadsize = -1

    # Max content filter page size
    # Sometimes web servers label binary files as text which can be very
    # large which causes a huge drain on memory and cpu resources.
    # To counter this, you can limit the size of the document to be
    # filtered and get it to just pass it straight through.
    # This setting also applies to content regular expression modification.
    # The size is in Kibibytes - eg 2048 = 2Mb
    # use 0 for no limit
    maxcontentfiltersize = 256

    # Username identification methods (used in logging)
    # You can have as many methods as you want and not just one. The first one
    # will be used then if no username is found, the next will be used.
    # * proxyauth is for when basic proxy authentication is used (no good for
    # transparent proxying).
    # * ntlm is for when the proxy supports the MS NTLM authentication
    # protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED**
    # * ident is for when the others don’t work. It will contact the computer
    # that the connection came from and try to connect to an identd server
    # and query it for the user owner of the connection.
    usernameidmethodproxyauth = on
    usernameidmethodntlm = off # **NOT IMPLEMENTED**
    usernameidmethodident = off

    # Preemptive banning - this means that if you have proxy auth enabled and a user accesses
    # a site banned by URL for example they will be denied straight away without a request
    # for their user and pass. This has the effect of requiring the user to visit a clean
    # site first before it knows who they are and thus maybe an admin user.
    # This is how DansGuardian has always worked but in some situations it is less than
    # ideal. So you can optionally disable it. Default is on.
    # As a side effect disabling this makes AD image replacement work better as the mime
    # type is known.
    preemptivebanning = on
    # Misc settings

    # if on it adds an X-Forwarded-For: to the HTTP request
    # header. This may help solve some problem sites that need to know the
    # source ip. on | off
    forwardedfor = off

    # if on it uses the X-Forwarded-For: to determine the client
    # IP. This is for when you have squid between the clients and DansGuardian.
    # Warning - headers are easily spoofed. on | off
    usexforwardedfor = off

    # if on it logs some debug info regarding fork()ing and accept()ing which
    # can usually be ignored. These are logged by syslog. It is safe to leave
    # it on or off
    logconnectionhandlingerrors = on

    # Fork pool options

    # sets the maximum number of processes to sporn to handle the incomming
    # connections. Max value usually 250 depending on OS.
    # On large sites you might want to try 180.
    maxchildren = 120
    # sets the minimum number of processes to sporn to handle the incomming connections.
    # On large sites you might want to try 32.
    minchildren = 8

    # sets the minimum number of processes to be kept ready to handle connections.
    # On large sites you might want to try 8.
    minsparechildren = 4

    # sets the minimum number of processes to sporn when it runs out
    # On large sites you might want to try 10.
    preforkchildren = 6

    # sets the maximum number of processes to have doing nothing.
    # When this many are spare it will cull some of them.
    # On large sites you might want to try 64.
    maxsparechildren = 32

    # sets the maximum age of a child process before it croaks it.
    # This is the number of connections they handle before exiting.
    # On large sites you might want to try 10000.
    maxagechildren = 500
    # Process options
    # (Change these only if you really know what you are doing).
    # These options allow you to run multiple instances of DansGuardian on a single machine.
    # Remember to edit the log file path above also if that is your intention.

    # IPC filename
    #
    # Defines IPC server directory and filename used to communicate with the log process.
    ipcfilename = '/tmp/.dguardianipc'

    # URL list IPC filename
    #
    # Defines URL list IPC server directory and filename used to communicate with the URL
    # cache process.
    urlipcfilename = '/tmp/.dguardianurlipc'

    # PID filename
    #
    # Defines process id directory and filename.
    #pidfilename = '/var/run/dansguardian.pid'

    # Disable daemoning
    # If enabled the process will not fork into the background.
    # It is not usually advantageous to do this.
    # on|off ( defaults to off )
    nodaemon = off

    # Disable logging process
    # on|off ( defaults to off )
    nologger = off

    # Daemon runas user and group
    # This is the user that DansGuardian runs as. Normally the user/group nobody.
    # Uncomment to use. Defaults to the user set at compile time.
    # daemonuser = 'nobody'
    # daemongroup = 'nobody'

    # Soft restart
    # When on this disables the forced killing off all processes in the process group.
    # This is not to be confused with the -g run time option - they are not related.
    # on|off ( defaults to off )
    softrestart = off

  • Robert December 22, 2007, 1:00 am

    I am building a rather unique Proxy server
    I need to be able to forward requests by matching the destinations to 3 lists:
    - blacklist -> Block,
    - freelist -> Forward to upstream Proxy with Specified username and password same for all,
    - DirectAccesslist - Retrieve directly,
    Whatever is remaining is forwarded to the upstream proxy which will request username and password for charging purposes.

    The AD and charging Side of this I will work out later, it is the routing with creds by list lookup that I have no idea where to start..

    Site info
    300 computers, 1000 users, 40M internet link
    I have a Dual Xeon 1.6 with 2G ram SCSI HW Raid HDD Server for the task (retired Ms Server)

    Ideas?

    Thanks

  • Sai Wunna Aung January 5, 2008, 11:20 am

    hello all friends,

    pls help me. now i created squid 2.6 server on windows server 2003. but our ISP has banned some websites, e.g. http://mail.yahoo.com, https://mail.google.com. so, i want to open that web site and others through squid's redirect setting.
    i want to know the http redirect setting of squid 2.6.

    best regards,
    Sai Wunna Aung
    Network Technician

  • Ali Bhai January 8, 2008, 9:28 am

    hey, nice work. I appreciate the way u spread your knowledge just like a teacher spreads to newbies. Thx Again

  • Ambot January 11, 2008, 12:17 am

    Hey guys,

    How am I able to open the ports in the proxy? i have problems on my network, in which I'm not able to view webcam and voice in the yahoo messenger…
    As what i know 5000-5010 used for voice both tcp and udp while 5100 for video as tcp… I put it in Safe_ports but it seems not working…

    And also i’m not able to upload files but good downloadings….

  • Sajid January 11, 2008, 8:14 am

    Hi,
    Please help me to solve this problem.
    i have four network cards in linux machine
    3 NC for WAN
    1 for local LAN
    my squid is sending all the internet traffic to only one network card, the other two are free
    is it possible that squid binds the three WAN NCs and combines the Internet?
    thanks

  • Arulkumar January 19, 2008, 10:40 am

    how to manage users browsing time quotas by squid.

    Example: Set a limit of 1 hour per day for the user

  • dennyhalim January 24, 2008, 7:08 am

    dual xeon with 8 gig ram?
    how many (hundreds?) users this monster serve???

    i’m using old refurbished p3 with 384meg ram serving 50+ heavy downloaders users with no problem.

    and, with ipcop, it only takes TWO clicks to activate transparent proxy from its web gui.

    off course, you learn nothing with ipcop. coz it’s simply usable and minimal learning curve.
    you’ll learn a lot from getting dirty on cli.
    :)

  • Mangal January 31, 2008, 7:15 am

    How can we block a PC using MAC addresses ?
    I tried by: - acl block arp 12:23:43:df:32:df

    but my squid does not know keyword arp
    for solving this i tried to rebuild it but i failed can u help me to rebuild ?

  • nixCraft January 31, 2008, 7:49 am
  • Anas January 31, 2008, 8:17 am

    Dear all

    Need Help ….

    I have Squid 2.6 STABLE6
    Actually when I add

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl Tiajri src 10.0.0.0/24
    http_access allow localhost
    http_access allow Tijari

    and when I tried to Stop And Start the Squid service
    it gives me Failed to start

    Failed .... please help me

  • Pirkia.lt admin February 2, 2008, 10:46 pm

    Simple script to save your users from badware:

    #!/bin/bash
    # Fetch two hosts-format badware lists, merge them into a Squid
    # dstdomain list (one hostname per line) and reload Squid.

    URL0=http://www.mvps.org/winhelp2002/hosts.txt
    URL1=http://everythingisnt.com/hosts

    SQUIDBADWARE=/etc/squid/badware_list
    BADWARESTATS=/etc/squid/badware_stats
    TMP=$(mktemp -d) || exit 1

    # Stop if a download fails, so a bad run cannot replace the list with an empty file.
    wget -q "$URL0" -O "$TMP/hosts0" || exit 1
    wget -q "$URL1" -O "$TMP/hosts1" || exit 1

    # Keep the hostname from every 127.0.0.1 / 0.0.0.0 entry; drop comments,
    # localhost and duplicates. Lists published for Windows are usually CRLF,
    # so strip the CR as well.
    cat "$TMP/hosts0" "$TMP/hosts1" | tr -d '\r' | cut -d '#' -f 1 \
        | awk '($1 == "127.0.0.1" || $1 == "0.0.0.0") && $2 != "" && $2 != "localhost" { print $2 }' \
        | sort -u > "$TMP/badware"

    # Keep one backup of the previous list and install the new one.
    rm -f "$SQUIDBADWARE.backup"
    [ -f "$SQUIDBADWARE" ] && mv "$SQUIDBADWARE" "$SQUIDBADWARE.backup"
    cp "$TMP/badware" "$SQUIDBADWARE"

    # Record the number of entries for each run.
    SUM=$(wc -l < "$SQUIDBADWARE")
    DATE=$(date +%Y-%m-%d)
    echo "$DATE $SUM" >> "$BADWARESTATS"

    rm -rf "$TMP"

    /etc/init.d/squid reload > /dev/null

    To squid.conf add/update following lines:

    acl BADWARE_LIST_1 dstdomain "/etc/squid/badware_list"
    deny_info ERR_BADWARE_ACCESS_DENIED BADWARE_LIST_1

    …..

    http_access deny BADWARE_LIST_1
    http_access deny !Safe_ports BADWARE_LIST_1
    http_access deny CONNECT !SSL_ports

    Don't forget to add this script to your crontab


    crontab -e

    30 23 * * * /data/scripts/squidguard.sh
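
As an added example (not part of the comment above, nor of nixCraft's or Pirkia.lt's scripts), here is a POSIX shell filter that turns hosts-format block lists into a Squid dstdomain file. Beyond the grep/sed of the script above it also strips CRLF line endings, takes every hostname on a multi-name line, drops bare address entries such as the `0.0.0.0 0.0.0.0` line many lists begin with, and rejects names that contain characters not valid in a hostname (an underscore, for example), so nothing malformed lands in the ACL file. The sample input is constructed.

```shell
# Convert hosts-format block lists (127.0.0.1 / 0.0.0.0 entries) on stdin
# into a Squid dstdomain list on stdout: one lower-case hostname per line,
# with comments, localhost, bare IPs, invalid names and duplicates removed.
hosts_to_dstdomain() {
    tr -d '\r' | sed 's/#.*//' | awk '
        # a usable entry is a syntactically valid hostname, not localhost
        # and not a bare address such as the "0.0.0.0 0.0.0.0" line
        function usable(h) {
            return h != "localhost" && h !~ /^[0-9.]+$/ &&
                   h ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/
        }
        # only lines that point a name at the blackhole address count;
        # one line may carry several names after the address
        $1 == "127.0.0.1" || $1 == "0.0.0.0" {
            for (i = 2; i <= NF; i++) if (usable($i)) print tolower($i)
        }
    ' | sort -u
}

# Constructed sample input; a real list has thousands of such lines.
SAMPLE_HOSTS='# constructed sample, not a real list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
127.0.0.1 ads.example.com tracker.example.com # two names on one line
0.0.0.0 Malware.Example.NET
127.0.0.1 bad_name.example.org
192.0.2.7 notablock.example.com
127.0.0.1 ads.example.com'

printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dstdomain
# prints ads.example.com, malware.example.net, tracker.example.com
```

To use it with the downloaded lists: `cat hosts0 hosts1 | hosts_to_dstdomain > /etc/squid/badware_list`, then `squid -k reconfigure`. Regenerate into a temporary file and move it into place only when it is non-empty, so a failed download never produces an empty ACL file.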

  • Faisal February 5, 2008, 8:31 am

    Dear I am using a CentOS Linux server here, I don't need to define a proxy in squid.conf.
    kindly guide me how to use it without the ISP proxy. also i have 3 DSL modems connected in the office and i need to configure them all together so that if 1 is not working it switches to the other automatically.

    your quick response will be highly appreciated.
    Best Regards.
    Faisal

  • Santosh February 8, 2008, 5:24 am

    Hi,
    This site is good with good comments.

    can you help me. i am using the same config.
    Pls clear my 2 doubts.

    1. after making the proxy transparent, the sites which are blocked in squid-block.acl do not work from the client pc. (again, only if we use a proxy server does it work).
    2. how to block a website (such as http://www.youtube.com) using iptables.

    regards,
    Santosh

  • Santosh February 8, 2008, 5:31 am

    hello,

    pls reply ASAP.

    regards,
    santosh

  • nandhakumar February 22, 2008, 7:29 am

    Hi all

    I configured squid proxy in our office but the problem is outlook express is not working, please help me out..
    regards
    nandha

    • vaibhavraj June 29, 2010, 1:20 pm

      Hi,

      Just put the IP of the outlook machine as an acl in squid.conf.
      It will work.

      Regards,
      Vaibhavraj

  • Sulman March 5, 2008, 3:37 pm

    Dear,
    i have 3 NICs in the Squid Proxy, One connects to the Lan and the other 2 connect to 2 DSL modems. I want to combine more than 1 DSL link speed together. Kindly Help me regarding this, what will need to be configured in Linux. Help me ASAP
    Thanks

  • Jit March 13, 2008, 9:07 am

    Hi,

    I've configured my Squid as per your guidance but am not able to access any website from the client nor am I able to ping.

    though I'm able to open some websites from their IP and even able to open the control panel of my ADSL Router!

    I've no clue where things are wrong! :(
    I would be highly grateful if you help me to fix this issue!

    here is the complete scenario of my network

    [LAN] --> e1 [ SQUID ] e0 ---> [ADSL]

    192.168.2.0 [LAN]
    192.168.2.1 [e1 of squid]
    192.168.1.2 [e0 of squid]
    192.168.1.1 [adsl router ip]

    waiting desperately!

    Rock on
    Jit

  • Yusuf March 15, 2008, 1:27 pm

    I have configured SQUID PROXY with TRANSPARENT using this site help

    Thanks

  • gautam April 8, 2008, 9:57 am

    I had gone through your notes. It is very good and interesting. I have 2 network cards in my squid proxy server on RHEL5.

    I need all the users to access only certain sites during the office hours and after office hours they can access any sites as they wish. This should not be applicable for managers who can access any site at anytime.

    This I made it but when I configured squid I had given the port 8080 instead of 3128 the default port.

    If the end users remove the proxy (ip of squid server) then they can access any site during the office hours. How to disable this ????

    Something to do with firewall. I tried but I failed. I am pasting it can you correct it.

    $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

    squid_server has two network card. One is having internal ip and the other external ip.

    I had given the external ip for SQUID_SERVER.

    SQUID_PORT is 8080
    Please help me.. It is very urgent.

    Thanks and Regards,

  • flex April 11, 2008, 11:39 am

    I have a clarkconnect linux box, am not that good in linux but can configure when given an example.

    My network has a layer three switch which does the routing for all Vlans. I have created a special Vlan where all traffic from the LAN Vlans is routed, connected this node to the CC box LAN interface. Also i have added the static routes on the CC box and all vlans can access the internet properly.

    But i want to use a proxy. WHEN I START THE SQUID PROCESS it blocks all outgoing traffic and gives me the ip and port to configure as proxy in the browser settings, that i do but still cannot connect.

    here is a file for my routes

    Adding extra LANs on Clark Connect
    #/etc/system/network file

    EXTRALANS="10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 10.0.5.0/24 10.0.6.0/24 10.0.7.0/24 10.0.8.0/24 10.0.9.0/24 10.0.10.0/24 10.0.11.0/24 10.0.12.0/24 10.0.13.0/24 10.0.14.0/24 10.0.15.0/24 10.0.16.0/24 10.0.17.0/24 10.0.18.0/24 10.0.19.0/24 10.0.20.0/24 10.0.21.0/24 10.0.22.0/24 10.0.23.0/24 10.0.24.0/24 10.0.25.0/24 10.0.26.0/24 10.0.27.0/24 10.0.28.0/24 10.0.29.0/24 10.0.30.0/24 10.0.31.0/24 10.0.32.0/24 10.0.33.0/24 10.0.34.0/24 10.0.35.0/24 10.0.36.0/24 10.0.37.0/24 10.0.38.0/24 10.0.39.0/24"

    #Adding Static routes to Clark Connect for Vlans to work with proxy
    #This should work
    #/etc/sysconfig/network-scripts/route-eth1

    10.0.2.0/24 via 10.2.56.2
    10.0.3.0/24 via 10.2.56.2
    10.0.4.0/24 via 10.2.56.2
    10.0.5.0/24 via 10.2.56.2
    10.0.6.0/24 via 10.2.56.2
    10.0.7.0/24 via 10.2.56.2
    10.0.8.0/24 via 10.2.56.2
    10.0.9.0/24 via 10.2.56.2
    10.0.10.0/24 via 10.2.56.2
    10.0.11.0/24 via 10.2.56.2
    10.0.12.0/24 via 10.2.56.2
    10.0.13.0/24 via 10.2.56.2
    10.0.14.0/24 via 10.2.56.2
    10.0.15.0/24 via 10.2.56.2
    10.0.16.0/24 via 10.2.56.2
    10.0.17.0/24 via 10.2.56.2
    10.0.18.0/24 via 10.2.56.2
    10.0.19.0/24 via 10.2.56.2
    10.0.20.0/24 via 10.2.56.2
    10.0.21.0/24 via 10.2.56.2
    10.0.22.0/24 via 10.2.56.2
    10.0.23.0/24 via 10.2.56.2
    10.0.24.0/24 via 10.2.56.2
    10.0.25.0/24 via 10.2.56.2
    10.0.26.0/24 via 10.2.56.2
    10.0.27.0/24 via 10.2.56.2
    10.0.28.0/24 via 10.2.56.2
    10.0.29.0/24 via 10.2.56.2
    10.0.30.0/24 via 10.2.56.2
    10.0.31.0/24 via 10.2.56.2
    10.0.32.0/24 via 10.2.56.2
    10.0.33.0/24 via 10.2.56.2
    10.0.34.0/24 via 10.2.56.2
    10.0.35.0/24 via 10.2.56.2
    10.0.36.0/24 via 10.2.56.2
    10.0.37.0/24 via 10.2.56.2
    10.0.38.0/24 via 10.2.56.2
    10.0.39.0/24 via 10.2.56.2

    which other file should i configure for web proxy to work
    IP and port CC is giving for proxy is

    10.2.56.2
    8080 or 3128

    but does not work

  • Sohbet April 27, 2008, 5:35 pm

    hey, nice work. I appreciate the way u spread your knowledge just like a teacher spreads to newbies. Thx Again

  • Ye khaung May 8, 2008, 4:56 pm

    I just test smooth wall express with in built squid.
    Not only in that squid but in all, i can't find where to put web server chaining, i.e. forward requests to an upstream proxy (isp's proxy). Can anyone explain to me the following case.

    My server have 2 NIC card.
    Eth0 : 10.254.8.1.1 (internet)
    Eth1 : 192.168.0.1 (Lan)

    Subnet: 255.255.252.0
    D.G : 10.254.8.1

    My isp give their proxy ip and port.
    203.81.71.148:9090
    They prevent direct access.
    In that case i want a proxy server in my own.
    I want my clients computers to use proxy of mine but not ISP.
    (i want them to put my server's Eth1 address as the proxy ip and port 9090 in their IE and Firefox)

    Can any one give me a sample scripts?
    Please help me out.
    Our country is not very familiar with linux.

    S.O.S

    Ye Khaung
    Burma

  • Peyman June 8, 2008, 5:36 pm

    Excellent! Simply it worked. But after running the iptables shell script I could not reach my server via SSH or VNC.
    I had to comment these 4 lines of the script to get my remote access back.

    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

    Is it no problem commenting those lines? my squid is working as I want ;)

  • Padani June 28, 2008, 11:10 am

    When i gave the above config to the squid on a VPS
    (Debian), the following errors came.
    I didn’t implement that iptable rules

    root@x:/etc/squid# /etc/init.d/squid restart
    Restarting Squid HTTP proxy: squid2008/06/28 11:02:10| parseConfigFile: unrecognized:
    2008/06/28 11:02:10| parseConfigFile: line 44 unrecognized: 'httpd_accel_host virtual'
    2008/06/28 11:02:10| parseConfigFile: line 45 unrecognized: 'httpd_accel_port 80'
    2008/06/28 11:02:10| parseConfigFile: line 46 unrecognized: 'httpd_accel_with_proxy on'
    2008/06/28 11:02:10| parseConfigFile: line 47 unrecognized: 'httpd_accel_uses_host_header on'
    2008/06/28 11:02:10| WARNING cache_mem is larger than total disk cache space!
    FATAL: No port defined
    Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
    CPU Usage: 0.005 seconds = 0.000 user + 0.005 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    /etc/init.d/squid: line 74: 30103 Aborted start-stop-daemon --quiet --start --pidfile $PIDFILE --chuid $CHUID --exec $DAEMON -- $SQUID_ARGS </dev/null

  • ramesh July 25, 2008, 5:29 am

    Hi,

    I have a problem
    I configured the Transparent proxy and it is working fine. The problem is with the web server when I tried to access the web page from the external network.
    Error message :
    ERROR
    The requested URL could not be retrieved
    Access Denied.
    Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect

  • nazrin July 29, 2008, 9:57 am

    dear guys,

    is there anyway of doing proxy on port 25 and 110. i wanted to test it with spamassassin checking on that port using transparent proxy.

    thanks,
    nazrin.

  • Khalid August 2, 2008, 12:02 am

    I am running FC6, 2.6.STABLE13 and I need help

    2 network cards:
    eth0 on a local LAN address 10.6.9.171
    eth1 190.2.168.0.0/24
    my server is running DHCP and assigning addresses to local clients

    But Squid is giving me a headache
    I did follow the steps in this tutorial, and my Squid FAILS to start every time

    First it gave me this error
    ACL name 'Safe_ports' not defined!
    FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
    Squid Cache (Version 2.6.STABLE13): Terminated abnormally.

    Then when I define Safe_ports by adding definitions that I got from another website it does not like the added lines and it asks for a hostname

    2008/08/01 16:08:53| parseConfigFile: line 36 unrecognized: 'http_accel_host virtual'
    2008/08/01 16:08:53| parseConfigFile: line 37 unrecognized: 'http_accel_port 80'
    2008/08/01 16:08:53| parseConfigFile: line 38 unrecognized: 'http_accel_with_proxy on'
    2008/08/01 16:08:53| parseConfigFile: line 39 unrecognized: 'http_accel_uses_host_header on'
    FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'

    Can someone please direct me on what I’m missing here

    =======================
    here is my config file:

    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    hosts_file /etc/hosts
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl purge method PURGE
    acl CONNECT method CONNECT
    cache_mem 1024 MB
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    acl lan src 10.6.9.177 192.168.0.0/24
    http_access allow localhost
    http_access allow lan
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    visible_hostname proxytest
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    coredump_dir /var/spool/squid
    ================================


    Khalid

    • Seymur November 7, 2010, 12:47 pm

      remove
      httpd_accel_host virtual
      httpd_accel_port 80
      httpd_accel_with_proxy on
      httpd_accel_uses_host_header on

  • Jakykong August 7, 2008, 7:40 am

    I thought I would mention that newer Squid versions (or maybe it’s older ones… I use 2.7) don’t accept the httpd_accel_* entries. Another way to do the same thing, which seems to work the same way, is to use the http_port entry.
    When you set the port (3128 by default), you can add "transparent" to the end of the line to make the proxy transparent.
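
Several commenters (Padani, Khalid, needh, iniabasi) hit `parseConfigFile: ... unrecognized: 'httpd_accel_host virtual'` and then `FATAL: No port defined` after pasting the article's Squid 2.5-era directives into Squid 2.6 or 2.7. As an added example (not from the article and not Squid's own tooling), here is a shell check that flags those directives in a squid.conf and verifies that an `http_port` line carries the `transparent` flag, plus a converter that rewrites the file the way Jakykong describes. The configuration it runs on is constructed.

```shell
# Flag the Squid 2.5 accelerator directives, which Squid 2.6 and later
# reject, and report whether an http_port line already has "transparent".
# Returns 0 only when the file needs no change.
check_transparent_conf() {
    conf=$1
    status=0
    if grep -Eq '^[[:space:]]*httpd_accel_' "$conf"; then
        echo "obsolete httpd_accel_* directives (Squid 2.6+ rejects them):"
        grep -En '^[[:space:]]*httpd_accel_' "$conf"
        status=1
    fi
    if grep -Eq '^[[:space:]]*http_port[[:space:]][^#]*[[:space:]]transparent([[:space:]]|$)' "$conf"; then
        echo "ok: an http_port line carries the transparent flag"
    else
        echo "missing: no http_port line carries the transparent flag"
        status=1
    fi
    return $status
}

# Emit a converted configuration on stdout: httpd_accel_* lines dropped and
# "transparent" appended to the first http_port line that lacks it (placed
# before any trailing comment so the flag is not commented out).
migrate_httpd_accel() {
    awk '
        /^[[:space:]]*httpd_accel_/ { next }
        /^[[:space:]]*http_port[[:space:]]/ && !done {
            if ($0 !~ /[[:space:]]transparent([[:space:]]|$)/) {
                if (index($0, "#")) sub(/[[:space:]]*#/, " transparent #")
                else $0 = $0 " transparent"
            }
            done = 1
        }
        { print }
    ' "$1"
}

# Constructed squid.conf fragment in the article's 2.5 style.
OLD_CONF='http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.2.0/24
http_access allow lan'

old=$(mktemp)
printf '%s\n' "$OLD_CONF" > "$old"
check_transparent_conf "$old" || echo "-> migrating"
migrate_httpd_accel "$old"
rm -f "$old"
```

Run `migrate_httpd_accel /etc/squid/squid.conf > squid.conf.new`, review the diff, then `squid -k parse` on the new file before swapping it in. Squid 3.1 and later renamed the flag to `intercept`; adjust the two `transparent` patterns if you run that version.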

  • shantanu August 7, 2008, 8:08 pm

    hiii, i know very less abt squid and linux, m in a college and my isp has blocked many of the sites and downloads , i need to unblock those sites as want to see my favourite football matches, so plz will anyone guide me how to unblock these sites and see streaming videos, my isp uses squid/2.6.STABLE6, plz reply……………..

  • shantanu August 12, 2008, 6:31 pm

    if any one knows plz tell me e mail id is gupta.shaan5@gmail.com
    !!!

  • Baku August 27, 2008, 12:36 am

    Excellent article. The firewall script works fine in my GNU/Linux Debian Etch. However, the squid.conf should be updated for squid 2.6 and later versions, which have the specific 'transparent' parameter. In addition, it would be convenient to add a fourth step: configure the named daemon on the squid host.

    Best regards

    Baku

  • we3cares September 2, 2008, 9:12 am

    Very Good Work… :) But, I can tell a small easier step instead of

    grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

    Use:
    # grep -v "^#" /etc/squid/squid.conf | cat -s

    • Umer August 5, 2010, 6:57 am

      Good .. It's working now

  • MikeC September 25, 2008, 7:24 pm

    Good write up…question though. After setting everything up I get the following error when I try to access a site:

    While trying to retrieve the URL: /

    The following error was encountered:

    * Invalid URL

    Some aspect of the requested URL is incorrect. Possible problems:

    * Missing or incorrect access protocol (should be `http://' or similar)
    * Missing hostname
    * Illegal double-escape in the URL-Path
    * Illegal character in hostname; underscores are not allowed

    Any ideas would be appreciated!

    • Muhammad Suleman Hasib October 22, 2011, 9:19 pm

      just add "transparent" at the end of http_port. if you are using port 3128 then it should look as follows:

      http_port 3128 transparent

  • Nandkishor September 26, 2008, 5:40 am

    Hi vivek,
    I have configured the transparent proxy & also Blocked the downloading of movies & songs. But some people download by using torrent or utorrent. Can u tell me how to block this torrent downloading by using squid, or peer to peer?

  • Rizwan Ahmed October 24, 2008, 6:42 am

    nice help

  • cpyd October 26, 2008, 4:37 pm

    this is funny. okay first of all, thanks vivek, thanks a ton for your fantabulous article. I setup two servers using your script and it works great. save one freak stuff.. while i see everyone running around saying they cant accept anything except port 80, my problem is the exact opposite! ie.. it seems my firewall is allowing every damn traffic through itself, and no, i didn't change a thing in the script except, of course, the variables in the beginning. the iptables -L command gives this :-


    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    LOG all -- anywhere anywhere LOG level debug prefix `LOG_DROP '
    ACCEPT all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning
    DROP all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    i commented out the unlimited LAN access line, and i was completely blocked out, including the webserver running on the same machine.

    Anyone out there who can point me in the right direction??

    I want to allow only ports 25, 465, 110, 995, 443 and 80 through my proxy server..

    thanks :)
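
Peyman (June 2008, above) got SSH and VNC back by commenting out the INPUT DROP policy and the LOG/DROP pair, which leaves every port on the proxy host open, and cpyd asks how to let only a handful of ports through the box. As an added example (not the article's fw.proxy script), here are two shell functions that print the iptables commands for the article's layout (eth1 = LAN 192.168.2.0/24, eth0 = Internet): the INPUT chain keeps its DROP policy but accepts the management and proxy ports from the LAN interface ahead of the catch-all LOG/DROP, and the FORWARD chain admits only the listed TCP ports plus DNS. Printing the rules first lets you review them before piping them into sh.

```shell
# INPUT chain for the proxy host itself: keep the DROP policy, but accept
# loopback, replies to the host's own connections and the given TCP ports
# (management and proxy ports) from the LAN side before the LOG/DROP pair.
# Usage: input_rules LANIF LANNET [PORT...]   (default ports: 22 3128)
input_rules() {
    lanif=$1; lannet=$2; shift 2
    [ $# -gt 0 ] || set -- 22 3128
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -i $lanif -s $lannet -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -j LOG --log-prefix \"INPUT_DROP \""
    echo "iptables -A INPUT -j DROP"
}

# FORWARD chain for traffic routed between LAN and Internet: only the
# listed TCP ports plus DNS may leave; replies come back via the state match.
# Usage: forward_rules LANIF WANIF LANNET PORT...
forward_rules() {
    lanif=$1; wanif=$2; lannet=$3; shift 3
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $lanif -o $wanif -s $lannet -p udp --dport 53 -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A FORWARD -i $lanif -o $wanif -s $lannet -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A FORWARD -j LOG --log-prefix \"FWD_DROP \""
    echo "iptables -A FORWARD -j DROP"
}

# Review the output; apply as root with:
#   { input_rules eth1 192.168.2.0/24 22 5900 3128; \
#     forward_rules eth1 eth0 192.168.2.0/24 25 465 110 995 443; } | sh
input_rules eth1 192.168.2.0/24 22 5900 3128
forward_rules eth1 eth0 192.168.2.0/24 25 465 110 995 443
```

Flush the chains (`iptables -F INPUT; iptables -F FORWARD`) before applying, or the old LAN catch-all accept stays in front of these rules. Port 80 is missing from the FORWARD list on purpose: with the article's PREROUTING DNAT it never reaches FORWARD but arrives on INPUT at the Squid port, which is why 3128 sits in the INPUT list. Entries in the kernel log tagged `INPUT_DROP` or `FWD_DROP` then tell you exactly which port a failing application needs.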

  • jayarm December 7, 2008, 9:50 am

    I want to allow two prot which used for VOIP (port 8661 10500) how can enable the same
    Please tell me with the example , i am using redhat
    my ip is 172.21.100.10 (eth0) 192.168.103.10 (eth1)

  • Nick December 14, 2008, 12:45 pm

    Is it possible to set a machine with one ethernet adapter on the network as a transparent proxy?

    So my machine ("machine2") on 10.0.0.2 becomes my default gateway (in the DHCP config), which in turn either transparently proxies or sends the packet on to the 'real' default gateway at 10.0.0.1.

    Machine2 would need to match incoming packets and if not destined for it, and not destined for port 80, forward them to the router.

    Incoming packets not destined for the machine2, but are destined for port 80, forward to the squid proxy.

    This would be neat, as it would simplify network layout, avoid having to have two subnets, and make bypassing the proxy a simple method of adding a static network config with a different default gateway.

  • bashir December 26, 2008, 4:01 am

    Hi
    I'm using squid 2.6 in Centos 5.1. But i found some errors:
    1. arp 2. when i blocked the ip's but even then they are allowed

    please help

    bashir pakistan islamabad

  • khzied December 28, 2008, 1:22 pm

    Hi everybody,
    I have a problem with squid..

    In my internet network, i would like to have connections at the same time like this:
    * some ip addresses connect to the internet with authentication
    * some ip addresses connect to the internet without authentication

    How can i do in squid configuration and iptables rules..

    Thanks :)

  • khzied December 28, 2008, 1:25 pm

    with ipcop, i use the type "unrestricted user" that accesses the internet without authentication.. Other users without the type "unrestricted user" should connect by authentication..

    How can i do?
    Ps: I use squid 3.0

    Thanks

  • brijesh January 10, 2009, 7:33 am

    dear sir
    Sir i want to install the squid proxy but it is not installed
    please give the setup and how you installed it

  • Ibru January 19, 2009, 3:25 pm

    Hi,

    You have done an excellent work.

    How can I run fw.proxy script every time when my computer starts.

    Thanks
    Ibrhaim PP

  • Bjornar January 28, 2009, 12:18 pm

    Hi.

    When i load the script I get a error message:

    iptables: No chain/target/match by that name

    Someone know whats wrong?

    im a noob (A)

  • needh January 29, 2009, 6:19 pm

    I use your squid on ubuntu 7.04. It complains no httpd_accel, etc. If I remove those lines in squid.conf, that’s no proxy at all. Nothing in access.log.

  • baxbixbux February 20, 2009, 2:35 am

    good … now i can setup squid

  • col February 23, 2009, 9:59 am

    Hi - thanks for the really useful information. I have now set up my main PC as a transparent proxy so I can log and see all the websites that my family lan has been to. Is there a way to also log all MSN chat messages using squid?
    (we have a policy of open internet access, with the responsibility of where they choose to go being on the child, with them knowing that occasional spot checks of the logs will be carried out).

  • iniabasi February 25, 2009, 8:37 am

    i have gone through all the comments here and I have done everything – configuring the squid 2.7 stable 13 and iptables in ubuntu 8.10. my problem is that i only browse when i fix the proxy in the explorer, the transparency does not work. when i add this line of code, i have errors:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on.
    I am really at a loss on what to do.
    This what my squid conf looks like
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl ECONOMICS src 10.0.0.0/24 # RFC1918 possible internal network
    http_access allow ECONOMICS
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    icp_access allow ECONOMICS
    icp_access deny all
    http_port 80
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    extension_methods REPORT MERGE MKACTIVITY CHECKOUT
    visible_hostname EconnetServer
    hosts_file /etc/hosts
    coredump_dir /var/spool/squid

    Please can someone help me.
    Thanks.

  • manjunath February 25, 2009, 1:02 pm

    Hi,

    I do have the setup internet->router(cisco 2600)->firewall (506 E)->Cisco Switch (6500) no routing capability ->DHCP Server->Lan .

    Planning to have Squid transparent proxy. Plz help me how to setup I am new
    to Squid project.

    Manjunath

  • Xavier February 27, 2009, 2:20 am

    Hi all,

    My Squid server works fantastically with the script above if I only have 2 network adapters enabled.

    I have an eth2 that I wish Apache to listen on as I was getting some oddities with it running on eth0 and eth1 which i am guessing is attributed to SQUID. I can configure Apache to listen on eth2 ok, the problem is as soon as I enable and start eth2 everything dies. eth0 and eth1 are unpingable and squid doesn’t work.

    All I am doing is an out of the box version of squid with a very basic conf and the script above.

    Any help?

    Thanks,

    Xavier.

  • hana March 5, 2009, 12:37 pm

    is it possible to implement a transparent proxy using only one NIC?

  • kpm March 14, 2009, 5:56 pm

    We are using two ip ranges for accessing the internet and intranet. The IP 172.16.0.0/24 is for accessing our Intranet application from our remote office. The IP 192.168.1.0/24 is the local broadband connection used for accessing the internet locally. I want to access both connections from a single IP by configuring a linux squid proxy server. Can u please help me out with how to do the settings.

  • Christofer March 17, 2009, 10:41 am

    Thanks cyberciti for the great tutorial, help me a lot.

  • vijay March 29, 2009, 8:49 am

    This setup can use in fedora 10

  • Tricky April 15, 2009, 1:12 am

    I like how you’ve built this post. The httpd entries don’t seem to work on my server however its not a particularly important function for me. I think perhaps it wasn’t built into the build I have from Arch Linux.

    On a purely academic note, I often work with grep and sed and I recognised some even shorter ways to strip the squid.conf file. The shortest is still a combination:
    grep . /etc/squid/squid.conf|sed '/ *#/d'
    unless you want to actually strip it inline:
    sed -i '/ *#/d; /^ *$/d' /etc/squid/squid.conf

  • Bruce Smith April 16, 2009, 1:01 pm

    I'm looking for help for a fix.
    i work at a school. and I'm looking to run squid to speed up net access
    i have 2 upstream proxies, we use 1 for kids, 1 for staff, and i want to bind them into 1 proxy in school with 2 ports.

    so port 8080 for students caching from upstream proxy student.proxy port 80
    so port 8099 for staff caching from upstream proxy staff.proxy port 80

    any one any clues ?

  • nichive April 26, 2009, 10:21 pm

    To the point, I need some help with this configuration.

    I'm running my Squid on Ubuntu Server 8.10
    with the transparent configuration applied, and the iptables script made, without any error on the start/restart part.

    But my problem is, I can't open anything through any web browser that is installed on my local area network,
    but if I try some ping command to any web address, it works fine.
    Pity it's not doing so with the web browser.

    Any help would be appreciated :)

  • nichive April 26, 2009, 10:37 pm

    Ignore my last question, I found out what my problem was..

    My machine was a freshly installed one and didn't have the masquerading method…
    Just run the following command and voila:

    $ sudo apt-get install ipmasq

  • dave love May 7, 2009, 8:04 pm

    I am using this setup, but I am having trouble connecting to port 443. Any ideas? Do I need to tell it to use 443 and 80 in squid.conf?

  • Md. Saidur Hasan May 10, 2009, 11:49 am

    Hi boss,
    It's working, but there's a problem with the email: I can't download my email in Outlook.
    My configuration is as follows:
    # cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
    Output
    ——————–
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    cache_mem 32 MB
    access_log /var/log/squid/access.log squid
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 30
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    acl bad_sites dstdomain "/etc/squid/squid-block.acl"
    http_access deny bad_sites
    acl esl src 172.16.10.0/24
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access allow esl
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    cache_mgr ahmed.rahman@esl.com.bd
    visible_hostname ESL-NNC
    coredump_dir /var/spool/squid

    please help me..

  • chrkc May 25, 2009, 10:20 am

    Hi,
    I have three systems: my Apache web server is running on the 192.168.0.26 machine,
    Squid/proxy is running on 192.168.0.25 and my firewall/Shorewall is running on 192.168.0.20.
    And there is a local network 192.168.0.X of systems with the gateway set to 192.168.0.20.
    Can anyone tell me how I manage things in a way that all the HTTP requests made are directed to the Squid proxy?
    As the people in the local network, through a direct browser connection, are able to open sites that were restricted through the proxy settings.

    Thanks

  • Wiki June 8, 2009, 4:19 am

    Where can I find, or where should I paste, the following commands? At which line number?

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy
    httpd_accel_uses_host_header on

  • Nand June 17, 2009, 5:44 am

    I have set up Squid using transparent proxy, and in iptables I have changed the policy of the filter table to DROP. Everything is working fine. But any idea how to block torrent downloading? What iptables rules do I need to set up?

    Regards,
    Nandkishor

  • Rashid Iqbal June 27, 2009, 8:01 am

    Hi friends,
    I am new to Linux. Right now I am using Fedora… I configured the proxy and configured iptables to forward the traffic for Microsoft Outlook. Now there is a problem: users are able to browse without the client proxy settings… although I only added the iptables script that forwards the port 80 traffic to port 3128 so that users should go through the proxy…

    Secondly, we are using a Citrix server… how to enable remote users to connect to our DB server through the Citrix server… using TCP 1494 and
    UDP 1600 to 1699…
    and TCP 80..
    And how to restrict the wireless users so that they should go through the proxy…
    And finally, I want only some specific users to use the internet through client proxy settings and the remaining will be blocked…

    Please help me in this regard… I will be highly obliged..

  • Rashid Iqbal June 27, 2009, 9:35 am

    Friends, I am new to Squid.

    I want to configure the proxy server with Squid but not transparent…
    like that every user should put the IP address + port 3128…
    Secondly, I want to receive emails in Microsoft Outlook… for this purpose I use iptables. Now mail is working, but users can bypass the proxy after putting the proxy address into the client's gateway..

    Please help me to solve this issue..

  • Anindya Banerjee July 6, 2009, 8:52 am

    How can I install and configure a Squid proxy on my Red Hat Linux system?

  • Mohd Anas July 14, 2009, 11:58 am

    Hi,
    Can someone suggest how I can configure my Squid HTTP proxy for FTP also?
    And what are the settings for an FTP client like FileZilla?

    Thanks

  • Gregory I Okumoro July 22, 2009, 3:38 pm

    Hi,
    I am new to Linux but I like what you have to say about port 80 redirection to port 3128.
    Currently, my website is unavailable online because the cable company (ISP) has blocked all the ports that I have to work with except port 3128.
    1. What is the directory of the firewalls to which I have to copy the "firewall" scripts?
    2. What directory do I copy "fw.proxy" to?

    Thanks,
    Gregory Omkpokoro

  • Ajit Upadhyay August 4, 2009, 10:28 am

    Hi!

    I have a server with eth0 (10.126.2.101) connected to my ISP (proxy 10.31.31.10:3128 with authentication, i.e. userid/pwd) and eth1 (192.168.1.1) connected to the local network through a fast ethernet switch. The server is also a DHCP server for the local network (192.168.1.2 – 192.168.1.254). Now, I have configured Squid on this server so that local network PCs can access the internet through my server (which is behind the ISP's authenticated proxy). The details of squid.conf are listed below:
    ——————–

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 10.0.0.0/8
    acl localnet src 172.16.0.0/12
    acl localnet src 192.168.1.1
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl purge method PURGE
    acl CONNECT method CONNECT
    access_log /var/log/squid/access.log
    acl plasma_net src 192.168.1.2
    acl plasma_net src 192.168.1.3
    acl plasma_net src 192.168.1.4
    acl plasma_net src 192.168.1.5
    http_access allow plasma_net
    acl lan src 10.126.2.101 192.168.1.1
    http_access allow localhost
    http_access allow lan
    http_access allow all
    http_access allow localnet
    http_access deny all
    acl ftp proto FTP
    http_access allow ftp
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_reply_access allow all
    icp_access allow all
    icp_access allow localnet
    icp_access deny all
    htcp_access allow localnet
    htcp_access deny all
    http_port 192.168.1.1:3128 transparent
    hierarchy_stoplist cgi-bin ?
    cache_mem 8 MB
    memory_replacement_policy lru
    cache_replacement_policy lru
    cache_dir ufs /var/cache/squid 100 16 256
    minimum_object_size 0 KB
    maximum_object_size 4096 KB
    cache_swap_low 90
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    emulate_httpd_log off
    ftp_passive on
    refresh_pattern ^ftp: 1440 20 10080
    refresh_pattern ^gopher: 1440 0 1440
    refresh_pattern (cgi-bin|\?) 0 0 0
    refresh_pattern . 0 20 4320
    always_direct allow all
    connect_timeout 2 minutes
    client_lifetime 1 days
    cache_mgr webmaster
    visible_hostname plasma1
    icp_port 3130
    error_directory /usr/share/squid/errors/English
    coredump_dir /var/cache/squid
    cache_swap_high 95
    

    ——————-

    When any PC on the network tries to use the internet, I get the following error in my access.log:
    ——————————————————
    1249380227.459 10 192.168.1.4 TCP_REFRESH_UNMODIFIED/304 259 GET http://webmail1.cat.ernet.in/newmail/images/dotted_bullet.gif – DIRECT/10.11.100.123 –
    1249380237.766 294 192.168.1.4 TCP_MISS/503 2419 GET http://www.google.com/ – DIRECT/209.85.231.104 text/html
    1249380328.894 290 192.168.1.4 TCP_MISS/503 2468 GET http://www.google.com/ – DIRECT/209.85.231.104 text/html
    1249380437.333 184 192.168.1.4 TCP_MISS/503 2350 GET http://www.yahoo.com/ – DIRECT/69.147.76.15 text/html
    ———————————————-
    and the user gets the following error:
    while trying to retrieve the URL http://www.yahoo.com/ The following error was encountered: Connection to 69.147.76.15 Failed. The system returned: (101) Network is unreachable

    [whereas I am able to access the above URL / IP from the server]

    PLEASE HELP me resolve this issue.

  • Ajit Upadhyay August 4, 2009, 11:12 am

    further info:
    OS: openSuSE 11.0

    Also, I have disabled the firewall as of now (my ISP is highly secure / protected).

  • Ajit Upadhyay August 4, 2009, 11:44 am

    I have also set in squid.conf

    ———————–
    cache_peer 10.31.31.10 parent 3128 0 no-query
    prefer_direct off
    ———————–

    where my ISP’s proxy is 10.31.31.10:3128

    but the error still continues.

  • Javier August 17, 2009, 9:11 pm

    Hello, I wrote exactly the script and got a problem: I can not see my eth0 that connects with my local LAN.
    How can I delete this script?

    javier

  • Javier August 18, 2009, 12:08 am

    After I completed the script I got a problem: I can see the eth0 that is connected to my local network.

  • Marc August 18, 2009, 6:59 am

    Hello,
    I'm using a transparent proxy bridge, and I noticed that a download never completes and it always cuts, as if the connection to the server is reset!
    I'm using these rules in the firewall:
    ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080

    where port 8080 is the DansGuardian port for URL filtering.
    Any idea why the connection resets? It's like a TCP reset is being done.
    Thanks.

  • jac August 18, 2009, 3:35 pm

    Hey, pay attention: kotnik's sed trick deletes ALL rows that CONTAIN a #, not just those that START with #.

  • John September 3, 2009, 7:57 am

    Hi,
    I am running a transparent bridge with Squid and DansGuardian.
    I noticed that a download can never complete and I get the message "The connection with the server was reset" as soon as the download starts.
    Very small files (< 1 MB) are hardly able to finish.
    Browsing is fine; the problem is only with the downloads and they always cut.
    Anybody having a similar problem with a transparent bridge?
    Appreciate your help solving this critical matter.

    Thanks.

    John

  • theleftfoot September 3, 2009, 9:44 am

    Hey guys,

    I hope someone can help me out… I've got problems with the following two steps:

    Save shell script. Execute script so that system will act as a router and forward the ports:
    # chmod +x /etc/fw.proxy
    # /etc/fw.proxy
    # service iptables save
    # chkconfig iptables on

    Start or Restart the squid:
    # /etc/init.d/squid restart
    # chkconfig squid on

    It doesn't work! I got these errors:

    test:/ # chmod +x /etc/fw.proxy
    test:/ # /etc/fw.proxy
    test:/ # service iptables save
    service: no such service iptables
    test:/ #

    Can someone help me out?

    Cheers, raffa

  • Anant Patel September 18, 2009, 2:29 pm

    hello!!!
    My college server has blocked many ports like 3128, 8822, 3127, 8125, 8130… so I can't access the net. I have to use only the college-provided net… What can I do?? They also stopped the ports in uTorrent…
    Please help me..
    Thank you..

  • safdar azam September 24, 2009, 9:47 am

    Hello. I am using Linux Red Hat version 3 and I have two LAN ports, both configured, so
    I want to share my internet connection with a Winbee thin client. Tell me how I can connect with the thin client.
    Please, I am waiting.

  • Stolz October 7, 2009, 2:09 pm

    AFAIK, the rule "iptables -A OUTPUT -o lo -j ACCEPT" is redundant, because the default policy rule "iptables -P OUTPUT ACCEPT" already allows all outgoing traffic on all interfaces.

  • Baswaraj Ramshette November 13, 2009, 7:19 am

    Hi,
    I have followed whatever steps you have given in this article regarding transparent proxy configuration; I did everything according to your article.
    I am getting the following error, please help me:
    /etc/init.d/squid restart
    Stopping squid: 2009/11/13 12:42:28| parseConfigFile: line 4519 unrecognized: 'httpd_accel_host virtual'
    2009/11/13 12:42:28| parseConfigFile: line 4520 unrecognized: 'httpd_accel_port 80'
    2009/11/13 12:42:28| parseConfigFile: line 4521 unrecognized: 'httpd_accel_with_proxy on'
    2009/11/13 12:42:28| parseConfigFile: line 4522 unrecognized: 'httpd_accel_uses_host_header on'
    . [ OK ]
    Starting squid: . [ OK ]

    On client side

    The requested URL could not be retrieved.

  • Jeffry November 25, 2009, 7:43 am

    I need help. I use Ubuntu Jaunty 9.04 and want to configure Squid, and everything is okay, because I can set the proxy 1.1.1.1:3128 in every browser. But if I want to make Squid transparent, I still get nothing. All I do is just put transparent next to http_port 3128, and a few configuration lines like above, then put the iptables rule as usual:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
    and in Ubuntu, the iptables version is 1.1.4.1
    Please advise… my hair has become "fall season" :`(

  • e December 9, 2009, 5:30 pm

    How do I get on MySpace from school?

  • Live December 15, 2009, 2:26 am

    Does anybody's question ever get answered in this tutorial? This tutorial is obsolete in later versions of Squid!

  • Sye MUshtaq Ahmed December 24, 2009, 7:24 pm

    Hello,

    Really, the guide is wonderful and it worked 100% for me, and even the clients using it are amazed with its speed. But there is one problem now!!! When clients access email, like Yahoo and Hotmail and others, in IE a message will show after a few seconds: this page can't be displayed. Please solve my problem ASAP.
    REGARDS

  • Sam December 31, 2009, 8:49 am

    Hello,
    I am facing a problem when setting up the server as a router. My client can ping eth1 and eth0 successfully. However, the client can't browse the internet through the proxy server (eth0). For your information, I set up the proxy server following exactly what was written here. May I know what the problem is?

    Thanks !

  • Devinka January 16, 2010, 5:35 am

    HI ,

    Thanks for the howto. It works fine.

  • Lalit Kumar January 16, 2010, 7:19 pm

    Hi All,

    I have an issue with my transparent Squid server: it is working transparently only for its own subnet or VLAN systems.

    Like, my Squid server IP is 172.16.110.24 and it's working fine for a system with IP 172.16.110.22.

    But it is not working transparently for other systems like 172.16.119.37 and 172.16.122.43.
    I added acl mynet src 172.16.110.0/24 172.16.119.0/24
    http_access allow mynet.

    But it is working only for same-VLAN systems. Why?

    Can anyone help me out with this issue?

  • gopi chand January 19, 2010, 12:42 pm

    Where can I add the following lines in squid.conf? Please, can anybody help me? The lines are:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl lan src 192.168.1.1 192.168.2.0/24
    http_access allow localhost
    http_access allow lan

  • Kartik Vashishta February 4, 2010, 5:33 pm

    So I have to enable IP routing for this to work; what is the command to do that… to tell eth0 to route to eth1?

  • bobzi February 12, 2010, 6:19 pm

    Dear LINUXTITLI,
    I configured Squid 2.5 with your configuration. Everything is fine, but HTTPS sites don't accept requests. I've tried several times to open HTTPS (the SSL port) in iptables with some different commands; however, I still have the problem. On the other hand, when I set the proxy in the Internet Options tab, clients can open secure sites; when I erase the proxy setting, only the secure sites have a problem logging in. And also I need to set up clients without any setting in the browser, for some reasons.
    Actually I have a serious problem with this setting. I need some help.
    Could you please give a solution?! Dear LINUXTITLI or somebody else.
    I will be grateful.
    Many thanks

  • Fredl February 12, 2010, 11:26 pm

    Hi,
    kotnik's magic filter in posting #4 ignores the greediness of sed. His code will hide any lines containing a '#' (and following comment) somewhere in them. This will reflect an incomplete setup. Better use this grep-only command:
    grep -vE '^#|^$' /etc/squid3/squid.conf

    To all the help-seekers here: better try a suitable forum for your questions; a blog like this one is far from being a perfect platform for helping with configuration mistakes.

    Regards,
    Fredl.
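
The point jac and Fredl make above, shown as an added example (not from the tutorial or any commenter): a constructed squid.conf fragment run through the thread's `sed '/ *#/d'` filter beside a filter that drops only lines whose first non-blank character is `#`. The sample config and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare the comment-stripping filters discussed in this thread.
# SAMPLE_CONF is a constructed squid.conf fragment, not a real configuration.
# Two of its directive lines carry trailing "# ..." comments, exactly as the
# stock squid.conf does for its RFC1918 localnet and Safe_ports entries.

SAMPLE_CONF=$(cat <<'EOF'
# Squid configuration (constructed sample)
http_port 3128 transparent

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
   # indented comment line
acl Safe_ports port 80 # http
http_access allow localnet
EOF
)

# The filter quoted in the thread: '/ *#/d' matches a '#' anywhere on the
# line, so both ACL definitions above disappear from the listing.
strip_naive() {
    sed '/ *#/d; /^ *$/d'
}

# Drop only blank lines and lines whose first non-blank character is '#'.
# Directives with a trailing comment survive; Squid ignores the trailing
# comment itself, so the listing now matches what Squid actually loads.
strip_effective() {
    grep -vE '^[[:space:]]*(#|$)'
}

# Convenience wrapper for a real file: strip_file /etc/squid/squid.conf
strip_file() {
    strip_effective < "$1"
}

# Standalone demonstration: the naive listing loses both acl lines.
printf '%s\n' "$SAMPLE_CONF" | strip_naive
echo '---'
printf '%s\n' "$SAMPLE_CONF" | strip_effective
```

When reviewing a config someone has pasted for help, the difference matters: the naive listing hides exactly the `acl` lines that carry explanatory comments, so a reviewer may conclude an ACL was never defined when it was.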

  • Fredl February 12, 2010, 11:33 pm

    NB:
    Sorry, forgot to say “thank you” for the fine tutorial, LINUXTITLI!
    :)

    @Lalit Kumar: try
    acl mynet src 172.16.110.0/24 172.16.119.0/24 172.16.122.0/24
    or simpler (but less restrictive):
    acl mynet src 172.16.0.0/16

    Most of the others here have some typos, too…

  • Manoj February 15, 2010, 11:20 am

    I configured an RHEL5 Squid server as a proxy server in a Windows environment, and it gives me a problem for Outlook Express and MS Outlook: users on the Windows side are not able to send and receive their e-mails. However, I have opened the safe ports and iptables rules.

    Also, I want to configure a Squid server as a proxy server in such a way that some of the users are not able to access specific web sites but some users are able to access the same websites, while users get their IPs from a DHCP server.

    • saltio May 12, 2010, 12:55 pm

      Outlook Express and MS Outlook: users on the Windows side are not able to send and receive their e-mails. What are the commands to open the safe ports and iptables rules? Thanks for the setup; this will save a lot of time.

  • vikram February 24, 2010, 5:40 am

    I have always noticed one thing: while going for transparent Squid or IP masquerading, I always have to keep my named service on and specify the DNS IP settings in the client. Is DNS necessary? Because we don't need that in normal (non-transparent) Squid. Kindly guide.

  • bezt March 4, 2010, 3:04 pm

    Can you tell me how I configure my iptables for a non-transparent proxy?
    Thanks in advance.
    Regards

  • Sharon March 9, 2010, 3:38 pm

    Hi
    I am very bad at Linux and have failed many a time, but I want to set up a similar system including web content filtering using the DansGuardian package. This system is intended for use in non-profit organisations with which I am associated. If somebody could spare some time to set up this system, please mail me back at my email address sharon.joel77@gmail.com

    Best Regards,
    Sharon.

  • Anil March 19, 2010, 10:22 am

    I want to set up Squid proxy servers (three) with one gateway server. I know it can be done with Linux LVS. Can somebody give me a detailed howto or step-by-step guide to set this up?

    Thanks in advance

  • Nick April 9, 2010, 9:02 am

    Please help. I have installed and configured squid-3.1.1 on openSUSE 10.2 and it starts well, but for some reason client machines can't access the internet through Squid. I have one LAN port connected to the switch and I want all computers to use it as a proxy server with port 8080. Do I need to install Apache as well? Below are the configurations:

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl localhost src ::1/128
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
    acl to_localhost dst ::1/128
    acl mrc src 10.0.1.0/24
    acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access allow safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access allow mrc
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    htcp_access allow localnet
    http_port 3128
    http_port 8080
    hierarchy_stoplist cgi-bin ?
    cache_dir ufs /usr/local/squid/var/cache 1000 16 256
    access_log /usr/local/squid/var/logs/cache.log squid
    cache_access_log /usr/local/squid/var/logs/access.log squid
    cache_store_log /usr/local/squid/var/logs/store.log squid
    cache_store_log /usr/local/squid/var/logs/store.log squid
    coredump_dir /usr/local/squid/var/cache
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    cache_mgr root
    visible_hostname mskproxy.mrcuganda.org
    icp_port 3130
    always_direct allow all
    cache_effective_user squid
    cache_effective_group squid
    htcp_port 4827
    cache_mgr it@mrcuganda.org

    • JAYGUPTA September 7, 2011, 6:15 am

      Sir,
      I want to make a transparent proxy but I don't know where to edit these lines (httpd_accel_host virtual
      httpd_accel_port 80
      httpd_accel_with_proxy on
      httpd_accel_uses_host_header on) in squid.conf!!!!!
      Please help me

      and thanks in advance!!!!

    • Saad Hammad October 10, 2011, 9:38 am

      Did you change the acl localnet src 10.0.0.0/8 network to 10.0.0.0/24 yourself?
      If you have given a separate acl mrc,
      then there is no need to put the RFC1918 definition; just put a # sign before the above line:

      #10.0.0.0/8 # RFC1918 possible internal

      and see if it works, provided 10.0.0.0 is your internal network.

  • ammar ali April 13, 2010, 2:27 pm

    I need all the proxy settings.

  • Sarmed Rahman April 18, 2010, 11:09 am

    a million thanks ^_^

  • Prasad May 13, 2010, 12:36 pm

    thanks for the info.
    i was really in need of this.

  • hmtum01 May 19, 2010, 11:12 pm

    How can I block users according to MAC address filtering in a transparent Squid proxy?
    Which version of Squid is that?

  • rocky May 31, 2010, 4:42 am

    thanks

  • Alex Y. Telkov (Russia) June 2, 2010, 4:51 am

    Thanks a lot! I had a problem with Total Commander
    while users from the local net tried to access FTP resources.
    I have a classic architecture in the local HQ LAN: "LAN — Linux router — Cisco 871-k9 — Internet". I apologise; your approach to solving the FTP port error problem helped me
    solve my situation. If my "server under construction" is turned on at the moment,
    I'll start to implement your solution remotely immediately! :)

  • Pradip Raut Chhetri June 6, 2010, 1:07 pm

    I have done everything, the 3 easy steps for transparent proxy, but every time I restart Squid I am getting an error regarding the following:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    Help me. Do I have to set up an httpd server before configuring your "3 easy steps transparent proxy"?

    Thank YOU

  • gbrane June 14, 2010, 11:16 am

    Important!!!!!
    For Ubuntu users!!!
    In /etc/sysctl.d/10-network-security.conf
    these must be commented out!!
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1
    I lost one month solving this problem!!!!!!
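
A pre-flight check for the two kernel settings this thread keeps tripping over (the IP forwarding Kartik asks about above, and the rp_filter setting gbrane describes), as an added example that is not part of the original tutorial or any comment. The function name and the fake-tree argument used for testing are this example's own. Strict reverse-path filtering (rp_filter=1) discards packets that arrive on an interface the kernel would not use to reach their source, which asymmetric paths such as the bridged and policy-routed interception setups in this thread can trigger; loose mode (2, available since kernel 2.6.31) still rejects sources with no route at all, so the check suggests 2 rather than switching the filter off.

```shell
#!/bin/sh
# Added example: check the kernel settings a transparent Squid router relies on.
# The first argument is the sysctl tree to inspect (defaults to the live
# /proc/sys/net/ipv4); any further arguments are interface names whose
# per-interface rp_filter should also be checked. Each finding is printed and
# the return value is the number of findings, so 0 means "looks fine".
# "check_forwarding_sysctls" and the fake-tree argument are this example's own.

check_forwarding_sysctls() {
    root="${1:-/proc/sys/net/ipv4}"
    [ $# -gt 0 ] && shift
    problems=0

    # Without forwarding, LAN packets that are not redirected to Squid
    # (HTTPS, mail, DNS) never leave the box.
    if [ "$(cat "$root/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "net.ipv4.ip_forward is not 1: the box will not route for the LAN" \
             "(fix: sysctl -w net.ipv4.ip_forward=1, and persist it in /etc/sysctl.conf)"
        problems=$((problems + 1))
    fi

    # rp_filter=1 (strict) silently drops packets that arrive on an interface
    # the kernel would not use to reach their source. Loose mode (2) still
    # rejects sources with no route at all, so prefer it over disabling (0).
    for scope in all default "$@"; do
        value=$(cat "$root/conf/$scope/rp_filter" 2>/dev/null)
        if [ "$value" = "1" ]; then
            echo "net.ipv4.conf.$scope.rp_filter=1 (strict):" \
                 "redirected/bridged flows may be dropped; set it to 2 (loose)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Standalone use against the live kernel: sh check.sh --run eth0 eth1
if [ "${1:-}" = "--run" ]; then
    shift
    check_forwarding_sysctls /proc/sys/net/ipv4 "$@"
fi
```

Run it on the proxy box after the fw.proxy script, naming the LAN and internet interfaces; a non-zero exit with the printed findings tells you which sysctl to fix before looking at Squid itself.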

  • Lawrence Giam June 22, 2010, 9:51 am

    Hi All,

    I am trying to install and configure a transparent proxy but it doesn't seem to work.

    This is my setup:
    Server #1 (Proxy Server)
    eth0 IP : 10X.XXX.94.XX
    eth0 IP : 10X.XXX.94.1
    eth0:1 IP : 10.0.2.139
    eth0:1 GW : No gateway specified

    ## /etc/squid/squid.conf ##
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl purge method PURGE
    acl CONNECT method CONNECT

    acl lan src 10.0.2.0/24
    http_access allow localhost
    http_access allow lan
    cache_mem 50 MB
    http_port 3128 transparent
    icp_port 3130

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl localnet src 10.0.2.0/24

    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all

    icp_access allow localnet
    icp_access deny all

    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid

    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320

    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast

    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache

    extension_methods REPORT MERGE MKACTIVITY CHECKOUT

    hosts_file /etc/hosts

    coredump_dir /var/spool/squid
    ##############################

    ## iptables rules ##
    SQUID_SVR="10.0.2.139"
    SQUID_PORT="3128"
    INET_IFACE="eth0"

    INT_NET="10.0.2.0/24"

    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # Enable Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT

    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    # set this system as a router for Rest of LAN
    iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
    iptables -A FORWARD -s $INT_NET -j ACCEPT

    # unlimited access to LAN
    iptables -A INPUT -s $INT_NET -j ACCEPT
    iptables -A OUTPUT -s $INT_NET -j ACCEPT

    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -s $INT_NET -p tcp --dport 80 -j DNAT --to $SQUID_SVR:$SQUID_PORT

    # if it is same system
    iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

    #open everything
    iptables -A INPUT -i $INET_IFACE -j ACCEPT
    iptables -A OUTPUT -o $INET_IFACE -j ACCEPT

    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    ###########################

    Server #2 (Webserver)
    eth0 IP : 10X.XXX.98.XXX
    eth0 GW : 10X.XXX.98.1
    eth0:1 IP : 10.0.2.191
    eth0:1 GW : No gateway specified

    ## iptables rules ##
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.2.139:3128
    ####################

    To check if squid is being accessed, I tail /var/log/squid/access.log

    Using curl http://www.myservers.com
    I get the response but there is no hit on the squid, meaning that the request went out via the Server #2 gateway.

    Can anyone advise if there is any other rule I need to add and on which machine?

  • DEEPAK June 30, 2010, 7:41 am

    Can anybody help me configure the Linux firewall? This is my first time using it. Please help me with how to configure it; send some link or command.

  • Vijith P A August 31, 2010, 4:04 pm

    Hi guys,
    I configured the proxy server as transparent in the above-mentioned way except for this code: httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    When I try to access the internet from the client side it shows the error message “The following error was encountered while trying to retrieve the URL: /

    Invalid URL”. Actually I typed http://www.google.com
    The error message in the /var/log/squid3/access.log file is
    1283269708.780 0 192.168.1.121 NONE/400 1951 GET /firefox - NONE/- text/html

  • tendy September 9, 2010, 4:00 pm

    Will anyone ever give a solution to this problem???

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    Help me. Do I have to set up an httpd server before configuring your “3 easy steps transparent proxy”?

  • Anonymous September 20, 2010, 9:54 pm

    grep ^[^#] /etc/squid/squid.conf

  • pdk October 4, 2010, 1:00 pm

    It’s not working as a transparent proxy at all. I have RHEL 5.3 and squid3. Packets reach the clients only after specifying the port and gateway IP, otherwise not.

  • wezt October 29, 2010, 7:16 am

    @vijith and tendy

    AFAIK but CMIIW,

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    are not for squid:

    all of the above directives are not for the squid-3.x version, they are only valid until squid-2.6
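    The NONE/400 line in Vijith P A's post above is the symptom wezt describes: traffic redirected to a Squid listener that is not in intercept mode. The following log check is an added example (not code from the article or from any commenter); the sample lines are constructed, with the first one copied from that post.

```python
"""Spot squid access.log entries that show intercepted traffic reaching a
listener that is not in intercept mode.

Squid's native log format is:
  timestamp elapsed client result/status bytes method url ident hier/peer type
A NONE/400 entry whose URL is a bare path ("/firefox") means Squid received a
request with no scheme or host it could use, which is what a port-80 redirect
produces when http_port is not marked intercept/transparent and the
httpd_accel_* directives are ignored (they are not valid for squid-3.x).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample excerpt; line 1 is the line quoted in the post above.
SAMPLE_LOG = """\
1283269708.780 0 192.168.1.121 NONE/400 1951 GET /firefox - NONE/- text/html
1283269710.102 312 192.168.1.122 TCP_MISS/200 5120 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html
1283269711.450 0 192.168.1.121 NONE/400 1951 GET /search?q=squid - NONE/- text/html
1283269712.000 890 192.168.1.123 TCP_MISS/200 0 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -
1283269713.300 0 192.168.1.124 TCP_DENIED/403 1200 GET http://blocked.example/ - NONE/- text/html
"""


@dataclass
class Entry:
    ts: float
    client: str
    result: str
    status: int
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(float(m["ts"]), m["client"], m["result"],
                 int(m["status"]), m["method"], m["url"])


def is_broken_intercept(e: Entry) -> bool:
    """NONE/400 with a path-only URL: Squid could not reconstruct the target."""
    return e.result == "NONE" and e.status == 400 and e.url.startswith("/")


def scan(log_text: str) -> Dict[str, int]:
    """Count broken-intercept 400s per client IP across a log excerpt."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_broken_intercept(entry):
            counts[entry.client] = counts.get(entry.client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client}: {n} request(s) rejected as NONE/400; "
              "check that the listening http_port is marked intercept")
```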

  • Bishal November 16, 2010, 6:42 am

    Hello all,

    I have a different scenario. I have a Linux firewall and squid installed on different servers.
    How can I forward all LAN clients to the squid box from the Linux router, since forwarding from the Cisco router makes the squid box see all clients coming from the Linux gateway IP? I want to see individual IP logs on the squid box. How is it possible?

    cisco router
    |
    |
    Squid box rl0(172.160.10.2)-----|-------Linux router eth0(172.16.103)
    |
    eth1
    |
    LAN Clients (192.168.9.0/24)

  • sleiman December 18, 2010, 11:19 pm

    Hi all,
    I want to make a cache server.
    Anybody help me.
    No problem about money, I can pay.
    Please send me an email.
    Thanks all

  • sajeet January 24, 2011, 11:08 am

    Hi,

    Nice script for a transparent proxy server.

    In your script you use 2 LAN cards for the proxy settings,

    but I have only one LAN card on my squid proxy server, and this is working fine.
    But I want to know how to configure a transparent proxy server using 1 LAN card.

    I use squid 2.5 Stable on Redhat 9,
    so please help me, waiting for your reply

  • aditya February 5, 2011, 6:54 am

    I have installed Red Hat Enterprise Linux 5 on one PC to make a web proxy server.
    Internet access on this machine is working ok. The other Win XP PCs cannot access the internet. I have configured squid as:
    acl lab src 192.168.2.1-192.168.2.249/255.255.255.0

    Please help me

  • Volverin (Vivek) February 9, 2011, 9:13 pm

    THANKS A LOT for the information. Following you.

  • Bikash February 18, 2011, 6:57 am

    Hi friends...
    I have installed Linux 5.0 and configured squid but there is a problem with transparent squid...
    Can anybody tell me how to make my Linux transparent to the client desktop?
    My squid is working when I manually put the proxy address in the internet browser..
    I want to make it transparent so there is no need to put the proxy in the internet browser...
    I have a broadband connection....

    Thanks

  • Atul M February 20, 2011, 7:23 am

    guys!!!

    Three hats off to this article and the people who have contributed everything before my opinion.

    This is one of the most EXCELLENT!!! web pages on the internet.

    I would say THE BEST

  • nikhil February 24, 2011, 4:46 am

    Hi
    Can anyone explain how to set the time limit in DansGuardian?

    Thanks in advance

    nikhil

  • Denie April 25, 2011, 4:01 am

    My squid server has only 256MB RAM and a P4 and is serving ~300 clients... why do you need such a big amount of RAM (8GB) for only 150 clients?

  • Wasim Sheikh April 26, 2011, 10:27 am

    That is not filtering HTTPS traffic; the user can access the blocked sites via HTTPS......... Please suggest how to filter HTTPS traffic via the transparent proxy.

  • Syed Mushtaq Ahmed April 27, 2011, 4:22 pm

    Hi,
    I have configured the squid 2.6 STABLE 6 server using Fedora Core 6. It has 2 ethernet cards. eth0 is used for the internet (LAN) and eth1 is connected to the local area.
    eth0 using IP 192.x.x.x
    Netmask 255.255.255.0
    Gateway 192.168.x.x
    Dns 203.x.x.x
    Dns 203.x.x.x
    eth1 using Ip 192.x.x.x
    Netmask 255.255.255.0

    When I run the fw.proxy script and save iptables and restart squid, then when I ping eth0 from the client side it replies, but pinging eth1 does not reply.
    So please give me the solution for this.

  • turn the power on May 31, 2011, 6:25 pm

    grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
    RRRRRIGHT !!!!! ... sed is ... FOR ?!? what EXACTLY ?!?
    your personal pleasure or just to prove beyond any reasonable doubt that you are really “PRO” ?

    grep -ve ^# -ve ^$ /etc/squid/squid.conf
    is the right line

    but you really LOST ME when you PROVED BEYOND ANY REASONABLE DOUBT THAT YOU ARE RETARDED !

    cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
    ignoring some cat that is for nothing, sed 'blabla' filename does the same thing

    and I'm telling you, your beloved command cuts any single thing with a # in it, so it will TOTALLY CUT VALID DIRECTIVES, like this one:
    acl Safe_ports port 80 # http

    TURN THE POWER ON RETARD !!!!!

  • soumalya June 3, 2011, 4:18 am

    Sir

    I have two labs in my college, one is the 172.16.0.0 series and another is the 192.168.10.0 series.
    Now I want to allow both labs to access the internet through squid, which has the 172.16.0.10 IP address.

    Please help.

  • Amos Jeffries June 3, 2011, 9:42 am

    This whole article is now 5 years old and the version it was written for is squid-2.5. Both Squid and iptables syntax have changed.

    It needs to be removed from public distribution please. Current documentation can be found in the official Squid wiki website.

  • ericmilyon July 24, 2011, 6:33 am

    hi,

    I'm a newbie; can I know if I can use iptables on FreeBSD?

    Thanks..

  • Muhammad Naveed July 27, 2011, 12:47 pm

    Hi, I am using Linux 5 and squid 2.6.STABLE21. My eth0 IP is 77.0.0.4 and eth1 is 192.168.0.3. I want to set 3128 as my squid port. I am unable to add or modify the lines mentioned below. I don't know where to add these 4 lines.
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl lan src 192.168.1.1 192.168.2.0/24
    http_access allow localhost
    http_access allow lan

  • Iain August 11, 2011, 7:44 pm

    Hi,

    I tried running your script and got the following error

    FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.32-5-686/kernel/net/netfilter/nf_conntrack_ftp.ko): Cannot allocate memory

  • JAYGUPTA September 7, 2011, 6:24 am

    I am using squid version 3.0 and I want to make a transparent proxy, please help me.
    I edited one line in squid.conf and this line is
    http_access 8080, which I changed to
    "http_port 3128 intercept"
    but it does not work, please tell me why ??????

  • ben October 16, 2011, 2:00 am

    I live in europe, but I’d like for my xbox360 to connect to xbox live in the states.

    Currently, I have the xbox go through my pc that is configured for the isa proxy. But I’d love a solution that doesn’t require my pc running!

    Maybe a tiny bare bones linux machine (raspberry pi? chumby? modified dd-wrt/tomato router?) that is capable of connecting the xbox to the internet via a proxy or vpn.

    Any suggestions?

  • jonasor October 24, 2011, 8:57 pm

    Hi, my question is:
    How can I make a specific IP not pass through the proxy?
    What would be the rule in iptables?

  • abizar October 25, 2011, 9:46 am

    How can I configure Squid as a transparent proxy on Windows 7?
    I installed squid 2.7stable8 on Windows 7.

  • LtPitt October 28, 2011, 11:51 am

    Hi all!

    I have a lovely squid proxy working but my Windows clients on the LAN can’t access our mail server (external, on the internet) using Outlook Express.

    What can I do to solve the problem?

    • Oleg November 26, 2011, 12:22 am

      Hi, I have the same problem as bobzi..............

      Everything is fine but HTTPS sites don’t accept requests. When I set the proxy in the Internet Options tab, clients can open secure sites; when I erase the proxy setting only the secure sites have a problem.
      Could you please give a solution?! Dear LINUXTITLI or somebody else.
      I will be grateful.
      Many thanks

  • arfie December 23, 2011, 1:02 pm

    Dear All,
    How do I disconnect a client connected through the squid proxy?

  • Khuram Raza January 2, 2012, 3:43 pm

    Excellent tip on the transparent proxy,

    but I want to configure a parent proxy (cache_peer). Is there any way I can do it with the transparent proxy? So far, whenever I run your script my VPN (hamachi) stops working, thus no connection to the parent proxy.

    • Thura Ko Ko March 15, 2012, 8:58 pm

      Hi ~ Khuram Raza. You should run NAT+SQUID.
      1. Service squid stop. #service squid stop
      2. NAT open. #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      #service iptables save
      #service iptables restart
      3. Test connection .. Auto-detect in Firefox .. If it runs .. step complete..
      4. Squid restart # service squid restart
      5. Add rule on iptables #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.254:3128
      #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
      #service iptables save
      #service iptables restart

      6. Startup run #chkconfig squid on
      #chkconfig iptables on

      • Thura Ko Ko March 15, 2012, 9:05 pm

        192.168.1.254:3218 is the LAN IP and port (if you run it on your network port, e.g. 3218 now)

  • David January 10, 2012, 12:46 am

    I want to set up an online/cloud transparent proxy server that will act as a gateway for all my client PCs’ internet connections, with authentication (e.g. PC MAC, username & password) to connect to the proxy server.

    Please, how is it possible to set up this proxy server??

  • Y RCRAO January 22, 2012, 5:35 am

    Dear Sir,
    Please give the steps for how to install squid.conf on a RHEL-4 system.

  • saint February 22, 2012, 3:25 pm

    Hello everyone, I need some help to set up a transparent proxy and gateway (firewall). I have a clean installation of my server: CentOS 6.2, squid 3.1 and dansguardian working, but my LAN clients don’t have internet; only if I manually configure the browser does it work. I need it in transparent mode. Please, can someone help me? Here are the steps and configuration. I am a newbie. Thank you for your help.

    1. IP configuration
    eth0: 10.0.0.2
          255.255.255.0
          10.0.0.1
    DNS   8.8.8.8
          4.4.4.4
    eth1: 192.168.30.254
          255.255.255.0
    DNS   8.8.8.8
          4.4.4.4
    Squid configuration
    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
    acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
    acl localnet src 192.168.30.0/24	# RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all
    # Squid normally listens to port 3128
    http_port 3128 intercept
    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 3000 16 256
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    visible_hostname Aldebaran
    2. Dansguardian configuration
    I just modified this:
    # Network Settings
    #
    # the IP that DansGuardian listens on.  If left blank DansGuardian will
    # listen on all IPs.  That would include all NICs, loopback, modem, etc.
    # Normally you would have your firewall protecting this, but if you want
    # you can limit it to a certain IP. To bind to multiple interfaces,
    # specify each IP on an individual filterip line.
    filterip =
    # the port that DansGuardian listens to.
    filterport = 8080
    # the ip of the proxy (default is the loopback - i.e. this server)
    proxyip = 192.168.30.254
    # the port DansGuardian connects to proxy on
    proxyport = 3128
    3. Enable NAT support
    echo 1 > /proc/sys/net/ipv4/ip_forward
    4. Add the redirection rule in iptables
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.30.254:8080
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    I completed these steps, then saved the iptables file with nano and restarted the firewall with the following command, and it shows me the error.
    [root@fw ~]# service iptables restart
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules: iptables-restore: line 8 failed [FAILED]

    I don’t know what else to do, please help.
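    The iptables-restore failure reported in saint's post above comes from the `-A PREROUTING` rule sitting inside the `*filter` block, where no PREROUTING chain exists; the rule belongs in a `*nat` block. The checker below is an added example (not code from the article or from any commenter) that parses iptables-save style files and reports rules appended to chains that do not exist in the enclosing table; its sample inputs are constructed to mirror that post.

```python
"""Validate an iptables-save style file: every -A/-I rule must target a
chain that is built into, or declared (:NAME ...) in, the enclosing table.

iptables-restore applies the file one table block at a time (*table ... COMMIT),
so a rule for a chain the table does not have fails at that line.
"""
from typing import Dict, List, Set, Tuple

BUILTIN_CHAINS: Dict[str, Set[str]] = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}

# Constructed sample mirroring the broken /etc/sysconfig/iptables in the post.
SAMPLE_BROKEN = """# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.30.254:8080
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same rules with the DNAT moved into its own *nat block.
SAMPLE_FIXED = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.30.254:8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def check_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) for every problem found; [] if clean."""
    problems: List[Tuple[int, str]] = []
    table = None          # table of the block currently being parsed
    declared: Set[str] = set()
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table block
            table = line[1:]
            declared = set(BUILTIN_CHAINS.get(table, set()))
            if table not in BUILTIN_CHAINS:
                problems.append((lineno, f"unknown table {table}"))
            continue
        if table is None:
            problems.append((lineno, "rule before any *table line"))
            continue
        if line.startswith(":"):                      # chain declaration
            declared.add(line[1:].split()[0])
            continue
        if line == "COMMIT":
            table = None
            continue
        parts = line.split()
        if parts[0] in ("-A", "-I") and len(parts) > 1 and parts[1] not in declared:
            homes = sorted(t for t, chains in BUILTIN_CHAINS.items() if parts[1] in chains)
            msg = f"chain {parts[1]} does not exist in table {table}"
            if homes:
                msg += f" (builtin in: {', '.join(homes)})"
            problems.append((lineno, msg))
    if table is not None:
        problems.append((lineno, f"table {table} not closed with COMMIT"))
    return problems
```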

  • alex March 11, 2012, 11:27 am

    Hello guys, thank you very much for this how-to guide.

    I wanted to ask how I can restrict a single IP/client on my LAN from accessing the http port (internet browsing) or any other port.
    My Linux box is also a web server, DHCP server + proxy.
    I’ve changed the firewall script with nixcraft’s suggestions in this reply.

  • pixel June 22, 2012, 10:39 am

    Is there any way to do the same with SSH?
    I have a VPN network and want all the clients who connect via SSH to be automatically forwarded to TOR.

  • WIN July 11, 2012, 4:27 am

    Sir,
    How can I do this: now I have a proxy server and I need to connect it directly to the router,
    and I need all clients to pass through the proxy server and then through the router to the internet.
    Please help

  • Javi July 31, 2012, 12:45 pm

    here’s another one …

    grep ^\# file | grep .

    ;)

  • Zach August 8, 2012, 8:56 pm

    I was wondering if there was any helpful advice on turning the iptables command into config notes when running shorewall?
    I use shorewall to manage all my firewall activities and since it’s a top-layer to iptables, I figure there must be a way to translate. I think that is the final piece I need in getting this to work.

  • Mushy September 8, 2012, 2:26 pm

    I am using a squid transparent proxy server and I want to block HTTPS requests like Facebook and Gmail. Can anyone tell me how it is possible?

  • Dentist September 30, 2012, 9:18 am

    Finally after reading dozens of instructions this one finally worked!

  • linuxsn October 17, 2012, 10:05 pm

    Thanks for this document. I want to know how I can configure NAT if my eth0 is not directly connected to the internet?

  • LinkoVitch November 9, 2012, 10:54 am

    Simpler grep command for you:

    grep -e "^[^#]" squid.conf

  • TunnelGuru November 27, 2012, 1:41 pm

    A transparent SSL proxy is achievable using IPTABLES with libnetfilter_queue.
    Such a module exists in the Tunnelguru software to forward traffic.

  • Yogesh December 30, 2012, 6:15 pm

    Hi Vivek,
    I am using a Squid proxy (non-transparent); everything seems fine, but sometimes I need to let some of my users bypass the proxy and access the internet directly, without proxy settings in the browser.
    For the same I run the following command.
    iptables -t nat -A POSTROUTING -s 192.168.1.200 -p tcp -m state --state NEW,ESTABLISHED -j SNAT --to-source 210.123.65.175
    This will open everything for the IP address 192.168.1.200.

    But I don’t want to open everything, only port 80. Can you please help me configure the same.

  • Rakesh April 15, 2013, 5:21 am

    Does the squid proxy work for tun interfaces in transparent mode?

  • srinivas April 26, 2013, 11:43 am

    I installed Squid; it is working very slowly if I browse anything from the client machines.

    For the server I inserted two NIC cards; do I need to give the same IP and gateway for both or different ones?

    Please help me.
    Thanks,
    Srinivas

  • srinivas May 3, 2013, 1:08 pm

    I installed the squid transparent proxy server on one system (eth0=192.168.1.203, eth1=192.168.3.5). I deployed one application on one system (proxy client, eth0=192.168.3.60). We have a router with IP 192.168.1.1.

    Now I can access this application from the LAN (proxy server area 192.168.3.0/24). But I am unable to access this application from 192.168.1.0/24 and the external network.

    Can you please help me with how I can give remote access to the app on the proxy client system?

    Thanks, Srinivas

  • Arun June 7, 2013, 8:20 am

    Hiiii... I configured a squid server on a Linux server and it's working, but when I use Wi-Fi through the squid server, Android apps are not working; only Internet Explorer is working on my Android mobile. So I just want to know how I can run Android apps on my mobile through the (Wi-Fi) squid server...... please tell me..... thanks.....

    • Babin Lonston February 17, 2014, 5:17 am

      Just give your squid server’s IP as the default gateway to the mobile.

  • Kris July 13, 2013, 4:48 pm

    You can also use grep to remove all commented or blank lines from a file:

    egrep -v '^#|^$' filename.txt

  • Bibekananda mIshra August 8, 2013, 2:07 pm

    Please help me to configure the squid proxy server. I am new to Linux. I want to block unwanted downloads from torrentz.com and limit the bandwidth of whoever is able to download from torrentz.com.

  • derp derpson October 3, 2013, 10:37 am

    instead of
    grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
    you can
    egrep -v "^#|^$" /etc/squid/squid.conf

  • vikas October 24, 2013, 1:08 pm

    Hi All,
    I configured the squid server by following these steps and it's working fine.
    But my Thunderbird and Outlook are not working on my system.
    Can anyone help me out with this problem?

    Thanks

  • venkat April 28, 2014, 9:36 am

    (Client side: Windows Server 2008 users, AD users.) How can I block internet sites through the Linux squid proxy server? Is it possible? Please guide me.

  • Ralph May 10, 2014, 3:03 am

    @venkat – you may see this forum http://nixcraft.com/showthread.php/16253-Squid-Proxy-Block-Facebook-com-amp-Orkut-com-Social-Networking-site

    This is a very helpful tutorial for the squid server. Thank you very much.

  • Alisson November 14, 2014, 6:33 pm

    Thanks a lot. The script works fine on my CentOS!