Linux: Setup a transparent proxy with Squid in three easy steps

May 27, 2006 · 301 comments · Last updated December 5, 2007

Yesterday I got a chance to play with Squid and iptables. My job was simple: set up a Squid proxy as a transparent server.

The main benefit of a transparent proxy is that you do not have to set up individual browsers to work with proxies.

My setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) eth0: IP 192.168.1.1
iii) eth1: IP 192.168.2.1 (192.168.2.0/24 network, around 150 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 4.0 (the following instructions should work with Debian and all other Linux distros)

eth0 is connected to the Internet and eth1 to the local LAN, i.e. the system acts as a router.

Server Configuration

  • Step #1: Squid configuration so that it will act as a transparent proxy
  • Step #2: Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service

First, install Squid (use up2date squid) and configure it by adding the following directives to the config file:
# vi /etc/squid/squid.conf

Modify or add the following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

  • httpd_accel_host virtual: run Squid as an httpd accelerator, with the destination host taken from each request rather than a single fixed backend
  • httpd_accel_port 80: 80 is the port the intercepted requests are destined for
  • httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and as a normal proxy
  • httpd_accel_uses_host_header on: Squid takes the destination hostname from the HTTP Host header, which is needed because an intercepted request carries only a path, not a full URL
  • acl lan src 192.168.1.1 192.168.2.0/24: access control list matching the LAN computers (and the server's own eth0 address)
  • http_access allow localhost: allow access to Squid from localhost
  • http_access allow lan: allow access to Squid from the lan ACL; together with the http_access deny all that follows in the full listing, only these sources can use the proxy

Here is the complete listing of squid.conf for your reference (grep removes all comment lines and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Or use sed alone (thanks to kotnik for the small sed trick):
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
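
A check worth running before restarting Squid, added here as an example (it is not part of the original article or of Squid itself). The listing above references the Safe_ports and SSL_ports ACLs on its http_access lines without showing the acl lines that define them (the stock squid.conf does define them; Squid treats an undefined ACL name in http_access as a fatal configuration error), and it relies on http_access deny all being the last rule, because http_access is evaluated top to bottom and the first match wins. The script verifies both on any squid.conf; the sample configs it writes are constructed for the demonstration. Note also that the httpd_accel_* directives are the Squid 2.5 syntax; Squid 2.6 and later replace them with a single http_port 3128 transparent line, as several commenters note below.

```shell
#!/bin/sh
# Added example, not part of the original article or of Squid: sanity-check a
# squid.conf before restarting Squid.
#   1. every ACL name used on an http_access line must be defined by an "acl"
#      line (Squid treats an undefined name as a fatal config error);
#   2. the last http_access line must be "deny all", because http_access is
#      evaluated top to bottom, first match wins, so the trailing deny is
#      what keeps everything outside the lan/localhost ACLs out.
# Usage: check_squid_conf /etc/squid/squid.conf   (exit 0 = pass, 1 = fail)
check_squid_conf() {
    conf="$1"
    rc=0
    # Drop comment and blank lines, the same sed trick as in the article.
    body=$(sed '/^ *#/d; /^ *$/d' "$conf")
    defined=$(printf '%s\n' "$body" | awk '$1 == "acl" { print $2 }' | sort -u)
    # ACL names referenced by http_access; field 2 is the action (allow/deny),
    # fields 3.. are ACL names, possibly negated with a leading "!".
    referenced=$(printf '%s\n' "$body" | awk '$1 == "http_access" {
        for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); print n } }' | sort -u)
    for name in $referenced; do
        if ! printf '%s\n' "$defined" | grep -qxF "$name"; then
            echo "undefined ACL referenced by http_access: $name" >&2
            rc=1
        fi
    done
    last=$(printf '%s\n' "$body" | awk '$1 == "http_access" { l = $2 " " $3 } END { print l }')
    if [ "$last" != "deny all" ]; then
        echo "last http_access rule is '$last', expected 'deny all'" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample configs for demonstration (not the article's listing).
#   $1 = output path, $2 = good | missing-acl | no-final-deny
write_sample_conf() {
    {
        echo '# constructed sample squid.conf'
        echo 'acl all src 0.0.0.0/0.0.0.0'
        echo 'acl localhost src 127.0.0.1/255.255.255.255'
        echo 'acl lan src 192.168.1.1 192.168.2.0/24'
        if [ "$2" != "missing-acl" ]; then
            echo 'acl Safe_ports port 80 21 443 1025-65535'
        fi
        echo 'http_access deny !Safe_ports'
        echo 'http_access allow localhost'
        echo 'http_access allow lan'
        if [ "$2" != "no-final-deny" ]; then
            echo 'http_access deny all'
        fi
        echo 'http_port 3128'
    } > "$1"
}

# Run directly with a path to check a real config file.
if [ -n "${1:-}" ]; then
    check_squid_conf "$1"
fi
```

Run it as sh check-squid.sh /etc/squid/squid.conf; a non-zero exit with the reason on stderr means the file needs attention before the restart in Step #3.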

Iptables configuration

Next, I added the following rules to forward all HTTP requests (coming to port 80) to the Squid server on port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script, fw.proxy. It first configures the Linux system as a router and then forwards all HTTP requests to port 3128:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall rules (filter, nat and mangle tables)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For Windows XP FTP clients (see "Problems and solutions" below); uncomment if needed
#modprobe ip_nat_ftp
# Enable IP forwarding so the box acts as a router
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy: drop unsolicited input, allow output
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# On the Internet side accept only replies to connections we started; conntrack
# covers DNS answers and passive FTP data connections
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set this system as a router for the rest of the LAN (masquerade outgoing traffic)
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# Unlimited access from the LAN (this is also what lets the DNATed port 3128 traffic in)
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# Port 80 requests arriving on the Internet interface are redirected to the local squid port
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save the shell script (here as /etc/fw.proxy) and execute it so that the system acts as a router and forwards the ports; then make the rules persistent across reboots:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or restart squid:
# /etc/init.d/squid restart
# chkconfig squid on
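
A variant of the NAT and forwarding rules, added here as an example (it is not the article's fw.proxy script). The script above forwards every packet from the LAN, so a client could still reach the Internet on any port other than 80 without touching Squid, which is the bypass Bill warns about in the comments. This version keeps the article's DNAT interception and masquerading but forwards only the TCP ports the router policy described in the comment thread opens (443, 21, 22, 25) plus DNS, and logs and drops the rest; it is meant to replace the POSTROUTING, FORWARD and PREROUTING lines of the script, with the INPUT rules kept as they are. The IPT variable and the run argument are assumptions of this example: set IPT=echo to print the rules for review instead of applying them. The port-80 REDIRECT on the Internet interface is deliberately not reproduced, and the state match is assumed to be available as in the article's script.

```shell
#!/bin/sh
# Added example (not the article's fw.proxy script): the same interception
# rules with a restricted FORWARD chain and a dry-run switch.
#   IPT=echo sh fw-rules.sh run   -> print the rules for review
#   sh fw-rules.sh run            -> apply them with iptables (as root)
SQUID_SERVER="${SQUID_SERVER:-192.168.1.1}"   # squid server IP (article's value)
INTERNET="${INTERNET:-eth0}"                  # interface connected to the Internet
LAN_IN="${LAN_IN:-eth1}"                      # interface connected to the LAN
SQUID_PORT="${SQUID_PORT:-3128}"              # squid port
# TCP ports LAN hosts may reach directly, taken from the router policy
# described in the comment thread (443, 21, 22, 25). Port 80 is absent on
# purpose: it is intercepted by the DNAT rule and never forwarded.
FORWARD_PORTS="${FORWARD_PORTS:-443 21 22 25}"
IPT="${IPT:-iptables}"   # assumption of this example: set IPT=echo for a dry run

proxy_rules() {
    # Transparent interception: port-80 traffic from the LAN is DNATed to Squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j DNAT --to "$SQUID_SERVER:$SQUID_PORT"
    # Replies from the Internet to connections the LAN opened.
    $IPT -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the listed TCP ports, plus DNS, may leave the LAN directly.
    for port in $FORWARD_PORTS; do
        $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -p udp --dport 53 -j ACCEPT
    # Anything else from the LAN is logged and dropped, so a client pointed at
    # an outside proxy on another port does not get around Squid.
    $IPT -A FORWARD -i "$LAN_IN" -j LOG --log-prefix "FWD-DROP "
    $IPT -A FORWARD -i "$LAN_IN" -j DROP
    # Masquerade what is forwarded so replies come back to this router.
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
}

if [ "${1:-}" = "run" ]; then
    proxy_rules
fi
```

The dropped-and-logged FORWARD entries are also the quickest way to find LAN hosts that are trying to reach something other than the proxy: grep the kernel log for the FWD-DROP prefix.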

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as router/gateway (use DHCP to distribute this information). You do not have to set up individual browsers to work with proxies.

How do I test that my squid proxy is working correctly?

Watch the access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

Squid records every request it handles in /var/log/squid/access.log, and the command above follows the file as it grows. As soon as somebody on the LAN opens a website in a browser, the request should appear there.
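
To go beyond watching tail -f, here is a small summary script added as an example (it is not from the article). It reads Squid's native access.log format and reports, per client, how many requests went through the proxy, how many were cache hits and how many Squid refused (TCP_DENIED), which is what a source outside the lan ACL produces when it reaches the proxy. The field layout assumed is the default native format of Squid 2.x (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type); the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: per-client summary of Squid's native
# access.log so you can see who is going through the proxy, whether the cache
# is serving hits, and which sources the lan ACL has refused.
# Native log field layout assumed (Squid 2.x default):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
summarize_access_log() {
    # $1 = path to access.log; prints "client requests hits denied", one per client
    awk '{
        client = $3
        split($4, cs, "/")             # e.g. TCP_MISS/200 -> cs[1] = "TCP_MISS"
        total[client]++
        if (cs[1] ~ /HIT/) hits[client]++           # TCP_HIT, TCP_MEM_HIT, ...
        if (cs[1] == "TCP_DENIED") denied[client]++ # refused by http_access
    }
    END {
        for (c in total)
            printf "%s %d %d %d\n", c, total[c], hits[c] + 0, denied[c] + 0
    }' "$1" | sort
}

# Clients with at least one TCP_DENIED: either a network that should not be
# able to reach the proxy at all, or an address missing from "acl lan src".
denied_clients() {
    summarize_access_log "$1" | awk '$4 > 0 { print $1 }'
}

# Constructed sample log lines (not real traffic) for demonstration.
write_sample_log() {
    cat > "$1" <<'EOF'
1164621000.123    245 192.168.2.10 TCP_MISS/200 1450 GET http://example.com/ - DIRECT/198.51.100.7 text/html
1164621001.456     12 192.168.2.11 TCP_HIT/200 1450 GET http://example.com/ - NONE/- text/html
1164621002.789    301 192.168.2.10 TCP_MISS/200 8721 GET http://example.com/style.css - DIRECT/198.51.100.7 text/css
1164621003.012      0 10.0.0.5 TCP_DENIED/403 1723 GET http://example.com/ - NONE/- text/html
1164621004.345      9 192.168.2.11 TCP_MEM_HIT/200 8721 GET http://example.com/style.css - NONE/- text/css
EOF
}

# Run directly with a path to summarise a real log.
if [ -n "${1:-}" ]; then
    summarize_access_log "$1"
fi
```

On the sample lines the summary shows 192.168.2.11 being served entirely from cache and 10.0.0.5 refused; run it against /var/log/squid/access.log to see the same picture for your LAN.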

Problems and solutions

(a) Windows XP FTP client

All FTP sessions from desktop clients ended with an error:
Illegal PORT command.

I loaded the ip_nat_ftp kernel module. Just type the following command, press Enter and voila!
# modprobe ip_nat_ftp

Please note that the modprobe command is already included (commented out) in the shell script above.

(b) Port 443 redirection

I had blocked all connection requests at our router except those from our proxy server (192.168.1.1), so requests on all other ports, including 443 (https/ssl), were denied. You cannot redirect port 443; from the Debian mailing list: "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL".

Therefore, I quickly reopened port 443 on the router firewall for all my LAN computers and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

Updated for accuracy.

Comments

1 Jay of Today May 27, 2006 at 6:15 am

you gotta be kidding, only 150 desktops and 8 gigs of RAM??????? I use to have p133 with 64megs with that setup way back then!!!

bah, newschoolers SUCKS

2 LinuxTitli May 27, 2006 at 12:39 pm

LOL :D

8GB gives you the best performance.

Squid performance = more ram + fast SCSI disk

Cost of RAM : Yet another reason or factor to have a more ram. Even people started to use desktop system with 1GiB:P

3 venkat June 2, 2011 at 5:05 am

Shall I install squid proxy in a normal PC (HP i5 processor, 8GB RAM)?

4 kotnik May 27, 2006 at 4:17 pm

Use following sed magic to remove both comments and empty lines at the same expense:

sed '/ *#/d; /^ *$/d'

5 LinuxTitli May 27, 2006 at 5:23 pm

kotnik,

Nice sed trick, no need to use grep :)

Appreciate your post.

6 Aaron May 28, 2006 at 9:53 am

Hi,

I have similar setup, only one question, How do I block Yahoo and MSN messengers (block at router or transparent proxy+iptables level) ?

Cheers,

Aaron

7 LinuxTitli May 28, 2006 at 10:07 am

Aaron,

My firewall policy @ router:
Default firewall Policy: Close all door and open only required windows

Block all incoming and outgoing request
Open only required ports i.e. 80 (from proxy only) , 443, 21, 22, 25 etc as per requirement. This configuration automatically blocks rest of stuff.

You can implement similar policy using Squid ACL or iptables.

8 Scott May 29, 2006 at 5:01 am

Nice, quick, down and dirty article. :-)

Aaron: http://www.mail-archive.com/squid-users@squid-cache.org/msg38193.html will explain how to block Yahoo, MSN and other IM’s.

For anyone interested, I have thrown together a HOWTO on getting Squid to work properly in conjunction with Active Directory authentication. It can be found here: http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/

Enjoy!

9 Bill May 29, 2006 at 5:55 am

Aaron,

My findings with chat networks like AIM is that, even if you block the specific ports used by the network (ie, 5190), the login server will accept connections to other ports that are common, such as 80, 25, 443, 23, etc. Your best bet for blocking chat traffic is to block the ports used by the network, as well as the IP addresses associated with the login servers, like login.oscar.aol.com.

Additionally, write your internal routing rules such that only traffic passing through your proxy can reach the Internet. Otherwise, users will be able to circumvent your proxy and use a public proxy.

10 Desert Zarzamora May 29, 2006 at 6:27 am

Sometime ago, I wrote another how-to, but this time for a COMPLETELY transparent proxy. That is, a bridged proxy.

That's a bit more esoteric stuff, but very useful if you really can't mess with your network topology.

Have a look at: http://freshmeat.net/articles/view/1433/

11 Hans May 29, 2006 at 6:51 am

I would love to run into your office, replace your server with a Pentium 200 with 128mb of RAM… you probably wouldn’t notice the difference, if all you are using it is for squid. then I would actually make some good use of the machine. I’ve got a pentium 200 doing far more (proper proxy, apache server, svn, samba, etc etc) and handles it perfectly well

???

12 LinuxTitli May 29, 2006 at 2:05 pm

@Desert Zarzamora and Scott, nice tutorial (thanks for links)

@Hans, heh Well to be frank I am just admin and decision regarding h/w or infrastructure made by someone else … this is how things work in an enterprise IT division (they don’t care about money as they also make more money from core business so they want world class stuff). However, I agree with you about h/w requirement can be low to run other services.

@Bill, Good advice there.

Appreciate all of yours post and feedback :)

13 Steve May 30, 2006 at 8:44 am

Just wondering, do we really need squid acting as an accelerator here?

Nice article, and what a beast of a proxy server. I think everyone else is just jealous cos they only have P1's.

14 ADHDPHP June 1, 2006 at 3:24 am

Thanks LinuxTitli!!! I really appreciate you sharing your knowledge with others!

Keep up the great work!

KMC

15 ADHDPHP June 1, 2006 at 3:28 am

Also, LinuxTitli, do you have any need to use dansguardian in conjunction with squid for content filtering? That would probably make good use of that RAM too!

Thanks again!

16 massage therapy products June 1, 2006 at 8:14 am

Well, I’ll be needing to set one of these up eventually, so you’re bookmarked. I wonder how performance would be if I set up a RAID system on USB drives…

17 avanish June 1, 2006 at 10:17 pm

how we can config the ftp service in squid proxy

reply

avanish gupta
india

18 nixCraft June 1, 2006 at 11:33 pm

Avanish,

Add following line to config file
acl ftp proto FTP
http_access allow ftp

If client computers are using the IE browser then go to Tools > Advanced and uncheck the option that reads Enable folder view for FTP sites.

FTP proxy only works through the browser and it will not work at the command line.

Remember squid is not a real ftp proxy.

19 nesargha June 2, 2006 at 5:07 pm

Thank you,
I had a little bit of problems running the script on Red Hat 9; I had to remove the $lan_in etc. and type the actual values, but at last it worked fine for me.

nesargha
india

20 Aaron P June 4, 2006 at 9:18 am

Using squid transparently, you lose the ability to authenticate users (bummer). While I can understand why (to a certain degree), is there a way to just get the username for logging purposes?

It’s like I’m up a (little river) without a (rowing device). I need squid for logging user hits, but I can’t do it without transparent routing. And I can’t authenticate in transparent mode due to the accelerator. Any ideas?

Awesome article. Thanks!

AP

21 hosseini May 29, 2011 at 11:40 am

Hi
I send filter with easy installation
However, strong and durable

22 nixCraft June 4, 2006 at 3:35 pm

@Aaron,

Simple answer is you cannot do both things (transparent proxy + auth). The browser has no way of knowing it is using a proxy.

So, what you can do is use automatic URL configuration (i.e. no transparent proxy) with WPAD.

The information for WPAD and automatic URL configuration is available at the official Squid FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ-5.html

If you find any other way then let us know…

Hope this helps.

@nesargha,
Maybe because of html formatting… I will upload the script as a text file so that others can use it directly (but you still need to make changes to the script)

23 Vicky March 15, 2012 at 10:34 am

@vivek: I'm still confused why it's not possible to configure squid to ask for username & password when operating in transparent mode.

What's the difference between "specifying the proxy settings in the browser (NON-TRANSPARENT)" & "forwarding all http traffic to port 3128 (TRANSPARENT)"??

What prevents squid from asking for the login in TRANSPARENT mode??

VICKY
EMAIL: vicky (at) LINUXMAIL.ORG

24 Martin Wallace June 17, 2006 at 6:24 am

I am just a newbie, but I think there’s an error in your configuration of iptables. The lines should read :

iptables -t nat -A PREROUTING -i eth1 -p tcp -–dport 80 -j DNAT -–to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp –-dport 80 -j REDIRECT -–to-port 3128

That is, you need –, not -, before to, to-port and dport.

Correct me if I’m wrong. Martin

25 Martin Wallace June 17, 2006 at 6:31 am

I see that the problem is with formatting. You need two dashes, not one, before to, to-port and dport, but they look like one (slightly longer) dash on my screen.

Try again:
iptables -t nat -A PREROUTING -i eth1 -p tcp – –dport 80 -j DNAT – –to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp – –dport 80 -j REDIRECT – –to-port 3128

26 harish singh August 17, 2014 at 7:59 am

I have two LANs: eth0 (WAN) IP is 192.168.2.5, subnet 255.255.255.0, DNS 8.8.8.8, 8.8.4.4
and eth1 (LAN) IP 192.168.1.1, subnet 255.255.255.0
and squid.conf
acl mylan src 192.168.1.0/24
http_access allow mylan
http_port 3128 transparent
visible_hostname harsh.singh.com
and iptables rules are
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s 192.168.1.0/8 -p tcp --dport 3128 -j ACCEPT
client side: Windows 7 Pro
IP 192.168.1.10, subnet 255.255.255.0, gateway 192.168.1.1
but it's not working; when I am giving the proxy setting then it works.
Please somebody help me, I am so disturbed.

27 nixCraft June 17, 2006 at 7:44 pm

Martin,

I just checked the script. There is no problem. However, it looks like, HTML formatting breaks the script. Direct link to download script:

http://www.cyberciti.biz/tips/wp-content/uploads/2006/06/fw.proxy.txt

Hope this helps :)

28 sohan July 12, 2006 at 5:28 am

I am using the same rules given above. Can I block my users from using a public proxy? Do I have to modify my squid.conf or iptables?

29 nixCraft July 12, 2006 at 10:23 am

sohan,

You just need to setup LAN ACL. If you are using above config then it only allows access from LAN.

30 WebSean July 30, 2006 at 9:55 pm

I am running Squid 2.5 on Macintosh OS X (10.3.7) with the handy "SquidMan" port for OS X / Darwin and it works great. The interface does allow me to make the httpd_accel_… modifications to the squid.conf file for transparent proxying, but how do I set up the iptables step? My system uses ipfw instead and I have tried "sudo ipfw add 1000 fwd 127.0.0.1,8080 tcp from any to any 80" only to see my port 80 malfunction. How can I configure the port 80 hijack/redirect function to get transparency working on OS X? Thanks in advance.

31 tony September 6, 2010 at 7:28 pm

WebSean,

Did you ever get a reply back? I have similar setup
browser->dansguardian->squid->internet and I’m using ipfw

Can’t seem to get transparent working. Meaning redirecting requests coming to port 80 to dansguardian port 8080

I've tried all and each with different combinations of the following below in my ipfw ruleset – nothing works, just goes straight to internet, bypasses dansguardian completely

${IPF} add 01000 allow tcp from me to any 80 out via $EXT_INT setup $KS

#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
#ipfw add 50 fwd 127.0.0.1 tcp from any to any 80
#${IPF} add 01006 allow tcp from 127.0.0.1 to any 80
#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 in recv $EXT_INT
#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from me to any 80 via $EXT_INT
#${IPF} add 01008 allow tcp from me to any 80 out xmit lo0
#${IPF} add 01009 allow tcp from any 80 to me in recv lo0 established

${IPF} add 7000 fwd 127.0.0.1,8883 tcp from any to any 80

my squid.conf looks like this

http_port 127.0.0.1:3333 transparent

because that is what squid 3.1.7 version all needs

32 tony September 6, 2010 at 7:28 pm

WebSean,

Did you ever get a reply back? I have similar setup
browser->dansguardian->squid->internet and I’m using ipfw

Can’t seem to get transparent working. Meaning redirecting requests coming to port 80 to dansguardian port 8883

I've tried all and each with different combinations of the following below in my ipfw ruleset – nothing works, just goes straight to internet, bypasses dansguardian completely

${IPF} add 01000 allow tcp from me to any 80 out via $EXT_INT setup $KS

#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
#ipfw add 50 fwd 127.0.0.1 tcp from any to any 80
#${IPF} add 01006 allow tcp from 127.0.0.1 to any 80
#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 in recv $EXT_INT
#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
#${IPF} add 01007 fwd 127.0.0.1,8883 tcp from me to any 80 via $EXT_INT
#${IPF} add 01008 allow tcp from me to any 80 out xmit lo0
#${IPF} add 01009 allow tcp from any 80 to me in recv lo0 established

${IPF} add 7000 fwd 127.0.0.1,8883 tcp from any to any 80

my squid.conf looks like this

http_port 127.0.0.1:3333 transparent

because that is what squid 3.1.7 version all needs

33 Emre October 2, 2006 at 7:52 am

To see neither empty lines nor remarks, grep can be used in this way:

grep -Ev "^$|^#" /etc/squid/squid.conf

34 Praveen October 29, 2006 at 1:57 am

Hi,
Is it possible to retain the public IP address while using squid?
All PCs in my LAN have public IP addresses. I want to use squid.
But whenever I use transparent squid, the outgoing packet keeps the squid server's IP as source IP address. How can I use squid httpd_accel without proxy?

35 nixCraft October 29, 2006 at 8:13 am

The whole point of using transparent proxy/NAT is to hide internal IP address.

As long as you have squid in between internet and other boxes anyone will see your squid ip address

36 karthick November 11, 2006 at 2:23 pm

dear,

cyberciti guys, thank you very very much, because your web site is good food for linux hungry people.
Continue your job with god's blessings.
By,
Yours
S.Karthick

37 Marlon November 15, 2006 at 8:47 am

Hi guys,

I ask something about my firewall-squid-dhcp server in one box. I have eth0 for the internet connection and eth1 for the local connection… what I want to do is make all clients connected at eth1 (local connection) use a transparent proxy.

Could you provide me the minimal config of iptables/squid.conf to make my all-in-one linux box work as a transparent proxy?

I want the minimal config of iptables without filtering, temporarily.

Thanks!

38 nixCraft November 15, 2006 at 9:54 am

Squid config remains the same. Only iptables will change. Type the following at the command prompt to get started temporarily:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Replace 192.168.1.1 with your actual Linux server IP address (local LAN IP)

39 Jaimohan November 17, 2006 at 6:13 am

Dear friends,
Can I run the VPN-Checkpoint software with squid using transparent proxying? Please reply asap

Regards
Jai

40 nixCraft November 17, 2006 at 12:59 pm

Yes you can as long as everything is configured you should able to use VPN with any other internet service

41 Mimbari November 24, 2006 at 1:58 am

For a “completely totally” transparent proxy, use http://www.balabit.com/downloads/tproxy/linux-2.6/

That way the client IP address will be used by the Squid, still caching etc too. Needs inbound routing of reply server traffic to be routed back through the Squid box though.

It’s kernel & iptables patching only, yielding the tproxy iptables table..

In Valen’s Name.

42 neddy November 27, 2006 at 12:23 am

Hi there, I have a few questions…
1) Will this proxy things such as Steam games / downloads, Microsoft updates, anti-virus updates and other things that do not run on port 80?

2) The proxy appears to work, and I have set my IP address to it, but if I download a 10MB file, then download the same file on another PC, the speeds are still slow, indicating that the proxy may not be working…
When I run "tail -f /var/log/squid/access.log" I get the log to screen & file, and it is showing that there is data being proxied, but everything still runs 'slow'

3) I am running it on public IP addresses, one for the eth0 (internet) 203.16.209.x
and the second IP address for the people using the proxy is eth1 (lan) 203.221.91.x. The proxy all works, but could this be why it is running slow?

- cheers

43 nixCraft November 27, 2006 at 6:32 am

Neddy ,

Yes everything should work as long as remote site is using port 80 for downloading updates and patches.

If you need to cache larger file you need to enable cache object size. Default is 4 MB. However it is not recommended to use such large cache object size until and unless you have monster cache server (normally ISP enables large cache object). You need to tune out your squid for this. The defaults are good to improve overall user experience.

Proxy should work fast. Make sure you have correct DNS server setup. Try to use OpenDNS server http://opendns.com/

HTH.

44 woodsturtle November 29, 2006 at 3:40 pm

I am having trouble accessing an MS SharePoint server through squid 2.6 configured in transparent proxy mode. Everything that I have read so far suggests that I must bypass squid altogether because of the NTLM authentication required to access SharePoint. Is this the case? Also, what is the iptables statement which I should use before the DNAT statement? I am using wccp and have created a GRE tunnel on the squid box.

45 Hernan November 29, 2006 at 4:45 pm

Excellent guide, it works for me. Thanks. Now I'm working on an ACL that lets a few machines access MSN.

46 woodsturtle November 29, 2006 at 7:10 pm

What guide are you referring to?

47 ReMSiS December 12, 2006 at 12:31 pm

Hello,

Really the guide is wonderful and it worked 100% for me and even the clients using it are amazed with its speed. But there is one problem now!!! How can we access mail? i.e. clients using Outlook are not able to send and receive mail because the ports are blocked or it is not able to resolve the mail server. How can I make mail work too? Because now only http is working; pop3 and smtp are not!!! How can I do that?

Regards,

48 nixCraft December 12, 2006 at 7:39 pm

I think your topic is already answered @ our forum.

49 ReMSiS December 13, 2006 at 8:27 am

Yes nixcraft answered but still not working right, the script yesterday worked now its not !!! I maybe going crazy…

50 sohan January 2, 2007 at 9:55 am

I have installed Squid-2.4 on Red Hat Linux enterprise 4
2 Public IPs are available from 2 different ISPs.

Now I want to configure Squid so as to apportion traffic among the IPs
by destination (external) IP and by source (internal) IP. The aim is to give the complete bandwidth available from one ISP to one set of users for their access to specific URLs.

Is there any way to do the same in Squid?

51 sohan January 2, 2007 at 11:04 am

Hi All

I want to put quota limit on Squid for users. I want to limit users for specific data limit like If i want to allow users to consume on 4 GB Data through Squid then what i need to do. Is there any additional tool for squid to do this or squid can do this also ?

If anybody have solution for this please let me know.

thanks

52 Raghuram January 31, 2007 at 5:34 am

Hi,

Nice tut. Just what I wanted for an education facility of 45 machines. Have a 2Mbps ADSL connection which I want to share across the LAN. This is my first time with squid. One doubt – my lan ip (eth1) is DHCP driven while eth0 (internet facing) has a static IP. In this case, will squid work?

thanks.

53 raghu January 31, 2007 at 5:37 am

Will squid work with DHCP assigned eth0 and static IP eth1?

Nice tutorial, thanks.

54 nixCraft February 1, 2007 at 10:07 pm

raghu,

You can use Squid with DHCP assigned IP

55 Marco A. Barragan February 7, 2007 at 1:48 pm

All this does not work for 2.6; in the case of using:

http_port x.x.x.x:xx vhost transparent or any combination, the message is "Can't use transparent and cache in the same port"; if you try to use the cache_peer command, an error appears: FATAL: Bundle in line x: cache_peer …

So, now you can't use the server for caching and proxy at the same time :S

56 nixCraft February 7, 2007 at 3:10 pm

#1: You cannot set proxy and transparent http on same port.

@2: There is some discussion going on about cache peering @ our forum.

HTH

57 Clay February 8, 2007 at 7:05 pm

I’m trying to setup squid transparently on a box that has one network interface, but is plugged into a hub between the Internet connection and the switch that the clients are on. (I realize this is not ideal, but it’s what I have to work with.)

Can anyone point me in the right direction?

58 rakesh February 9, 2007 at 3:26 pm

sir
Well, I have one problem. I have one system with two ethernet LAN cards, one connected to a public IP and another to the local network. What I want is that if any external client sends a request on port 80, that request should be redirected to my local DNS. How can it be possible?
Another thing: I have two domains, mydomain.com (local) and another http://www.com (internet). Now if any client requests http://www.com, the request should be redirected to mydomain.com. Can it be possible? If possible, please send me the solution.

59 raghu February 11, 2007 at 1:23 pm

Hi vivek,
Can squid be set up on a machine different from the internet gateway machine? I have a DHCP (FC5) server on which I want to set up squid. My internet gateway (ADSL) machine runs Windows Xp and I don’t want to disturb it.

Thanks.

60 Marco A. Barragan February 17, 2007 at 3:41 pm

But how can I configure it? Any idea? How do I activate the cache for my network? Can anyone help me to make the right stuff? I'm redirecting port 80 to 3128 with iptables (old style squid) and using this:

http_port 10.42.0.1:3128 transparent
half_closed_clients on
visible_hostname 201.234.228.139
coredump_dir /var/spool/squid

Where 10.42.0.1 is the network interface (eth0) connected to the LAN, and eth1 is the WAN.

I want to make the cache for my users with squid, and also use the proxy, but I can't go to every client to configure proxy settings; I need transparent, and cache. I tried everything; I use this:

http_port 10.42.0.1:3128 transparent
cache_peer 127.0.0.1 parent 3128 3130 originserver
half_closed_clients on
visible_hostname 201.234.228.139
coredump_dir /var/spool/squid

Not working; I used all the "arrows" that I imagine and nothing. Can anyone explain to me how to do it?

Really thanks a lot for any help.

61 Siva February 19, 2007 at 7:05 am

How to control my bandwidth using squid proxy?

62 Marco A. Barragan February 21, 2007 at 4:12 pm

for bandwidth you can use this:

first step: configure how many delay pools you are going to use, for example if you have 2 types of users (one with big bandwidth and others with low bandwidth) you need to put this:

delay_pools n, in our example: delay_pools 2

then you need to define the class of bandwidth; there are 3 types, 1, 2, 3. In our example we use the classes 1 and 2, for unlimited general and the restricted:
delay_class 1 1
delay_class 2 2

then use the parameter to define the velocity; remember, if you want 128 kbps, you need to multiply it by 128 to convert to bps:

delay_parameters 1 -1/-1
delay_parameters 2 -1/-1 16384/57600
-1 means unlimited
second is for 128 and boost of 450

last step is defining the acl, in my case:

acl localhost src 127.0.0.1/255.255.255.255
acl clientes src 10.42.100.0/255.255.255.0
acl limitados src 10.42.99.0/255.255.255.0

delay_access 1 allow clientes localhost !limitados
delay_access 2 allow limitados
delay_access 1 deny all
delay_access 2 deny all

Dunno if it is correct but it is an example, you can investigate more.

63 bitou February 26, 2007 at 1:51 pm

This fw.proxy has to be started manually every time the computer is started; only then will the transparent proxy work. Is there a method to do it automatically, so that the script is executed on start up even without the need of the user to log in?
Regards

64 nixCraft February 26, 2007 at 2:14 pm

bitou,

If you are using RedHat/CentOS/FC Linux type:
service iptables save
chkconfig iptables on

If you are using Debian/Ubuntu Linux read this

65 Coders2020 March 7, 2007 at 5:26 am

In the past I had serious problems with configuring squid on my local network. I am already under a university firewall/proxy. Can I configure a proxy under a proxy (I know it has no practical use but just asking for testing purposes)?

66 Prabir Das March 19, 2007 at 9:04 am

It's a good education package for us.

67 Prashant Soni March 20, 2007 at 7:07 am

Hi,

My name is Prashant. I am Sr.Network Engineer in an ISP.

I would like to put a transparent proxy with bridge between our local networks and Internet.

I've tried to configure squid transparent proxy with bridge a couple of times, but not yet successfully.

I am explaining the scenario and hope somebody will help me.

SCENARIO :

We have 2 ip pools in our networks.
1. 128.0.0.0/18 (fake ip)
2. 59.x.x.96/27 (real ip)
3. 59.x.x.0/27 (Real IP Used in internetwork)

We have one mikrotik master router from which both network goes to the radware(which is load balancer and using internetwork ip listed in a cisco). Now I want to put squid between mikrotik and radware (load-balancer)

In my network nobody uses authentications so not needed.

When I configured squid as a transparent proxy in bridge mode, sometimes it gave me ACL errors. But when I changed squid.conf to "access_allow all", no error came, but the page did not load.
With these settings I can ping and traceroute to the Internet from client addresses as well, but the page does not load.

I've done all the configuration as stated in the link below:

http://freshmeat.net/articles/view/1433/

Please guide me regarding this matter.

Regards,
Prashant

Reply

68 Nandkishor March 27, 2007 at 6:13 am

Hi,
I have configured a DHCP server using ES Linux 4. It has 2 ethernet cards. eth0 is used for DHCP (LAN) & eth1 is connected to the Internet.
eth0 uses IP 192.x.x.x
Netmask 255.255.255.0
Gateway 59.x.x.x (this is the IP of eth1)
eth1 uses IP 59.x.x.x
Netmask 255.255.255.240
Gateway 59.x.x.129

Client machines can ping the IP of eth0, and also ping the gateway of eth0 & the IP of eth1. But they are not able to ping the gateway of eth1, 59.x.x.129,
so they are not able to connect to the Internet.
So please give me the solution for this.

Reply

69 Nandkishor March 30, 2007 at 11:57 am

Hi,
I have configured the transparent proxy with the DHCP server. How do I block files from downloading, like *.dll, *.mp3, *.mp4 etc., for a specific time?

Reply

70 nixCraft March 30, 2007 at 5:25 pm

Nandkishor,

Please see this article

Reply

71 xaviero March 30, 2007 at 6:13 pm

How about if I use another PC for the router & gateway, then use another PC (SLES installed) just for the transparent proxy (DMZ)?

The proxy already works, but it's not transparent. What should I do with the iptables?

Advice please

Reply

72 Nandkishor April 3, 2007 at 6:20 am

Hi,
I have configured many virtual hosts on one server and added the same big file to all the virtual hosts. But because of this big file more space is required.
So is it possible for me to create one folder on that server, put that file in it & give the path of that folder to all the virtual hosts?
But how is it possible? Please give me the solution for this.

Reply

73 Nandkishor April 3, 2007 at 9:46 am

Hi,
I have seen the article for blocking downloads of .dll, .mp3, .mp4, .exe & many other files, & did the configuration.
But this is not working to block the file downloads. Please give me the solution for this.

Reply

74 Gurpinder Singh April 7, 2007 at 10:34 am

hello everybody

I want to configure a squid server on Fedora Core 5. I want the IP address ranges 192.168.1.1 – 192.168.1.60 and 192.168.1.101 – 192.168.1.160 to have Internet access on those client machines, and no Internet access on the other IP addresses, i.e. 192.168.1.61 – 192.168.1.100. Please reply urgently to my mail address.

Gurpinder Singh

Reply

75 Alex Ling April 10, 2007 at 3:43 am

Hi all

I would like to know how to forward HTTP requests to other proxies (like privoxy).

Thanks.

Reply

76 mark April 26, 2007 at 10:44 am

Good day. I'm currently running squid 2.5 on my CentOS server… I needed authentication for my users before accessing the Internet (80, 21, 443, etc.), so I configured it accordingly. However, one of my clients needs to access an FTP server which enforces username and password authentication. Squid tries to connect using an anonymous user rather than prompting for a password…
My question being: how could I enable user authentication to public FTP servers if my machine is behind a squid proxy server?
I’d appreciate your best effort. Thanks in advance.

Reply

77 pankaj chauhan April 28, 2007 at 9:54 am

hello everybody,
I have a squid proxy server.
My server IP is 192.168.0.1.
My client IPs are 192.168.0.2 to 192.168.0.240.
The Internet is working properly on the clients.
Is it possible that the first 30 clients (192.168.0.2-192.168.0.30) get more bandwidth than the rest of the clients?
Please tell me what changes to make in the squid.conf file for it.

Reply

78 Tapan May 3, 2007 at 4:48 am

How to prevent bypassing sarg and dansguardian?

Reply

79 tushar May 9, 2007 at 10:59 am

Hi All
My name is Tushar and I want to make a project on the squid proxy server, because I want to submit a complete project on the squid proxy server.
Thanks.
Tushar Raut

Reply

80 Frank May 10, 2007 at 4:41 pm

Is there any indication to use some sort of virus/malware filter in this setup, aka, HAVP – HTTP. http://www.server-side.de/

Cheers!

Frank

Reply

81 chandrakant May 24, 2007 at 7:20 am

Hi
Thanks for the fw.proxy file.
After enabling this file I'm able to run my system as a router and proxy server.
But after restarting the server I'm receiving so many log messages.
Please have a look and tell me how I can block them.
Due to this my server is responding slowly…
System log:-

May 24 12:45:06 pune dbus: Can't send to audit system: USER_AVC pid=2658 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=root:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus

May 24 11:28:21 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29613 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:22 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29615 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:23 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29616 PROTO=UDP SPT=137 DPT=137 LEN=58

Regards,
Chandrakant

Reply

82 csbot May 24, 2007 at 9:57 am

chandrakant,

Remove last line:
iptables -A INPUT -j LOG

BTW, logging will not slow down your server.

Reply

83 cedric May 27, 2007 at 11:17 pm

Your instructions work well, but I can't connect to my network printer and another server on my LAN. I'm also having a problem setting up a static IP for eth0. I followed the instructions from the link you gave. I tried to do it several times and always had to go back to using DHCP. I need some help, and what gateway would I use for eth0?

Reply

84 Chandrakant May 31, 2007 at 12:31 pm

Hi,

One more problem I am facing with the above configuration.
I am not able to use web access of the Exchange 2003 server, and the OfficeScan http URL.

Can anybody help me resolve this?

Chandrakant

Reply

85 bhupesh karankar June 1, 2007 at 10:07 am

Hello Friend,
I am Bhupesh Karankar; I have a problem with squid.
As above, I have implemented squid on my server, but still my clients are not able to access mail via Outlook with squid.
Waiting for your reply.
I have the same configuration as above.
Waiting for your reply,
need help

Bhupesh Karankar
bkarankar@gmail.com
0998110488

Reply

86 Brent June 1, 2007 at 5:42 pm

Thanks for posting the transparent proxy script. It works very well. I like the way you chose to close everything and only open what you need. I do need to open a few ports, like https (443) and possibly one or two more (ssh). Can you post how you would do this? Thanks.

Reply

87 nixCraft June 1, 2007 at 9:03 pm

Find line
# DROP everything and Log it

Add your iptables rules before that line. Remember you must deal with eth0 and eth1, otherwise you will create a new security issue.

Reply
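An added example of what that reply describes (not nixCraft's own rules, nor part of fw.proxy): the extra INPUT rules for Brent's question, each one tied to the interface it applies to, meant to be pasted just above the "# DROP everything and Log it" line. The admin network address is an assumed placeholder, not an address from this page.

```shell
#!/bin/sh
# Added example, not from the original post or fw.proxy: the rules for Brent's
# question, written so every one names the interface it applies to, to be
# pasted just above "# DROP everything and Log it". IPT defaults to
# "echo iptables" (dry run, no root needed); set IPT=iptables to apply.
# ADMIN_NET is an assumed example value, not an address from this page.
IPT="${IPT:-echo iptables}"
INTERNET="${INTERNET:-eth0}"                 # Internet-facing interface
LAN_IN="${LAN_IN:-eth1}"                     # LAN-facing interface
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"     # assumed: where admins ssh from

# open_to_box PORT IFACE [SRC]: accept new TCP connections to this box on PORT,
# only arriving on IFACE, and only from SRC when given. Reply packets are
# already covered by the ESTABLISHED,RELATED rule in fw.proxy.
open_to_box() {
    port=$1; iface=$2; src=$3
    if [ -n "$src" ]; then
        $IPT -A INPUT -i "$iface" -p tcp -s "$src" --dport "$port" -m state --state NEW -j ACCEPT
    else
        $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    fi
}

# extra_rules: what goes above the final LOG/DROP pair. The LAN side needs
# nothing here: "iptables -A INPUT -i $LAN_IN -j ACCEPT" already opens it, so
# a rule without -i would only widen what eth0 accepts.
extra_rules() {
    # HTTPS served by this box, reachable from the Internet side
    open_to_box 443 "$INTERNET"
    # SSH from the Internet side, but only from the admin network
    open_to_box 22 "$INTERNET" "$ADMIN_NET"
}

extra_rules
```

Run it as-is to see the rules it would add; with IPT=iptables and root it appends them, so run it after fw.proxy and before the LOG/DROP lines, or paste the two iptables lines it prints into the script at that point.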

88 bhupesh karankar June 2, 2007 at 9:39 am

hello,
This is a nice script.
But when I use this, it blocks smb and squid and my web server.
What to do?
Waiting for reply
bkarankar@gmail.com
bhupesh karankar

Reply

89 nixCraft June 2, 2007 at 10:14 am

bhupesh,

Open those ports using iptables rules, as this script locks down everything. Read my comment #82. If you have more questions please post to our forum.

Reply

90 Maroon Ibrahim June 11, 2007 at 6:16 am

Prashant!!!

allow access for ICP

Regards

Reply

91 Nandkishor June 11, 2007 at 6:35 am

Hi,
I configured the transparent proxy & also set the iptables. This is working fine. But recently I have run into trouble. If I try to open any site like gmail.com or any other site, sometimes it works but sometimes it gives the following error.

The requested URL could not be retrieved

While trying to retrieve the URL: http://gmail.com/

The following error was encountered:

Unable to determine IP address from host name for gmail.com

The dnsserver returned:

Refused: The name server refuses to perform the specified operation.

This means that:

The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.

Your cache administrator is root.

Please give me the solution for this.

Regards,
Nandkishor

Reply

92 Linuxnewbie June 11, 2007 at 11:19 am

Hi,
I need to install a transparent proxy with squid caching, but my eth0 is connected using DHCP, so what changes need to be done? Thank you for publishing your experiences and configurations…

Regards

Reply

93 nixCraft June 11, 2007 at 3:16 pm

Hi Linuxnewbie,

Make sure eth0 always gets the same IP; if that is not possible, modify the script to obtain the IP address using the following statement:
ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}'

Set SQUID_SERVER as follows:
SQUID_SERVER=$(ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}')

NOTE: you only need to use the above if the SQUID_SERVER IP is dynamic; otherwise it should work out of the box.

HTH

Reply

94 linxnewbie June 12, 2007 at 7:22 am

Thanks for the reply… so no need to make any changes in the IPTABLES, right?

Reply

95 chandar June 25, 2007 at 1:53 pm

Hi Vivek,
I configured squid/2.6.STABLE12 with the help of your script file. Below is my N/W scenario:
client –> Squid + Router –> PIX –> Router –> Internet.

In this case everything is working very fine, for a few minutes. After some time clients are not able to ping the gateway, that is my squid server. But clients are able to ping the next hop IP, i.e. the PIX IP or router IP. This problem is resolved when I restart the network service of the Linux machine,
and it happens every time.
Please find below a snapshot of the Linux machine's iptables.

# squid server IP
SQUID_SERVER="10.30.200.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Reply

96 permittivity March 6, 2011 at 3:37 am

Check /etc/resolv.conf on the gateway and squid while the network is working fine; then, when it's not working fine, check it again.

Reply

97 chandar June 25, 2007 at 1:54 pm

Hi Vivek,
I configured squid/2.6.STABLE12 with the help of your script file. Below is my N/W scenario:

client –> Squid + Router –> PIX –> Router –> Internet.

In this case everything is working very fine, for a few minutes. After some time clients are not able to ping the gateway, that is my squid server. But clients are able to ping the next hop IP, i.e. the PIX IP or router IP. This problem is resolved when I restart the network service of the Linux machine,
and it happens every time.

Please help me to resolve this issue.

Regards,
Chandru

Reply

98 shellyacs June 27, 2007 at 4:03 pm

Need help. I have read the forum on transparent proxy. I have followed it to the letter. I cannot get it to work. I am using SUSE Linux 10.2. I can get to the Internet from the workstations, but only if I set up the squid server as a proxy in IE. Any help would be greatly appreciated. Thanks

Reply

99 Amrendra July 6, 2007 at 10:00 am

I have used the above kind of firewall (iptables). I don't want to use a transparent proxy because we need to use authentication, and if I am allowing forward and unlimited access to the LAN then they are also able to bypass the proxy to use the Internet.
So can anyone give me a solution so that, for accessing websites (http/https), people must go through the proxy and its authentication, and for everything else they should be allowed from the LAN; everything else includes (FTP, DNS) responses.
Thanks
Amrendra.

Reply

100 forweb July 9, 2007 at 3:32 am

I got some errors when I used the instructions above: 400, something like "the syntax of the request was wrong"…
The script above works great, but this is what I had to add to get it to work on my Ubuntu 7.04.
squid.conf:
http_port 80
http_port 192.168.1.9:3128 transparent
(this is the NIC connected to the Internet)
acl jamal_net src 192.168.2.0/24
(this is the LAN NIC)
http_access allow jamal_net
http_access allow localhost

Change your IPs to comply with your above script.
Start your squid.
Start your fw-proxy.
Add it to rc.local so it will run at startup.

Reply

101 oj July 16, 2007 at 10:20 am

Excellent write-up. Very helpful to me.

Reply

102 Slavko July 26, 2007 at 7:08 pm

From SquidFaq

For Squid-2.6 and Squid-3.0 you simply need to add the keyword transparent on the http_port that your proxy will receive the redirected requests on as the above directives are not necessary and in fact have been removed in those releases:

http_port 3128 transparent

Reply
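An added example to go with Slavko's note (not from the original post or any comment): a small script that writes the minimal squid.conf for the Squid 2.6/3.0 syntax, using the addresses from this article (LAN side 192.168.2.1, clients 192.168.2.0/24), and a check that lets squid parse it when squid is installed. The hostname is a placeholder and the Safe_ports list is cut down to what this setup needs.

```shell
#!/bin/sh
# Added example, not from the original post or any comment: generates the
# minimal squid.conf for the Squid 2.6/3.0 syntax Slavko quotes, for the
# addresses used in this article (LAN side 192.168.2.1, clients 192.168.2.0/24).
# None of the httpd_accel_* lines from the original steps may remain; those
# releases reject them. The listen address is pinned to the LAN interface so
# the box is not reachable as a proxy on eth0. The hostname is a placeholder.
write_transparent_conf() {
    lan_ip=$1; lan_net=$2; out=$3
    cat > "$out" <<EOF
# Squid 2.6 / 3.0 transparent mode: the "transparent" keyword on http_port
# replaces the Squid 2.5 httpd_accel_host/port/with_proxy/uses_host_header set.
http_port ${lan_ip}:3128 transparent
# the FATAL "Could not determine fully qualified hostname" from squid -z asks for this
visible_hostname proxy.example.lan
acl localhost src 127.0.0.1/32
acl lan src ${lan_net}
acl Safe_ports port 80 443 21
http_access deny !Safe_ports
http_access allow localhost
http_access allow lan
# anything else, including whatever reaches eth0, is refused
http_access deny all
EOF
    echo "$out"
}

# check_conf FILE: let squid parse it when installed, otherwise just confirm
# the transparent listener line is present
check_conf() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        grep -q '^http_port .*transparent$' "$1"
    fi
}
```

Usage: write_transparent_conf 192.168.2.1 192.168.2.0/24 /etc/squid/squid.conf && check_conf /etc/squid/squid.conf, then squid -z and a restart; the fw.proxy DNAT rule stays as it is, pointed at 192.168.2.1:3128.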

103 eq1425 July 29, 2007 at 2:49 am

hi all,

Will this shell script work even if I install a redirector program (i.e. squidGuard) on squid? And how?

thanks

Reply

104 John August 5, 2007 at 12:40 am

I work in a public library and we provide wireless access to our patrons. No configuration is required on their laptops because transparent proxying is in effect, via a rule in SUSE Firewall.

I’m using SUSE 10.2, SQUID, Dansguardian, and the SUSE2 Firewall.

Is it possible with my existing setup to also forward users to a custom home page that I have set up? This page will have our wireless policy, etc. on it. If so, how exactly would this be done?

Thanks!

Reply

105 ankush August 7, 2007 at 5:13 am

How do I configure the best squid server on RHEL 5?
I have created one on RHEL 4,
but I have a problem with RHEL 5.

Reply

106 Mani August 8, 2007 at 5:57 am

Hi,

When I execute squid -z, the following error appears.

FATAL: Could not determine fully qualified hostname. Please set ‘visible_hostname’

Squid Cache (Version 2.6.STABLE13): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Aborted

But I configured visible_hostname myhostname in my squid.conf file; still the same error comes again. What can I do?

Reply

107 IRFAN August 13, 2007 at 7:44 am

Does anyone have a squid configuration that can be used anywhere?

Reply

108 Mark Ng August 15, 2007 at 10:23 am

I have a box running public IP on eth0 and private IP on eth1.
Everything seems to be working, but my sites running Apache can't be accessed via their public IP anymore. However, I can still access them via eth1. Any help is appreciated.

Reply

109 Abdul Latif August 17, 2007 at 6:20 am

Sir,

Is there any solution regarding a Linux Squid proxy which is responsible for handling two ADSL Internet connections: combining bandwidth, providing load sharing, and falling back if one connection goes down?

Reply

110 Elliott August 20, 2007 at 9:24 am

Thanks for your excellent site.
I have followed your guide and set this up successfully.
I will recommend this guide to anyone setting up a squid server.

Elliott
Systems Administrator

Reply

111 Rith November 21, 2011 at 7:19 am

Hi ALL ,

I want to allow Windows 7 to be activated by using the Internet through the proxy server, but I can't do it.
Please give me some advice?

THANKS.

Reply

112 Chris August 26, 2007 at 6:29 pm

What about setting this up using the latest version of Squid?

Fedora 6 comes with squid but the parameters mentioned above are not there. They have been updated.

Any help?

Reply

113 Chris August 26, 2007 at 6:32 pm

DUH, I see the post explaining it. Disregard my last post.

Reply

114 vijay August 30, 2007 at 11:39 am

I would like to know how to configure FTP and the proxy for my internal use, and external (Internet) FTP with the proxy.
Please help

Reply

115 king of the internet September 18, 2007 at 6:16 pm

You said allowing port 443 out solves your problems, but in fact it creates more. Now users can simply use SSL-based web proxies to tunnel past your proxy. This means no logging, control, nothing. For example, try https://vtunnel.com/

Reply

116 nixCraft September 19, 2007 at 11:05 am

King,

You cannot redirect port 443 with a transparent proxy, and this is the only solution. The other option is to disable the transparent proxy and use a port such as 3128.

HTH

Reply
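An added example that is not nixCraft's or any commenter's code: a FORWARD chain for fw.proxy that takes the side door from comment 115 (direct 443 out) and the question in comment 99 (keep DNS and FTP direct, everything web through squid) and makes the choice explicit. It replaces the single "iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT" line in fw.proxy; the DIRECT_HTTPS switch is mine, not a fw.proxy variable.

```shell
#!/bin/sh
# Added example, not from the original post or fw.proxy: a FORWARD chain that
# replaces the single "iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT"
# line and closes the side door described in comment 115. Port 80 is unaffected:
# the PREROUTING DNAT already hands it to squid on this box, and those packets
# go to INPUT, not FORWARD. Anything the LAN may reach directly is listed here.
# IPT defaults to "echo iptables" (dry run, no root); set IPT=iptables to apply.
# DIRECT_HTTPS is a switch introduced for this example.
IPT="${IPT:-echo iptables}"
INTERNET="${INTERNET:-eth0}"
LAN_IN="${LAN_IN:-eth1}"
DIRECT_HTTPS="${DIRECT_HTTPS:-no}"   # yes: forward 443 straight out

# lan_out PROTO PORT: LAN hosts may open connections to PORT on the Internet
lan_out() {
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -p "$1" --dport "$2" -j ACCEPT
}

forward_rules() {
    $IPT -P FORWARD DROP
    # replies to connections the LAN was allowed to start; RELATED also covers
    # FTP data connections via the ip_conntrack_ftp module fw.proxy loads
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # direct DNS and FTP control, the non-web traffic comment 99 wants to keep
    lan_out udp 53
    lan_out tcp 53
    lan_out tcp 21
    if [ "$DIRECT_HTTPS" = yes ]; then
        # forwarded as-is: SSL web proxies on 443 then bypass squid's logging
        lan_out tcp 443
    else
        # not forwarded: browsers must use squid explicitly (CONNECT on 3128),
        # which still works because INPUT from $LAN_IN is open in fw.proxy
        $IPT -A FORWARD -i "$LAN_IN" -p tcp --dport 443 -j LOG --log-prefix "direct-https "
        $IPT -A FORWARD -i "$LAN_IN" -p tcp --dport 443 -j DROP
    fi
    # everything else from the LAN falls through to the DROP policy
}

forward_rules
```

With DIRECT_HTTPS=no the "direct-https" log lines show exactly which LAN hosts are still trying to go around the proxy; with DIRECT_HTTPS=yes the setup is the one nixCraft describes, where 443 is simply routed and squid never sees it.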

117 Saji Alexander October 22, 2007 at 8:11 am

Hi,

I had gone through your notes. They are very good and interesting. I have 2 network cards in my squid proxy server on CentOS.

I need all the users to access only certain sites during office hours, and after office hours they can access any sites as they wish. This should not be applicable to managers, who can access any site at any time.

I made this, but when I configured squid I gave port 8080 instead of 3128, the default port.

If the end users remove the proxy (IP of the squid server) then they can access any site during office hours. How to disable this????

Something to do with the firewall. I tried but I failed. I am pasting it; can you correct it?

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

squid_server has two network cards. One has the internal IP and the other the external IP.

I gave the external IP for SQUID_SERVER.

SQUID_PORT is 8080

Thanks and Regards,

Saji Alexander.

Reply

118 Wolfox October 25, 2007 at 12:08 am

Does anyone know how to get these instructions working on SuSE 9 Enterprise Edition…? It looks like some of the syntax doesn't work.

Because in my case I cannot get it to work. Please help; I'm a newbie that is very eager to learn about proxying.

Please help…

Thanks in advance

Reply

119 hanz October 25, 2007 at 4:58 am

I have read your instructions but I have the same question as Saji Alexander.

I have been trying to figure this out but failed.

Is it possible to force all browsers on a server running a transparent proxy to use its proxy service for their web traffic? The server has dual interfaces.

Thanks
hanz

Reply

120 nixCraft October 25, 2007 at 10:11 am

@Saji, you have to define a time-based ACL for squid to put time-based restrictions in place.

@hanz, yup, this config forces all http traffic via squid.

Reply

121 harish November 24, 2007 at 10:33 am

Hi Dear,

Thanks for the very simple steps.

Harish

Reply

122 fmstereo November 28, 2007 at 9:42 pm

I have configured the transparent proxy, but not all users are able to use it. Most of them must have the proxy set in their browsers; just a few are able to connect without having to configure it. And it is very slow with the transparent proxy. Any suggestions?

Reply

123 Babu Ram Dawadi December 12, 2007 at 2:52 am

Thanks for your three steps to create a transparent proxy, but I am not sure it works with squid 2.6 STABLE 13, because I tried your steps on this squid 2.6. Maybe this article suits squid 2.5. :)

Hi fmstereo >> I think you have to enable one option on your proxy which is previously off, like the following:
httpd_accel_no_pmtu_disc off
change it to
httpd_accel_no_pmtu_disc on

Reply

124 Atman December 12, 2007 at 10:45 pm

Why not use only one utility to filter out comments and empty lines when going through squid.conf:

grep -v ^# /etc/squid/squid.conf | grep -v ^$

or if you prefer sed:

sed '/ *#/d; /^ *$/d' < /etc/squid/squid.conf

Reply

125 arun December 13, 2007 at 8:06 am

Give me the steps for Linux CentOS proxy settings and iptables configuration, and starting many more services.

Reply

126 Vijay Godiyal December 20, 2007 at 12:58 pm

Hello Friends,

Need help from you…

I had configured my squid server, squid+dansguardian, with Linux RHEL-4. It works absolutely fine for an hour, but after about 1 hour it gets slow and stops working. I am not able to understand the problem. The normal proxy is working fine, but when it is started with dansguardian then the problem comes….

Can someone help me out on this? I have squid version squid-2.5.STABLE6-3.4E.11 and DansGuardian is dansguardian-2.8.0.6-1.2.el4.rf.

Following is the conf file…
dansguardian….
#################################################
DansGuardian config file for version 2.8.0

# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf

# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block – Stealth mode
# 0 = just say ‘Access Denied’
# 1 = report why but not what denied phrase
# 2 = report fully
# 3 = use HTML template file (accessdeniedaddress ignored) – recommended
#
reportinglevel = 3

# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3. When used, DansGuardian will display the HTML file instead of
# using the perl cgi script. This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
#
languagedir = '/etc/dansguardian/languages'

# language to use from languagedir.
language = 'ukenglish'

# Logging Settings
# 0 = none 1 = just denied 2 = all text based 3 = all requests
loglevel = 2

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through. Can be useful for diagnosing
# why a site gets through the filter. on | off
logexceptionhits = on

# Log File Format
# 1 = DansGuardian format 2 = CSV-style format
# 3 = Squid Log File Format 4 = Tab delimited
logfileformat = 1

# Log file location
#
# Defines the log directory and filename.
#loglocation = '/var/log/dansguardian/access.log'

# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP. Yes only one.
filterip =
# the port that DansGuardian listens to.
filterport = 3128

# the ip of the proxy (default is the loopback – i.e. this server)
proxyip = 172.16.24.12

# the port DansGuardian connects to proxy on
proxyport = 8080

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
# Do NOT change from the default if you are not using the cgi.
#
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

# Non standard delimiter (only used with accessdeniedaddress)
# Default is enabled but to go back to the original standard mode dissable it.
nonstandarddelimiter = on

# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image. This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# 0 = off
# 1 = on (default)
usecustombannedimage = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'

# Authentication files location
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'

# Show weighted phrases found
# If enabled then the phrases found that made up the total which excedes
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on

# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
#
weightedphrasemode = 2
# Positive result caching for text URLs
# Caches good pages so they don’t need to be scanned again
# 0 = off (recommended for ISPs with users with disimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
urlcachenumber = 5000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage = 9000

# Smart and Raw phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# CPU usage can be effectively halved by using setting 0 or 1
# 0 = raw only
# 1 = smart only
# 2 = both (default)
phrasefiltermode = 2

# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases. However this can break Big5 and
# other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
preservecase = 0

# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable. However this can break Big5 and other 16-bit texts.
# 0 = disabled (default)
# 1 = enabled
hexdecodecontent = 0

# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# 0 = off (default)
# 1 = on (Big5 compatible)
forcequicksearch = 0
# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists. This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off

# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer. This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off.
reverseclientiplookups = off

# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%. On slow computers this will
# be significant. Fast computers do not need this option. on | off
createlistcachefiles = on
# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0
maxuploadsize = -1

# Max content filter page size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The size is in Kibibytes – eg 2048 = 2Mb
# use 0 for no limit
maxcontentfiltersize = 256

# Username identification methods (used in logging)
# You can have as many methods as you want and not just one. The first one
# will be used then if no username is found, the next will be used.
# * proxyauth is for when basic proxy authentication is used (no good for
# transparent proxying).
# * ntlm is for when the proxy supports the MS NTLM authentication
# protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED**
# * ident is for when the others don’t work. It will contact the computer
# that the connection came from and try to connect to an identd server
# and query it for the user owner of the connection.
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off

# Preemptive banning – this means that if you have proxy auth enabled and a user accesses
# a site banned by URL for example they will be denied straight away without a request
# for their user and pass. This has the effect of requiring the user to visit a clean
# site first before it knows who they are and thus maybe an admin user.
# This is how DansGuardian has always worked but in some situations it is less than
# ideal. So you can optionally disable it. Default is on.
# As a side effect disabling this makes AD image replacement work better as the mime
# type is know.
preemptivebanning = on
# Misc settings

# if on it adds an X-Forwarded-For: to the HTTP request
# header. This may help solve some problem sites that need to know the
# source ip. on | off
forwardedfor = off

# if on it uses the X-Forwarded-For: to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning – headers are easily spoofed. on | off
usexforwardedfor = off

# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored. These are logged by syslog. It is safe to leave
# it on or off
logconnectionhandlingerrors = on

# Fork pool options

# sets the maximum number of processes to sporn to handle the incomming
# connections. Max value usually 250 depending on OS.
# On large sites you might want to try 180.
maxchildren = 120
# sets the minimum number of processes to sporn to handle the incomming connections.
# On large sites you might want to try 32.
minchildren = 8

# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8.
minsparechildren = 4

# sets the minimum number of processes to sporn when it runs out
# On large sites you might want to try 10.
preforkchildren = 6

# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 32

# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 500
# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
#
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = '/tmp/.dguardianipc'

# URL list IPC filename
#
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = '/tmp/.dguardianurlipc'

# PID filename
#
# Defines process id directory and filename.
#pidfilename = '/var/run/dansguardian.pid'

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off ( defaults to off )
nodaemon = off

# Disable logging process
# on|off ( defaults to off )
nologger = off

# Daemon runas user and group
# This is the user that DansGuardian runs as. Normally the user/group nobody.
# Uncomment to use. Defaults to the user set at compile time.
# daemonuser = 'nobody'
# daemongroup = 'nobody'

# Soft restart
# When on this disables the forced killing off all processes in the process group.
# This is not to be confused with the -g run time option - they are not related.
# on|off ( defaults to off )
softrestart = off


127 Robert December 22, 2007 at 1:00 am

I am building a rather unique Proxy server
I need to be able to forward requests by matching the destinations to 3 lists:
- blacklist -> Block,
- freelist -> Forward to upstream Proxy with specified username and password, same for all,
- DirectAccesslist - Retrieve directly,
Whatever is remaining is forwarded to the upstream proxy which will request username and password for charging purposes.

The AD and charging side of this I will work out later, it is the routing with creds by list lookup that I have no idea where to start..

Site info
300 computers, 1000 users, 40M internet link
I have a Dual Xeon 1.6 with 2G ram SCSI HW Raid HDD Server for the task (retired Ms Server)

Ideas?

Thanks


128 Sai Wunna Aung January 5, 2008 at 11:20 am

hello all friends,

pls help me. now i created a squid 2.6 server on windows server 2003. but our ISP has banned some websites, e.g. http://mail.yahoo.com, https://mail.google.com. so, i want to open those web sites and others through squid's redirect setting.
i want to know the http redirect setting of squid 2.6.

best regards,
Sai Wunna Aung
Network Technician


129 Ali Bhai January 8, 2008 at 9:28 am

hey, nice work. I appreciate the way u spread your knowledge just like a teacher spreads it to newbies. Thx Again


130 Ambot January 11, 2008 at 12:17 am

Hey guys,

How am i able to open the ports in the proxy? i have problems on my network, in which i can't view webcam and voice in yahoo messenger…
As far as i know 5000-5010 are used for voice, both tcp and udp, while 5100 is for video as tcp… I put them in Safe_ports but it seems not to work…

And also i'm not able to upload files but downloads are good….


131 Sajid January 11, 2008 at 8:14 am

Hi,
Please help me to solve this problem.
i have four network cards in a linux machine
3 NCs for WAN
1 for local LAN
my squid is sending all the internet traffic to only one network card, the other two are free
is it possible that squid binds the three WAN NCs and combines the Internet?
thanks


132 Arulkumar January 19, 2008 at 10:40 am

how to manage users browsing time quotas by squid.

Example: Set a limit of 1 hour per day for the user


133 dennyhalim January 24, 2008 at 7:08 am

dual xeon with 8 gig ram?
how many (hundreds?) users this monster serve???

i’m using old refurbished p3 with 384meg ram serving 50+ heavy downloaders users with no problem.

and, with ipcop, it only takes TWO clicks to activate transparent proxy from its web gui.

of course, you learn nothing with ipcop. coz it's simply usable and has a minimal learning curve.
you’ll learn a lot from getting dirty on cli.
:)


134 Mangal January 31, 2008 at 7:15 am

How can we block a PC using Mac addresses ?
I tried by: - acl block arp 12:23:43:df:32:df

but my squid does not know the keyword arp
for solving this i tried to rebuild it but i failed. can u help me to rebuild ?


135 nixCraft January 31, 2008 at 7:49 am
136 Anas January 31, 2008 at 8:17 am

Dear all

Need Help ….

I have Squid 2.6 STABLE6
Actually when I add

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl Tiajri src 10.0.0.0/24
http_access allow localhost
http_access allow Tijari

and when I tried to Stop And Start the Squid service
it gave me Failed to start

Failed …. please help me


137 Pirkia.lt admin February 2, 2008 at 10:46 pm

Simple script to save your users from badware:

#!/bin/bash

URL0=http://www.mvps.org/winhelp2002/hosts.txt
URL1=http://everythingisnt.com/hosts

SQUIDBADWARE=/etc/squid/badware_list
BADWARESTATS=/etc/squid/badware_stats

# Work in a private temporary directory instead of predictable /tmp names
WORK=$(mktemp -d) || exit 1

# Fetch both hosts-format lists quietly
wget "$URL0" -O "$WORK/hosts0" -o /dev/null
wget "$URL1" -O "$WORK/hosts1" -o /dev/null

# Merge the two lists
cat "$WORK/hosts0" "$WORK/hosts1" > "$WORK/merged"

# Keep the 127.0.0.1 entries; drop the address, CR characters (Windows hosts files),
# localhost, inline comments and trailing whitespace
tr -d '\r' < "$WORK/merged" | grep '^127\.0\.0\.1' | sed 's/^127\.0\.0\.1[[:space:]]*//' \
  | grep -v localhost | cut -d "#" -f 1 | sed 's/[[:space:]]*$//' > "$WORK/badware"

# Rotate the previous list and install the new one
rm -f "$SQUIDBADWARE.backup"
[ -f "$SQUIDBADWARE" ] && mv "$SQUIDBADWARE" "$SQUIDBADWARE.backup"
cp "$WORK/badware" "$SQUIDBADWARE"

# Record how many entries each run produced
SUM=$(wc -l < "$SQUIDBADWARE")
DATE=$(date +%Y-%m-%d)

echo "$DATE $SUM" >> "$BADWARESTATS"

rm -rf "$WORK"

/etc/init.d/squid reload > /dev/null

To squid.conf add/update following lines:

acl BADWARE_LIST_1 dstdomain "/etc/squid/badware_list"
deny_info ERR_BADWARE_ACCESS_DENIED BADWARE_LIST_1

…..

http_access deny BADWARE_LIST_1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Don't forget to add this script to your crontab:

crontab -e

30 23 * * * /data/scripts/squidguard.sh

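A more defensive version of the hosts-to-dstdomain conversion in the comment above, as an added Python example that is not the commenter's script: it goes beyond the shell pipeline by also accepting 0.0.0.0 sink entries and several names per line, stripping CRLF from Windows-origin lists, de-duplicating case variants, and dropping names that can never match a request. The sample hosts lines are constructed.

```python
"""Turn hosts-format blocklists into a Squid dstdomain ACL file.

Added example for this thread, not the commenter's script or Squid's own code.
"""
import re
from typing import Iterable, List

# Sink addresses that hosts-format blocklists point blocked names at
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names present in every hosts file that must never end up in a blocklist
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def valid_dstdomain(name: str) -> bool:
    """True if name is a hostname a browser could actually request via Squid.

    Single labels are rejected as noise for a blocklist; underscores are
    rejected because Squid refuses URLs whose hostname contains them (see the
    "Illegal character in hostname" error text quoted elsewhere in the thread).
    """
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def hosts_to_dstdomain(lines: Iterable[str]) -> List[str]:
    """Parse hosts-format lines; return sorted, de-duplicated blocked domains."""
    seen = set()
    for raw in lines:
        line = raw.rstrip("\r\n")            # Windows hosts files use CRLF
        line = line.split("#", 1)[0]         # drop inline comments
        fields = line.split()                # tabs or runs of spaces
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue                         # blank, comment, or a real mapping
        for name in fields[1:]:              # one hosts line may carry several names
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not valid_dstdomain(name):
                continue
            seen.add(name)
    return sorted(seen)


def render_acl_file(domains: Iterable[str]) -> str:
    """One domain per line, the form acl ... dstdomain "/path" expects."""
    return "".join(f"{d}\n" for d in domains)


# Constructed sample in the shape of the mvps-style hosts lists
SAMPLE_HOSTS = [
    "# constructed sample hosts file\r\n",
    "127.0.0.1\tlocalhost\r\n",
    "127.0.0.1 ads.example.net  # inline comment\r\n",
    "0.0.0.0 tracker.example.org   beacon.example.org\r\n",
    "127.0.0.1 ADS.EXAMPLE.NET\r\n",         # duplicate differing only by case
    "127.0.0.1 bad_host.example.com\r\n",    # underscore: never a valid request host
    "127.0.0.1 -dash.example.com\r\n",       # label may not start with a hyphen
    "192.168.1.10 fileserver\r\n",            # a real mapping, not a block entry
    "\r\n",
]

if __name__ == "__main__":
    print(render_acl_file(hosts_to_dstdomain(SAMPLE_HOSTS)), end="")
```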

138 Faisal February 5, 2008 at 8:31 am

Dear I am using CentOS Linux server here I don’t need to define proxy in squid.conf.
kindly guide me how to use without ISP proxy. also i have 3 DSL modems connected in office and i need to configure all together if 1 is not working it switch to other automatically.

your quick response will be highly appreciated.
Best Regards.
Faisal


139 Santosh February 8, 2008 at 5:24 am

Hi,
This site is good with good comments.

can you help me. i am using the same config.
Pls clear my 2 doubts.

1. after making the proxy transparent, the sites which are blocked in squid-block.acl do not work from the client pc. (again if we use a proxy server then only it works).
2. how to block a website (such as http://www.youtube.com) using iptables.

regards,
Santosh


140 Santosh February 8, 2008 at 5:31 am

hello,

pls reply ASAP.

regards,
santosh


141 nandhakumar February 22, 2008 at 7:29 am

Hi all

I configured squid proxy in our office but problem is outlook express not working please help me out..
regards
nandha


142 vaibhavraj June 29, 2010 at 1:20 pm

Hi,

Just put IP of outlook machine as a acl in squid.conf.
It will work.

Regards,
Vaibhavraj


143 Sulman March 5, 2008 at 3:37 pm

Dear,
i have 3 NICs in the Squid Proxy, one connected with the Lan and the other 2 connected with 2 DSL modems. I want to combine more than 1 DSL link speed together. Kindly help me regarding this, what will need to be configured in Linux. Help me ASAP
Thanks


144 Jit March 13, 2008 at 9:07 am

Hi,

I've configured my Squid as per your guidance but am not able to access any website from the client nor am I able to ping.

though I'm able to open some websites from their IP and even able to open the control panel of my ADSL Router!

I've no clue where things are wrong! :(
I would be highly grateful if you help me to fix this issue!

here is the complete scenario of my network

[LAN] ---> e1 [ SQUID ] e0 ----> [ADSL]

192.168.2.0 [LAN]
192.168.2.1 [e1 of squid]
192.168.1.2 [e0 of squid]
192.168.1.1 [adsl router ip]

waiting desperately!

Rock on
Jit


145 Yusuf March 15, 2008 at 1:27 pm

I have configured SQUID PROXY with TRANSPARENT using this site help

Thanks


146 gautam April 8, 2008 at 9:57 am

I had gone through your notes. It is very good and interesting. I have 2 network cards in my squid proxy server on RHEL5.

I need all the users to access only certain sites during the office hours and after office hours they can access any sites as they wish. This should not be applicable for managers who can access any site at anytime.

This I made it but when I configured squid I had given the port 8080 instead of 3128 the default port.

If the end users remove the proxy (ip of squid server) then they can access any site during the office hours. How to disable this ????

Something to do with the firewall. I tried but I failed. I am pasting it, can you correct it.

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

squid_server has two network cards. One is having the internal ip and the other the external ip.

I had given the external ip for SQUID_SERVER.

SQUID_PORT is 8080
Please help me.. It is very urgent.

Thanks and Regards,


147 flex April 11, 2008 at 11:39 am

I have a clarkconnect linux box. I am not that good in linux but can configure when given an example.

My network has a layer three switch which does the routing for all Vlans. I have created a special Vlan where all traffic from the LAN Vlans is routed, connected this node to the CC box LAN interface. Also i have added the static routes on the CC box and all vlans can access the internet properly.

But i want to use a proxy. WHEN I START THE SQUID PROCESS it blocks all outgoing traffic and gives me the ip and port to configure as proxy in the browser settings, that i do but still cannot connect.

here is a file for my routes

Adding extra LANs on Clark Connect
#/etc/system/network file

EXTRALANS="10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 10.0.5.0/24 10.0.6.0/24 10.0.7.0/24 10.0.8.0/24 10.0.9.0/24 10.0.10.0/24 10.0.11.0/24 10.0.12.0/24 10.0.13.0/24 10.0.14.0/24 10.0.15.0/24 10.0.16.0/24 10.0.17.0/24 10.0.18.0/24 10.0.19.0/24 10.0.20.0/24 10.0.21.0/24 10.0.22.0/24 10.0.23.0/24 10.0.24.0/24 10.0.25.0/24 10.0.26.0/24 10.0.27.0/24 10.0.28.0/24 10.0.29.0/24 10.0.30.0/24 10.0.31.0/24 10.0.32.0/24 10.0.33.0/24 10.0.34.0/24 10.0.35.0/24 10.0.36.0/24 10.0.37.0/24 10.0.38.0/24 10.0.39.0/24"

#Adding Static routes to Clark Connect for Vlans to work with proxy
#This should work
#/etc/sysconfig/network-scripts/route-eth1

10.0.2.0/24 via 10.2.56.2
10.0.3.0/24 via 10.2.56.2
10.0.4.0/24 via 10.2.56.2
10.0.5.0/24 via 10.2.56.2
10.0.6.0/24 via 10.2.56.2
10.0.7.0/24 via 10.2.56.2
10.0.8.0/24 via 10.2.56.2
10.0.9.0/24 via 10.2.56.2
10.0.10.0/24 via 10.2.56.2
10.0.11.0/24 via 10.2.56.2
10.0.12.0/24 via 10.2.56.2
10.0.13.0/24 via 10.2.56.2
10.0.14.0/24 via 10.2.56.2
10.0.15.0/24 via 10.2.56.2
10.0.16.0/24 via 10.2.56.2
10.0.17.0/24 via 10.2.56.2
10.0.18.0/24 via 10.2.56.2
10.0.19.0/24 via 10.2.56.2
10.0.20.0/24 via 10.2.56.2
10.0.21.0/24 via 10.2.56.2
10.0.22.0/24 via 10.2.56.2
10.0.23.0/24 via 10.2.56.2
10.0.24.0/24 via 10.2.56.2
10.0.25.0/24 via 10.2.56.2
10.0.26.0/24 via 10.2.56.2
10.0.27.0/24 via 10.2.56.2
10.0.28.0/24 via 10.2.56.2
10.0.29.0/24 via 10.2.56.2
10.0.30.0/24 via 10.2.56.2
10.0.31.0/24 via 10.2.56.2
10.0.32.0/24 via 10.2.56.2
10.0.33.0/24 via 10.2.56.2
10.0.34.0/24 via 10.2.56.2
10.0.35.0/24 via 10.2.56.2
10.0.36.0/24 via 10.2.56.2
10.0.37.0/24 via 10.2.56.2
10.0.38.0/24 via 10.2.56.2
10.0.39.0/24 via 10.2.56.2

which other file should i configure for the web proxy to work?
The IP and port CC is giving for the proxy are

10.2.56.2
8080 or 3128

but does not work


148 Sohbet April 27, 2008 at 5:35 pm

hey, nice work. I appreciate the way u spread your knowledge just like a teacher spreads it to newbies. Thx Again


149 Ye khaung May 8, 2008 at 4:56 pm

I just tested smoothwall express with its built-in squid.
Not only in that squid but in all, i can't find where to put web server chaining, i.e. forward requests to an upstream proxy (isp's proxy). Can any one explain to me the following case.

My server have 2 NIC card.
Eth0 : 10.254.8.1.1 (internet)
Eth1 : 192.168.0.1 (Lan)

Subnet: 255.255.252.0
D.G : 10.254.8.1

My isp give their proxy ip and port.
203.81.71.148:9090
They prevent direct access.
In that case i want a proxy server in my own.
I want my clients computers to use proxy of mine but not ISP.
(i want them to put my server's Eth1 no as the proxy ip and port 9090 in their IE and fire fox)

Can any one give me a sample scripts?
Please help me out.
Our country is not very familiar with linux.

S.O.S

Ye Khaung
Burma


150 Peyman June 8, 2008 at 5:36 pm

Excellent! Simply it worked. But after running the iptables shell script I could not reach my server via SSH or VNC.
I had to comment these 4 lines of the script to get my remote access back.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Is it no problem commenting those lines? my squid is working as I want ;)


151 Padani June 28, 2008 at 11:10 am

When i gave the above config to the squid on a VPS
(Debian), the following errors came.
I didn't implement the iptables rules

root@x:/etc/squid# /etc/init.d/squid restart
Restarting Squid HTTP proxy: squid2008/06/28 11:02:10| parseConfigFile: unrecognized:
2008/06/28 11:02:10| parseConfigFile: line 44 unrecognized: 'httpd_accel_host virtual'
2008/06/28 11:02:10| parseConfigFile: line 45 unrecognized: 'httpd_accel_port 80'
2008/06/28 11:02:10| parseConfigFile: line 46 unrecognized: 'httpd_accel_with_proxy on'
2008/06/28 11:02:10| parseConfigFile: line 47 unrecognized: 'httpd_accel_uses_host_header on'
2008/06/28 11:02:10| WARNING cache_mem is larger than total disk cache space!
FATAL: No port defined
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
CPU Usage: 0.005 seconds = 0.000 user + 0.005 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
/etc/init.d/squid: line 74: 30103 Aborted start-stop-daemon --quiet --start --pidfile $PIDFILE --chuid $CHUID --exec $DAEMON -- $SQUID_ARGS </dev/null


152 ramesh July 25, 2008 at 5:29 am

Hi,

I have a problem
I configured the Transparent proxy and it is working fine. The problem is with the web server when i tried to access the web page from an external network.
Error message :
ERROR
The requested URL could not be retrieved
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect


153 nazrin July 29, 2008 at 9:57 am

dear guys,

is there any way of doing proxy on ports 25 and 110. i wanted to test it with spamassassin checking on those ports using the transparent proxy.

thanks,
nazrin.


154 Khalid August 2, 2008 at 12:02 am

I am running FC6, 2.6.STABLE13 and I need help

2 network cards:
eth0 on a local LAN address 10.6.9.171
eth1 190.2.168.0.0/24
my server is running DHCP and assigning addresses to local clients

But Squid is giving me a headache
I did follow the steps in this tutorial, and my Squid FAILS to start every time

First it gave me this error
ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE13): Terminated abnormally.

Then when I define Safe_ports by adding definitions that I got from another website it does not like the added lines and it asks for a hostname

2008/08/01 16:08:53| parseConfigFile: line 36 unrecognized: 'http_accel_host virtual'
2008/08/01 16:08:53| parseConfigFile: line 37 unrecognized: 'http_accel_port 80'
2008/08/01 16:08:53| parseConfigFile: line 38 unrecognized: 'http_accel_with_proxy on'
2008/08/01 16:08:53| parseConfigFile: line 39 unrecognized: 'http_accel_uses_host_header on'
FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'

Can someone please direct me on what I’m missing here

=======================
here is my config file:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 10.6.9.177 192.168.0.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname proxytest
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
================================


Khalid


155 Seymur November 7, 2010 at 12:47 pm

remove
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


156 Jakykong August 7, 2008 at 7:40 am

I thought I would mention that newer Squid versions (or maybe it’s older ones… I use 2.7) don’t accept the httpd_accel_* entries. Another way to do the same thing, which seems to work the same way, is to use the http_port entry.
When you set the port (3128 by default), you can add “transparent” to the end of the line to make the proxy transparent.


157 shantanu August 7, 2008 at 8:08 pm

hiii, i know very little about squid and linux, m in a college and my isp has blocked many of the sites and downloads, i need to unblock those sites as i want to see my favourite football matches, so plz will anyone guide me how to unblock these sites and see streaming videos, my isp uses squid/2.6.STABLE6, plz reply……………..


158 shantanu August 12, 2008 at 6:31 pm

if any one knows plz tell me e mail id is gupta.shaan5@gmail.com
!!!


159 Baku August 27, 2008 at 12:36 am

Excellent article. The firewall script works fine in my GNU/Linux Debian Etch. However, the squid.conf should be updated for squid 2.6 and later versions, which have the specific 'transparent' parameter. In addition, it would be convenient to add a fourth step: configure the named daemon on the squid host.

Best regards

Baku


160 we3cares September 2, 2008 at 9:12 am

Very Good Work… :) But, I can tell a small easier step instead of

grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Use:
# grep -v "^#" /etc/squid/squid.conf | cat -s


161 Umer August 5, 2010 at 6:57 am

Good .. It's working now


162 MikeC September 25, 2008 at 7:24 pm

Good write up…question though. After setting everything up I get the following error when I try to access a site:

While trying to retrieve the URL: /

The following error was encountered:

* Invalid URL

Some aspect of the requested URL is incorrect. Possible problems:

* Missing or incorrect access protocol (should be `http://' or similar)
* Missing hostname
* Illegal double-escape in the URL-Path
* Illegal character in hostname; underscores are not allowed

Any ideas would be appreciated!


163 Muhammad Suleman Hasib October 22, 2011 at 9:19 pm

just add “transparent” at the end of http_port. if you are using 3128 port then it should look as follows:

http_port 3128 transparent

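Why the "Invalid URL" error in the comment above appears on a plain http_port and disappears once the port carries the transparent flag (or, on Squid 2.5, httpd_accel_uses_host_header on), as an added Python example that is not Squid's code: it models how the request-target on the request line and the Host header are combined into the URL Squid fetches. Both requests are constructed.

```python
"""Model of how a proxy rebuilds the URL for intercepted (DNAT'ed) requests.

Added example for this thread; a simplified model, not Squid's own code.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    target: str             # request-target exactly as sent on the request line
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x request-head parser (enough for the request line and Host)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def resolve_url(req: Request, transparent: bool) -> Optional[str]:
    """Return the absolute URL the proxy would fetch, or None for 'Invalid URL'.

    A browser configured with an explicit proxy sends an absolute-form target
    (GET http://host/path). A browser that does not know about the proxy sends
    origin-form (GET /path) plus a Host header, which is what arrives after the
    iptables DNAT to port 3128. Only a port marked transparent rebuilds the
    URL from Host; a plain http_port reports the error quoted in the thread.
    """
    if req.target.startswith("http://"):
        return req.target                  # absolute-form: nothing to rebuild
    if not req.target.startswith("/"):
        return None                        # not a form this model handles
    if not transparent:
        return None                        # "Invalid URL ... Missing hostname"
    host = req.headers.get("host")
    if not host:
        return None                        # intercepted but no Host: cannot rebuild
    return f"http://{host}{req.target}"


# Constructed requests: one from a proxy-aware browser, one intercepted by DNAT
EXPLICIT_PROXY_REQUEST = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)
INTERCEPTED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)


def demo() -> Dict[str, Optional[str]]:
    """Run both requests against a plain port and a transparent port."""
    explicit = parse_request(EXPLICIT_PROXY_REQUEST)
    intercepted = parse_request(INTERCEPTED_REQUEST)
    return {
        "explicit/plain": resolve_url(explicit, transparent=False),
        "intercepted/plain": resolve_url(intercepted, transparent=False),
        "intercepted/transparent": resolve_url(intercepted, transparent=True),
    }


if __name__ == "__main__":
    for case, url in demo().items():
        print(f"{case:24} -> {url or 'Invalid URL'}")
```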

164 Nandkishor September 26, 2008 at 5:40 am

Hi vivek,
I have configured the transparent proxy & also blocked the downloading of movies & songs. But some people download by using torrent or utorrent. Can u tell me how to block this torrent downloading by using squid, or peer to peer?


165 Rizwan Ahmed October 24, 2008 at 6:42 am

nice help


166 cpyd October 26, 2008 at 4:37 pm

this is funny. okay first of all, thanks vivek, thanks a ton for your fantabulous article. I setup two servers using your script and it works great. save one freak thing.. while i see everyone running around saying they can't accept anything except port 80, my problem is the exact opposite! ie.. it seems my firewall is allowing every damn traffic through itself, and no, i didn't change a thing in the script except, of course, the variables in the beginning. the iptables -L command gives this :-


Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level debug prefix `LOG_DROP '
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

i commented out the unlimited LAN access line, and i was completely blocked out, including the webserver running on the same machine.

Anyone out there who can point me in the right direction??

I want to allow only ports 25, 465, 110, 995, 443 and 80 through my proxy server..

thanks :)


167 jayarm December 7, 2008 at 9:50 am

I want to allow two ports which are used for VOIP (ports 8661 10500), how can I enable the same
Please tell me with an example, i am using redhat
my ip is 172.21.100.10 (eth0) 192.168.103.10 (eth1)


168 Nick December 14, 2008 at 12:45 pm

Is it possible to set a machine with one ethernet adapter on the network as a transparent proxy?

So my machine ("machine2") on 10.0.0.2 becomes my default gateway (in the DHCP config), which in turn either transparently proxies or sends the packet on to the 'real' default gateway at 10.0.0.1.

Machine2 would need to match incoming packets and if not destined for it, and not destined for port 80, forward them to the router.

Incoming packets not destined for the machine2, but are destined for port 80, forward to the squid proxy.

This would be neat, as it would simplify network layout, avoid having to have two subnets, and make bypassing the proxy a simple method of adding a static network config with a different default gateway.


169 bashir December 26, 2008 at 4:01 am

Hi
i'm using squid 2.6 in Centos 5.1. But i found some errors:
1. arp 2. when i blocked the ip's they are still allowed

please help

bashir pakistan islamabad


170 khzied December 28, 2008 at 1:22 pm

Hi everybody,
I have a problem with squid..

In my network, i would like to have connections at the same time like this:
* some ip addresses connect to the internet with authentication
* some ip addresses connect to the internet without authentication

How can i do in squid configuration and iptables rules..

Thanks :)


171 khzied December 28, 2008 at 1:25 pm

with ipcop, i use the type "unrestricted user" that accesses the internet without authentication.. Other users without the type "unrestricted user" should connect by authentication..

How can i do?
Ps: I use squid 3.0

Thanks


172 brijesh January 10, 2009 at 7:33 am

dear sir
Sir i want to install squid proxy but it is not installed
please give the setup and how you installed it


173 Ibru January 19, 2009 at 3:25 pm

Hi,

You have done an excellent work.

How can I run the fw.proxy script every time my computer starts?

Thanks
Ibrhaim PP


174 Bjornar January 28, 2009 at 12:18 pm

Hi.

When i load the script I get an error message:

iptables: No chain/target/match by that name

Does someone know what's wrong?

im a noob (A)


175 needh January 29, 2009 at 6:19 pm

I use your squid on ubuntu 7.04. It complains no httpd_accel, etc. If I remove those lines in squid.conf, that’s no proxy at all. Nothing in access.log.


176 baxbixbux February 20, 2009 at 2:35 am

good … now i can setup squid


177 col February 23, 2009 at 9:59 am

Hi - thanks for the really useful information. I have now setup my main PC as a transparent proxy so I can log and see all the websites that my family lan has been to. Is there a way to also log all MSN chat messages using squid?
(we have a policy of open internet access, with the responsibility of where they choose to go being on the child, with them knowing that occasional spot checks of the logs will be carried out).


178 iniabasi February 25, 2009 at 8:37 am

i have gone through all the comments here and I have done everything - configuring squid 2.7 stable 13 and iptables in ubuntu 8.10. my problem is that i can only browse when i set the proxy in the explorer, the transparency does not work. when i add these lines of config, i have errors:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on.
I am really at a loss on what to do.
This what my squid conf looks like
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ECONOMICS src 10.0.0.0/24 # RFC1918 possible internal network
http_access allow ECONOMICS
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow ECONOMICS
icp_access deny all
http_port 80
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
visible_hostname EconnetServer
hosts_file /etc/hosts
coredump_dir /var/spool/squid

Please can someone help me.
Thanks.


179 manjunath February 25, 2009 at 1:02 pm

Hi,

I do have the setup internet->router(cisco 2600)->firewall (506 E)->Cisco Switch (6500) no routing capability ->DHCP Server->Lan .

Planning to have Squid transparent proxy. Plz help me how to setup I am new
to Squid project.

Manjunath


180 Xavier February 27, 2009 at 2:20 am

Hi all,

My Squid server works fantastically with the script above if I only have 2 network adapters enabled.

I have an eth2 that I wish Apache to listen on as I was getting some oddities with it running on eth0 and eth1 which i am guessing is attributed to SQUID. I can configure Apache to listen on eth2 ok, the problem is as soon as I enable and start eth2 everything dies. eth0 and eth1 are unpingable and squid doesn’t work.

All I am doing is an out of the box version of squid with a very basic conf and the script above.

Any help?

Thanks,

Xavier.


181 hana March 5, 2009 at 12:37 pm

is it possible to implement a transparent proxy using only one NIC?


182 kpm March 14, 2009 at 5:56 pm

We are using two ip numbers for accessing internet and intranet. The IP 172.16.0.0/24 is for accessing our Intranet application from our remote office. The IP 192.168.1.0/24 is the local broadband connection used for accessing the internet locally. I want to access both connections with a single IP by configuring a linux squid proxy server. Can u please help me out with how to do the settings.


183 Christofer March 17, 2009 at 10:41 am

Thanks cyberciti for the great tutorial, it helped me a lot.


184 vijay March 29, 2009 at 8:49 am

This setup can use in fedora 10


185 Tricky April 15, 2009 at 1:12 am

I like how you've built this post. The httpd entries don't seem to work on my server, however it's not a particularly important function for me. I think perhaps it wasn't built into the build I have from Arch Linux.

On a purely academic note, I often work with grep and sed and I recognised some even shorter ways to strip the squid.conf file. The shortest is still a combination:
grep . /etc/squid/squid.conf|sed '/ *#/d'
unless you want to actually strip it inline:
sed -i '/ *#/d; /^ *$/d' /etc/squid/squid.conf


186 Bruce Smith April 16, 2009 at 1:01 pm

I’m looking for help for a fix.
i work at a school, and i'm looking to run squid to speed up net access.
i have 2 upstream proxies, we use 1 for kids and 1 for staff, and i want to bind them into 1 proxy in school with 2 ports.

so port 8080 for students caching from upstream proxy student.proxy port 80
so port 8099 for staff caching from upstream proxy staff.proxy port 80

any one any clues ?


187 nichive April 26, 2009 at 10:21 pm

to da point, I need some help with this configuration

I’m running my squid on Ubuntu Server 8.10
with the transparent configuration applied, and the iptables script made, without any error on the start/restart part.

but my problem is, I can't open anything through any web-browser that is installed on my Local Area Network
but if I try some ping command to any web-address, it works fine
pity, not so with the web-browser

anyhelp would be appreciated :)


188 nichive April 26, 2009 at 10:37 pm

ignore my last question, I found out what my problem was..

my machine was a freshly installed one, it didn't have the masquerading method…
just run the following command and voila

$ sudo apt-get install ipmasq


189 dave love May 7, 2009 at 8:04 pm

I am using this setup but I am having trouble connecting to port 443. Any ideas? Do I need to tell it to use 443 and 80 in the squid.conf?


190 Md. Saidur Hasan May 10, 2009 at 11:49 am

hi boss,
it's working but there is a problem with the email. i can't download my email in outlook.
my configuration is as follows
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output
——————–
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
access_log /var/log/squid/access.log squid
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl bad_sites dstdomain "/etc/squid/squid-block.acl"
http_access deny bad_sites
acl esl src 172.16.10.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow esl
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr ahmed.rahman@esl.com.bd
visible_hostname ESL-NNC
coredump_dir /var/spool/squid

please help me..


191 chrkc May 25, 2009 at 10:20 am

Hi,
I have three systems, my apache web server is running on 192.168.0.26 machine,
squid/proxy is running on 192.168.0.25 and my firewall/shorewall is running on 192.168.0.20
And there is a local network 192.168.0.X of systems with gateway mentioned as 192.168.0.20.
Can anyone tell me how i manage it in a way that all the http requests made are directed to the squid/proxy?
As the people in the local network are able, through the browser's direct connection, to open sites that were restricted through the proxy settings.

Thanks


192 Wiki June 8, 2009 at 4:19 am

Where can i find or where should i paste the following commands? At which line number?

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy
httpd_accel_uses_host_header on


193 Nand June 17, 2009 at 5:44 am

I have setup squid using a transparent proxy & in iptables I have changed the policy of the filter table to DROP. Everything is working fine. But any idea how to block torrent downloading? What iptables rules need to be setup?

Regards,
Nandkishor


194 Rashid Iqbal June 27, 2009 at 8:01 am

hi friends
I am new to linux. right now i am using fedora… I configured the proxy and configured the iptables to forward the traffic for Microsoft Outlook. now there is a problem that users are able to browse without the client proxy settings…… although I only added the iptables script that forwards the port 80 traffic to port 3128 so that users should go through the proxy…

secondly we are using the citrix server……… how to enable remote users to connect out db server through citrix server… using TCP 1494 and
UDP is 1600 to 1699…
and tcp is 80..
and how to restrict the wireless users that they should go thorugh proxy….
and finally I want that only some specific users to use the internet through client proxy settings and remaining will be blocked….

please help me in this regard……..I will be highly obliged..

Reply

195 Rashid Iqbal June 27, 2009 at 9:35 am

Friends, I am new to Squid.

I want to configure the proxy server with Squid, but not as a transparent proxy:
every user should enter the IP address and port 3128.
Secondly, I want to receive emails in Microsoft Outlook. For this purpose I use iptables; now mail is working, but users can bypass the proxy after putting the proxy address in as the client's gateway.

Please help me solve this issue.

Reply

196 Anindya Banerjee July 6, 2009 at 8:52 am

How can I install and configure the Squid proxy on my Red Hat Linux system?

Reply

197 Mohd Anas July 14, 2009 at 11:58 am

Hi,
Can someone suggest how I can configure my Squid HTTP proxy for FTP as well?
And what are the settings for an FTP client like FileZilla?

Thanks

Reply

198 Gregory I Okumoro July 22, 2009 at 3:38 pm

Hi,
I am new to Linux, but I like what you have to say about port 80 redirection to port 3128.
Currently, my website is unavailable online because the cable company (ISP) has blocked all the ports I have to work with except port 3128.
1. What is the directory of the firewall to which I have to copy the “firewall” scripts?
2. What directory do I copy “fw.proxy” to?

Thanks,
Gregory Omkpokoro

Reply

199 Ajit Upadhyay August 4, 2009 at 10:28 am

Hi!

I have a server with eth0 (10.126.2.101) connected to my ISP (proxy 10.31.31.10:3128 with authentication, i.e. userid/pwd) and eth1 (192.168.1.1) connected to the local network through a fast ethernet switch. The server is also a DHCP server for the local network (192.168.1.2 – 192.168.1.254). Now, I have configured Squid on this server so that local network PCs can access the internet through my server (which is behind the ISP's authenticated proxy). The detail of squid.conf is listed below:
——————–

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.1
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
acl plasma_net src 192.168.1.2
acl plasma_net src 192.168.1.3
acl plasma_net src 192.168.1.4
acl plasma_net src 192.168.1.5
http_access allow plasma_net
acl lan src 10.126.2.101 192.168.1.1
http_access allow localhost
http_access allow lan
http_access allow all
http_access allow localnet
http_access deny all
acl ftp proto FTP
http_access allow ftp
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
icp_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.1.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern (cgi-bin|\?) 0 0 0
refresh_pattern . 0 20 4320
always_direct allow all
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
visible_hostname plasma1
icp_port 3130
error_directory /usr/share/squid/errors/English
coredump_dir /var/cache/squid
cache_swap_high 95

——————-

When any PC on the network tries to use the internet, I get the following in my access.log, and
——————————————————
1249380227.459 10 192.168.1.4 TCP_REFRESH_UNMODIFIED/304 259 GET http://webmail1.cat.ernet.in/newmail/images/dotted_bullet.gif - DIRECT/10.11.100.123 -
1249380237.766 294 192.168.1.4 TCP_MISS/503 2419 GET http://www.google.com/ - DIRECT/209.85.231.104 text/html
1249380328.894 290 192.168.1.4 TCP_MISS/503 2468 GET http://www.google.com/ - DIRECT/209.85.231.104 text/html
1249380437.333 184 192.168.1.4 TCP_MISS/503 2350 GET http://www.yahoo.com/ - DIRECT/69.147.76.15 text/html
———————————————-
the user gets the following error:
while trying to retrieve the URL http://www.yahoo.com/ The following error was encountered: Connection to 69.147.76.15 Failed. The system returned: (101) Network is unreachable

[whereas I am able to access the above URL / IP from the server]

PLEASE, HELP me resolve this issue.

Reply

200 Ajit Upadhyay August 4, 2009 at 10:33 am

Hi!

I have a server with eth0 (10.126.2.101) connected to my ISP (proxy 10.31.31.10:3128 with authentication, i.e. userid/pwd) and eth1 (192.168.1.1) connected to the local network through a fast ethernet switch. The server is also a DHCP server for the local network (192.168.1.2 – 192.168.1.254). Now, I have configured Squid on this server so that local network PCs can access the internet through my server (which is behind the ISP's authenticated proxy). The detail of squid.conf is listed below:
——————–
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.1
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
acl plasma_net src 192.168.1.2
acl plasma_net src 192.168.1.3
acl plasma_net src 192.168.1.4
acl plasma_net src 192.168.1.5
http_access allow plasma_net
acl lan src 10.126.2.101 192.168.1.1
http_access allow localhost
http_access allow lan
http_access allow all
http_access allow localnet
http_access deny all
acl ftp proto FTP
http_access allow ftp
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
icp_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.1.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern (cgi-bin|\?) 0 0 0
refresh_pattern . 0 20 4320
always_direct allow all
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
visible_hostname plasma1
icp_port 3130
error_directory /usr/share/squid/errors/English
coredump_dir /var/cache/squid
cache_swap_high 95
——————-

When any PC on the network tries to use the internet, I get the following in my access.log, and
——————————————————
1249380227.459 10 192.168.1.4 TCP_REFRESH_UNMODIFIED/304 259 GET webmail1…. - DIRECT/10.11.100.123 -
1249380237.766 294 192.168.1.4 TCP_MISS/503 2419 GET http://www…/ - DIRECT/209.85.231.104 text/html
1249380328.894 290 192.168.1.4 TCP_MISS/503 2468 GET http://www…./ - DIRECT/209.85.231.104 text/html
1249380437.333 184 192.168.1.4 TCP_MISS/503 2350 GET http://www…/ - DIRECT/69.147.76.15 text/html
———————————————-
the user gets the following error:
while trying to retrieve the URL http://www…./ The following error was encountered: Connection to 69.147.76.15 Failed. The system returned: (101) Network is unreachable

[whereas I am able to access the above URL / IP from the server]

PLEASE, HELP me resolve this issue.

Reply

201 Ajit Upadhyay August 4, 2009 at 11:12 am

further info:
OS: openSuSE 11.0

Also, I have disabled the firewall as of now (my ISP is highly secure / protected).

Reply

202 Ajit Upadhyay August 4, 2009 at 11:44 am

I have also set in squid.conf

———————–
cache_peer 10.31.31.10 parent 3128 0 no-query
prefer_direct off
———————–

where my ISP’s proxy is 10.31.31.10:3128

but the error still continues.

Reply

203 Javier August 17, 2009 at 9:11 pm

Hello, I wrote the script exactly and got a problem: I cannot see my eth0 that connects to my local LAN.
How can I delete this script?

javier

Reply

204 Javier August 18, 2009 at 12:08 am

After I completed the script I got a problem: I can see the eth0 that is connected to my local network.

Reply

205 Marc August 18, 2009 at 6:59 am

Hello,
I'm using a transparent proxy bridge, and I noticed that a download never completes and it always cuts, as if the connection to the server is reset!
I'm using these rules in the firewall:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Where port 8080 is the DansGuardian port for URL filtering.
Any idea why the connection resets? It's like a TCP reset is being done.
Thanks.

Reply

206 jac August 18, 2009 at 3:35 pm

Hey, pay attention: kotnik's sed trick deletes ALL rows that CONTAIN a #, not just those that START with #.

Reply

207 John September 3, 2009 at 7:57 am

Hi,
I am running a transparent bridge with squid and dansguardian.
I noticed that a download can never complete and I get the message “The connection with the server was reset” as soon as the download starts.
Very small files (< 1 MB) are hardly able to finish.
Browsing is fine; the problem is only with the downloads, and they always cut.
Is anybody having a similar problem with a transparent bridge?
I would appreciate your help solving this critical matter.

Thanks.

John

Reply

208 theleftfoot September 3, 2009 at 9:44 am

hey guys,

I hope someone can help me out. I've got problems with the following two steps:

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

It doesn't work! I got this error:

test:/ # chmod +x /etc/fw.proxy
test:/ # /etc/fw.proxy
test:/ # service iptables save
service: no such service iptables
test:/ #

Can someone help me out?

cheers raffa

Reply

209 Anant Patel September 18, 2009 at 2:29 pm

hello!!!
My college server blocked many ports like 3128, 8822, 3127, 8125, 8130, so I can't access the net. I have to use only the college-provided net. What can I do? They also stopped the ports used by uTorrent.
Please help me.
Thank you.

Reply

210 safdar azam September 24, 2009 at 9:47 am

Hello. I am using Red Hat Linux version 3 and I have two LAN ports, both configured, so
I want to share my internet connection with a Winbee thin client. Tell me how I can connect with the thin client.
Please, I am waiting.

Reply

211 Stolz October 7, 2009 at 2:09 pm

AFAIK, the rule “iptables -A OUTPUT -o lo -j ACCEPT” is redundant, because the default policy rule “iptables -P OUTPUT ACCEPT” already allows all outgoing traffic on all interfaces.

Reply

212 Baswaraj Ramshette November 13, 2009 at 7:19 am

Hi,
I have followed whatever steps you have given in this article regarding transparent proxy configuration; I did everything according to your article.
I am getting the following error, please help me:
/etc/init.d/squid restart
Stopping squid: 2009/11/13 12:42:28| parseConfigFile: line 4519 unrecognized: ‘httpd_accel_host virtual’
2009/11/13 12:42:28| parseConfigFile: line 4520 unrecognized: ‘httpd_accel_port 80′
2009/11/13 12:42:28| parseConfigFile: line 4521 unrecognized: ‘httpd_accel_with_proxy on’
2009/11/13 12:42:28| parseConfigFile: line 4522 unrecognized: ‘httpd_accel_uses_host_header on’
. [ OK ]
Starting squid: . [ OK ]

On client side

The requested URL could not be retrieved.

Reply

213 Jeffry November 25, 2009 at 7:43 am

I need help. I use Ubuntu Jaunty 9.04 and want to configure Squid, and everything is okay, because I set the proxy 1.1.1.1:3128 in every browser. But if I want to make Squid transparent, I still get nothing. All I do is put transparent next to http_port 3128, and a few configuration lines like above, then put in iptables as usual:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
and in Ubuntu the iptables version is 1.1.4.1.
Please advise... my hair has become “fall season” :`(

Reply

214 e December 9, 2009 at 5:30 pm

How do I get on MySpace from school?

Reply

215 Live December 15, 2009 at 2:26 am

Does anybody’s question ever get answered in this tutorial? This tutorial is obsolete in later versions of SQUID!

Reply

216 Sye MUshtaq Ahmed December 24, 2009 at 7:24 pm

Hello,

Really, the guide is wonderful and it worked 100% for me, and even the clients using it are amazed at its speed. But there is one problem now!!! When a client accesses email, like Yahoo and Hotmail and any others, in IE a message shows after a few seconds: this page can't be displayed. Please solve my problem ASAP.
Regards

Reply

217 Sam December 31, 2009 at 8:49 am

Hello,
I am facing a problem when setting up the server as a router. My client can ping eth1 and eth0 successfully. However, the client can't browse the internet through the proxy server (eth0). For your information, I set up the proxy server following exactly what was written here. May I know what the problem is?

Thanks !

Reply

218 Devinka January 16, 2010 at 5:35 am

Hi,

Thanks for the howto. It works fine.

Reply

219 Lalit Kumar January 16, 2010 at 7:19 pm

Hi All,

I have an issue with my transparent Squid server: it is working transparently for its own subnet or VLAN systems.

For example, my Squid server IP is 172.16.110.24 and it's working fine for a system with IP 172.16.110.22.

But it is not working transparently for other systems like 172.16.119.37 and 172.16.122.43.
I added acl mynet src 172.16.110.0/24 172.16.119.0/24
http_access allow mynet

But it is working only for same-VLAN systems. Why?

Can anyone help me out with this issue?

Reply

220 gopi chand January 19, 2010 at 12:42 pm

Where can I add the following lines in squid.conf? Please help me, anybody. The lines are:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Reply

221 Kartik Vashishta February 4, 2010 at 5:33 pm

So I have to enable IP routing for this to work; what is the command to do that... tell eth0 to route to eth1?

Reply

222 bobzi February 12, 2010 at 6:19 pm

Dear LINUXTITLI
I configured Squid 2.5 with your configuration. Everything is fine, but HTTPS sites don't accept requests. I've tried several times to open HTTPS (the SSL port) in iptables with some different commands; however, I still have the problem. On the other hand, when I set the proxy in the Internet Options tab, clients can open secure sites; when I erase the proxy setting, only the secure sites have a problem logging in. And also I need to set up clients without any setting in the browser, for some reasons.
Actually I have a serious problem with this setting. I need some help.
Could you please give a solution?! Dear LINUXTITLI or somebody else.
I will be grateful.
Many thanks

Reply

223 Fredl February 12, 2010 at 11:26 pm

Hi,
kotnik's magic filter in posting #4 ignores the greediness of sed. His code will hide any lines containing a '#' (and following comment) somewhere in them. This will reflect an incomplete setup. Better to use this grep-only command:
grep -vE '^#|^$' /etc/squid3/squid.conf

To all the help-seekers here: better to try a suitable forum for your questions; a blog like this one is far from being a perfect platform for helping with configuration mistakes.

Regards,
Fredl.

Reply

224 Fredl February 12, 2010 at 11:33 pm

NB:
Sorry, forgot to say “thank you” for the fine tutorial, LINUXTITLI!
:)

@Lalit Kumar: try
acl mynet src 172.16.110.0/24 172.16.119.0/24 172.16.122.0/24
or simpler (but less restrictive):
acl mynet src 172.16.0.0/16

Most of the others here have some typos, too…

Reply

225 Manoj February 15, 2010 at 11:20 am

I configured an RHEL5 Squid server as a proxy server in a Windows environment. It gives me a problem for Outlook Express and for MS Outlook: users on the Windows side are not able to send and receive their e-mails. However, I have opened the safe ports and iptables rules.

Also, I want to configure a Squid server as a proxy server in such a way that some of the users are not able to access specific web sites but some users are able to access the same websites, while users get their IPs from a DHCP server.

Reply

226 saltio May 12, 2010 at 12:55 pm

Outlook Express and MS Outlook users on the Windows side are not able to send and receive their e-mails. What are the commands to open the safe ports and iptables rules? Thanks for the setup; this will save a lot of time.

Reply

227 vikram February 24, 2010 at 5:40 am

I have always noticed one thing: while going for transparent Squid or IP masquerading, I always have to keep my named service on and specify the DNS IP settings in the client. Is DNS necessary? Because we don't need that in normal (non-transparent) Squid. Kindly guide.

Reply

228 bezt March 4, 2010 at 3:04 pm

Can you tell me how I configure my iptables for a non-transparent proxy?
Thanks in advance,
regards

Reply

229 Sharon March 9, 2010 at 3:38 pm

Hi
I am very bad at Linux and have failed many a time, but I want to set up a similar system including web content filtering using the DansGuardian package. This system is intended for use in non-profit organisations with which I am associated. If somebody could spare some time to set up this system, please mail me back at my email address sharon.joel77@gmail.com

Best Regards,
Sharon.

Reply

230 Anil March 19, 2010 at 10:22 am

I want to set up Squid proxy servers (three) with one gateway server. I know it can be done with Linux LVS. Can somebody give me a detailed howto or step-by-step guide to set this up?

Thanks in advance

Reply

231 Nick April 9, 2010 at 9:02 am

Please help. I have installed and configured squid-3.1.1 on openSUSE 10.2 and it starts well, but for some reason client machines can't access the internet through Squid. I have one LAN port connected to the switch and I want all computers to use it as a proxy server with port 8080. Do I need to install Apache as well? Below are the configurations:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl mrc src 10.0.1.0/24
acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow mrc
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
http_port 3128
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_dir ufs /usr/local/squid/var/cache 1000 16 256
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
coredump_dir /usr/local/squid/var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname mskproxy.mrcuganda.org
icp_port 3130
always_direct allow all
cache_effective_user squid
cache_effective_group squid
htcp_port 4827
cache_mgr it@mrcuganda.org

Reply

232 JAYGUPTA September 7, 2011 at 6:15 am

Sir,
I want to make a transparent proxy but I don't know where to edit these lines (httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on) in squid.conf!
Please help me,

and thanks in advance!

Reply

233 Saad Hammad October 10, 2011 at 9:38 am

Did you change the acl localnet src 10.0.0.0/8 network to 10.0.0.0/24 yourself?
If you have given a separate acl mrc,
then there is no need to put in the RFC1918 definition; just put a # sign before the above line:

#10.0.0.0/8 # RFC1918 possible internal

and see if it works, provided 10.0.0.0 is your internal network.

Reply

234 ammar ali April 13, 2010 at 2:27 pm

I need all the proxy settings.

Reply

235 Sarmed Rahman April 18, 2010 at 11:09 am

a million thanks ^_^

Reply

236 Prasad May 13, 2010 at 12:36 pm

Thanks for the info.
I was really in need of this.

Reply

237 hmtum01 May 19, 2010 at 11:12 pm

How can I block users with MAC address filtering in a transparent Squid proxy?
Which version of Squid is that?

Reply

238 rocky May 31, 2010 at 4:42 am

thanks

Reply

239 Alex Y. Telkov (Russia) June 2, 2010 at 4:51 am

Thanks a lot! I have a problem with Total Commander
when users from the local net try to access FTP resources.
I have a classic architecture in the local HQ LAN: “LAN — Linux router — Cisco 871-k9 — Internet”. I apologize; your approach to solving the FTP port error problem helps me
solve my situation. If my “server under construction” were turned on at the moment,
I would start to implement your solution remotely immediately! :)

Reply

240 Pradip Raut Chhetri June 6, 2010 at 1:07 pm

I have done everything, the 3 easy steps for a transparent proxy, but every time I restart Squid I'm getting an error regarding the following:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Help me. Do I have to set up an httpd server before configuring your “3 easy steps transparent proxy”?

Thank YOU

Reply

241 gbrane June 14, 2010 at 11:16 am

Important!
For Ubuntu users!
In /etc/sysctl.d/10-network-security.conf
these must be commented out:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
I lost one month solving this problem!

Reply

242 Lawrence Giam June 22, 2010 at 9:51 am

Hi All,

I am trying to install and configure a transparent proxy, but it doesn't seem to work.

This is my setup:
Server #1 (Proxy Server)
eth0 IP : 10X.XXX.94.XX
eth0 GW : 10X.XXX.94.1
eth0:1 IP : 10.0.2.139
eth0:1 GW : No gateway specified

## /etc/squid/squid.conf ##
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT

acl lan src 10.0.2.0/24
http_access allow localhost
http_access allow lan
cache_mem 50 MB
http_port 3128 transparent
icp_port 3130

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl localnet src 10.0.2.0/24

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

icp_access allow localnet
icp_access deny all

hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts

coredump_dir /var/spool/squid
##############################

## iptables rules ##
SQUID_SVR="10.0.2.139"
SQUID_PORT="3128"
INET_IFACE="eth0"

INT_NET="10.0.2.0/24"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
iptables -A FORWARD -s $INT_NET -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $INT_NET -j ACCEPT
iptables -A OUTPUT -s $INT_NET -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $INT_NET -p tcp --dport 80 -j DNAT --to $SQUID_SVR:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

#open everything
iptables -A INPUT -i $INET_IFACE -j ACCEPT
iptables -A OUTPUT -o $INET_IFACE -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
###########################

Server #2 (Webserver)
eth0 IP : 10X.XXX.98.XXX
eth0 GW : 10X.XXX.98.1
eth0:1 IP : 10.0.2.191
eth0:1 GW : No gateway specified

## iptables rules ##
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.2.139:3128
####################

To check if Squid is being accessed, I tail /var/log/squid/access.log

Using curl http://www.myservers.com
I get the response but there is no hit on Squid, which means that the request went out via the Server #2 gateway.

Can anyone advise if there is any other rule I need to add, and on which machine?

Reply

243 DEEPAK June 30, 2010 at 7:41 am

Can anybody help with configuring the Linux firewall? This is my first time using it. Please help me with how to configure it; give some link, or send the commands.

Reply

244 Vijith P A August 31, 2010 at 4:04 pm

Hi guys,
I configured the proxy server as transparent in the above-mentioned way, except for this code: httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

When I try to access the internet on the client side it shows the error message “The following error was encountered while trying to retrieve the URL: /

Invalid URL”. Actually I typed http://www.google.com
The error message in the /var/log/squid3/access.log file is
1283269708.780 0 192.168.1.121 NONE/400 1951 GET /firefox - NONE/- text/html

Reply

245 tendy September 9, 2010 at 4:00 pm

Will anyone ever give a solution to this problem???

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Help me. Do I have to set up an httpd server before configuring your “3 easy steps transparent proxy”?

Reply

246 Anonymous September 20, 2010 at 9:54 pm

grep ^[^#] /etc/squid/squid.conf

Reply

247 pdk October 4, 2010 at 1:00 pm

It's not at all working as a transparent proxy. I have RHEL 5.3 and Squid 3. Packets reach the clients only after specifying the port and gateway IP, otherwise not.

Reply

248 wezt October 29, 2010 at 7:16 am

@vijith and tendy

AFAIK but CMIIW,

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

It's not for Squid 3: all of the above directives are not for the squid-3.x version; they were only valid until squid-2.6.

Reply

249 Bishal November 16, 2010 at 6:42 am

Hello all,

I have a different scenario. I have a Linux firewall and Squid installed on different servers.
How can I forward all LAN clients to the Squid box from the Linux router, since forwarding from the Cisco router makes the Squid box see all clients coming from the Linux gateway IP? I want to see individual IP logs on the Squid box. How is it possible?

cisco router
|
|
Squid box rl0(172.160.10.2)—–|——-Linux router eth0(172.16.103)
|
eth1
|
LAN CLients (192.168.9.0/24)

Reply
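The router-side rules for the layout described in comments 191 and 249, where Squid runs on a separate host, added here as an example and not the article's fw.proxy script. Two things go wrong in that layout: a plain MASQUERADE on the outbound interface also rewrites the flows that were just DNATed to the Squid host, so Squid logs the router's address instead of each client, and connections already addressed to the Squid host must not be DNATed a second time. The interface names, the 192.168.9.0/24 client network and the Squid address 172.16.10.2 are assumptions taken from the diagram above; change them to match your network.

```shell
#!/bin/sh
# Added example, not the article's fw.proxy script: router-side rules for a
# Squid box that is a separate host (comments 191 and 249). Every interface
# name and address below is an assumption; edit them to match.
# DRY_RUN=1 prints the commands instead of executing them.
LAN_IFACE=${LAN_IFACE:-eth1}          # router interface facing the clients
INET_IFACE=${INET_IFACE:-eth0}        # router interface facing the Internet and the Squid host
LAN_NET=${LAN_NET:-192.168.9.0/24}
SQUID_SVR=${SQUID_SVR:-172.16.10.2}   # assumed address of the Squid host
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-iptables}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite client port-80 traffic to the Squid host. Connections already
    # addressed to Squid (browser-configured clients on :3128) are left alone.
    # If the Squid host itself sits inside LAN_NET, exclude it with a rule
    # above this one, or its own fetches would be DNATed back to it.
    run "$IPT" -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN_NET" ! -d "$SQUID_SVR" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID_SVR:$SQUID_PORT"

    # Masquerade only what really leaves for the Internet. POSTROUTING sees the
    # rewritten destination, so the redirected flows keep the client's source
    # address and Squid logs each client instead of the router. The Squid host
    # must then have a route for LAN_NET via this router.
    run "$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" ! -d "$SQUID_SVR" -j MASQUERADE

    # Filter table: allow the redirected flows, their replies, and plain HTTPS.
    run "$IPT" -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -d "$SQUID_SVR" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # Port 443 is routed, not proxied: a plain transparent proxy cannot see
    # inside TLS, so the CONNECT/SSL_ports ACLs only apply to clients that
    # are configured to use the proxy explicitly.
    run "$IPT" -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply when invoked as "sh fw-router.sh apply"; sourcing the file only
# defines the functions.
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run `DRY_RUN=1 sh fw-router.sh apply` first to review the generated rules, then `sh fw-router.sh apply` on the router. Note that HTTPS is never intercepted here, which is also the answer to the questions elsewhere in this thread about blocked sites still opening over https: a transparent proxy of this kind only ever sees port 80.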

250 sleiman December 18, 2010 at 11:19 pm

Hi all,
I want to make a cache server.
Anybody, help me.
No problem about money, I can pay.
Please send me an email.
Thanks all.

Reply

251 sajeet January 24, 2011 at 11:08 am

hi,

Nice script for a transparent proxy server.

In your script you use 2 LAN cards for the proxy settings,

but I have only one LAN card on my Squid proxy server; this is working fine.
But I want to know how to configure a transparent proxy server using 1 LAN card.

I use Squid 2.5 Stable on Red Hat 9,
so please help me; waiting for your reply.

Reply

252 aditya February 5, 2011 at 6:54 am

I have installed Red Hat Enterprise Linux 5 on one PC to make a web proxy server.
Internet access on this machine is working OK. The other Win XP PCs cannot access the internet. I have configured Squid as:
acl lab src 192.168.2.1-192.168.2.249/255.255.255.0

Please help me.

Reply

253 Volverin (Vivek) February 9, 2011 at 9:13 pm

THANKS LOADS for the information. Following you.

Reply

254 Bikash February 18, 2011 at 6:57 am

Hi frnds…
I have installed Linux 5.0 and configured Squid, but there is a problem with transparent Squid.
Can anybody tell me how to make my Linux transparent to the client desktop?
My Squid is working when I manually put the proxy address in the internet browser.
I want to make it transparent so there is no need to put the proxy in the internet browser.
I have a broadband connection.

Thanks

Reply

255 Atul M February 20, 2011 at 7:23 am

Guys!!!

Three hats off to this article and the people who have contributed everything before my opinion.

This is one of the EXCELLENT!!! web pages on the internet.

I would say THE BEST

Reply

256 nikhil February 24, 2011 at 4:46 am

hi
Can anyone tell me how to set the time limit in DansGuardian?

Thanks in advance

nikhil

Reply

257 Denie April 25, 2011 at 4:01 am

My Squid server has only 256 MB RAM and a P4, and serves ~300 clients. Why do you need such a big amount of RAM (8 GB) for only 150 clients?

Reply

258 Wasim Sheikh April 26, 2011 at 10:27 am

That is not filtering HTTPS traffic; the user can access the blocked sites via HTTPS. Please suggest how to filter HTTPS traffic via the transparent proxy.

Reply

259 Syed Mushtaq Ahmed April 27, 2011 at 4:22 pm

Hi,
I have configured the Squid 2.6 STABLE6 server using Fedora Core 6. It has 2 ethernet cards: eth0 is used for the internet (LAN) and eth1 is connected to the local area.
eth0 using IP 192.x.x.x
Netmask 255.255.255.0
Gateway 192.168.x.x
DNS 203.x.x.x
DNS 203.x.x.x
eth1 using IP 192.x.x.x
Netmask 255.255.255.0

When I run the fw.proxy script, save iptables and restart Squid, then I ping eth0 from the client site and it's replying, and I also ping eth1 and it's not replying.
So please give me the solution for this.

Reply

260 turn the power on May 31, 2011 at 6:25 pm

grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
RRRRRIGHT !!!!! … sed is … FOR ?!? what EXACTLY ?!?
Your personal pleasure, or just to prove beyond any reasonable doubt that you are really "PRO"?

grep -ve ^# -ve ^$ /etc/squid/squid.conf
is the right line

but you really LOST ME when you PROVED BEYOND ANY REASONABLE DOUBT THAT YOU ARE RETARDED !

cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
ignoring some cat that is there for nothing, sed 'blabla' filename does the same thing

and telling you, your beloved command is cutting any single thing with a # in it, so it will TOTALLY CUT VALID DIRECTIVES, like this one:
acl Safe_ports port 80 # http

TURN THE POWER ON RETARD !!!!!

Reply

261 soumalya June 3, 2011 at 4:18 am

Sir

I have two labs in my college, one is the 172.16.0.0 series and another is the 192.168.10.0 series.
Now I want to allow both labs to access the internet through Squid, which has the IP address 172.16.0.10.

Please help.

Reply

262 Amos Jeffries June 3, 2011 at 9:42 am

This whole article is now 5 years old and the version it was written for is squid-2.5. Both Squid and iptables syntax have changed.

It needs to be removed from public distribution please. Current documentation can be found in the official Squid wiki website.

Reply

263 ericmilyon July 24, 2011 at 6:33 am

hi,

I'm a newbie. Can I know if I can use iptables using FreeBSD?

Thanks..

Reply

264 Muhammad Naveed July 27, 2011 at 12:47 pm

Hi, I am using Linux 5 and Squid 2.6.STABLE21. My eth0 IP is 77.0.0.4 and eth1 is 192.168.0.3. I want to set 3128 as my Squid port. I am unable to add or modify the lines mentioned below. I don't know where to add these 4 lines.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Reply

265 Iain August 11, 2011 at 7:44 pm

Hi,

I tried running your script and got the following error

FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.32-5-686/kernel/net/netfilter/nf_conntrack_ftp.ko): Cannot allocate memory

Reply

266 JAYGUPTA September 7, 2011 at 6:24 am

I am using Squid version 3.0 and I want to make a transparent proxy, please help me.
I edited one line in squid.conf and this line is
http_access 8080, which I changed to
"http_port 3128 intercept"
but it does not work. Please tell me why??????

Reply

267 ben October 16, 2011 at 2:00 am

I live in Europe, but I'd like my Xbox 360 to connect to Xbox Live in the States.

Currently, I have the Xbox go through my PC, which is configured for the ISA proxy. But I'd love a solution that doesn't require my PC running!

Maybe a tiny bare-bones Linux machine (Raspberry Pi? Chumby? modified DD-WRT/Tomato router?) that is capable of connecting the Xbox to the internet via a proxy or VPN.

Any suggestions?

Reply

268 jonasor October 24, 2011 at 8:57 pm

Hi, my question is:
How can I make a specific IP not pass through the proxy?
What would be the rule in iptables?

Reply

269 abizar October 25, 2011 at 9:46 am

How can I configure Squid as a transparent proxy in Windows 7?
I installed Squid 2.7 STABLE8 on Windows 7.

Reply

270 LtPitt October 28, 2011 at 11:51 am

Hi all!

I have a lovely Squid proxy working, but my Windows clients on the LAN can't access our mail server (external, on the internet) using Outlook Express.

What can I do to solve the problem?

Reply

271 Oleg November 26, 2011 at 12:22 am

Hi, I have the same problem as bobzi.

Everything is fine, but HTTPS sites don't accept the request. When I set the proxy in the Internet Options tab, clients can open secure sites; when I erase the proxy setting, only the secure sites have a problem.
Could you please give a solution?! Dear LINUXTITLI or somebody else.
I will be grateful.
Many thanks

Reply

272 arfie December 23, 2011 at 1:02 pm

Dear All,
How do I disconnect a client connected through the Squid proxy?

Reply

273 Khuram Raza January 2, 2012 at 3:43 pm

Excellent tip on transparent proxy,

but I want to configure a parent proxy (cache_peer). Can I do it with the transparent proxy anyhow? So far, whenever I run your script my VPN (hamachi) stops working, thus no connection to the parent proxy.

Reply

274 Thura Ko Ko March 15, 2012 at 8:58 pm

Hi Khuram Raza. You should run NAT + Squid.
1. Stop the Squid service: # service squid stop
2. Open NAT: # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# service iptables save
# service iptables restart
3. Test the connection (auto-detect in Firefox). If it runs, the step is complete.
4. Restart Squid: # service squid restart
5. Add the rule in iptables: # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.254:3128
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# service iptables save
# service iptables restart

6. Run at startup: # chkconfig squid on
# chkconfig iptables on

Reply

275 Thura Ko Ko March 15, 2012 at 9:05 pm

192.168.1.254:3218 is the LAN IP and port (if you run it on your network port, e.g. 3218 now).

Reply

276 David January 10, 2012 at 12:46 am

I want to set up an online/cloud transparent proxy server that will act as a gateway for all my client PCs' internet connections, with authentication (e.g. PC MAC, username and password) to connect to the proxy server.

Please, how is it possible to set up this proxy server??

Reply

277 Y RCRAO January 22, 2012 at 5:35 am

Dear Sir,
Please give the steps for how to install squid.conf on an RHEL-4 system.

Reply

278 saint February 22, 2012 at 3:25 pm

Hello everyone, I need some help to set up a transparent proxy and gateway (firewall). I have a clean installation of my server: CentOS 6.2, Squid 3.1 and DansGuardian working, but my LAN clients don't have internet; only if I manually configure the browser does it work, and I need transparent mode. Please, can someone help me? Here are the steps and configuration. I am a newbie. Thank you for your help.

1. IP configuration
eth0: 10.0.0.2
      255.255.255.0
      10.0.0.1
DNS   8.8.8.8
      4.4.4.4
eth1: 192.168.30.254
      255.255.255.0
DNS   8.8.8.8
      4.4.4.4
Squid configuration
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.30.0/24	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 intercept
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 3000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
visible_hostname Aldebaran
2. DansGuardian configuration
I just modified this:
# Network Settings
#
# the IP that DansGuardian listens on.  If left blank DansGuardian will
# listen on all IPs.  That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip =
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 192.168.30.254
# the port DansGuardian connects to proxy on
proxyport = 3128
3. Enable NAT support
echo 1 > /proc/sys/net/ipv4/ip_forward
4. Add the redirection rule in iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.30.254:8080
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I completed these steps, then saved the iptables file with nano and restarted the firewall with the following command, and it shows me the error.
[root@fw ~]# service iptables restart
 iptables: Flushing firewall rules:                           [  OK  ]
iptables: Setting chains to policy ACCEPT: filter     [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 8 failed [FAILED]

I don't know what else to do, please help.

Reply
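The `iptables-restore ... failed` error above comes from the layout of the file, and the same point covers the NAT + Squid steps Thura Ko Ko listed earlier: rules for PREROUTING and POSTROUTING belong to the nat table (`*nat`), and iptables-restore rejects them under `*filter`. The following is an added example, not code from the article, from nixcraft's script or from any comment: a trimmed, constructed copy of the posted file, a corrected layout (the FORWARD and MASQUERADE rules are my assumption of what the gateway needs; eth0/eth1 and port 8080 follow the comment), and a small checker for the table/chain pairing.

```shell
# Added example, not code from the article or the comments. iptables-restore
# rejects a chain that is not in the table in force: PREROUTING and POSTROUTING
# belong to *nat (or mangle/raw), never to *filter, so the file fails at that line.
# check_tables FILE: report "-A" lines whose chain is not in the current table.
# Returns 0 when the file is consistent, 1 otherwise.
check_tables() {
  table='' n=0 bad=0
  while IFS= read -r line; do
    n=$((n + 1))
    case $line in
      \**) table=${line#\*} ;;             # "*nat", "*filter", ...
      "-A "*)
        chain=${line#-A }; chain=${chain%% *}
        case "$table:$chain" in
          filter:PREROUTING|filter:POSTROUTING|nat:FORWARD)
            echo "line $n: chain $chain does not exist in table $table"; bad=1 ;;
        esac ;;
    esac
  done < "$1"
  return $bad
}
# Constructed, trimmed copy of the posted layout: the DNAT rule sits under *filter.
broken_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.30.254:8080
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}
# Corrected layout (assumption about what the gateway needs): interception and
# masquerading in *nat, host and forwarding policy in *filter.
fixed_rules() {
cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
broken_rules > /tmp/broken.rules; check_tables /tmp/broken.rules || echo "broken layout rejected"
fixed_rules > /tmp/fixed.rules; check_tables /tmp/fixed.rules && echo "fixed layout OK"
```

The corrected file also opens the FORWARD chain for eth1 to eth0, which the posted file rejects outright; without that, traffic that is not intercepted (DNS, HTTPS) never leaves the LAN.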

279 alex March 11, 2012 at 11:27 am

Hello guys, thank you very much for this how-to guide.

I wanted to ask how I can restrict a single IP/client on my LAN from access to the HTTP port (internet browsing) or any other port.
My Linux box is also a web server, DHCP server + proxy.
I've changed the firewall script with nixcraft's suggestions in this reply.

Reply

280 pixel June 22, 2012 at 10:39 am

Is there any way to do the same with SSH?
I have a VPN network and want to have all the clients who connect via SSH automatically forwarded to Tor.

Reply

281 WIN July 11, 2012 at 4:27 am

Sir,
how can I do this: now I have a proxy server and I need to connect it directly to the router,
and I need all clients to pass through the proxy server and then through the router to the internet.
Please help.

Reply

282 Javi July 31, 2012 at 12:45 pm

here’s another one …

grep ^\# file | grep .

;)

Reply

283 Zach August 8, 2012 at 8:56 pm

I was wondering if there was any helpful advice on turning the iptables commands into config notes when running Shorewall?
I use Shorewall to manage all my firewall activities and since it's a top layer over iptables, I figure there must be a way to translate. I think that is the final piece I need to get this working.

Reply

284 Mushy September 8, 2012 at 2:26 pm

I am using a Squid transparent proxy server and I want to block HTTPS requests like Facebook and Gmail. Can anyone tell me how it is possible?

Reply

285 Dentist September 30, 2012 at 9:18 am

Finally after reading dozens of instructions this one finally worked!

Reply

286 linuxsn October 17, 2012 at 10:05 pm

Thanks for this document. I want to know how I can configure NAT if my eth0 is not directly connected to the internet?

Reply

287 LinkoVitch November 9, 2012 at 10:54 am

Simpler grep command for you:

grep -e "^[^#]" squid.conf

Reply

288 TunnelGuru November 27, 2012 at 1:41 pm

A transparent SSL proxy can be achieved using iptables and libnetfilter_queue.
Such a module is there in TunnelGuru software to forward traffic.

Reply

289 Yogesh December 30, 2012 at 6:15 pm

Hi Vivek,
I am using a Squid proxy (non-transparent); everything seems fine, but sometimes I need to bypass some of my users for direct access to the internet with proxy settings in the browser.
For the same I run the following command.
iptables -t nat -A POSTROUTING -s 192.168.1.200 -p tcp -m state --state NEW,ESTABLISHED -j SNAT --to-source 210.123.65.175
This will open everything for the IP address 192.168.1.200.

But I don't want to open everything except port 80. Can you please help me configure the same.

Reply

290 Rakesh April 15, 2013 at 5:21 am

Does the Squid proxy work for tun interfaces in transparent mode?

Reply

291 srinivas April 26, 2013 at 11:43 am

I installed Squid; it is working very slowly if I browse anything from the client machines.

For the server I inserted two NIC cards; do I need to give the same IP and gateway for both, or different ones?

Please help me.
Thanks,
Srinivas

Reply

292 srinivas May 3, 2013 at 1:09 pm

Now it is resolved.

Reply

293 srinivas May 3, 2013 at 1:08 pm

I installed the Squid transparent proxy server on one system (eth0=192.168.1.203, eth1=192.168.3.5). I deployed one application on one system (proxy client, eth0=192.168.3.60). We have a router with IP 192.168.1.1.

Now I can access this application from the LAN (proxy server area 192.168.3.0/24). But I am unable to access this application from 192.168.1.0/24 and the external network.

Can you please help me with how I can give remote access to the app on the proxy client system.

Thanks, Srinivas

Reply

294 Arun June 7, 2013 at 8:20 am

Hi, I configured a Squid server on a Linux server and it's working, but when I use Wi-Fi through the Squid server, Android apps are not working; only Internet Explorer is working on my Android mobile. So I just want to know how I can run Android apps on my mobile through the (Wi-Fi) Squid server. Please tell me, thanks.

Reply

295 Babin Lonston February 17, 2014 at 5:17 am

Just give your Squid server's IP as the default gateway to the mobile.

Reply

296 Kris July 13, 2013 at 4:48 pm

You can also use grep to remove all commented or blank lines from a file:

egrep -v '^#|^$' filename.txt

Reply

297 Bibekananda mIshra August 8, 2013 at 2:07 pm

Please help me configure the Squid proxy server. I am new to Linux. I want to block the unwanted downloads from torrentz.com and limit the bandwidth of whoever is able to download from torrentz.com.

Reply

298 derp derpson October 3, 2013 at 10:37 am

instead of
grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
you can
egrep -v "^#|^$" /etc/squid/squid.conf

Reply
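The one-liners in this and the earlier comments (turn the power on, Javi, LinkoVitch, Kris) behave differently on Squid's own default file, which puts comments after directives (`acl Safe_ports port 80 # http`). An added example, not from the article or any comment, run on a constructed sample: an anchored pattern keeps those lines with the comment text attached, a pattern matching `#` anywhere drops them, and stripping only the comment part keeps the bare directive; the last form assumes `#` never occurs inside a directive value.

```shell
# Added example, not from the article or any comment above. Constructed squid.conf
# sample: full-line comments, blank lines and directives with trailing comments.
sample_conf() {
cat <<'EOF'
# Recommended minimum configuration:

acl Safe_ports port 80   # http
acl Safe_ports port 443  # https
http_access deny !Safe_ports

#http_access deny to_localhost
http_port 3128 intercept
EOF
}
# Anchored pattern (article style): drops only whole-line comments and blanks;
# the two acl lines survive with their "# http" text still attached.
strip_anchored() { grep -v '^#' "$1" | sed '/^$/d'; }
# Unanchored pattern: drops every line that contains '#', including both acl lines.
strip_anywhere() { sed '/ *#/d; /^ *$/d' "$1"; }
# Removes only the comment part, then the lines left empty. Assumes '#' never
# appears inside a directive value (e.g. a regex in refresh_pattern).
strip_trailing() { sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"; }
# count_lines FUNC: number of lines FUNC leaves from the sample
count_lines() { sample_conf > /tmp/sample.conf; "$1" /tmp/sample.conf | wc -l | tr -d ' '; }
for f in strip_anchored strip_anywhere strip_trailing; do
  echo "$f keeps $(count_lines $f) lines"   # 4, 2 and 4 respectively
done
```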

299 vikas October 24, 2013 at 1:08 pm

Hi All,
I configured the Squid server by following these steps and it's working fine.
But my Thunderbird and Outlook are not working on my system.
Can anyone help me out with this problem.

Thanks

Reply

300 venkat April 28, 2014 at 9:36 am

(Client side: Windows Server 2008 users, AD users.) How can I block internet sites through the Linux Squid proxy server? Is it possible? Please guide me.

Reply

301 Ralph May 10, 2014 at 3:03 am

@venkat – you may see this forum http://nixcraft.com/showthread.php/16253-Squid-Proxy-Block-Facebook-com-amp-Orkut-com-Social-Networking-site

This is a very helpful tutorial for the Squid server. Thank you very much.

Reply
