Monday, January 24, 2011

How to Set Up Transparent Proxy with Squid3 and dhcp3-server on Ubuntu Lucid

Squid is a well-known and widely used caching proxy for HTTP, HTTPS, FTP and other web protocols. It caches frequently requested objects, which cuts bandwidth use and response time. Squid runs on almost every platform, including Windows, is open source, and is licensed under the GNU GPL.

The advantage of running Squid as a transparent proxy is that you don't have to configure each machine on your LAN to use it: port-80 traffic from the LAN is redirected to Squid's listening port automatically, and your Ubuntu box acts as the router. Keep in mind what this does not cover. Only plain HTTP on TCP port 80 is intercepted; HTTPS and every other protocol simply pass through the NAT untouched, so this setup gives you no visibility into or control over encrypted traffic, and a client that talks to a web server on any other port bypasses the proxy entirely.

Follow these steps to set up a Transparent Proxy Server with Squid3 on Ubuntu Lucid (10.04).

1. Install Ubuntu Lucid Server or Desktop on your computer. Both Server and Desktop editions are capable of doing this job equally well.

2. Change your network interfaces from DHCP to Static.

sudo nano /etc/network/interfaces

Tip: You can also use gedit instead of nano if you are using Ubuntu Desktop.

Delete all the text and paste this text in your interfaces file (keep the loopback stanza: the stock file has it and local services rely on the loopback address):

# Loopback; present in the stock file, do not drop it
auto lo
iface lo inet loopback

# WAN side
auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

# Load the NAT rules from step 8 whenever eth0 comes up
post-up iptables-restore < /etc/iptables.up.rules

# LAN side (no gateway line: this box is the gateway for the LAN)
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
Where 192.168.1.100 is the IP address of your WAN interface and 192.168.2.1 is the IP address of your LAN interface.

3. Install squid3:

sudo apt-get install squid3

4. Make a backup of your squid.conf for future reference. The shipped squid.conf lists nearly every option together with its documentation, so it is worth reading through it to learn what Squid can do.

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original

5. Configure squid3.

sudo nano /etc/squid3/squid.conf

Remove all the text and paste this text in your squid.conf file for a minimal configuration:

# Listen only on the LAN address so nothing on the WAN side can reach the proxy.
# "transparent" is the keyword for the Squid 3.0 that Lucid ships; Squid 3.1
# and later call the same mode "intercept".
http_port 192.168.2.1:3128 transparent
acl LAN src 192.168.2.0/24
acl loopback src 127.0.0.1/32
http_access allow LAN
http_access allow loopback
# Explicit default: refuse anyone not matched above
http_access deny all
cache_dir ufs /var/spool/squid3 20000 16 256

Where 192.168.2.0/24 is the address range of your LAN interface. The explicit deny all matters: Squid's implicit default is merely the opposite of the last http_access line, so a later edit that ends the list with an allow would turn this into an open proxy.

The last line defines the cache directory for squid3 to use. The first number is the size of the cache in MB (20 GB here); 16 and 256 are the numbers of first- and second-level subdirectories the cache is split into. Squid reports any error in this file to /var/log/squid3/cache.log when it starts.

Save and close this file.

6. Restart squid3:

sudo /etc/init.d/squid3 restart

7. Edit /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

In this file, uncomment the line that enables packet forwarding for IPv4; without it the box will not route anything for the LAN:

net.ipv4.ip_forward=1

Leave the IPv6 line (net.ipv6.conf.all.forwarding=1) commented out unless you actually route IPv6 for the LAN: once forwarding is on, the kernel stops accepting router advertisements on eth0 unless accept_ra is set to 2, so enabling it on a box with no IPv6 setup can only cost you connectivity. The setting takes effect at the reboot in step 10.

Save and close this file.

8. Define the iptables NAT rules that send LAN web traffic to Squid and masquerade the rest.

sudo nano /etc/iptables.up.rules

Paste this text in the file that opens up:

*nat
# TCP port 80 arriving from the LAN is diverted to squid's port on this box
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Everything else from the LAN is NATed out through the WAN interface
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT

One interception rule is enough: REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, 192.168.2.1 here, which is exactly what a DNAT to 192.168.2.1:3128 would do, and when both are listed only the first ever matches. Match on the LAN interface only; an interception rule on eth0 would steer anyone upstream of you into your proxy. Note also that this file holds only the nat table. It sets no filter rules, so the box still accepts any inbound connection on eth0 that a listening service answers; firewalling the WAN side is a separate job.

Save and close this file.

9. Edit /etc/rc.local:

sudo nano /etc/rc.local

Paste this line above the final exit 0 (anything placed after exit 0 never runs):

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

This is a fallback in case the post-up hook in /etc/network/interfaces did not fire; if it did, the rule is simply listed twice, which is harmless.

Save and close this file.

10. Reboot your server.
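Before rebooting (or afterwards, against the live rule set), it is worth checking the NAT table rather than trusting it. The following POSIX shell script is an added example, not code from the original post: nat_rules writes the rule file above from a few variables, and lint_nat reads an iptables-save -t nat dump and flags a missing or duplicated port-80 interception rule, interception on the WAN interface (which would pull upstream hosts into your proxy), and a missing MASQUERADE. The interface names, subnet and port are assumptions mirroring this post's layout; the "! -d" exclusion in the generated rule, which keeps LAN-to-LAN web traffic out of the proxy, is a choice of this example, not something the post does; and the rule dumps used to exercise the lint are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the nat table for
# iptables-restore with a single interception rule, and lint an existing
# nat table dump for the mistakes that break or over-expose the setup.
# Interface names, subnet and port are assumptions that mirror the post's layout.

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.2.0/24
PROXY_PORT=3128

# Emit an /etc/iptables.up.rules for this layout. One PREROUTING rule is
# enough: REDIRECT rewrites the destination to the address of the interface
# the packet arrived on, so an extra DNAT to 192.168.2.1:3128 would be dead.
# "! -d $LAN_NET" keeps LAN-to-LAN web traffic (a printer's web UI, say)
# out of the proxy; drop it if you want that traffic cached too.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF ! -d $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Count the lines of the dump in $1 that match the ERE in $2 (0 if none).
count_rules() {
    n=$(printf '%s\n' "$1" | grep -Ec -e "$2") || true
    echo "${n:-0}"
}

# Lint a nat table (the output of "iptables-save -t nat" on stdin).
# Prints one line per finding and returns the number of findings.
lint_nat() {
    dump=$(cat)
    problems=0
    intercept="--dport 80 .*-j (REDIRECT|DNAT)"

    n=$(count_rules "$dump" "^-A PREROUTING -i $LAN_IF .*$intercept")
    if [ "$n" -eq 0 ]; then
        echo "no port-80 interception rule on $LAN_IF: clients bypass squid"
        problems=$((problems + 1))
    elif [ "$n" -gt 1 ]; then
        echo "$n interception rules on $LAN_IF: only the first ever matches"
        problems=$((problems + 1))
    fi

    n=$(count_rules "$dump" "^-A PREROUTING -i $WAN_IF .*$intercept")
    if [ "$n" -gt 0 ]; then
        echo "interception rule on $WAN_IF: hosts upstream of you get steered into the proxy"
        problems=$((problems + 1))
    fi

    n=$(count_rules "$dump" "^-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE")
    if [ "$n" -eq 0 ]; then
        echo "no MASQUERADE for $LAN_NET on $WAN_IF: non-HTTP LAN traffic cannot leave"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage on the gateway (not run automatically when this file is sourced):
#   nat_rules > /etc/iptables.up.rules && iptables-restore < /etc/iptables.up.rules
#   iptables-save -t nat | lint_nat
```

Run it against the live table with iptables-save -t nat | lint_nat; a non-zero exit status is the number of findings, and the rule file from the post as it stood with both a DNAT and a REDIRECT line trips the duplicate check.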

If you don't want to visit each machine on your network and configure a static IP, you can use dhcp3-server to hand out dynamic IPs to all the computers on your LAN and point them at your Squid box as their default gateway, so all their internet traffic passes through it.

11. Install dhcp3-server:

sudo apt-get install dhcp3-server

12. Edit /etc/default/dhcp3-server:

sudo nano /etc/default/dhcp3-server

Type eth1 in between the quotes in this line:

INTERFACES=""

Save and close this file.

13. Make a backup of your original /etc/dhcp3/dhcpd.conf:

sudo cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.original

14. Edit /etc/dhcp3/dhcpd.conf:

sudo nano /etc/dhcp3/dhcpd.conf

Delete all the text and paste this text in the file that opens up:

authoritative;

default-lease-time 3600;
max-lease-time 3600;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
option domain-name-servers 8.8.8.8, 8.8.4.4;
option domain-name "my.domain.name";

subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.3 192.168.2.253;
}

We are using Google DNS in this example. You can use your own DNS Server if you've configured one on your network.

Save and close this file.

Make sure all the cables on your network are plugged in and the devices are powered on.

15. Start dhcp3-server:

sudo service dhcp3-server start

16. Reboot your server. After it comes back up, a LAN client that has taken a lease should browse normally; a quick way to confirm that the proxy is actually in the path is to look for the Via header that Squid adds to the responses it serves.
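A misfiled dhcpd.conf fails in ways that look like a proxy problem: clients get a gateway they cannot reach, or the pool hands the gateway's own address to a client. The following POSIX shell script is an added example, not code from the original post. It reads a dhcpd.conf shaped like the one above and checks that the pool lies inside the declared subnet, that it excludes the network, broadcast and gateway addresses, and that the routers option is inside the subnet. Only the first subnet block and the first router address are examined, and the configurations used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a dhcpd.conf
# written like the one above before starting dhcp3-server. It catches the
# mistakes that leave LAN clients unable to reach the gateway (and hence the
# proxy): a pool outside the declared subnet, a pool that hands out the
# gateway's own address or the network/broadcast address, and a "routers"
# option that is not in the subnet. Only the first subnet block and the first
# router address are examined. The sample configurations are constructed.

# Dotted quad -> unsigned 32-bit value, in plain POSIX sh arithmetic.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print capture group $3 of the first line of $1 matching the sed BRE $2.
field() {
    printf '%s\n' "$1" | sed -n "s/$2/\\$3/p" | head -n 1
}

# Lint a dhcpd.conf read from stdin. Prints one line per finding and
# returns the number of findings (0 means pool, gateway and subnet agree).
lint_dhcpd() {
    conf=$(cat)
    problems=0
    sub_re='^[[:space:]]*subnet \([0-9.]*\) netmask \([0-9.]*\).*'
    range_re='^[[:space:]]*range \([0-9.]*\)[[:space:]]\{1,\}\([0-9.]*\);.*'
    subnet=$(field "$conf" "$sub_re" 1)
    mask=$(field "$conf" "$sub_re" 2)
    router=$(field "$conf" '^[[:space:]]*option routers \([0-9.]*\)[,;].*' 1)
    lo=$(field "$conf" "$range_re" 1)
    hi=$(field "$conf" "$range_re" 2)

    for v in subnet mask router lo hi; do
        eval "val=\$$v"
        if [ -z "$val" ]; then
            echo "missing $v declaration"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return $problems

    net=$(ip2int "$subnet"); m=$(ip2int "$mask")
    r=$(ip2int "$router"); l=$(ip2int "$lo"); h=$(ip2int "$hi")
    bcast=$(( net | (~m & 4294967295) ))

    if [ $(( net & m )) -ne "$net" ]; then
        echo "subnet $subnet has host bits set for netmask $mask"
        problems=$((problems + 1))
    fi
    if [ $(( r & m )) -ne "$net" ]; then
        echo "routers $router is not inside $subnet/$mask: clients get an unreachable gateway"
        problems=$((problems + 1))
    fi
    if [ $(( l & m )) -ne "$net" ] || [ $(( h & m )) -ne "$net" ]; then
        echo "range $lo $hi is not inside $subnet/$mask"
        problems=$((problems + 1))
    fi
    if [ "$l" -gt "$h" ]; then
        echo "range start $lo is after range end $hi"
        problems=$((problems + 1))
    fi
    if [ "$l" -le "$net" ] || [ "$h" -ge "$bcast" ]; then
        echo "range $lo $hi includes the network or broadcast address"
        problems=$((problems + 1))
    fi
    if [ "$r" -ge "$l" ] && [ "$r" -le "$h" ]; then
        echo "range $lo $hi hands out the gateway address $router to clients"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage on the gateway (not run automatically when this file is sourced):
#   lint_dhcpd < /etc/dhcp3/dhcpd.conf && sudo service dhcp3-server start
```

The exit status is the number of findings, so the usage line above only starts the server on a clean configuration. With the file from step 14 it reports nothing; move the start of the range down to 192.168.2.1 and it reports that the pool hands out the gateway address.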

If you want to bind IP addresses permanently to the same machines, see here:

http://www.tuxgarage.com/2011/01/how-to-bind-ip-address-to-mac-address.html

Enjoy!
