

    

Blue Forest http://www.lslnet.com at 11:58 on August 8, 2006

Transparent proxy configuration on Linux: sharing an ADSL Internet connection on a LAN
Author : Seraphim
Mail : Seraphim@itpub.net
Date : 2003.08

Environment :
Server : SuSE Linux 8.2 + ADSL
Client : Windows 2000
Network : a 10/100M 8-port LAN hub connecting the SuSE box (192.168.1.3), the Windows box (192.168.1.5) and the ADSL modem (192.168.1.1)

This uses Squid + iptables. Most of it comes from the experience published at www.linuxaid.com; it is just summarized here.

For a detailed description of the gateway, see :
IPTABLES HOWTO

For iptables configuration tools, see :
Knetfilter
G-Shield


For squid optimization, see :
Squid optimization manual 1
Squid optimization manual 2


For the gateway firewall configuration, see :
Packet filtering firewall with iptables (1)
Packet filtering firewall with iptables (2)


The configuration itself starts below.

First, why configure a transparent proxy at all?
An ordinary proxy configuration already gives you the proxy function, but on the client side you must enter the proxy server in the browser and in every other tool (CuteFTP and so on), one by one, which is very troublesome. With a transparent proxy, the client only needs the gateway set in its network configuration; no other program has to be configured separately. That is the most tempting part of a transparent proxy, at least for me. In practice the gateway's firewall function is far more powerful and is its biggest use, but this configuration does not cover the firewall; if you are interested, read the iptables howto linked above.

1. We assume the Linux kernel has already been compiled with firewall (netfilter/iptables) support. You can confirm this in the kernel source with make menuconfig.

2. Squid installed. Most general Linux distributions include squid, and a full installation should already have it installed; it can of course also be downloaded from the following address :
http://www.squid-cache.org/

3. Whether the system was freshly installed or squid was already present, the configuration file may live in a different place depending on the squid package, so first find the exact location of squid.conf. If squid was installed from rpm, you can confirm it with : rpm -ql [squid package name] | grep squid.conf

4. Edit squid.conf and make sure it contains the following :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody
http_access allow all
cache_dir ufs /usr/local/squid/cache 100 16 256
Note : The last line sets the cache directory, which has to be created below; set it to wherever you want squid's cache to live. The second to last line allows all requests, which is not very safe; instead you can define an acl group, allow that group and deny all. For the exact settings read squid.conf carefully, it has very detailed explanations and examples.

5. Create the cache directory (if it does not exist yet) and change its owner to nobody :
chown nobody:nobody /pathname/cache

6. Check the default log directory in the configuration file and change its owner to nobody as well, so that the log can be written.

7. squid -z, to create the squid cache.

8. squid -D, to start squid.
Squid ships with a very detailed FAQ; basically every question you are likely to have is answered there. For instance, you can run squid -NCd1 to start it in debug mode, in which case errors are reported on the terminal. Typically, if you are on ADSL and start squid before dialing up, it fails with (FATAL : ipcache_init : DNS name lookup tests failed), because squid tests DNS when it starts. When you are not connected to the Internet that naturally fails; we do not need the DNS test, so start squid with the -D option.

9. After squid has started successfully, go to the client, set the proxy in the browser and check whether you can get online; if you can, squid is set up successfully.

10. The remaining task is to make sure squid starts automatically at boot. There is normally a squid script in /etc/init.d, and all we need to do is link it into the appropriate rc.d directory. My default runlevel is 5, so I ran :
ln -s /etc/init.d/squid /etc/init.d/rc5.d/S99squid
ln -s /etc/init.d/squid /etc/init.d/rc5.d/K01squid
This is for SuSE; on RedHat the rc.d directories are under /etc rather than /etc/init.d.
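The note under step 4 warns that http_access allow all serves every client, including hosts that reach the box from the ADSL side. The shell script below is an added example, not code from the article: it audits a Squid 2.x squid.conf for that line and writes a hardened copy that allows only the LAN, the acl-group approach the note recommends. The function names and the "localnet" acl name are assumptions of this example; the sample configuration it runs on is constructed from the step 4 lines.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a Squid 2.x
# squid.conf for the "http_access allow all" line that step 4 warns about
# (it turns the box into an open proxy reachable from the ADSL side) and
# write a hardened copy that only serves the LAN. The function names and the
# "localnet" acl name are assumptions of this example.

# squid_conf_is_open CONF
# Exit status 0 when the first http_access line naming the "all" acl is an
# "allow". Squid evaluates http_access lines in order, so such a config lets
# every client use the proxy.
squid_conf_is_open() {
    conf="$1"
    verdict=$(awk '
        tolower($1) == "http_access" && $3 == "all" { print tolower($2); exit }
    ' "$conf")
    [ "$verdict" = "allow" ]
}

# harden_squid_conf CONF LAN_NET OUT
# Copies CONF to OUT, replacing "http_access allow all" with an acl for
# LAN_NET that is allowed and a final "http_access deny all". Other lines,
# including the httpd_accel_* transparent-proxy settings, are kept verbatim.
harden_squid_conf() {
    conf="$1"; lan="$2"; out="$3"
    awk -v lan="$lan" '
        tolower($1) == "http_access" && tolower($2) == "allow" && $3 == "all" {
            print "acl localnet src " lan
            print "http_access allow localnet"
            print "http_access deny all"
            next
        }
        { print }
    ' "$conf" > "$out"
}

# Demo on a constructed squid.conf (the lines from step 4 of the article).
demo_squid_audit() {
    dir=$(mktemp -d)
    cat > "$dir/squid.conf" <<'EOF'
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody
http_access allow all
cache_dir ufs /usr/local/squid/cache 100 16 256
EOF
    if squid_conf_is_open "$dir/squid.conf"; then
        echo "squid.conf is an open proxy; writing hardened copy"
        harden_squid_conf "$dir/squid.conf" 192.168.1.0/24 "$dir/squid.conf.hardened"
        grep -e '^acl' -e '^http_access' "$dir/squid.conf.hardened"
    fi
    rm -rf "$dir"
}

demo_squid_audit
```

To check a real installation, call squid_conf_is_open on the squid.conf located in step 3; if it reports an open proxy, review the hardened copy before putting it in place and restart squid. The check only looks at the first http_access line that names the all acl, which is what decides the outcome for a client matched by no earlier acl.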

OK, that finishes the squid setup; next we configure iptables.

You can use the configuration tools mentioned earlier, but I have not tried them; I used iptables commands directly.
man iptables can help.

We put the commands that set up the gateway in a script file; assume the script is named firewall and is stored in /etc/init.d, and we run it at boot. The steps are as follows :

1. touch /etc/init.d/firewall

2. vi /etc/init.d/firewall
Add the following :
Code :
--> #!/bin/sh
echo "Enabling IP Forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
# Flush all chains of the nat table
/sbin/iptables -F -t nat
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
-->
These commands are explained as follows :
/proc/sys/net/ipv4/ip_forward : set to 1 (default 0) to enable the routing (packet forwarding) function.
/sbin/iptables -F -t nat : flushes all existing rules from the nat table.
eth0 : the LAN network card of the Linux machine.
3128 : the default port squid listens on.
ppp0 : the ADSL device on the Linux machine (ppp0 on SuSE; it may be dsl0 on RedHat).
MASQUERADE : for servers on dial-up Internet, which have no static IP address; a server with a static IP can use SNAT --to-source ipaddress instead.

Note : As said before, this does not configure a firewall; these commands do not delete any rules from the filter table, so if you already had a firewall in place it will not be affected.

3. chmod u+x /etc/init.d/firewall, to make the script executable.

4. Edit /etc/init.d/boot.local and add /etc/init.d/firewall as the last line, so that the script runs at boot.
Note : On SuSE this is boot.local; on RedHat you need to edit /etc/rc.d/rc.local instead.

5. Run the firewall script; the rules take effect immediately.

That's it; the whole configuration is finished.

If there is a problem, please follow up here, or mail to:seraphim@itpub.net.

With iptables nat alone the clients can already get online without a proxy, so I don't see any advantage of squid's transparent proxy?

Squid is a proxy; its caching can improve Internet speed. That is the good thing about squid. iptables is the firewall function and

Thanks for sharing!

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE


Can these two rules really achieve a transparent proxy?
I tried it: the clients could still get online, but when I checked the size of the cache there was not the slightest increase!

To be precise :
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Does that achieve a transparent proxy?

All requests to port 80 are redirected to port 3128, and 3128 is the port squid listens on by default, so aren't you using squid then?

Squid should also restrict the addresses it proxies for.

Quote :
--> Originally posted by nobody_am
Squid should also restrict the addresses it proxies for. -->


I don't understand that; could you explain more clearly?


You used REDIRECT --to-ports.
I think it can only be : DNAT --to-destination 192.168.0.1:3128.
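Both the firewall script steps in the article and the question in this thread (clients still online, but the squid cache never grows) come down to the same check: are both nat rules actually installed, and is forwarding on? If only the MASQUERADE rule is present, every client gets online through plain NAT while port 80 never reaches squid, which is exactly what an unchanging cache looks like. On the REDIRECT versus DNAT point, REDIRECT in the nat PREROUTING chain rewrites the destination to the primary address of the interface the packet arrived on, so --to-ports 3128 is a DNAT to the gateway's own address and port 3128. The shell script below is an added example, not code from the article or from any poster in this thread. It reads a rule listing in the form printed by iptables -t nat -S (one "-A CHAIN ..." line per rule; that option exists in iptables 1.4.6 and later, an assumption for the 2003 setup described here) and the ip_forward flag file, both passed in as arguments so the check can also run on a saved dump; the function names are assumptions, and the default values (eth0, ppp0, 192.168.1.0/24, 3128) are taken from the article.

```shell
#!/bin/sh
# Added example, not code from the original article or thread: verify that
# the two nat rules from the firewall script are really in place, using the
# rule listing printed by "iptables -t nat -S" (one "-A CHAIN ..." line per
# rule), plus the ip_forward flag. Listing and flag file are passed in as
# arguments so the check can run against a saved dump; function names are
# assumptions of this example, the defaults (eth0, ppp0, 192.168.1.0/24,
# 3128) are the values from the article.

# has_redirect LISTING LAN_IF PORT
# True when a PREROUTING rule on LAN_IF sends tcp/80 to the local PORT.
# -x matches the whole line, -F treats dots and slashes literally.
has_redirect() {
    printf '%s\n' "$1" | grep -qxF -- \
        "-A PREROUTING -i $2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $3"
}

# has_masquerade LISTING LAN_NET WAN_IF
# True when a POSTROUTING rule masquerades LAN_NET out of WAN_IF.
has_masquerade() {
    printf '%s\n' "$1" | grep -qxF -- \
        "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# ip_forward_enabled FILE
# True when FILE (normally /proc/sys/net/ipv4/ip_forward) contains 1.
ip_forward_enabled() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "1" ]
}

# transparent_proxy_status LISTING LAN_IF WAN_IF LAN_NET PORT
# Prints one word:
#   ok       both rules present: port 80 goes through squid, the rest is NATed
#   bypass   only MASQUERADE: clients get online, but port 80 never reaches
#            squid, so the cache never grows
#   no-nat   only REDIRECT: web traffic hits squid, other traffic is not
#            forwarded to the Internet
#   none     neither rule is present
transparent_proxy_status() {
    listing="$1"; lan_if="$2"; wan_if="$3"; lan_net="$4"; port="$5"
    r=0; m=0
    has_redirect "$listing" "$lan_if" "$port" && r=1
    has_masquerade "$listing" "$lan_net" "$wan_if" && m=1
    case "$r$m" in
        11) echo ok ;;
        01) echo bypass ;;
        10) echo no-nat ;;
        *)  echo none ;;
    esac
}

# Demo on a constructed listing (what "iptables -t nat -S" would print after
# running the article's firewall script).
demo_nat_check() {
    sample="-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE"
    echo "nat rules: $(transparent_proxy_status "$sample" eth0 ppp0 192.168.1.0/24 3128)"
    if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ip_forward: on"
    else
        echo "ip_forward: off (or not a Linux box)"
    fi
}

demo_nat_check
```

On the gateway itself, run it as transparent_proxy_status "$(iptables -t nat -S)" eth0 ppp0 192.168.1.0/24 3128 after sourcing the script. A result of bypass means the LAN is online but squid is idle; ok together with a cache that still never grows points at squid rather than at the nat rules (for example squid not started with -D before dial-up, as step 8 describes).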



