1. What is a transparent proxy?
If you ask how a user's browser can surf the Internet through your Squid cache proxy server without any proxy settings, the answer is a transparent proxy. With a transparent proxy the client sets no proxy at all; when its packets pass through the proxy server they are redirected to the Squid proxy port (for example 8080). The proxy server then makes the outward request for the required data itself and copies it back to the client.
2. What kind of environment do I need for a transparent proxy?
A. The gateway of the client's Windows PC must be set to the Squid proxy server. Since the browser has no proxy settings, the packets for any site the user visits must pass through the Squid proxy server before they can be redirected, so this is the most basic condition.
B. The client must have its DNS server configured correctly. Because no proxy is set, name resolution is done on the client side: the DNS server configured in the client PC's TCP/IP settings must correctly resolve the IP address of the site.
C. The server side can run Squid proxy server version 1.x or 2.x.
3. Configure the Squid proxy and enable the transparent proxy function
Squid-2
Add the following lines to your /etc/squid/squid.conf:
http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Squid-1.1
Add the following lines to /etc/squid.conf:
http_port 8080
httpd_accel virtual 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
4. Restart Squid with the following command:
# /usr/sbin/squid -k reconfigure
If you are told that the kernel does not support transparent proxying, you need to recompile the kernel with transparent proxy support enabled.
Here are the kernel options you need to turn on:
[*] Network firewalls
[ ] Socket filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support
5. The following commands are for the Linux 2.2.x kernel:
# Accept all on loopback
/sbin/ipchains -A input -j ACCEPT -i lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
/sbin/ipchains -A input -j ACCEPT -p tcp -d 192.168.11.1/32 80
# Send all traffic destined to port 80 to Squid on port 8080
/sbin/ipchains -A input -j REDIRECT 8080 -p tcp -s 192.168.11.0/24 -d 0/0 80
The following commands are for the Linux 2.0.x kernel:
# Accept all on loopback
ipfwadm -I -a accept -W lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
ipfwadm -I -a accept -P tcp -D 192.168.11.1/32 80
# Send all traffic destined to port 80 to Squid on port 8080
ipfwadm -I -a accept -P tcp -S 192.168.11.0/24 -D 0/0 80 -r 8080
6. Issues to note:
A. This transparent proxy only works for the HTTP protocol, not for the FTP protocol.
B. The PC's default gateway should be set to the Squid proxy server.
C. The firewall redirection rule must come before the other input rules; pay attention to the order.
For example:
/etc/rc.d/rc.firewall:
#!/bin/sh
# rc.firewall   Linux kernel firewalling rules
FW=/sbin/ipfwadm

# Flush rules, for testing purposes
for i in I O F # A      # if we enabled accounting too
do
        ${FW} -$i -f
done

# Default policies:
${FW} -I -p rej         # incoming policy: reject (quick error)
${FW} -O -p acc         # output policy: accept
${FW} -F -p den         # forwarding policy: deny

# Input rules:

# Loopback interface (local access, e.g. to the local nameserver):
${FW} -I -a acc -S localhost/32 -D localhost/32

# Local Ethernet interface:

# Redirect to the Squid proxy server (must come before the general accept below):
${FW} -I -a acc -P tcp -D default/0 80 -r 8080

# Accept packets from the local network:
${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0

# Only required for other types of traffic (FTP, Telnet):

# Forward localnet with masquerading (UDP and TCP, no ICMP!):
${FW} -F -a m -P tcp -S localnet/8 -D default/0
${FW} -F -a m -P udp -S localnet/8 -D default/0
Here all traffic from the "local LAN" with any destination gets redirected to local port 8080. The rules can be listed like this:
IP firewall input rules, default policy: reject
type   prot  source       destination  ports
acc    all   127.0.0.1    127.0.0.1    n/a
acc/r  tcp   10.0.0.0/8   0.0.0.0/0    * -> 80 => 8080
acc    all   10.0.0.0/8   0.0.0.0/0    n/a
acc    tcp   0.0.0.0/0    0.0.0.0/0    * -> *
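As an added check (not part of the original page, nor of Squid or ipfwadm), the following Python script parses a listing in the format shown above and flags the ordering mistakes this section warns about: the loopback and own-address accepts must precede the port-80 redirect, and no plain accept for LAN traffic may precede it. The sample listing, the proxy address 10.0.0.1 and its own-address accept rule are constructed assumptions.

```python
import re

# Constructed sample in the layout of the page's rule listing; the proxy's own
# address 10.0.0.1 and the accept rule for it (loop prevention) are assumptions.
SAMPLE_LISTING = """\
IP firewall input rules, default policy: reject
type   prot  source       destination  ports
acc    all   127.0.0.1    127.0.0.1    n/a
acc    tcp   0.0.0.0/0    10.0.0.1     * -> 80
acc/r  tcp   10.0.0.0/8   0.0.0.0/0    * -> 80 => 8080
acc    all   10.0.0.0/8   0.0.0.0/0    n/a
acc    tcp   0.0.0.0/0    0.0.0.0/0    * -> *
"""

# type, protocol, source, destination, then the free-form ports column.
RULE_RE = re.compile(r"^(acc|acc/r|rej|den)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_listing(text):
    """Parse listing lines into dicts (type, prot, src, dst, ports), keeping order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # header and policy lines do not match and are skipped
            rules.append(dict(zip(("type", "prot", "src", "dst", "ports"), m.groups())))
    return rules


def check_order(rules, proxy_ip, squid_port="8080"):
    """Return a list of ordering problems; an empty list means the order is sound."""
    def first(pred):
        return next((i for i, r in enumerate(rules) if pred(r)), None)

    redirect = first(lambda r: r["type"] == "acc/r" and r["ports"].endswith("=> " + squid_port))
    if redirect is None:
        return ["no redirect to port %s found" % squid_port]
    rsrc = rules[redirect]["src"]
    lo = first(lambda r: r["src"].startswith("127.") and r["dst"].startswith("127."))
    own = first(lambda r: r["type"] == "acc" and r["dst"].split("/")[0] == proxy_ip)
    # A plain accept that already matches the LAN's port-80 traffic.
    broad = first(lambda r: r["type"] == "acc" and r["prot"] in ("all", "tcp")
                  and r["src"] in (rsrc, "0.0.0.0/0") and r["dst"] == "0.0.0.0/0"
                  and r["ports"] in ("n/a", "* -> *", "* -> 80"))
    problems = []
    if lo is None or lo > redirect:
        problems.append("loopback accept missing or placed after the redirect")
    if own is None or own > redirect:
        problems.append("accept for the proxy's own address %s missing or after the redirect (loop risk)" % proxy_ip)
    if broad is not None and broad < redirect:
        problems.append("a plain accept for LAN traffic precedes the redirect, so port 80 would bypass Squid")
    return problems
```

Feed it the real listing from the proxy host and a non-empty result tells you which rule to move.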