1. What is a transparent proxy?
If you ask "how can my users' browsers reach the Internet through my Squid cache server without any proxy settings in the browser?", the answer is a transparent proxy. With a transparent proxy, no proxy configuration is needed on the client at all. When a client's packet passes through the Squid machine, the packet filter redirects it to the port Squid is listening on (for example 8080). Squid then fetches the requested object from the origin server on the client's behalf and returns it to the client.
2. What environment is needed to implement a transparent proxy?
A. The default gateway of the Windows PC clients must be set to the Squid proxy server. Since the browser has no proxy settings, packets can only be redirected if they actually pass through the Squid machine. This is the most basic condition.
B. The clients must have a correctly configured DNS server. Because no proxy is configured, the browser itself must resolve the site name to an IP address using the DNS server set in the client PC's TCP/IP settings; the proxy does not resolve names for it.
C. Squid is installed on the server. Both Squid 1.1 and Squid 2.x can be used; their configuration differs slightly, as shown in the next section.
3. Configure Squid to enable the transparent proxy function.
Squid-2
Add the following lines to your /etc/squid.conf file:
http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Squid-1.1
Add the following lines to /etc/squid.conf:
http_port 8080
httpd_accel virtual 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Here http_port is the port the firewall redirects to (8080 in the rules below); keep the two consistent. httpd_accel_uses_host_header on makes Squid take the destination server name from the client's Host: header, because the original destination address is not available to it. Squid's own documentation warns that this is a cache-poisoning hazard: any client on the LAN can send a request for one server with a Host: header naming another, and Squid will fetch and cache the object under the name given in the header.
4. Restart Squid. Run the following command:
# /usr/sbin/squid -k reconfigure
If Squid reports that the kernel does not support transparent proxying, you need to recompile the kernel with transparent proxy support enabled.
The following kernel options must be enabled (Networking options in the kernel configuration):
[*] Network firewalls
[ ] Socket Filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support
5. The following commands are for the Linux 2.2.x kernel (ipchains):
# Accept all on loopback
/sbin/ipchains -A input -j ACCEPT -i lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
/sbin/ipchains -A input -j ACCEPT -p tcp -d 192.168.11.1/32 80
# Send all traffic destined to port 80 to Squid on port 8080
/sbin/ipchains -A input -j REDIRECT 8080 -p tcp -s 192.168.11.0/24 -d 0/0 80
The following commands are for the Linux 2.0.x kernel (ipfwadm):
# Accept all on loopback
ipfwadm -I -a accept -W lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
ipfwadm -I -a accept -P tcp -D 192.168.11.1/32 80
# Send all traffic destined to port 80 to Squid on port 8080
ipfwadm -I -a accept -P tcp -S 192.168.11.0/24 -D 0/0 80 -r 8080
Here 192.168.11.1 is the address of the Squid server and 192.168.11.0/24 is the client LAN; adjust both to your network. The "accept my own IP" rule must be added before the redirect rule, so that connections to port 80 on the proxy host itself are not redirected into Squid. The redirect port (8080) must be the same as http_port in squid.conf.
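The ipchains rules above must use the same port as http_port in squid.conf and must be installed in the order shown. The script below is an added example, not part of the original article or of Squid's own tooling: it reads http_port from a squid.conf path you supply, builds the Linux 2.2 ipchains rules for a LAN and the proxy's own addresses in the correct order, and only executes them when APPLY=1 (otherwise it prints them as a dry run). The squid.conf path, the LAN 192.168.11.0/24 and the address 192.168.11.1 used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or the Squid project.
# Builds the Linux 2.2 ipchains rules for Squid transparent proxying from
# squid.conf, so the REDIRECT port always matches http_port, in the order
# the article requires (loopback, own addresses, then the redirect).
# Assumed: the squid.conf path, LAN CIDR and addresses are passed by the caller.

# Print the http_port directive from squid.conf; fall back to Squid's
# compiled-in default 3128 when the directive is absent.
squid_http_port() {
    conf=$1
    port=$(awk '$1 == "http_port" { print $2; exit }' "$conf")
    [ -n "$port" ] || port=3128
    printf '%s\n' "$port"
}

# Usage: gen_ipchains_rules SQUID_CONF LAN_CIDR LOCAL_IP [LOCAL_IP ...]
# Prints one ipchains command per line.  Accepts for loopback and for the
# proxy host's own addresses come first, so connections to port 80 on the
# proxy itself are not redirected into Squid; the REDIRECT comes last.
gen_ipchains_rules() {
    conf=$1
    lan=$2
    shift 2
    port=$(squid_http_port "$conf")
    echo "/sbin/ipchains -A input -j ACCEPT -i lo"
    for ip in "$@"; do
        echo "/sbin/ipchains -A input -j ACCEPT -p tcp -d $ip/32 80"
    done
    echo "/sbin/ipchains -A input -j REDIRECT $port -p tcp -s $lan -d 0/0 80"
}

# Same arguments as gen_ipchains_rules.  Dry run by default; set APPLY=1
# to execute each command (as root) and stop at the first failure.
apply_ipchains_rules() {
    gen_ipchains_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}
```

Source the file and run `apply_ipchains_rules /etc/squid.conf 192.168.11.0/24 192.168.11.1` to see the rules, then repeat with `APPLY=1` as root to install them. Reading the port from squid.conf instead of typing it twice removes the most common mistake in this setup, a redirect to a port Squid is not listening on.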
6. Notes:
A. This transparent proxy setup handles only HTTP on port 80; it does not handle FTP.
B. The default gateway of the client PCs must be the Squid proxy server.
C. The firewall redirect rule must be placed before any other input rule that would accept the same traffic. Rules are matched in order, so a broader accept rule listed earlier would match first and the redirect would never be reached. Pay attention to the order.
For example, /etc/rc.d/rc.firewall:
#!/bin/sh
# rc.firewall   Linux kernel firewalling rules
FW=/sbin/ipfwadm
# Flush rules, for testing purposes
for i in I O F # A # If we enabled accounting too
do
  ${FW} -$i -f
done
# Default policies:
${FW} -I -p rej     # Incoming policy: reject (quick error)
${FW} -O -p acc     # Output policy: accept
${FW} -F -p den     # Forwarding policy: deny
# Input rules:
# Loopback-interface (local access, eg, to local nameserver):
${FW} -I -a acc -S localhost/32 -D localhost/32
# Local Ethernet-interface:
# Redirect to Squid proxy server:
${FW} -I -a acc -P tcp -D default/0 80 -r 8080
# Accept packets from local network:
${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0
# Only required for other types of traffic (FTP, Telnet):
# Forward localnet with masquerading (udp and tcp, no icmp!):
${FW} -F -a m -P tcp -S localnet/8 -D default/0
${FW} -F -a m -P udp -S localnet/8 -D default/0
Here all HTTP traffic from the local LAN (10.0.0.0/8 in this listing) to any destination port 80 is redirected to local port 8080. The resulting input rules can be viewed with ipfwadm -I -l:
IP firewall input rules, default policy: reject
type   prot  source       destination  ports
acc    all   127.0.0.1    127.0.0.1    n/a
acc/r  tcp   10.0.0.0/8   0.0.0.0/0    * -> 80 => 8080
acc    all   10.0.0.0/8   0.0.0.0/0    n/a
acc    tcp   0.0.0.0/0    0.0.0.0/0    * -> *
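Note C above is easy to get wrong, and the listing above is where to check it: the acc/r redirect must precede any accept that would also match the clients' HTTP traffic. The function below is an added example, not from the original article or from ipfwadm: it reads an ipfwadm -I -l listing on stdin and fails if any plain accept for tcp or all protocols to destination 0.0.0.0/0 comes before the acc/r rule, or if there is no redirect at all. The sample listing embedded in it is constructed from the one above.

```shell
#!/bin/sh
# Added example, not from the original article or the ipfwadm tool.
# Audits the rule order in an `ipfwadm -I -l` listing read from stdin:
# the acc/r redirect must appear before any plain accept for tcp or all
# protocols to destination 0.0.0.0/0, or the redirect is never reached.
# Exit status 0 = order is fine, 1 = redirect missing or shadowed.
check_redirect_order() {
    awk '
        NR <= 2 { next }                          # two header lines
        $1 == "acc/r" { redirect = NR - 2; next } # ipfwadm marks redirects acc/r
        $1 == "acc" && !redirect && ($2 == "tcp" || $2 == "all") && $4 == "0.0.0.0/0" {
            printf "redirect shadowed by rule %d: %s\n", NR - 2, $0
            bad = 1
        }
        END {
            if (!redirect) { print "no redirect (acc/r) rule found"; exit 1 }
            if (bad) exit 1
            print "redirect is rule " redirect ", ahead of any catch-all accept"
        }
    '
}

# Constructed sample: the listing from the article, in the correct order.
SAMPLE_LISTING='IP firewall input rules, default policy: reject
type   prot  source       destination  ports
acc    all   127.0.0.1    127.0.0.1    n/a
acc/r  tcp   10.0.0.0/8   0.0.0.0/0    * -> 80 => 8080
acc    all   10.0.0.0/8   0.0.0.0/0    n/a
acc    tcp   0.0.0.0/0    0.0.0.0/0    * -> *'

# Run the check against the sample (on a real box: ipfwadm -I -l | check_redirect_order).
demo_check() {
    printf '%s\n' "$SAMPLE_LISTING" | check_redirect_order
}
```

Run `ipfwadm -I -l | check_redirect_order` after loading rc.firewall; it prints the offending rule number when the "accept packets from local network" rule has slipped ahead of the redirect, which is exactly the case where clients silently bypass Squid.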