How to set up a transparent proxy with Squid on Linux

Source: Internet
Author: User
Tags: ftp protocol, squid, proxy

1. What is a transparent proxy?

If you ask "how can I make users' browsers go through my Squid cache proxy server when surfing the Internet, without any proxy settings in the browser?", then what you need is a transparent proxy. With a transparent proxy the client does not configure any proxy at all; when the client's packets pass through the proxy server they are redirected to the Squid proxy port (such as 8080). The proxy server then fetches the requested data from the Internet on the client's behalf and passes it back to the client.
2. What kind of environment do I need to achieve transparent proxy?

A. The default gateway of the client's Windows PC must be set to the Squid proxy server. Because the browser has no proxy settings, a packet to a web site can only be redirected if it actually passes through the Squid proxy server, so this is the most basic condition.

B. The client must have its DNS server configured correctly. Since no proxy is set, the browser itself has to resolve host names, so the DNS server configured under TCP/IP on the client's PC must be able to resolve the IP address of a site.

C. The server side must have Squid installed; either a 1.x or a 2.x version will do.

3. Configure Squid and enable the transparent proxy function

Squid-2

Add the following lines to your /etc/squid/squid.conf:

http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Squid-1.1

Add the following lines to /etc/squid.conf:

http_port 8080
httpd_accel virtual 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

4. Restart (reconfigure) Squid with the following command:

# /usr/sbin/squid -k reconfigure

If Squid reports that the kernel does not support transparent proxying, you need to recompile the kernel with transparent proxy support enabled.

Here are the kernel options you need to enable:

[*] Network firewalls
[ ] Socket filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support


5. The following commands are for the Linux 2.2.x kernel (ipchains):

# Accept all on loopback
/sbin/ipchains -A input -j ACCEPT -i lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
/sbin/ipchains -A input -j ACCEPT -p tcp -d 192.168.11.1/32 80
# Send all traffic destined to port 80 to Squid on port 8080
/sbin/ipchains -A input -j REDIRECT 8080 -p tcp -s 192.168.11.0/24 -d 0/0 80


The following commands are for the Linux 2.0.x kernel (ipfwadm):

# Accept all on loopback
/sbin/ipfwadm -I -a accept -W lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
/sbin/ipfwadm -I -a accept -P tcp -D 192.168.11.1/32 80
# Send all traffic destined to port 80 to Squid on port 8080
/sbin/ipfwadm -I -a accept -P tcp -S 192.168.11.0/24 -D 0/0 80 -r 8080

6. Issues to be noted:

A. This transparent proxy only works for the HTTP protocol, not for the FTP protocol.
B. The PC's default gateway must be set to the Squid proxy server.
C. The firewall redirection rules must come before the other input rules; pay attention to the order.

For example, /etc/rc.d/rc.firewall:


#!/bin/sh
# rc.firewall   Linux kernel firewalling rules
FW=/sbin/ipfwadm

# Flush rules, for testing purposes
for i in I O F # A   # If we enabled accounting too
do
    ${FW} -$i -f
done

# Default policies:
${FW} -I -p rej   # Incoming policy: reject (quick error)
${FW} -O -p acc   # Output policy: accept
${FW} -F -p den   # Forwarding policy: deny

# Input rules:

# Loopback interface (local access, e.g. to the local nameserver):
${FW} -I -a acc -S localhost/32 -D localhost/32

# Local Ethernet interface:

# Redirect to the Squid proxy server:
${FW} -I -a acc -P tcp -D default/0 80 -r 8080

# Accept packets from the local network:
${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0

# Only required for the other types of traffic (FTP, Telnet):

# Forward localnet with masquerading (UDP and TCP, no ICMP!):
${FW} -F -a m -P tcp -S localnet/8 -D default/0
${FW} -F -a m -P udp -S localnet/8 -D default/0

Here all traffic from the "local LAN" to any destination on port 80 gets redirected to local port 8080. The rules can be viewed like this:

IP firewall input rules, default policy: reject
type  prot source               destination          ports
acc   all  127.0.0.1            127.0.0.1            n/a
acc/r tcp  10.0.0.0/8           0.0.0.0/0            * -> 80 => 8080
acc   all  10.0.0.0/8           0.0.0.0/0            n/a
acc   tcp  0.0.0.0/0            0.0.0.0/0            * -> *
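As an added example (not part of the original article), here is a small sh function that reads an ipfwadm input-rule listing like the one above and checks item C: the acc/r redirect of port 80 to 8080 must appear before any plain accept rule for non-loopback traffic, which would otherwise match first and let the request go out past Squid. The two listings are constructed from the article's output; the function name and the shadowing heuristic are my own.

```shell
#!/bin/sh
# Added example: check that the port-80 redirect rule is not shadowed by an
# earlier plain accept rule in an ipfwadm input-rule listing (item C above).
# Heuristic: any "acc" rule for tcp/all traffic from a non-loopback source that
# is listed before the "acc/r ... => 8080" rule is treated as a shadowing rule.

# Sample listing, constructed from the output shown in the article.
GOOD_LISTING='IP firewall input rules, default policy: reject
type  prot source               destination          ports
acc   all  127.0.0.1            127.0.0.1            n/a
acc/r tcp  10.0.0.0/8           0.0.0.0/0            * -> 80 => 8080
acc   all  10.0.0.0/8           0.0.0.0/0            n/a
acc   tcp  0.0.0.0/0            0.0.0.0/0            * -> *'

# Same rules, but the broad accept for the LAN was appended before the redirect.
BAD_LISTING='IP firewall input rules, default policy: reject
type  prot source               destination          ports
acc   all  127.0.0.1            127.0.0.1            n/a
acc   all  10.0.0.0/8           0.0.0.0/0            n/a
acc/r tcp  10.0.0.0/8           0.0.0.0/0            * -> 80 => 8080
acc   tcp  0.0.0.0/0            0.0.0.0/0            * -> *'

# check_redirect_order LISTING
# Exit status 0 when the redirect precedes every plain accept rule that could
# match LAN web traffic, 1 when such a rule is listed first.
check_redirect_order() {
    printf '%s\n' "$1" | awk '
        # header lines start with "IP" or "type" and never match below
        $1 == "acc/r" && $2 == "tcp" && $NF == "8080" { seen_redirect = 1; next }
        $1 == "acc" && ($2 == "tcp" || $2 == "all") && $3 != "127.0.0.1" {
            if (seen_redirect == 0) shadowed = 1
        }
        END { exit (shadowed ? 1 : 0) }
    '
}

if check_redirect_order "$GOOD_LISTING"; then
    echo "good listing: redirect comes before the broad accept rules"
fi
check_redirect_order "$BAD_LISTING" ||
    echo "bad listing: a plain accept rule precedes the port-80 redirect"
```

On a live system, feed the function the listing printed by the firewall tool instead of the constructed strings.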
