Transparent Proxy mini-HOWTO

v0.3, Fredrik Rambris, Sep 19, 1999

Describing briefly how to configure Squid and ipchains to make a proxy and optionally make it transparent.

Introduction

In this chapter I'll go through a few basic things. If you already know the theory behind proxies and transparent proxies you can skip to the last section of this chapter.

What is a proxy?

When several people in a network want to see the same web page it normally gets downloaded at least once per client. This is a waste of bandwidth. A proxy sits in between the clients and the server: the clients ask the proxy for a certain page, the proxy fetches it and hands it over to the client.

Many proxies have a caching function, so a page only needs to be downloaded once until it changes. If everyone on the local network uses a local proxy which fetches all pages and caches them, then the next time someone requests a page that someone else has already requested, the caching proxy serves it from its local cache and it doesn't need to be downloaded again. Often the local net is faster than the connection to the Internet.

Transparent Proxy?!

One drawback with proxy usage is that it has to be configured in every client. Every client has to know which host and which port to send the requests to. Say you have 2000 clients to configure. I don't know about you, but I don't find repetitive work very amusing. This is where the transparent proxy comes in.

We tell the firewall to secretly redirect all packets destined to port 80 anywhere to our local proxy. This tricks everyone into using the proxy whether they want to or not, without making a single change to the clients.

The computer with the transparent proxy has to be in your default route, i.e. the computer all packets pass through on the way out of the network. This may be the computer you have selected as default gateway.

Products used

In our scenario we're using Squid to do the proxying and kernel 2.2 with ipchains to do the redirection.

I tested this on some machines with Red Hat 6.0.50 (Lorax), Red Hat 6.1 (Cartman) and Mandrake 6.1 (Helios). Packages needed besides the base system were ipchains and squid.

Configuring

In this chapter I'll go through the different steps towards a working transparent proxy. Much of the information was gathered from the Squid-FAQ.

Squid

All Squid configuration is done in the /etc/squid/squid.conf file (it may be at another location on your system). This is a normal text file and may be edited with the editor of your choice. The example config delivered with Squid 2 has a lot of comments to guide you through it. This document assumes you have the default example config installed.

Basic settings

    http_port 3128

Port where Squid will listen for requests. For some reason the makers of Squid have chosen port 3128 as the default. Other ports I've seen used for proxies are 8080, 8888, 1080 and 80. I recommend you leave it at 3128 as this is fine for the majority. You are however free to use any port you want as long as it's vacant.

Access settings

About midway through the config file you'll find ACCESS CONTROLS. This is the section where you configure who gets to do what, and when.

This is done by first describing the group to be affected with an ACL (Access List) item, and then allowing or denying access to different actions.

F.ex.

    acl localnet src 192.168.1.0/255.255.255.0

defines my local network 192.168.1.0 with netmask 255.255.255.0 under the name localnet. You should of course use the address and netmask of your own local network.

And then allow it access with

    http_access allow localnet

which basically tells Squid that all hosts defined as localnet are granted HTTP access. Now this is kind of tricky, as the order of the access rules counts. Squid reads the access lines from top to bottom and stops at the first one that applies. Therefore you have to put the narrowest rule first and the widest last (deny all is pretty wide). Insert your access line right above http_access allow localhost.

Preparing Squid for transparency

After restarting Squid you should now have a perfectly working proxy. If this is all you want, you can start configuring your clients as usual. If you want to make it transparent, read on.

Seek down to the section HTTPD-ACCELERATOR OPTIONS in the squid.conf file. I'm not too experienced with this section and will simply tell you what the Squid-FAQ says. We use the httpd-accelerator functions in Squid to achieve a transparent proxy. Uncomment and change the following lines as follows:

    httpd_accel_host virtual

Haven't really figured this one out yet. It is used when you have a proxy-accelerator with virtual hosts (i.e. several domains/IP addresses on the same server).

    httpd_accel_port 80

The port where to send requests.

    httpd_accel_with_proxy on

Will make Squid function both as an accelerator and a normal proxy at the same time. We want this.

    httpd_accel_uses_host_header on

The comments tell us that we need this for transparent proxying.

Summary of Squid

Save and restart Squid. We are now finished with the squid.conf file for now. Squid is very powerful and I really recommend you take a closer look at it after we're done here. I have f.ex. denied access to doubleclick.net and ads.freshmeat.net. This has the nice effect of saving me from downloading a lot of banners. I did this by defining an ACL like this:

    acl banners dstdomain doubleclick.net ads.freshmeat.net

You can add more domains that you don't want the proxy users to download from. F.ex. you could prevent known domains with adult content from being shown.

    http_access deny banners

Put this before you allow access to localhost.

The Firewall

We have to tell the firewall to hand all packets that are going to port 80 anywhere over to Squid. This is configured with ipchains. For that to work you have to have support for this in your kernel.

Kernel configuration

The kernel that came with my Red Hat/Linux 6.0.50 system already had this in it, and chances are that later versions of Red Hat/Linux also have support for this in their prebuilt kernels.

If you don't have support for routing, firewalling etc. in your kernel, make the following changes to your kernel config and recompile to include support in your kernel:

    #
    # Code maturity level options
    #
    CONFIG_EXPERIMENTAL=y
    #
    # Networking options
    #
    CONFIG_FIREWALL=y
    # CONFIG_NET_ALIAS is not set
    CONFIG_INET=y
    CONFIG_IP_FORWARD=y
    # CONFIG_IP_MULTICAST is not set
    CONFIG_IP_FIREWALL=y
    # CONFIG_IP_FIREWALL_VERBOSE is not set
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_TRANSPARENT_PROXY=y
    CONFIG_IP_ALWAYS_DEFRAG=y
    # CONFIG_IP_ACCT is not set
    CONFIG_IP_ROUTER=y

When you're running a kernel with this in it, we can start to configure the firewall to redirect packets.

You will also have to enable IP forwarding at runtime by doing

    echo 1 >/proc/sys/net/ipv4/ip_forward

or, on Red Hat based systems, by setting FORWARD_IPV4 to yes in /etc/sysconfig/network. If your computer is already acting as a router today you already have this fixed.

ipchains

Now it's time to enter some rules. Remember! Order counts. In my case the computer which is selected as transparent proxy also has a local web server which I don't want to be "proxied", so we start out by telling the firewall that all traffic destined to 192.168.1.1 (my computer) and 127.0.0.1 on port 80 is accepted directly. This has to be done for each and every interface. F.ex.

    ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.1.1/32 80
    ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 127.0.0.1/32 80

Or with some scripting (on one line):

    ifconfig | grep "inet addr:" | awk -F':' '{ print $2 }' | awk '{ print "ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d " $1 "/32 80" }' | sh

This is of course only of use to you if you too have a web server on the same computer as the proxy.

Now we do the magic: making it redirect packets destined to port 80 anywhere to our own proxy port (in my case 3128).

    ipchains -A input -j REDIRECT 3128 -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 80
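The following script is an added example and not part of the original HOWTO. It builds the ACCEPT and REDIRECT rules from this section for every local address, refuses to apply them if an ACCEPT would land after the REDIRECT, and only redirects the local network so that outside hosts cannot use the box as a proxy. Assumptions: addresses are taken from ifconfig-style "inet addr:" lines (the sample below is constructed) and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: build the ipchains rules from this
# section for every local address and check their order before applying them.
# Assumptions: addresses come from ifconfig-style "inet addr:" lines (the
# sample below is constructed), and DRY_RUN=1 prints instead of executing.

LOCALNET="192.168.1.0/24"   # clients whose port-80 traffic gets redirected
PROXY_PORT="3128"           # must match http_port in squid.conf
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of old-style ifconfig output, used instead of calling ifconfig.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Print the IPv4 address of every interface, one per line.
local_addrs() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# Emit the rules in the order ipchains must see them: ACCEPT for the local web
# server on every address first, then the REDIRECT restricted to LOCALNET.
build_rules() {
    local_addrs "$1" | while read -r addr; do
        echo "ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d ${addr}/32 80"
    done
    echo "ipchains -A input -j REDIRECT ${PROXY_PORT} -p tcp -s ${LOCALNET} -d 0.0.0.0/0 80"
}

# Order check: an ACCEPT after the REDIRECT is never reached, so the local
# web server would be proxied too. Returns 0 when the order is right.
check_order() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ { seen_redirect = 1 }
        /-j ACCEPT/ && seen_redirect { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Build, verify and (unless DRY_RUN=1) feed the rules to sh, as the HOWTO does.
apply_rules() {
    rules=$(build_rules "$1")
    check_order "$rules" || { echo "rule order is wrong, refusing" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh
    fi
}
```

To use it on a real box, replace SAMPLE_IFCONFIG with "$(ifconfig)" and run with DRY_RUN=0 once the printed rules look right.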

You should now have a transparent proxy!

Finale

Now we're almost done. A few things remain though...

Client configuration

Client hosts which have the proxy host as their default route (default gateway) don't have to do anything else. This is the whole point of making a transparent proxy.

Client hosts that don't have the proxy host as their default route have to configure the client software manually. Refer to its documentation for that.

Smoke test

When everything is running, tailf the log (in my case /var/log/squid/access.log), start loading pages on the clients and check that they pop up in the log.

If they don't, check the following:

  - The clients' default gateway must be the address of the proxy computer.
  - Double-check with ipchains -L that the firewall redirects properly.
  - Is the proxy actually running? Try setting the proxy manually in f.ex. Netscape Navigator.
  - Go through all settings once more (this will be an infinite loop if it doesn't work ;-) )
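As an added example for the smoke test (not part of the original HOWTO), here is a small helper that reads Squid's native access.log and reports which clients actually reach the proxy and how many of their requests were cache hits, so hosts whose port-80 traffic is not being redirected stand out. It assumes the native log layout (time, elapsed, client, action/status, bytes, method, URL, ident, hierarchy/peer, type); the log lines below are constructed.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: smoke-test helper for the checklist
# above. Reads Squid's native access.log and tells you which clients actually
# reach the proxy and how many of their requests were cache hits.
# Assumed layout (Squid native format, whitespace separated):
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
# The log lines below are constructed, not taken from a real server.

SAMPLE_LOG='937734000.123    245 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/10.0.0.5 text/html
937734001.456      3 192.168.1.21 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
937734002.789    180 192.168.1.20 TCP_MISS/404 820 GET http://www.example.com/missing - DIRECT/10.0.0.5 text/html'

# Print "client requests hits" for each client address, sorted by address.
client_summary() {
    printf '%s\n' "$1" | awk '
        { req[$3]++; if ($4 ~ /^TCP_(HIT|MEM_HIT|IMS_HIT)\//) hit[$3]++ }
        END { for (c in req) printf "%s %d %d\n", c, req[c], hit[c] + 0 }' | sort
}

# Return 0 if the client appears in the log, i.e. its port-80 traffic really is
# being redirected into Squid, and 1 if it never shows up.
client_seen() {
    printf '%s\n' "$2" | awk -v c="$1" '$3 == c { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Given a space-separated list of client addresses, print the ones that never
# reached the proxy; those are the hosts whose gateway or redirect to check.
missing_clients() {
    for c in $1; do
        client_seen "$c" "$2" || echo "$c"
    done
}
```

On a real system pass "$(cat /var/log/squid/access.log)" instead of SAMPLE_LOG, e.g. missing_clients "192.168.1.20 192.168.1.21" "$(cat /var/log/squid/access.log)".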

Last words from the author

This is just a this-worked-for-me-maybe-it-will-for-you-too guide. So if you're in luck you will have a transparent proxy tonight.