The basic steps to configure Fedora 8 as a firewall router with a transparent proxy are as follows.
1. Install Fedora with the web server feature enabled, go to its sub-items and make sure Squid 2.6 is selected.
2. Open a terminal window and edit the squid.conf file using the command
3. Find the following lines in squid.conf, remove the '#' from the beginning of each line, and edit them as follows
http_access allow all
cache_mem 8 MB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
http_port 192.168.10.1:3128 transparent
# Assumes that 192.168.10.1 is the IP address of your LAN Ethernet interface
always_direct allow all
4. Save the file and exit (in vi: press 'Esc', then type ':wq')
5. To enable routing, edit the 'sysctl.conf' file so that it contains the following line
net.ipv4.ip_forward = 1
6. Save the file and exit (in vi: press 'Esc', then type ':wq')
7. Edit the firewall rules by typing the following commands in the console (assuming that eth0 is the WAN and eth1 is your LAN interface)
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 -m tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
8. Save the iptables rules with the 'service iptables save' command.
9. That completes the configuration.
10. Create the swap (cache) directories for Squid by typing the command '/usr/sbin/squid -z' in the console.
11. Start the Squid service with the command 'service squid start'.
12. Restart iptables with the command 'service iptables restart'.
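As an added check that is not part of the original how-to, the following shell script verifies an iptables-save dump against the rules from step 7 (INPUT policy DROP, the port 80 REDIRECT, the MASQUERADE on eth0, and Squid's port 3128 accepted on eth1 only). It assumes the same eth0/eth1 roles as above and embeds a constructed sample dump so it also runs on a machine that is not the router.

```shell
#!/bin/bash
# Added example, not part of the original how-to: sanity checks for the
# firewall half of the setup, run over an `iptables-save` dump.
# SAMPLE_DUMP is a constructed dump of what step 8 should leave behind.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# check_rules DUMP: prints one line per problem found, returns 0 when all checks pass.
check_rules() {
  local dump="$1" rc=0
  printf '%s\n' "$dump" | grep -q '^:INPUT DROP' ||
    { echo "INPUT policy is not DROP: unsolicited WAN traffic reaches the router"; rc=1; }
  printf '%s\n' "$dump" | grep -q -- '^-A PREROUTING -i eth1 -p tcp .*--dport 80 -j REDIRECT --to-ports 3128' ||
    { echo "no REDIRECT of LAN port 80 to 3128: clients bypass the proxy"; rc=1; }
  printf '%s\n' "$dump" | grep -q -- '^-A POSTROUTING -o eth0 -j MASQUERADE' ||
    { echo "no MASQUERADE on eth0: forwarded LAN traffic leaves without NAT"; rc=1; }
  # Squid must only be reachable from the LAN side: an INPUT accept for 3128
  # that is not tied to eth1 would expose the proxy to the WAN (open proxy).
  if printf '%s\n' "$dump" | grep -- '^-A INPUT .*--dport 3128 -j ACCEPT' | grep -qv -- '-i eth1'; then
    echo "port 3128 accepted on an interface other than eth1: open proxy risk"; rc=1
  fi
  return $rc
}

# Use the live ruleset when run as root on the router, otherwise the constructed sample.
dump=""
if [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
  dump=$(iptables-save 2>/dev/null)
fi
[ -n "$dump" ] || dump="$SAMPLE_DUMP"
check_rules "$dump" && echo "firewall rules match the how-to"
```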
The above configuration also makes your Linux box a secured router: only SSH (port 22) is reachable from both the LAN and the WAN, and the Squid service is reachable from the LAN only. Note that Squid's 'http_access allow all' relies on this: port 3128 is only accepted on eth1, so the proxy is not exposed to the WAN.
You don't need to do any proxy configuration on the clients.
You will see the performance gain for frequently accessed web pages, and you don't need to install and configure a proxy on every client machine you have. Remember the Blue Coat slogan, "I Love Proxy". Study further, starting from this document, and fine-tune the setup to be as productive as possible for your organization.
Note: this caches plain HTTP web pages only (HTTPS is not redirected, it is simply forwarded and masqueraded like other LAN traffic), and proxy authentication does not work with a transparent proxy.