Simple Squid Transparent Proxy

Recipe # | posted in Howto | Comments

1 – Problem Description

Need to filter http access on my lan using a whitelist.

2 – Solution

Install squid with your distro’s package manager (squid should be on every distro’s repositories)

Copy and paste the following lines to your squid.conf file, overwriting yours:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 8080  563     # https, snews
acl SSL_ports port 873               # rsync
acl Safe_ports port 80               # http
acl Safe_ports port 21               # ftp
acl Safe_ports port 443 8080 563     # https, snews
acl Safe_ports port 70               # gopher
acl Safe_ports port 210              # wais
acl Safe_ports port 1025-65535       # unregistered ports
acl Safe_ports port 280              # http-mgmt
acl Safe_ports port 488              # gss-http
acl Safe_ports port 591              # filemaker
acl Safe_ports port 777              # multiling http
acl Safe_ports port 631              # cups
acl Safe_ports port 873              # rsync
acl Safe_ports port 901              # SWAT
acl Safe_ports port 8088
acl whitelist dstdomain "/path/to/yourWhitelistFile"
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src x.x.x.x/x
http_access allow localhost
http_access allow lan whitelist
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname localhost
always_direct allow all
coredump_dir /var/spool/squid

In line 31, you should add the path of your whitelist file. In line 42, you should add the ip/cidr of your lan e.g. 192.168.0.0/16

Install iptables and add the following rule:

1
iptables -t nat -A PREROUTING -i ethx -p tcp --dport 80 -j REDIRECT --to-port 3128

This rule redirects network traffic from port 80 (default http) to 3128, which is the listening port of squid (see line 01). Be careful with network interface ethx.

Enable ip forwarding:

1
echo 1 > /proc/sys/net/ipv4/ip_forward

Add urls in your whitelist file, to permit access. This file is just a simple list of websites that will be allowed. The one thing of which to be aware is the fact that your entries need to lead with a dot, e.g.

1
2
.youjizz.com
.youporn.com

:P

You are ready! Just add any pc that you need to filter its content to your local network and change its gateway to point to squid box’s ip.

3 – References

[1] CIDR, Wikipedia

[2] Squid

[3] Iptables

[4] IP Forwarding

Comments