iptables
BarakudaX777, 2018-12-29 11:44:39

How to set up a transparent proxy for Squid 3.5 via iptables?

Good afternoon. I'm just getting started with Linux systems. Ubuntu 18.04 is installed.
The task is to set up a proxy server. I configured Squid on port 3128; when the port is specified in the client, the Internet works.
Squid is installed from the repository.
I ran into the problem that not all programs, especially console ones, cooperate with proxy settings.
Please advise how to make these programs access the Internet.
I read about transparent proxying, but I don't understand: in version 3.5 do I need to specify http_port 3128 transparent, or is it intercept now? Or do I not need to specify it at all, and everything is done only through iptables...
I read that port 80 needs to be forwarded to 3128. All the articles describe this differently: some in a single command, others with many commands written in a script.
I tried different options; it works, but not on all sites (roughly every other one), and then the machine stops working altogether...
Please help me figure it out.
squid settings

acl SSL_ports port 443 563 5190 5222 5223 6667-7000 10000
# SAFE PORTS
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 25		# smtp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 26000	# wais
acl Safe_ports port 26062	# rustserver
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl lan src 192.168.30.1-192.168.30.255
acl CONNECT method CONNECT
# Files in cgi-bin directories will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# List of DNS servers (IP addresses) to use instead of those defined in /etc/resolv.conf
dns_nameservers  77.88.8.7  77.88.8.3 192.168.30.200 192.168.10.200 192.168.10.250

# Deny access to ports not in the list above
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
# opens access to the whole subnet
http_access allow lan

http_port 3128 intercept
http_port 192.168.30.1:3128 transparent

# CACHE SETTINGS
cache_mem 4096 MB
maximum_object_size 64000 KB
# Maximum size of an object kept in RAM
maximum_object_size_in_memory 512 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 32000 16 256
coredump_dir /var/spool/squid
# Zero lifetime for dynamic content
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

# TUNING HTTP HEADERS
refresh_pattern -i	^http://thumbs.ebay.com                 2880    50%     43200   ignore-reload override-expire override-lastmod
refresh_pattern -i      ^http://include.ebaystatic.com          2880    50%     43200   ignore-reload override-expire override-lastmod
refresh_pattern -i      \.swf                                   2880    50%     43200   ignore-reload override-expire override-lastmod
refresh_pattern -i      \.(gif|jpeg|png|ico|zip|rar|arj|lha|lzh|cab|exe|wm[afv]|divx|avi|flv|fmv|rlv|r[ma]|mpeg|mp[234]|wav|mid|pdf|bz2|tgz|ppt|avc|klb|tar\.gz|tgz|tar\.bz2|tbz2)   2880    50%     43200   ignore-reload override-expire override-lastmod
refresh_pattern -i      \.(gif|jpe?g|png|ico|zip|rar|arj|lha|lzh|cab|exe|wm[afv]|divx|avi|r[ma]|mpe?g|mp[234]|wav|mid|pdf|bz2|tgz|ppt|avc|klb|tar\.gz|tgz|tar\.bz2|tbz2)       2880    50%     43200   override-expire override-lastmod
# LiveJournal
refresh_pattern         livejournal\.com/userpic/               3200    100%    43200   ignore-reload override-expire override-lastmod
refresh_pattern         stat\.livejournal\.com/         3200    100%    43200   ignore-reload override-expire override-lastmod
refresh_pattern         userpic\.livejournal\.com/              3200    100%    43200   ignore-reload override-expire override-lastmod
refresh_pattern         pics\.livejournal\.com/         21600   100%    43200   ignore-reload override-expire override-lastmod
# Fishki.net static content
refresh_pattern         ru\.fishki\.net/                21600   100%    43200   ignore-reload override-expire override-lastmod
refresh_pattern         de\.fishki\.net/                21600   100%    43200   ignore-reload override-expire override-lastmod
# Photofile.ru
refresh_pattern         photofile\.ru/photo/            21600   100%    43200   ignore-reload override-expire override-lastmod
refresh_pattern -i      mode=attach|MessagePart|/simg/          600000  50%     1200000
refresh_pattern -i      /top100\.cnt                            43200   100%    43200
refresh_pattern -i      /(counter|hit|erle\.cgi|bb\.cgi)$       43200   100%    43200
# Macromedia/Adobe Flash player
refresh_pattern         macromedia.com/.*\.(cab|exe|zip)$       43200   100%    43200
# Windows Update
refresh_pattern         windowsupdate.com/.*\.(cab|exe|zip|psf)$        43200   100%    43200
refresh_pattern         download.microsoft.com/.*\.(cab|exe|zip|psf)$   43200   100%    43200
refresh_pattern -i      \.(cgi|asp|php|fcgi|rbx|rhtml)          0       20%     60
# Google
# google maps/earth/etc = min 7 days
refresh_pattern -i      google\.com/(flatfile|kh|mt)\?          10080   50%     43200   ignore-reload override-expire override-lastmod
# VKontakte.ru
refresh_pattern         vk.ru/.*\.(jpg|gif|flv|mp3)$     43200   50%    43200
refresh_pattern         ^ftp:                                   1440    20%     10080
refresh_pattern         ^gopher:                                1440    0%      1440
refresh_pattern         \?                                      0       20%     4320
refresh_pattern         .                                       5       20%     4320
# Fast shutdown
shutdown_lifetime 1 second

ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:3f:0b:b6:2b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 83.146.113.23  netmask 255.255.255.128  broadcast 83.146.113.127
        inet6 fe80::280:48ff:fe28:f20c  prefixlen 64  scopeid 0x20<link>
        ether 00:80:48:28:f2:0c  txqueuelen 1000  (Ethernet)
        RX packets 1113  bytes 593624 (593.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1450  bytes 647881 (647.8 KB)
        TX errors 0  dropped 0 overruns 4  carrier 0  collisions 0

enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.1  netmask 255.255.0.0  broadcast 192.168.255.255
        inet6 fe80::922b:34ff:fe33:ba32  prefixlen 64  scopeid 0x20<link>
        ether 90:2b:34:33:ba:32  txqueuelen 1000  (Ethernet)
        RX packets 2096  bytes 192115 (192.1 KB)
        RX errors 0  dropped 193  overruns 0  frame 0
        TX packets 418  bytes 116467 (116.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 1  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 342  bytes 67368 (67.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 342  bytes 67368 (67.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2 answer(s)
Dmitry, 2018-12-29
@BarakudaX777

In squid config:

http_port 192.168.30.1:3128
http_port 192.168.30.1:3129 intercept

iptables:
For "transparent" HTTPS forwarding you have to work a bit harder, yes...
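The iptables side that pairs with the split http_port layout above (plain 3128 for configured clients, 3129 intercept for redirected ones), as an added example rather than anything posted in the thread. Interface names and addresses are assumptions taken from the asker's ifconfig and "lan" acl; the script prints the rules for review instead of applying them, and checks that the redirect only ever applies on the LAN side, never on the interface carrying the public address.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (from the asker's ifconfig / acl):
LAN_IF="${LAN_IF:-enp4s0}"               # inside interface, 192.168.30.1
WAN_IF="${WAN_IF:-enp3s1}"               # outside interface with the public address
LAN_NET="${LAN_NET:-192.168.30.0/24}"    # the "lan" acl range
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}" # http_port ... intercept from the answer

# Print the rules rather than run them, so they can be read first:  sh this.sh | sudo sh
transparent_proxy_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Redirect LAN clients' port-80 traffic to Squid's intercept port. Matching in
# PREROUTING on the LAN interface only: Squid's own upstream requests leave via
# the OUTPUT chain and are never caught, so the redirect cannot loop on itself.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
# Neither proxy port may be reachable from the public interface:
# accept them from the LAN, drop from everywhere else.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 3128,$INTERCEPT_PORT -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3128,$INTERCEPT_PORT -j DROP
# Ordinary NAT for everything else the LAN sends out (HTTPS is not intercepted here).
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check on the generated rule set: exactly one REDIRECT, it targets the
# intercept port, and no REDIRECT or ACCEPT rule is bound to the WAN interface.
check_rules() {
    rules=$(transparent_proxy_rules)
    redirects=$(printf '%s\n' "$rules" | grep -c -- '-j REDIRECT')
    [ "$redirects" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -- '-j REDIRECT' | grep -q -- "--to-ports $INTERCEPT_PORT" || return 1
    printf '%s\n' "$rules" | grep -E -- '-j (REDIRECT|ACCEPT)' | grep -q -- "-i $WAN_IF" && return 1
    return 0
}
```

Every address and port is passed as the value of its own option (`-s`, `-i`, `--to-ports`); a bare address on the iptables command line is what produces the `Bad argument` error.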

BarakudaX777, 2018-12-29
@BarakudaX777

I tried to follow the article Creating a transparent proxy; the iptables commands are not accepted, it complains:
Bad argument `192.168.30.1'
