Articles / Configuring a Transparent P...

Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables

A proxy/Webcache is a computer which sits between your LAN and your Internet connection, usually in the gateway. Its job is to capture and save every Web page that the client machines in your LAN visit, so that the next time someone requests a page, the proxy/Webcache already has it and sends it to the client. This saves bandwidth and usually speeds Web navigation.

A bridge works exactly like a two-port switch. It passes everything from one port to the other, but if we have a Linux box acting like a switch, we can do wonderful things, because we actually "see" the traffic.

Why would I need a bridge with Squid?

There are some cases in which you do not have access to the gateway, or your gateway is a piece of dedicated hardware. Furthermore, if a bridge is used, you do not have to change anything in your network, just plug in the bridge and start working. If the Linux box acting as a proxy/Webcache is eaten by a big green monster, you can just reconnect the cables, and everything goes back to normal until you replace it.

Remember to document where in your network the bridge is. Bridges do not appear in traceroutes, and that may be a bit confusing and hard to locate in a big network.

Ok, let's start.

Setting up Squid

First, get squid running. There is a lot of documentation in the Squid distribution, so I won't cover basic configuration here. On my Fedora box, I just installed the rpm, and that was all.

Check that the following lines are present in /etc/squid/squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Also check that your network appears in the ACLs section. For example, if your network is 192.168.1.0 netmask 255.255.255.0, use:

acl our_networks src 192.168.1.0/24

For testing, you may omit the "acl" line and just comment this:

http_access deny all

and use this instead:

http_access allow all

Be careful if you don't want to allow everyone to use your Webcache. I recommend using this configuration only for testing.

Start squid. In Fedora, you can use:

bash# service squid start

Other distributions may use:

bash# /etc/init.d/squid start

or you can start it manually. The first time you run it, it will take a few moments to build its cache files. Be patient.

In Fedora, let's make sure squid starts automatically:

bash# chkconfig squid on

Configuring the bridge

This couldn't be easier:

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
route add default gw 200.1.2.254 dev br0

Potential Pitfall:

If your PC locks or kernel panics, it's because you have a bad network adapter card. Most cheap motherboards have a bad integrated NIC. Just get a better NIC; even an old Realtek should work fine.

In this example, I suppose you are using eth0 and eth1. In the ifconfig line, I assigned IP address 20.1.2.3 to the bridge so I can access it remotely. Use an IP address in your network. Don't forget it; you will need it later.

You may check that the bridge is working by using tcpdump:

bash# tcpdump -n -i eth0                         
                       ...
         (lots of funny stuff)
                       ...
bash# tcpdump -n -i eth1
                       ...
         (lots of funny stuff)
                       ...

Plug your machine into the network, and everything should work. Your Linux box is now a big, expensive two-port switch.

Configuring transparent redirection

We're able to see all the traffic in our network, because we are in the middle. Now we want to catch Web traffic and redirect it directly into Squid.

First, let's see if squid is correctly configured.

Go to a PC in your LAN and manually configure a proxy. If you use Firefox, for example, go to the Edit menu and select Preferences. Select General and click "Connection Settings", choose "Manual Proxy Configuration", and enter the IP address of your bridge. The port is 3128, unless you have changed it.

Try surfing the Web. If it works, you have squid running and working as desired. Now we'll move on to the fun stuff and build a "brouter".

First, install ebtables on the bridge machine. Then, just run these two commands:

bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

The first command says that packets passing through the bridge going to port 80 will be redirected to the local machine, instead of being bridged. The second uses iptables to redirect those packets to local port 3128, so squid can take care of them.

Check squid's log to see whether you're catching traffic:

bash# tail -f /var/log/squid/access.log

You should see a lot of "[x]__HIT" messages, meaning that all that content is being caught.

Congratulations, you have a Transparent Proxy/Webcache!

Fine Tuning

You may want to fine-tune squid, adjusting how much memory or disk space it will use. Just edit /etc/squid/squid.conf.

Remember to create the ACLs (Access Control Lists) for your networks.

You may want to have a script to set up all of this at boot. Use something like this:

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
route add default gw 200.1.2.254 dev br0

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6  \
	--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80  \
	-j REDIRECT --to-port 3128

Save it and put it in /var/my-start-scripts/bridgeBrouter-up.sh. chmod it to 0755 and put a line in /etc/rc.local as follows:

/var/my-start-scripts/bridgeBrouter-up.sh

Have fun!

RSS Recent comments

01 Jan 2005 05:28 davide73

IP 20.1.2.3
Please don't use 20/8 because this isn't a free IP address (ws.arin.net/cgi-bin/wh... for further info)

Use 10/8.

01 Jan 2005 06:50 mituc

fine tunning for FC
Hi,

Speaking of fine tunning for Fedora Core, you can use:

/etc/sysconfig/network-scripts/ifcfg-br0

having the following content:

DEVICE=br0

ONBOOT=yes

BOOTPROTO=static

IPADDR=200.1.2.3

NETMASK=255.255.255.0

TYPE=Bridge

In order that the configuration to work you have also to modify the configuration files for eth0 and eth1 (in your case)

/etc/sysconfig/network-scripts/ifcfg-eth[01]

DEVICE=eth0 # or eth1

ONBOOT=yes

BOOTPROTO=static

BRIDGE=br0

/etc/rc.d/init.d/network restart and enjoy. It's better to use the tools from the linux distro than to placing configuration scripts in rc.local.

02 Jan 2005 03:49 arcofdescent

bandwidth control
HI,

Can we have bandwidth control working with this

setup too?

using the tc utility.

I think it will work. Just wanna be sure!

Regards,

Rohan

02 Jan 2005 05:48 commanderx

Remote Squid
Hi,

is it possible to redirect the Traffic to another Machine in the LAN which is runnning Squid?

Cause my Box running the Bridge mode isnt very powerfull.

02 Jan 2005 12:42 ariel999

Re: IP 20.1.2.3

> Please don't use 20/8 because this isn't

> a free IP address

> (ws.arin.net/cgi-bin/wh... for

> further info)

>

> Use 10/8.

>

>

You are right, but that was only an example, people should use an IP in their own network or a private IP.

02 Jan 2005 12:54 ariel999

Re: bandwidth control and more networks

> HI,

> Can we have bandwidth control working

> with this

> setup too?

> using the tc utility.

>

> I think it will work. Just wanna be

> sure!

>

> Regards,

> Rohan

>

Yes, it certainly can be done, in fact, i am doing it right now for a mid-size ISP. Just use tc and shape in the right direction, outbound traffic (uploads) in the interface pointing to the world and inbound traffic (downloads) in the one pointing to your LAN. You should use only tc filters because it is a waste of computer power to bring those packets to iptables (using ebtables) and then bounce them back using routing, use tc filter ...... and you and your network will be happy.

You can also add more network adaptors and join them to the bridge to catch traffic from more networks.

It works like a charm.

BTW: I am also shaping in a linksys Wireless router, i can control specific wireless clients directly from the router, it is also a wonderful thing.

02 Jan 2005 12:57 ariel999

Re: Remote Squid

> Hi,

>

> is it possible to redirect the Traffic

> to another Machine in the LAN which is

> runnning Squid?

> Cause my Box running the Bridge mode

> isnt very powerfull.

Of course, just use iptables rules to redirect traffic to another machine istead of redirecting them to itself, but you should better use a better machine.

03 Jan 2005 15:15 commanderx

Re: Remote Squid

> Of course, just use iptables rules to

> redirect traffic to another machine

> istead of redirecting them to itself,

> but you should better use a better

> machine.

This settings work for me (redirecting on my Linksys WRT54G to my Squid Box)

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp --source ! 192.168.1.10/255.255.255.255 --dport 80 -j DNAT --to-destination 192.168.1.10:8080

Maybe its dirty...but it works fine :)

16 Jan 2005 01:34 lussac

can i use cbq with this setting ?
i have topologi network like below :

internet -- gateway -- bridge/squid -- all_cilent

and i will plan in gateway (linux box) setting CBQ for bandwidth limiting to shape all_client based BW alocation.

but request all_client be handle squid, and i confuse about it. can i shape BW all_client with CBQ in gateway or in bridge/squid ??

26 Jan 2005 07:32 wakebdr

Can I run services on the bridge?
The box I would like to setup as my bridge is currently running services such as http and ftp that are being served to the internet via port forwarding on my router. Will this still be possible if the box is setup to act as a bridge? If it's possible, is it safe?

28 Jan 2005 02:40 dunmi

Re: fine tunning for FC

> Hi,

> Speaking of fine tunning for Fedora

> Core, you can use:

> /etc/sysconfig/network-scripts/ifcfg-br0

> having the following content:

>

> DEVICE=br0

> ONBOOT=yes

> BOOTPROTO=static

> IPADDR=200.1.2.3

> NETMASK=255.255.255.0

> TYPE=Bridge

>

> In order that the configuration to work

> you have also to modify the

> configuration files for eth0 and eth1

> (in your case)

> /etc/sysconfig/network-scripts/ifcfg-eth[01]

> DEVICE=eth0 # or eth1

> ONBOOT=yes

> BOOTPROTO=static

> BRIDGE=br0

>

> /etc/rc.d/init.d/network restart and

> enjoy. It's better to use the tools from

> the linux distro than to placing

> configuration scripts in rc.local.

>

hi

please i have a problem getting the bridge to start on reboot . i tried the script but it says brctl command not recognised . at boot time.

08 Feb 2005 13:17 jeenux

ebtables
Hi,

I have a bridge which passes http requests to Squid on the same machine (like the setup in the doc). But the thing is I don't use ebtables. I only use iptables and it's working fine except for some cases which, I heard, were normal problems (like refresh problems with Internet Explorer).

So I was wondering if there was any reason for me to use ebtables and why does it work without it.

Thanks,

Jeenux

14 Feb 2005 19:34 cweng

To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?
To my surprise, even if <B>I removed the ebtables statement, it still works<B>. Care to comment why ?

In other words, the following statment is sufficient!

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \

-j REDIRECT --to-port 3128

15 Feb 2005 20:32 jbwjbw

Strange Problem

Below are what I am using to setup my bridge. When the server boot's I can ping/ftp though the router right away. However trying to ping/ssh/etc to the bridge IP does not work right away. It seems to take a few minutes, then it starts to work. Any ideas what I might be doing wrong?

e.g. I can ftp to some external server or ping an external server but can't ping the 192.168.2.16 for a few minutes at least after it comes up. Very strange. I don't see why I can't ping or ssh to it if the interfaces are up and working. Thanks,

ifconfig eth0 0.0.0.0 promisc up

ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0

brctl addif br0 eth0

brctl addif br0 eth1

ifconfig br0 192.168.2.16 netmask 255.255.255.0 up

route add default gw 192.168.2.1 dev br0

ebtables -P FORWARD DROP

ebtables -A FORWARD -p IPv4 -j ACCEPT

ebtables -A FORWARD -p ARP -j ACCEPT

ebtables -A FORWARD --log-level info --log-ip --log-prefix EBFW

ebtables -P INPUT DROP

ebtables -A INPUT -p IPv4 -j ACCEPT

ebtables -A INPUT -p ARP -j ACCEPT

ebtables -A INPUT --log-level info --log-ip --log-prefix EBFW

ebtables -P OUTPUT DROP

ebtables -A OUTPUT -p IPv4 -j ACCEPT

ebtables -A OUTPUT -p ARP -j ACCEPT

ebtables -A OUTPUT --log-level info --log-ip --log-arp --log-prefix EBFW -j DROP

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j REDIRECT --to-port 53

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j REDIRECT --to-port 53

22 Feb 2005 20:01 MrMoke

Re: Strange Problem
I remember seeing in the documentation that it will take a while for the bridge software to memorize the MAC addresses of the NIC's that it can find. I believe that this is standard procedure for bridges, and the articles indicate that this results in somewhat slowed responses immediately after startup.

22 Feb 2005 21:21 MrMoke

Dansguardian/Squid/Ebtables
I currently have a Fedora3 box running the above three products as a Dansguardian Bridge. Since bridging is part of the 2.6 kernel build, it was the easiest to include, and I am currently running with all tables open with:

br0 192.168.250.50/24

eth0 Outer subnetwork

eth1 Inner subnetwork

I then added Squid, and configured it to run as a transparent proxy. The trick here is that I only want the bridge services to be visible to the inner subnet, not to everyone. Based on the sparse documentation that I have been able to find, I assume that I can force Brouting of IPv4 traffic, and use Iptables to do blocking of requests to upstream nodes. The ultimate goal is to add Dansguardian, plus a tight set of iptables rules using the physdev option to create a mostly invisible Bridge Filter that services IP to the inner subnet without hindering the flow of other protocols. If anyone has seen ebtables used like this before I could use a link, because I have found zero articles so far.

Thanks

04 Mar 2005 07:37 ariel999

Re: ebtables

> Hi,

>

> I have a bridge which passes http

> requests to Squid on the same machine

> (like the setup in the doc). But the

> thing is I don't use ebtables. I only

> use iptables and it's working fine

> except for some cases which, I heard,

> were normal problems (like refresh

> problems with Internet Explorer).

>

> So I was wondering if there was any

> reason for me to use ebtables and why

> does it work without it.

>

> Thanks,

>

> Jeenux

>

By the time i worked on that problem iptables was not able to "see" packets going thru the bridge. There was even another proyect useful for bringing packets into iptables: the frame diverter.

Perhaps there was a promise to patch iptables. Maybe iptables is now capable of doing that without ebtables.

--

The same answer for the post above this.

:-)

04 Mar 2005 07:42 ariel999

Re: To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?

> To my surprise, even if <B>I

> removed the ebtables statement, it still

> works<B>. Care to comment why ?

> In other words, the following statment

> is sufficient!

>

> iptables -t nat -A PREROUTING -i br0 -p

> tcp --dport 80 \

> -j REDIRECT --to-port 3128

Take a look at my answer to jeenux

04 Mar 2005 07:45 ariel999

Re: ebtables

> except for some cases which, I heard,

> were normal problems (like refresh

> problems with Internet Explorer).

There is a workaround for refresh problems in IE. Check your squid.conf comments and sample settings.

04 Mar 2005 07:59 ariel999

Re: Can I run services on the bridge?

> The box I would like to setup as my

> bridge is currently running services

> such as http and ftp that are being

> served to the internet via port

> forwarding on my router. Will this

> still be possible if the box is setup to

> act as a bridge? If it's possible, is

> it safe?

Yes, it is possible, in fact if you assign an IP to your bridge your router can see it as a normal computer, so if you open port 81 (and run apache), you can redirect web requests to it. I suggest to run apache on a different port that 80 (81 is fine). Because IMHO iptables will redirect it to squid, and maybe squid will redirect it to your router and your router redicting to the bridge, and squid redirectig to the router, and... you will end with a loop. So do not use 80, in fact you dont need it, your traffic incoming traffic to por 80 (to www.yoursite.com) will be redirected by the router if you configure it to do so (to port 81).

In the other hand, if it is safe or not is subject to how do you define safety.

We have a two-NIC machine acting a as bridge, everything it receives on one nic is "blindly" passed to the other, only web traffic is redirected to squid, and incoming traffic to port 81 will be served by apache. It is a fancy configuration but it should work.

The only problem is that squid consumes a lot of memory and hard disk, and the traffic on the bridge consumes CPU. You only have to worry is you are running a site with lots of concurrent hits ( you certainly cannot run www.google.com on top of this :-P )

13 Mar 2005 11:04 a_daviel

Problem with return packets from proxy
We are running a transparent bridge on an RH7.3 machine with Linux 2.4.21 using brctl. It works fine.

I want to add a transparent proxy to block certain browsers from going to certain sites. It looked like HTTP::Proxy in Perl would work (well, it does, if I can get it to run transparently, either directly or with tproxy).

Getting Squid to work transparently seemed a

good first step.

I initially followed the recipe in

www.tldp.org/HOWTO/Tra...

and then the recipe above.

I tried squid-2.4.STABLE6 from rpm, and also

built squid-2.5.STABLE9 with --enable-linux-netfilter

Squid works OK.

Capturing packets works OK in UDP - I can capture

all traffic to my test port with "nc -u -l -p 9000" on

the bridge. But in TCP the replies get lost.

If Squid is not running, I get "connection refused".

If it's running, the browser (telnet for testing) hangs

and I see a TCP reset on the target host apparently

coming from the client.

Initially I just had

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 9000 \

-j REDIRECT --to-port 3128

but then tried adding

echo 1 > /proc/sys/net/ipv4/ip_forward

ifup eth0 promisc ; ifup eth1 promisc

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \

--ip-destination-port 9000 -j redirect --redirect-target ACCEPT

iptables -A INPUT -i br0 -p tcp -d bridge-ip -s 127.0.0.1 \

--dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

none of which made any difference

It seems like I am missing something, but what ?

24 May 2005 05:31 madloons

Re: Can I run services on the bridge?

> The box I would like to setup as my
> bridge is currently running services
> such as http and ftp that are being
> served to the internet via port
> forwarding on my router. Will this
> still be possible if the box is setup to
> act as a bridge? If it's possible, is
> it safe?

the tutorial helped me lot thanks madloons (www.massheros.com)

26 May 2005 04:26 madloons

Re: fine tunning for FC

>
> % Hi,
> % Speaking of fine tunning for Fedora
> % Core, you can use:
> %
> /etc/sysconfig/network-scripts/ifcfg-br0
> % having the following content:
> %
> % DEVICE=br0
> % ONBOOT=yes
> % BOOTPROTO=static
> % IPADDR=200.1.2.3
> % NETMASK=255.255.255.0
> % TYPE=Bridge
> %
> % In order that the configuration to
> work
> % you have also to modify the
> % configuration files for eth0 and eth1
> % (in your case)
> %
> /etc/sysconfig/network-scripts/ifcfg-eth[01]
> % DEVICE=eth0 # or eth1
> % ONBOOT=yes
> % BOOTPROTO=static
> % BRIDGE=br0
> %
> % /etc/rc.d/init.d/network restart and
> % enjoy. It's better to use the tools
> from
> % the linux distro than to placing
> % configuration scripts in rc.local.
> %
>
>
> hi
> please i have a problem getting the
> bridge to start on reboot . i tried the
> script but it says brctl command not
> recognised . at boot time.

I am also facing the problem to start on reboot can any one help me thank you

27 May 2005 00:43 madloons

Re: Strange Problem
I remember seeing in the documentation
that it will take a while for the bridge
software to memorize the MAC addresses
of the NIC's that it can find. I believe
that this is standard procedure for
bridges, and the articles indicate that
this results in somewhat slowed
responses immediately after startup

11 Aug 2005 02:20 shazwaen

Re: fine tunning for FC
issue this command...

rpm -qa | grep bridge-utils

if nothing come out... seems that you forgot to install the bridge-utils package. that why the "brctl" command is not found

cheers...

>

> %

> % % Hi,

> % % Speaking of fine tunning for Fedora

> % % Core, you can use:

> % %

> %

> /etc/sysconfig/network-scripts/ifcfg-br0

> % % having the following content:

> % %

> % % DEVICE=br0

> % % ONBOOT=yes

> % % BOOTPROTO=static

> % % IPADDR=200.1.2.3

> % % NETMASK=255.255.255.0

> % % TYPE=Bridge

> % %

> % % In order that the configuration to

> % work

> % % you have also to modify the

> % % configuration files for eth0 and

> eth1

> % % (in your case)

> % %

> %

> /etc/sysconfig/network-scripts/ifcfg-eth[01]

> % % DEVICE=eth0 # or eth1

> % % ONBOOT=yes

> % % BOOTPROTO=static

> % % BRIDGE=br0

> % %

> % % /etc/rc.d/init.d/network restart

> and

> % % enjoy. It's better to use the tools

> % from

> % % the linux distro than to placing

> % % configuration scripts in rc.local.

> % %

> %

> %

> % hi

> % please i have a problem getting the

> % bridge to start on reboot . i tried

> the

> % script but it says brctl command not

> % recognised . at boot time.

>

>

> I am also facing the problem to start on

> reboot can any one help me madloons

> thank you

>

08 Nov 2005 02:03 madloons

Re: Strange Problem
I remember seeing in the documentation that it will take a while for the
bridge software to memorize the MAC addresses of the NIC's that it can find. I
believe that this is standard procedure for bridges, and the articles indicate
that this results in somewhat slowed responses immediately after startup

26 Mar 2006 03:04 sheesh

Having trouble in redirecting port 80 to 3128
Ariel Molina Rueda
Dear Sir,
I am trying to make a transparent bridge proxy for our ISP. I need to configure it in bridge mode so that no one can trace it. My squid.conf is like below-

http_port 3128
visible_hostname Wipll
cache_mem 100 MB # Testing on a simple machine
maximum_object_size 8000 KB
maximum_object_size_in_memory 2000 KB
cache_dir ufs /var/spool/squid 1000 32 256
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_access_log /var/log/squid/access.log
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

My bridge mode setting script is like below-

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 202.6.176.55 netmask 255.255.255.224 up
route add default gw 202.6.176.33 dev br0

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Linux bridge works well. Also the squid is good enough if I put it's address in client browser. But if I don't client cannot browse. If I remove the iptables command from the script client pc can browse but not through transparent proxy rather directly.

I think port redirection is not working properly, whenever I use iptables to redirect the port 80 it is blocking the port instead of redirecting it to port 3128.

Dear Sir, please help me finding a solution. We need to save our bandwidth.

Regards
Sheesh

26 Mar 2006 03:28 sheesh

Having trouble in redirecting port 80 to 3128
Ariel Molina Rueda

Dear Sir,

I am trying to make a transparent bridge proxy for our ISP. I need to configure it in bridge mode so that no one can trace it. I am using Fedora Core 4. My squid.conf is like below-

http_port 3128
visible_hostname Wipll
cache_mem 100 MB # Testing on a simple machine

maximum_object_size 8000 KB
maximum_object_size_in_memory 2000 KB
cache_dir ufs /var/spool/squid 1000 32 256
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_access_log /var/log/squid/access.log
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

My bridge mode setting script is like below-

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 202.6.176.55 netmask 255.255.255.224 up
route add default gw 202.6.176.33 dev br0

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Linux bridge works well. Also the squid is good enough if I put it's address in client browser. But if I don't client cannot browse. If I remove the iptables command from the script client pc can browse but not through transparent proxy rather directly.

I think port redirection is not working properly, whenever I use iptables to redirect the port 80 it is blocking the port instead of redirecting it to port 3128.

Dear Sir, please help me finding a solution. We need to save our bandwidth.

Regards
Sheesh

26 Mar 2006 04:48 sheesh

Re: Having trouble in redirecting port 80 to 3128
Dear Sir,
I also have checked my transparent proxy, it works well without bridge mode.

I need to make it in bridge mode. Please help.

Regards
Sheesh
sheesh@deltasoftbd.com

20 Apr 2006 05:07 bouncygoth

Re: fine tunning for FC
% DEVICE=br0
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=200.1.2.3
> NETMASK=255.255.255.0
> TYPE=Bridge

This all works really nicely for static ip addresses but it doesn't work so well for DHCP. Namely br0 gets initialized before eth0 or eth1 so br0 never gets a DHCP address. I've switched on DHCP persistence, i.e.

DEVICE=br0

BOOTPROTO=dhcp

ONBOOT=yes

TYPE=Bridge

DELAY=0

STP=off

PERSISTENT_DHCLIENT=yes

I can fiddle with DHCP client settings to get it to aggressively recheck but its all very flaky. I notice in ifup that with ethernet bonding the slaved ports get initialized before the master port for DHCP reasons but for ethernet bridges it doesn't.
I can get around it by hacking scripts together in rc.local but if anything restarts the network then it all goes horribly wrong and I like the idea of using the ifcfg scripts

Aside from hacking ifup or /etc/init.d/network, any ideas on how to force eth0/1 to get initialized before br0? I tried renaming br0 to tr0 on the assumption that the order was alphabetic but that seemed to make no difference at all.
Any ideas?

Cheers

Luke

20 Apr 2006 08:47 bouncygoth

Re: fine tunning for FC
% This all works really nicely for static
> ip addresses but it doesn't work so well
> for DHCP. Namely br0 gets initialized
> before eth0 or eth1 so br0 never gets a
> DHCP address. I've switched on DHCP
> persistence, i.e.

I knew I'd figure this out as soon as I posted the question!

run "ifconfig eth0 promisc up" and the eth0 and eth1 are already in promisc mode when the bridge code gets runs and the dhcp client then seems to work properly. The promisc flag survives a network restart so once up and running you can't easily break it and the bridge gets a DHCP address every time!

Cheers,
Luke

26 Jul 2006 02:32 adambengur

Still doesn't work?
To all of you who followed the exact steps without getting it to work - switch to Debian with kernel 2.6. I had the same problem installing it on Fedora 4. good luck!

10 Sep 2006 18:40 vbprogrammer

Dansguardian....
I have squid running successfully on fc4 in bridge mode with two interfaces. If i change the iptables statement to port 8080 for dansguardian instead of 3128 for squid, my client can no longer access the internet. Is there something else that needs to be done for this to work? Thanks in advance!

03 Oct 2006 03:46 stefanbauer

howto in germany
dear users, thank you for collecting your experience about this topic.

from this i have done a german howto which is available here.

www.plzk.de/archiv/fil...

19 Oct 2006 06:23 filipenf

Re: Problem with return packets from proxy
I'm having the same problems that Andrew related. I verified everything and it's all OK.

The connetions are being redirected to iptables:

5 240 REDIRECT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

The squid is getting the connections:

1161252534.833 49 192.168.0.222 TCP_DENIED/403 1430 GET freshmeat.net - NONE/- text/html

But the access denied page of squid doesn't returns to the browser. Also, netstat display data on the send queue of Squid:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 1408 192.168.0.220:3128 192.168.0.222:1087 ESTABLISHED

Note 1408 bytes on the send queue.

Does anybody knows what may be causing this problem?

Thanks

12 Dec 2006 03:54 montievv

email problem
Hi Ariel,

Thank you for the guide. I manage a small setup in our building complex in India. The bandwidth terminates onto a linux box running proprietory bandwidth accounting package. This is connected to 80 odd houses via cascaded switches. I specifically want a transparent bridged caching proxy between the linux box and the internet users - So I connected the additional network card in the linux box into another box running a bridged squid proxy (followed the steps you described) on ubuntu 6.06 server; which in turn is connected to our distribution switch.

Internet<--->linux accounting/NAT<-->bridged squid<--->switch<---->80 houses

However the users are not able to visit sites like mail.yahoo.com, mail.google.com, rediffmail.com. etc.

there are no mail blocking rules defined and we do not specifically run any filtering or firewalling rules. Could this be an issue with the bridge? Everything works fine as soon as I eliminate the bridge from the network. All the installation on the bridge is default Ubuntu server with following additional packages:

squid

ebtables

bridge-utils

squid doesnt have any mail blocking rules. I tried masquerading too on the bridged linux machine. All sites work fine (including email) but then my bandwidth accounting goes for a toss.

Thank you once again,

Vivek

21 Dec 2006 14:23 stefanbauer

Re: email problem

> However the users are not able to visit
> sites like mail.yahoo.com,
> mail.google.com, rediffmail.com. etc.
>
> there are no mail blocking rules defined
> and we do not specifically run any
> filtering or firewalling rules. Could
> this be an issue with the bridge?

This Sites are running in SSL Mode (Port 443). You need to grab ssl packets too.

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 443 -j redirect --redirect-target ACCEPT

26 Dec 2006 00:28 quartet

Re: Remote Squid

>

> % Of course, just use iptables rules to

> % redirect traffic to another machine

> % istead of redirecting them to itself,

> % but you should better use a better

> % machine.

>

>

> This settings work for me (redirecting

> on my Linksys WRT54G to my Squid Box)

> ebtables -t broute -A BROUTING -p IPv4

> --ip-protocol 6 --ip-destination-port 80

> -j redirect --redirect-target ACCEPT

> iptables -t nat -A PREROUTING -i br0 -p

> tcp --source !

> 192.168.1.10/255.255.255.255 --dport 80

> -j DNAT --to-destination

> 192.168.1.10:8080

>

> Maybe its dirty...but it works fine :)

>

>

>

What changes have to be done on the Linksys router side for this configuration to work? Is this some advanced feature on the router, that allow traffic to bind to squid server?

26 Dec 2006 01:12 commanderx

Re: Remote Squid

>

> %

> % % Of course, just use iptables rules

> to

> % % redirect traffic to another machine

> % % istead of redirecting them to

> itself,

> % % but you should better use a better

> % % machine.

> %

> %

> % This settings work for me

> (redirecting

> % on my Linksys WRT54G to my Squid Box)

> % ebtables -t broute -A BROUTING -p

> IPv4

> % --ip-protocol 6 --ip-destination-port

> 80

> % -j redirect --redirect-target ACCEPT

> % iptables -t nat -A PREROUTING -i br0

> -p

> % tcp --source !

> % 192.168.1.10/255.255.255.255 --dport

> 80

> % -j DNAT --to-destination

> % 192.168.1.10:8080

> %

> % Maybe its dirty...but it works fine

> :)

> %

> %

> %

>

>

> What changes have to be done on the

> Linksys router side for this

> configuration to work? Is this some

> advanced feature on the router, that

> allow traffic to bind to squid

> server?

>

Well you have to install an alternativeFirmware like dd-wrt.

Then you have ssh/telnet access to the Router and you can easily change the Firewall rules.

19 Feb 2007 04:58 sankars007

Squid+Bridge
I have configured a FC3 with squid and iptables pointed to port 3128 as mentioned above.The problem i am facing is, if i am connect 3-4 PC passing throughbridge, the squid/Bridge/Iptables works fine.But when i put on the actual load users are not abling to browse.At the same time if i try pointing browser to cache (even port 80) it works perfectly.Is this a probs, Requestgenerating from Public ipeven though hitting cache, but not getting resolved..All my PC and a different DNS server and every Ip is Public.

1171888657.435 3 (Public ip) TCP_MISS/503 1484 GET www.yahoomail.com/ - NONE/- text/html

Squid/Iptables both taken from the FC3 itslef(builtin).

Please help me out.

22 Aug 2007 20:19 nepalibabu

can ping from bridge , hows that ???
Bridge shouldn't be able to ping and traceroute.

But mine does. I configured a transparent squid bridge in my FC3 linux box. And the box is supposed to not able to ping or shouldn't be visible to others. But i can browse the internet and ping as well. Actually i have following setup :

Gw <---> linux squid bridge <----> clients

(b/w control)

Before i put the bridge in the middle the bandwidth controlling was great but after i put the bridge, the

the bw control in not good and all the traffic seems to come from the bridge as if the nating has been done on the bridge.

Please help whats the problem

23 Sep 2007 14:37 al9000

Re: To my surprise, even if I removed the ebtables statement, it still works. Care to comment why ?
To quote the ebtables website:
"ebtables tries to provide the bridge firewalling that iptables
cannot provide, namely the filtering of non-IP traffic."
Apparently the "bridge-nf" code allows iptables to see IP
traffic on the bridge. Since the Internet is, by definition, a
network of IP networks, you probably don't need to bridge
any non-IP packets.

11 Oct 2007 00:41 fodde

Help Please
Thanks for a great article.

I'm trying to setup squid at my home with 2 lan PC's connecting with DSL to the i-net.

Questions: Does my squid box need 2 network cards?

Should the setup be like this?

^

|

~~~~~~~~~~~~~~~

~(inet ip) DSL Router ~

~ (10.0.0.2)~

~~~~~~~~~~~~~~~

|

~~~~~~~~~~~~

~(eth0 10.0.0.3)~

~ squid ~

~(eth1 10.0.0.4)~

~~~~~~~~~~~~

|

~~~~~~~~~~

~ eth Switch ~

~ 10.0.0.x ~

~~~~~~~~~~

|

LAN Clients

Thanks

10 Jan 2008 19:28 WhyOldBill

Re: can ping from bridge , hows that ???
If you have IP Addresses assigned to either (or both) of the eth interfaces, you will be able to ping from the bridge.

> Bridge shouldn't be able to ping and

> traceroute.

> But mine does. I configured a

> transparent squid bridge in my FC3 linux

> box. And the box is supposed to not able

> to ping or shouldn't be visible to

> others. But i can browse the internet

> and ping as well. Actually i have

> following setup :

>

> Gw <---> linux squid

> bridge <----> clients

> (b/w control)

>

> Before i put the bridge in the middle

> the bandwidth controlling was great but

> after i put the bridge, the

> the bw control in not good and all the

> traffic seems to come from the bridge as

> if the nating has been done on the

> bridge.

> Please help whats the problem

10 Jan 2008 19:32 WhyOldBill

Re: Help Please
You need to follow the instructions in the article exactly, if you want to use the IP addresses you are showing for the DSL modem and the PC... i.e. your brindge will NOT have ip addresses assigned to either interface.

cheers,

Bill

> Thanks for a great article.

>

> I'm trying to setup squid at my home

> with 2 lan PC's connecting with DSL to

> the i-net.

>

> Questions: Does my squid box need 2

> network cards?

>

> Should the setup be like this?

> ^

> |

> ~~~~~~~~~~~~~~~

> ~(inet ip) DSL Router ~

> ~ (10.0.0.2)~

> ~~~~~~~~~~~~~~~

> |

> ~~~~~~~~~~~~

> ~(eth0 10.0.0.3)~

> ~ squid ~

> ~(eth1 10.0.0.4)~

> ~~~~~~~~~~~~

> |

> ~~~~~~~~~~

> ~ eth Switch

> ~

> ~ 10.0.0.x

> ~

> ~~~~~~~~~~

> |

> LAN Clients

>

> Thanks

18 Aug 2009 07:38 mrabbat

Hello,
I’m using a transparent proxy bridge, and I noticed that a download never completes and it always cuts, as to connection to the server is reset !
I’m using these rules in the firewall :
ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 –ip-destination-port 80 -j redirect –redirect-target ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-port 8080
iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 -j REDIRECT –to-port 8080

Where port 8080 is the dansguardian port for url filtering.
Any idea why the connection resets ? It’s like a tcp reset is being done.
Thanks.

30 May 2011 12:42 rethink_aboutit

Hello Everybody,

I tried with ebtables,iptables with squid3. I found that following squid directives are no longer valid in squid3

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Therefore I tried with following squid3 config

http_port 3128 transparent

With above configuration, the squid proxy is working when proxy is configured manually in client browser but not working when not configured.

pls help me out.

28 Feb 2012 03:59 ishantha Thumbs up

Hello Everyone

I need to set up transparent squid proxy , in fact we can router all TCP traffic form our firewall , so what i need hear is , convert those traffic as proxy traffic and sent it to other gate way ( that's also another proxy having special features ) ,
- what will be the originator IP for second proxy ??, i guess second proxy see proxy one as originator , instead of real source IP , is there any way to get real originator ip at second proxy ..

Much appreciate if any one can share real experience regarding this ...

Screenshot

Project Spotlight

sshdfilter

A program that automatically blocks ssh brute force attacks.

Screenshot

Project Spotlight

libmodbus (stable)

A multiplatform Modbus library.