Before looking at the transparent proxy server, a word about proxy servers in general. Proxy servers are used to share an Internet connection with clients. A proxy server can be configured as a transparent proxy server to share the Internet connection, as a caching web server that stores web pages locally to improve performance, or as a proxy firewall that controls access to the Internet. Squid is the most widely used open source proxy, and it is the software used here for the transparent proxy server.
Introduction to the Transparent Proxy Server
The transparent proxy server is a server used to share the Internet connection between the clients and the Internet. A ‘transparent proxy’ is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification.
Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal communication at the network layer without requiring any special client configuration. Clients need not be aware of the existence of the proxy.
A transparent proxy is normally located between the client and the Internet, with the proxy performing some of the functions of a gateway or router. Intercepting proxies are commonly used in businesses to enforce acceptable use policy, and to ease administrative overheads, since no client browser configuration is required.
This second reason, however, is mitigated by features such as Active Directory group policy, or DHCP and automatic proxy detection. Intercepting proxies are also commonly used by ISPs in some countries to save upstream bandwidth and improve customer response times by caching.
Working Principle of Transparent Proxy Server
Firstly, the original destination IP and port must somehow be communicated to the proxy. There is a class of cross-site attacks that depends on certain behaviour of intercepting proxies that do not check, or have no access to, information about the original destination. Interception can also cause problems where the intercepting proxy requires authentication and the user then connects to a site which also requires authentication. Finally, intercepting connections can cause problems for HTTP caches, since some requests and responses become uncacheable by a shared cache. More information about these can be found on the Squid official website.
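The first point above, the proxy knowing where the client actually connected, is worth seeing as a check. The following is an added example, not code from the page and not Squid's own implementation (Squid does this internally and exposes the policy through its host_verify_strict option): given the original destination the kernel reports for an intercepted connection (iptables REDIRECT/DNAT preserve it and the proxy reads it with SO_ORIGINAL_DST) and the request the client sent, it extracts the Host header, resolves it, and refuses to let a Host header that points elsewhere decide where the request is forwarded. The resolver table, the three requests and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page or from Squid): the original-destination
# check an intercepting proxy must perform. ORIG_DST_IP stands for the address
# the kernel reports for the intercepted connection (SO_ORIGINAL_DST).

# Constructed stand-in for DNS: "name ip" pairs, one A record each.
RESOLVER_TABLE='www.example.com 203.0.113.10
intranet.example.com 192.168.0.5'

# Constructed requests as a client would send them.
REQ_OK='GET / HTTP/1.1
Host: www.example.com
User-Agent: curl/7.29.0'
REQ_MISMATCH='GET / HTTP/1.1
Host: intranet.example.com:80
User-Agent: curl/7.29.0'
REQ_NOHOST='GET / HTTP/1.0'

# resolve NAME: print the IP from the table, nothing if unknown
resolve() {
    printf '%s\n' "$RESOLVER_TABLE" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# host_header REQUEST: print the Host value, lower-cased, port stripped
host_header() {
    printf '%s\n' "$1" | awk 'tolower($1) == "host:" { h = tolower($2); sub(/:[0-9]+$/, "", h); print h; exit }'
}

# forward_target ORIG_DST_IP REQUEST: print the IP the proxy may connect to.
# Exit status: 0 = Host agrees with the original destination,
#              1 = no Host header (refuse), 2 = mismatch (log, pin to original)
forward_target() {
    orig_ip=$1
    host=$(host_header "$2")
    if [ -z "$host" ]; then
        echo "DENY: intercepted request carries no Host header" >&2
        return 1
    fi
    resolved=$(resolve "$host")
    if [ "$resolved" = "$orig_ip" ]; then
        printf '%s\n' "$orig_ip"
        return 0
    fi
    # The client connected to $orig_ip but names a host that lives elsewhere.
    # Trusting Host here would turn the proxy into a relay to any address the
    # client names; keep the kernel-reported destination and flag the request.
    echo "HOST_VERIFY_FAIL: Host=$host -> ${resolved:-unresolved}, connection was to $orig_ip" >&2
    printf '%s\n' "$orig_ip"
    return 2
}

# Stand-alone run: exercise the three constructed requests
for r in "$REQ_OK" "$REQ_MISMATCH" "$REQ_NOHOST"; do
    forward_target 203.0.113.10 "$r" || echo "status $?"
done
```

On a mismatch the function still returns the original destination rather than wherever Host resolves, and signals the disagreement with a non-zero status so the caller can log it; forwarding to the Host's address instead is exactly the behaviour the cross-site attacks mentioned above depend on.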
Squid Proxy Server quick key points
- Packages – squid*.rpm
- Port Numbers – 3128 (default)
- Configuration File – /etc/squid/squid.conf
- Service / Daemon – squid
Squid Proxy Server Installation and Configuration
Step-I (Install the Squid proxy packages)
[root@proxyserver ~]# yum install squid*
Step-II (Edit the configuration file)
[root@proxyserver ~]# vi /etc/squid/squid.conf
Modify the following parameters
# Listen on 3128 for intercepted traffic ('transparent' is the old spelling; Squid 3.1 and later call this option 'intercept')
http_port 3128 transparent
visible_hostname linux-squid
# 100 MB cache with 16 first-level and 256 second-level directories
cache_dir ufs /var/spool/squid 100 16 256
# The LAN that may use the proxy
acl our_networks src 192.168.0.0/24
# Every day of the week (S=Sunday ... H=Thursday, A=Saturday), 09:00 to 17:30
acl business_hours time S M T W H F A 09:00-17:30
acl test url_regex www.yahoo.com
# All three ACLs must match for a request to be allowed
http_access allow our_networks business_hours test
Step-III (Run the NAT script)
[root@proxyserver ~]# sh transparent_proxy.sh
The script transparent_proxy.sh contains:
#!/bin/sh
SQUID_SERVER="192.168.0.12"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
# Let the kernel route packets between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP: only replies to connections this host opened
# (ESTABLISHED) and connections related to them (RELATED) come in from the Internet
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Step-IV (Restart the squid service)
[root@proxyserver ~]# service squid restart
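With the service running, the ACLs configured in Step-II only pay off if someone reads what they produce. The following is an added example, not part of the page and not Squid's own tooling, that summarises Squid's native access.log format: for each client it counts the requests the http_access rules denied (TCP_DENIED) against that client's total, lists the URLs denied most often, and separately reports any client address outside the our_networks range, which on this setup would mean port-80 traffic arriving on the Internet interface is being intercepted too (the second PREROUTING rule in the script does exactly that). The log lines, the function names and the 192.168.0. prefix check (a plain string prefix, not a CIDR match) are constructed for the example; the peer addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the page): summarise Squid's native access.log.
# Field layout of the native format:
#   1 timestamp  2 elapsed ms  3 client  4 result/status  5 bytes
#   6 method     7 URL         8 ident   9 hierarchy/peer  10 content type
# Constructed sample lines; addresses outside the LAN are documentation ranges.
SAMPLE_LOG='1425054220.123    125 192.168.0.25 TCP_MISS/200 5120 GET http://www.yahoo.com/ - DIRECT/203.0.113.20 text/html
1425054221.456      0 192.168.0.25 TCP_DENIED/403 3700 GET http://www.example.com/ - HIER_NONE/- text/html
1425054222.789      0 192.168.0.31 TCP_DENIED/403 3700 GET http://www.example.net/ - HIER_NONE/- text/html
1425054223.012      0 192.168.0.31 TCP_DENIED/403 3700 GET http://www.example.net/ - HIER_NONE/- text/html
1425054224.345     98 192.168.0.31 TCP_HIT/200 2048 GET http://www.yahoo.com/news - NONE/- text/html
1425054225.678      0 203.0.113.7 TCP_DENIED/403 3700 GET http://www.example.org/ - HIER_NONE/- text/html'

# denials_per_client: read access.log on stdin, print "client denied total",
# one line per client, sorted by client address
denials_per_client() {
    awk '
        { split($4, r, "/"); total[$3]++; if (r[1] == "TCP_DENIED") denied[$3]++ }
        END { for (c in total) printf "%s %d %d\n", c, denied[c] + 0, total[c] }
    ' | sort
}

# clients_outside PREFIX: read access.log on stdin, print every client whose
# address does not start with PREFIX (constructed check: string prefix, not CIDR)
clients_outside() {
    awk -v p="$1" 'index($3, p) != 1 { print $3 }' | sort -u
}

# most_denied_urls N: read access.log on stdin, print "count URL" for the N
# URLs that were denied most often
most_denied_urls() {
    awk '$4 ~ /^TCP_DENIED\// { print $7 }' | sort | uniq -c | sort -rn | head -n "$1"
}

# Stand-alone run over the constructed sample
echo "client denied total"
printf '%s\n' "$SAMPLE_LOG" | denials_per_client
echo "clients outside 192.168.0.0/24:"
printf '%s\n' "$SAMPLE_LOG" | clients_outside 192.168.0.
echo "most denied URLs:"
printf '%s\n' "$SAMPLE_LOG" | most_denied_urls 2
```

Run it as `sh summarise_access.sh` on the proxy, or feed the real file with `denials_per_client < /var/log/squid/access.log` after sourcing the functions; a client that is denied far more than it is allowed, or any client listed by clients_outside, is worth a look before adjusting the ACLs or the firewall rules.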
Linux Client Side Configuration
Step-I (Refresh the network)
Step-II (Set the proxy server's IP as the gateway)
Step-III (Open browser and start browsing)
That’s all for now.