Tuesday, July 19, 2016

configure transparent proxy using squid3 + mikrotik

*** setup information ***
squid ip address: 192.168.56.23
transparent port: 3127
client ip subnet: 192.168.57.0/24



*** squid
1- update the squid configuration as below (/etc/squid3/squid.conf)
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
acl localnet src 192.168.57.0/24    # the client subnet behind the mikrotik
# http_access rules are evaluated top to bottom, first match wins: keep the
# Safe_ports / CONNECT denials above "allow localnet", otherwise clients in
# localnet are allowed before those checks are ever reached
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
dns_nameservers 8.8.8.8
http_port 3128                # normal port for explicitly configured clients
http_port 3127 transparent    # intercepted port; "transparent" is the old alias of "intercept" in squid 3.1+
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320


2- enable ip forwarding and redirect incoming http traffic (tcp port 80) to port 3127
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3127
note: written this way, ip_forward is reset on reboot (set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it persistent), and the REDIRECT rule matches port 80 from any source; adding -s 192.168.57.0/24 limits it to the client subnet.



*** on mikrotik
1- mark routing for http traffic
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to-proxy protocol=tcp src-address=192.168.57.0/24 dst-port=80


2- route the marked traffic to squid
/ip route add dst-address=0.0.0.0/0 gateway=192.168.56.23 routing-mark=to-proxy



- (screenshot) a client in 192.168.57.0/24 opening a website, and the same request showing up in the squid access log
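Once the redirect is in place, the squid access log is the quickest way to confirm that only the intended clients are being intercepted and that the ACLs behave as expected. The following is an added example (not part of the original post): a small Python checker that parses lines in squid's default "native" access.log format, counts the cache actions, and flags any client outside the localnet subnet, any CONNECT to a port outside SSL_ports, and any TCP_DENIED entry. The sample log lines are constructed for this example; the subnet and port set are taken from the squid.conf above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in squid's native access.log format:
# timestamp elapsed client action/status bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1468900000.123    210 192.168.57.10 TCP_MISS/200 5123 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1468900001.456     12 192.168.57.10 TCP_HIT/200 2048 GET http://example.com/logo.png - HIER_NONE/- image/png
1468900002.789      0 192.168.57.11 TCP_DENIED/403 3500 CONNECT example.net:8443 - HIER_NONE/- text/html
1468900003.000    150 10.0.0.5 TCP_MISS/200 980 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

LOCALNET = ipaddress.ip_network("192.168.57.0/24")  # acl localnet from squid.conf
SSL_PORTS = {443}                                   # acl SSL_ports from squid.conf

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def connect_port(url):
    """CONNECT targets are logged as host:port; return the port as int, or None."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def audit(log_text, localnet=LOCALNET, ssl_ports=SSL_PORTS):
    """Count actions and collect findings that contradict the intended ACL policy."""
    actions = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines
        actions[rec["action"]] += 1
        client = ipaddress.ip_address(rec["client"])
        # Only the client subnet should ever be intercepted and allowed.
        if client not in localnet:
            findings.append(f"client {client} is outside localnet {localnet}")
        # CONNECT should only reach the ports listed in SSL_ports.
        if rec["method"] == "CONNECT":
            port = connect_port(rec["url"])
            if port not in ssl_ports:
                findings.append(f"CONNECT from {client} to port {port} not in SSL_ports")
        # Denials are worth a look: either a misconfigured client or a policy hit.
        if rec["action"].startswith("TCP_DENIED"):
            findings.append(f"denied request from {client}: {rec['method']} {rec['url']}")
    return actions, findings


if __name__ == "__main__":
    counts, issues = audit(SAMPLE_LOG)
    print(dict(counts))
    for issue in issues:
        print("finding:", issue)
```

Run it against the real file (for example by reading the access log into `audit`) after browsing from a client: every entry should come from 192.168.57.0/24, and a client address from another network means the REDIRECT rule or the mikrotik mangle rule is matching more than intended.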

