Setting up SQUID proxy on CentOS

I have heard that Squid supports Cisco WCCP versions 1 and 2, and I need a proxy server / cache engine that can help me do a proof of concept with WCCP.

I created a VM running CentOS and installed Squid: yum install squid -y

I modified the configuration at this path: /etc/squid/squid.conf

# This example specifies the subnet that is allowed to use the Squid proxy.
acl PERMIT_HOST src 100.0.0.0/24

# This statement allows the source subnet to surf the web through the Squid proxy.
# http_access rules are evaluated top to bottom, first match wins, so place this
# line before the default "http_access deny all" that squid.conf ends with.
http_access allow PERMIT_HOST

By default Squid listens on TCP 3128. To change it, look for the line http_port 3128 and modify the TCP port number of your proxy there.

If the Squid proxy sits between your hosts and the internet, you may need to turn on IP forwarding.

sysctl -w net.ipv4.ip_forward=1

You can check the ip_forward status with

sysctl net.ipv4.ip_forward

Lastly, add statements that allow your proxy clients (browsers) to reach the Squid proxy by modifying the iptables rules in the script file at /etc/sysconfig/iptables. CentOS ships with a set of pre-defined iptables rules. Add this rule to the INPUT chain before the line -A INPUT -j REJECT --reject-with icmp-host-prohibited.

# 100.0.0.1 is just an example for my proxy server IP address
-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 100.0.0.1 --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This statement allows incoming clients to connect to the Squid proxy. You can omit the -d 100.0.0.1 match; as long as the destination port matches TCP 3128, iptables will allow the connection.

I have read a tutorial which also added a statement to the OUTPUT chain, but this is not necessary, because the default iptables rules allow anything to anywhere from the OUTPUT chain. However, the statement on the OUTPUT chain looks like this:

-A OUTPUT -p tcp -s 100.0.0.1 --sport 3128 -d 0/0 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Credit for the iptables statements for Squid goes to this link.

After the iptables script has been modified, restart the iptables service: /etc/init.d/iptables restart

Configure your favourite web browser to use the proxy server you have set up. You should be able to surf the net via the proxy server.
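The most common reason a setup like this fails is http_access ordering: Squid evaluates the lines top to bottom and stops at the first match, and if nothing matches it applies the opposite of the last line's action. The following is an added example (not part of the original post, and not Squid's own code) that simulates that evaluation for src ACLs, so you can check which client addresses a squid.conf would admit before restarting the service; the configuration texts it contains are constructed samples based on the ACL above.

```python
import ipaddress

# Constructed sample: the page's ACL and allow rule, followed by the
# "http_access deny all" that the stock squid.conf ends with.
GOOD_CONF = """\
acl PERMIT_HOST src 100.0.0.0/24
http_access allow PERMIT_HOST
http_access deny all
"""
# Same lines with the allow placed after "deny all": it can never match.
MISORDERED_CONF = """\
acl PERMIT_HOST src 100.0.0.0/24
http_access deny all
http_access allow PERMIT_HOST
"""

def parse_squid_access(conf_text):
    """Collect 'acl NAME src ...' networks and the ordered http_access rules."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []  # (action, [(negated, acl_name), ...]) in file order
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) >= 3 and parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules

def client_allowed(conf_text, client_ip):
    """Simulate Squid's first-match http_access evaluation for src ACLs.
    A line matches only if every ACL term on it matches; if no line matches,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse_squid_access(conf_text)
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        line_matches = True
        for negated, name in terms:
            if name not in acls:  # Squid itself refuses to start on this
                raise ValueError(f"http_access references undefined ACL {name!r}")
            in_acl = any(ip in net for net in acls[name])
            if in_acl == negated:
                line_matches = False
                break
        if line_matches:
            return action == "allow"
    return bool(rules) and rules[-1][0] != "allow"
```

With GOOD_CONF a client in 100.0.0.0/24 is admitted and anything else is refused; with MISORDERED_CONF the same client is refused, which is exactly the symptom of an allow line pasted below the default deny.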
