Squid Proxy with tproxy
Reference from
Required Software
Linux Kernel 2.6.39.3
iptables 1.4.10
Squid 3.1
libcap-dev or libcap2-dev
libcap 2.09 or later
Work on the Squid Machine
Kernel compile:
Additional options that must be enabled:
NF_CONNTRACK=m
NETFILTER_TPROXY=m
NETFILTER_XT_MATCH_SOCKET=m
NETFILTER_XT_TARGET_TPROXY=m
Boot Script
Put the following into one of the boot scripts, e.g. rc.local:
# disable reverse-path filtering on the client-facing interface; TPROXY does not work with it on
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
If SELinux is in use:
setsebool squid_connect_any=yes
setsebool squid_use_tproxy=yes
iptables script to set up the transparent proxy
Create the file /usr/local/sbin/tproxy with the following contents:
#!/bin/sh
# Transparent proxy rules for Squid's TPROXY listener on port 3129.
case "$1" in
'start')
    # DIVERT: mark the packet so that policy routing delivers it to the local stack
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 0x1/0x1
    iptables -t mangle -A DIVERT -j ACCEPT
    # packets that already belong to a local socket (Squid's established
    # connections) only need the mark
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # new HTTP connections are handed to Squid's tproxy port
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
    # marked packets are looked up in table 100, which routes everything to lo
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
    ;;
'stop')
    # remove everything in reverse order
    ip route del local 0.0.0.0/0 dev lo table 100
    ip rule del fwmark 1 lookup 100
    iptables -t mangle -D PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
    iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -D DIVERT -j ACCEPT
    iptables -t mangle -D DIVERT -j MARK --set-mark 0x1/0x1
    iptables -t mangle -X DIVERT
    ;;
'restart')
    /usr/local/sbin/tproxy stop
    /usr/local/sbin/tproxy start
    ;;
'edit')
    pico /usr/local/sbin/tproxy
    ;;
*)
    echo "Usage: $0 {start|stop|restart|edit}"
    ;;
esac
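The start branch above leaves the box in a state that is easy to break (another firewall script flushing mangle, a reboot without the ip rule). The following check script is an added example, not part of the original post: it verifies that all four mangle rules, the fwmark policy rule and the local route in table 100 are present. The tproxy_check function and the sample dumps are constructed here; the regexes assume the output formats of iptables-save and iproute2.

```shell
#!/bin/sh
# Checks that the TPROXY setup from the script above is fully in place: the
# four mangle rules, the fwmark policy rule and the local route in table 100.
# Checks run on command output passed as text, so a saved dump can be tested
# offline; with --live the running system is read (needs root).
# tproxy_check MANGLE_DUMP IP_RULE_OUT IP_ROUTE_OUT
# Prints each missing item; returns the number missing (0 = complete).
tproxy_check() {
    mangle=$1 rules=$2 routes=$3 missing=0
    # spec format: name|input to search|extended regex it must match
    for spec in \
        'DIVERT chain|mangle|^:DIVERT ' \
        'DIVERT mark rule|mangle|^-A DIVERT -j MARK --set-mark 0x1/0x1' \
        'DIVERT accept rule|mangle|^-A DIVERT -j ACCEPT' \
        'socket match rule|mangle|^-A PREROUTING -p tcp -m socket -j DIVERT' \
        'TPROXY rule|mangle|^-A PREROUTING -p tcp .*--dport 80 -j TPROXY .*--on-port 3129' \
        'fwmark policy rule|rules|fwmark 0x1 lookup 100' \
        'local route in table 100|routes|^local default dev lo'
    do
        name=${spec%%|*} rest=${spec#*|}
        src=${rest%%|*} re=${rest#*|}
        case $src in
            mangle) input=$mangle ;; rules) input=$rules ;; routes) input=$routes ;;
        esac
        if ! printf '%s\n' "$input" | grep -Eq -- "$re"; then
            echo "missing: $name"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample output (not captured from a real host) of
# `iptables-save -t mangle`, `ip rule show` and `ip route show table 100`.
GOOD_MANGLE='*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-mark 0x1/0x1
-A DIVERT -j ACCEPT
COMMIT'
GOOD_RULES='32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
GOOD_ROUTES='local default dev lo scope host'
# The same dump with the TPROXY rule gone, e.g. after a partial stop.
BAD_MANGLE=$(printf '%s\n' "$GOOD_MANGLE" | grep -v TPROXY)

if [ "${1:-}" = --live ]; then
    tproxy_check "$(iptables-save -t mangle)" "$(ip rule show)" "$(ip route show table 100)" && echo "tproxy setup complete"
fi
```

Run it as `sh check-tproxy.sh --live` on the Squid box after the start branch; a non-zero exit code plus the "missing:" lines tell you which part to re-apply.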
Work on the Gateway
to be continued