How to Configure Client Machines for Squid Transparent Proxy in Ubuntu 14.04 with Squid 3.3.8

When implementing transparent proxy with Squid 3.3.8 on Ubuntu 14.04, many administrators encounter connectivity issues where client machines fail to access the internet when configured with Squid as both gateway and DNS server. Let me walk through the complete solution based on my troubleshooting experience.

From your setup, I notice several key points:

# Current iptables NAT rules:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

The dual PREROUTING rules (both DNAT and REDIRECT) for port 80 might be causing conflicts. Let's simplify this.

Squid Configuration Adjustments

Add these critical directives to your squid.conf:

# Required for transparent proxy support
http_port 3128 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myca.pem

# DNS configuration
dns_nameservers 8.8.8.8 8.8.4.4
dns_v4_first on

# Additional ACL for proper handling
acl localnet src 192.168.1.0/24

Optimized iptables Rules

Replace your current NAT rules with this cleaner implementation:

# Clear existing rules
iptables -t nat -F
iptables -t mangle -F

# HTTP transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# HTTPS transparent proxy (requires ssl-bump)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

# MASQUERADE outbound traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1

For Ubuntu clients, use this network configuration:

auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.3
    dns-nameservers 192.168.1.3

For Windows clients, set:

  • IP Address: 192.168.1.x (where x ≠ 3)
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.1.3
  • DNS Server: 192.168.1.3

Check these components to ensure proper functionality:

# Verify Squid is running
service squid3 status

# Check iptables rules
iptables -t nat -L -v

# Test DNS resolution from client
nslookup google.com

# Verify cache operation
tail -f /var/log/squid3/access.log

If clients still can't access the internet:

  1. Verify IP forwarding is enabled: sysctl net.ipv4.ip_forward
  2. Check for firewall restrictions: iptables -L
  3. Test basic connectivity: ping 192.168.1.3 from client
  4. Inspect Squid logs: tail -f /var/log/squid3/cache.log

Remember that DNS resolution must work properly for transparent proxy to function. The Squid server itself needs external DNS servers configured either in /etc/resolv.conf or via the dns_nameservers directive in squid.conf.


When setting up Squid 3.3.8 as a transparent proxy on Ubuntu 14.04, many administrators encounter client connectivity issues where internet access fails when using the Squid server as both gateway and DNS. This occurs despite proper iptables redirection rules being in place.

For transparent proxy to work properly, we need three critical components:

  • Correct iptables NAT rules
  • Proper Squid ACL and port configuration
  • Accurate client network settings

The existing configuration shows several potential issues:

# Current iptables rules that need adjustment:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

For Squid 3.3.8, we need cleaner redirection rules:

# Flush existing rules
iptables -t nat -F

# Set up transparent proxy rules
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Do not redirect port 443 to the plain http_port 3128: TLS sent to an http_port
# fails. Intercepting HTTPS needs a separate https_port with intercept ssl-bump.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

The critical changes needed in /etc/squid3/squid.conf:

# Replace the current http_port line with:
http_port 3128 intercept
http_port 3129

# Add these ACLs below existing ones:
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/32

# Update http_access rules:
http_access allow localnet
http_access allow localhost
http_access deny all

The DNS issue stems from Squid not being a DNS server. The proper client setup should be:

For Ubuntu Clients

auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.3
    dns-nameservers 8.8.8.8 192.168.1.1

For Windows Clients

Configure with:
- IP: 192.168.1.x
- Subnet: 255.255.255.0
- Gateway: 192.168.1.3
- DNS: Your preferred DNS (e.g., 8.8.8.8)

To test if caching is working properly:

# On the Squid server:
tail -f /var/log/squid3/access.log

# On a client:
curl -I http://example.com
# Repeat the command and check X-Cache header in response

  1. Confirm iptables rules with: iptables -t nat -L -v
  2. Check Squid logs: tail -f /var/log/squid3/cache.log
  3. Verify client routing with: traceroute 8.8.8.8
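As an added consistency check (my own code, not part of either answer), this Python script parses a set of NAT rules and a squid.conf fragment and reports the mismatches both answers describe: a DNAT and a REDIRECT for the same port, a redirect to a port with no intercept listener, and port 443 sent to a plain http_port instead of an https_port with ssl-bump. The sample inputs are constructed from the rules and directives shown above; the function names are my own.

```python
import re
# Constructed sample input: the "current" NAT rules from the first answer plus a 443 rule
# pointing at the plain http_port, the mistake discussed above.
SAMPLE_RULES = """
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
"""
# Constructed sample squid.conf fragment, matching the second answer.
SAMPLE_CONF = """
http_port 3128 intercept
http_port 3129
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
"""

RULE_RE = re.compile(r"--dport\s+(\d+).*?-j\s+(REDIRECT|DNAT)\s+--to-(?:ports?|destination)\s+(?:[\d.]+:)?(\d+)")
PORT_RE = re.compile(r"^\s*(https?_port)\s+(?:[\d.\[\]:]*:)?(\d+)(.*)$", re.M)

def parse_redirects(rules):
    """Return (dport, target, squid_port) for each NAT rule that steers traffic to Squid."""
    return [(int(m.group(1)), m.group(2), int(m.group(3)))
            for m in (RULE_RE.search(line) for line in rules.splitlines()) if m]

def parse_listeners(conf):
    """Map listening port -> (directive, option text) for every http_port/https_port line."""
    return {int(m.group(2)): (m.group(1), m.group(3)) for m in PORT_RE.finditer(conf)}

def check_config(rules, conf):
    """Return a list of problems; an empty list means the NAT rules and squid.conf agree."""
    problems, targets = [], {}
    redirects, listeners = parse_redirects(rules), parse_listeners(conf)
    # Both a DNAT and a REDIRECT for the same dport is the conflict the first answer flags.
    for dport, target, _ in redirects:
        targets.setdefault(dport, set()).add(target)
    for dport, tset in targets.items():
        if len(tset) > 1:
            problems.append(f"dport {dport}: both {' and '.join(sorted(tset))} rules; keep only REDIRECT")
    # Every redirected port must land on an intercept listener of the right kind.
    for dport, _, sport in redirects:
        directive, opts = listeners.get(sport, (None, ""))
        if directive is None:
            problems.append(f"dport {dport} -> {sport}: no http_port/https_port {sport} in squid.conf")
        elif "intercept" not in opts:
            problems.append(f"dport {dport} -> {sport}: listener {sport} lacks 'intercept'")
        elif dport == 443 and not (directive == "https_port" and "ssl-bump" in opts):
            problems.append(f"dport 443 -> {sport}: TLS needs 'https_port {sport} intercept ssl-bump'")
    # The access list must still end in an explicit deny.
    if not re.search(r"^\s*http_access\s+deny\s+all\s*$", conf, re.M):
        problems.append("missing final 'http_access deny all'")
    return problems
```

Run it against the rules and squid.conf you actually deploy; the constructed sample yields two findings (the duplicate port-80 rules and the 443 redirect to a plain http_port).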