Linuxhelp Guides Forum: Squid+nat Server On Whitebox Linux

Posted by: Robert83 May 26 2004, 11:33 AM

SQUID(transparent proxy server)+SQUIDGUARD+NAT Server On Whitebox Linux 3.0
Step-By-Step [tm]

1. Get yourself a Whitebox Enterprise Linux 3.0 CD or download it from .

2. Install WBEL 3.0 using the minimal install (choose custom during install and select minimal).
A 30GB hard disk drive is highly recommended; select manual partitioning during install
and partition it as:
/boot 102MB
/ 9892MB
/proxy1 10000MB
/proxy2 10000MB

PLEASE NOTE : I assume you'll be using IP : for the proxy / nat server
and for the firewall
and that you have 4 ethernet cards
eth0 :
eth1 :
eth2 :
eth3 :
When you configure Windows or Linux:
ip address : 192.168.0.x
gateway :
dns : use your ISP's DNS server, or wait a little longer until Hughesjr finishes his DNS guide

( I think this is a very good configuration , so you might as well use this type of setup )

3. Download the yum.conf file from here

   [root@squid root]# cd /home
   [root@squid root]# wget
   [root@squid root]# cp yum.conf.txt /etc/yum.conf

At the cp yum.conf.txt /etc/yum.conf step the system will ask whether you want to overwrite the file;
type yes. That's it for the yum.conf file.

4. Enter the following command:

[root@squid root]# yum update

This will take a while. Later on you should update your system on a regular basis.

5. Now it's time to install SQUID
[root@squid root]# yum install squid

6. Once squid is done, you will need to edit the /etc/squid/squid.conf file
    [root@squid root]# /etc/init.d/squid stop
    [root@squid root]# cd /etc/squid/
    [root@squid root]# rm squid.conf

Here is what you need to enter (please note that since you can do a lot of stuff with squid, there might be things
that won't be needed; please do check the config file, I think it's not so hard to understand once you have
something to begin from)
http_port 3228
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mem 32 MB
fqdncache_size 1024

cache_dir ufs /proxy1/ 8000 16 256
cache_dir ufs /proxy2/ 8000 16 256

cache_mgr # enter your e-mail address here
cache_effective_user nobody # I like to run squid as nobody
cache_effective_group nobody # I like to run squid as nobody

acl all src
acl manager proto cache_object
acl ftpdr proto FTP
acl localhost src
acl CONNECT method CONNECT
acl SSL_ports port 443 563
acl Safe_ports port 80 8080 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl subnet1 src
acl subnet2 src
acl subnet3 src
acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"

# Safe_ports and SSL_ports only do something when a rule enforces them;
# without these two lines any LAN client can use the proxy to reach any port
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# only the proxy itself may talk to the cache manager
http_access allow manager localhost
http_access deny manager
http_access deny deny_ext
always_direct allow ftpdr
# one allow per subnet: several ACL names on a single http_access line are
# ANDed, so a rule listing subnet1 subnet2 subnet3 would require a client to
# match all three at once
http_access allow subnet1
http_access allow subnet2
http_access allow subnet3
http_access deny all

ie_refresh on # this is needed because IE doesn't recognise transparent proxies properly

redirect_program /usr/bin/squidGuard
redirect_children 4

    [root@squid root]# vi squid.conf

To type in text you need to press i.
Once you're finished typing, press ESC, then type :w and press ENTER.
Once saved, type :q and press ENTER to quit vi.
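The ordering of the http_access lines is what decides who may use the proxy, and a typo in an ACL name or a Safe_ports list that is never enforced is easy to miss in a hand-typed squid.conf. The following lint is an added example (it is mine, not part of the guide or of Squid); it reads a Squid 2.5-style config and reports ACL names referenced by http_access but never defined, a final rule other than deny all, and a Safe_ports ACL with no matching deny. The function names and the sample configs it builds are constructed for the demonstration, including the addresses in them.

```shell
#!/bin/sh
# Added example, not part of the original guide: a small lint for the
# http_access section of a Squid 2.5-style squid.conf.  It reports
#   - http_access lines that reference an ACL name never defined with "acl",
#   - a final http_access rule that is not "deny all",
#   - a Safe_ports ACL that is defined but never enforced.
# Returns 0 when the file is clean, 1 when any problem was printed.
# Assumes a POSIX sh with awk, grep and sort (any Linux box qualifies).

squid_acl_lint() {   # $1 = path to squid.conf
    conf="$1"
    rc=0
    # every ACL name defined in the file
    defined=$(awk '$1=="acl"{print $2}' "$conf" | sort -u)
    # every ACL name referenced by an http_access line ("!" negation stripped,
    # trailing "# ..." comments ignored)
    used=$(awk '$1=="http_access"{sub(/#.*/,""); for(i=3;i<=NF;i++){sub(/^!/,"",$i); print $i}}' "$conf" | sort -u)
    for name in $used; do
        echo "$defined" | grep -qxF "$name" || { echo "undefined ACL referenced: $name"; rc=1; }
    done
    # the last http_access line decides the fate of everything unmatched above it
    last=$(awk '$1=="http_access"{sub(/#.*/,""); sub(/[[:space:]]+$/,""); l=$0} END{print l}' "$conf")
    case "$last" in
        "http_access deny all") ;;
        *) echo "last http_access rule is not 'deny all': $last"; rc=1 ;;
    esac
    # a Safe_ports list only helps if some rule denies what is not in it
    if echo "$defined" | grep -qxF Safe_ports &&
       ! grep -Eq '^http_access[[:space:]]+deny[[:space:]]+!Safe_ports' "$conf"; then
        echo "Safe_ports is defined but never enforced (no 'http_access deny !Safe_ports')"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not the guide's file): "weak" reproduces two of
# the problems the lint looks for, "fixed" is the corrected shape.  The
# addresses are made up.
make_sample_conf() {   # $1 = weak|fixed, $2 = output path
    {
        echo 'http_port 3228'
        echo 'acl all src 0.0.0.0/0.0.0.0'
        echo 'acl Safe_ports port 80 8080 21 443 563 70 210 1025-65535'
        echo 'acl subnet1 src 192.168.0.0/24'
        if [ "$1" = fixed ]; then
            echo 'http_access deny !Safe_ports'
        fi
        echo 'http_access allow subnet1'
        if [ "$1" = weak ]; then
            echo 'http_access allow subnet2   # never defined with acl'
        fi
        echo 'http_access deny all'
    } > "$2"
}

# On the proxy itself: squid_acl_lint /etc/squid/squid.conf
```

Run it on the real file before `squid -k reconfigure`; a non-zero exit means at least one line was printed above it.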

7. When finished with the squid.conf type :
    [root@squid root]# chown nobody.nobody /proxy1
    [root@squid root]# chown nobody.nobody /proxy2
    [root@squid root]# chown nobody.nobody /var/log/squid

DON'T FORGET: if you update squid (with yum update) it will change /var/log/squid back to
user:squid group:squid, and this will cause errors, since we use user:nobody group:nobody. Just
do chown nobody.nobody /var/log/squid after you update Squid!
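Because a package update silently resets the ownership, it is worth having a check that compares the real owner of the cache and log directories with whatever cache_effective_user and cache_effective_group say, instead of remembering the chown by hand. This is an added example of mine, not code from the guide; the function and helper names are my own, and the test data it is exercised with are constructed directories rather than the real /proxy1 and /var/log/squid.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the directories
# Squid writes to are owned by the user and group named by
# cache_effective_user / cache_effective_group in squid.conf.  Run it after
# every "yum update" so the ownership reset described above is caught before
# Squid fails to open its cache or log directory.  Prints one line per
# mismatch; returns 0 when everything matches, 1 otherwise.
# Assumes the usual "ls -ld" column layout (owner in column 3, group in column 4).

squid_owner_check() {   # $1 = squid.conf, remaining args = directories to check
    conf="$1"; shift
    want_user=$(awk '$1=="cache_effective_user"{print $2}' "$conf")
    want_group=$(awk '$1=="cache_effective_group"{print $2}' "$conf")
    if [ -z "$want_user" ] || [ -z "$want_group" ]; then
        echo "cache_effective_user/cache_effective_group not set in $conf"
        return 1
    fi
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"; rc=1; continue
        fi
        have_user=$(ls -ld "$dir" | awk '{print $3}')
        have_group=$(ls -ld "$dir" | awk '{print $4}')
        if [ "$have_user" != "$want_user" ] || [ "$have_group" != "$want_group" ]; then
            echo "$dir is owned by $have_user:$have_group, expected $want_user:$want_group"
            rc=1
        fi
    done
    return $rc
}

# Writes a minimal squid.conf fragment with the given owner; used to exercise
# the check against constructed directories (not the guide's real file).
write_owner_conf() {   # $1 = user, $2 = group, $3 = output path
    printf 'cache_effective_user %s\ncache_effective_group %s\n' "$1" "$2" > "$3"
}

# Typical use on the proxy itself, with the guide's paths:
#   squid_owner_check /etc/squid/squid.conf /proxy1 /proxy2 /var/log/squid
```

A mismatch line tells you exactly which chown to repeat; with the guide's settings that is chown nobody.nobody on the directory named.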

8. Now it's time to create the deny_ext file in /etc/squid/
    [root@squid root]# touch /etc/squid/deny_ext

Now you need to add this to the deny_ext file ( make sure you check what extensions are denied,
since you might want to allow some, and you might want to add some more )


    [root@squid root]# vi /etc/squid/deny_ext

9. It's time to get SquidGuard
    [root@squid root]# cd /home
    [root@squid root]# wget
    [root@squid root]#
    [root@squid root]# rpm -Uvh squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rm /etc/squid/squidguard.conf
    [root@squid root]# vi /etc/squid/squidguard.conf

Add the following to your squidguard.conf. Please note that this is an example; you might need to adjust
certain things and remove a few rules.


dbhome /var/lib/squidguard
logdir /var/log/squidguard

# one src block per LAN segment; the "user foo bar" lines are the original
# example's, but a transparent proxy has no proxy login, so in practice each
# block is matched with an "ip" directive listing that segment's addresses
src subnet1 {
    user foo bar
}
src subnet2 {
    user foo bar
}
src subnet3 {
    user foo bar
}

dest banned {
    domainlist adult/domains
    urllist adult/urls
}

acl {
    subnet1 {
        pass !banned all
    }
    subnet2 {
        pass !banned all
    }
    subnet3 {
        pass !banned all
    }
    default {
        pass !banned all
        # blocked requests are sent to the page hosted by Apache in step 12;
        # PROXY_IP is a placeholder for the proxy server's own address
        redirect http://PROXY_IP/index.html
    }
}
This setup of SquidGuard will block porn sites (my tests indicated that when I tried searching for sex
and chose a few pages (50) at random, none of them managed to pass SquidGuard, so we can assume
it's quite safe to rely on this list)

10. Phew so we are now done with configuring Squid+Squidguard, next comes the NAT, this will be done with
     [root@squid root]# touch /home/proxy-iptables
     [root@squid root]# vi /home/proxy-iptables

You'll need to add these lines to your proxy-iptables file :
      iptables -A FORWARD -i eth0 -o eth1 -j DROP
      iptables -A FORWARD -i eth0 -o eth2 -j DROP
      iptables -A FORWARD -i eth1 -o eth0 -j DROP
      iptables -A FORWARD -i eth1 -o eth2 -j DROP
      iptables -A FORWARD -i eth2 -o eth0 -j DROP
      iptables -A FORWARD -i eth2 -o eth1 -j DROP
      iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A POSTROUTING -t nat -s -o eth3 -j SNAT --to-source
      iptables -A POSTROUTING -t nat -s -o eth3 -j SNAT --to-source
      iptables -A POSTROUTING -t nat -s -o eth3 -j SNAT --to-source

Once you're done typing this in (this might take some time, depending on your cpu and memory :) ),
it's time to make these iptables settings permanent.

      [root@squid root]# source /home/proxy-iptables
      [root@squid root]# iptables-save > /etc/sysconfig/iptables
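Three things in that script have to agree with the rest of the setup: the REDIRECT target must be the http_port Squid listens on (3228 here, not Squid's compiled-in 3128), REDIRECT must only be applied on the LAN interfaces, and SNAT must only rewrite traffic leaving via the WAN interface (eth3). The check below is an added example of mine, not part of the guide; it reads the rule script and squid.conf as plain text, so it needs neither root nor a live iptables. The function names, the sample files and the addresses in them are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: cross-check the rule script
# against squid.conf before applying it.  The transparent setup only works when
# the REDIRECT target equals Squid's http_port, REDIRECT is applied on the LAN
# interfaces only, and every SNAT rule leaves through the WAN interface.
# The script is read as text, so this runs anywhere (no root, no iptables).
# Returns 0 when consistent, 1 when any problem was printed.

iptables_nat_check() {   # $1 = squid.conf, $2 = rule script, $3 = WAN interface
    conf="$1"; rules="$2"; wan="$3"; rc=0
    port=$(awk '$1=="http_port"{print $2; exit}' "$conf")
    if [ -z "$port" ]; then
        echo "no http_port found in $conf"; return 1
    fi
    redirects=$(grep -c -e '-j REDIRECT' "$rules" || true)
    if [ "$redirects" -eq 0 ]; then
        echo "no REDIRECT rule: port-80 traffic would never reach Squid"; rc=1
    fi
    # REDIRECT rules whose --to-port is not Squid's listening port
    wrong=$(grep -e '-j REDIRECT' "$rules" | grep -Evc -e "--to-ports? ${port}([[:space:]]|\$)" || true)
    if [ "$wrong" -ne 0 ]; then
        echo "$wrong REDIRECT rule(s) do not point at http_port $port"; rc=1
    fi
    # redirecting on the WAN side would feed outside traffic into Squid
    if grep -e '-j REDIRECT' "$rules" | grep -Eq -e "-i ${wan}([[:space:]]|\$)"; then
        echo "REDIRECT rule bound to WAN interface $wan"; rc=1
    fi
    # SNAT must only rewrite traffic leaving via the WAN interface
    snat_wrong=$(grep -e '-j SNAT' "$rules" | grep -Evc -e "-o ${wan}([[:space:]]|\$)" || true)
    if [ "$snat_wrong" -ne 0 ]; then
        echo "$snat_wrong SNAT rule(s) are not bound to -o $wan"; rc=1
    fi
    return $rc
}

# Constructed sample files (not the guide's): the addresses are made up, and
# the "bad" variant points REDIRECT at 3128 (Squid's compiled-in default)
# instead of the 3228 configured in squid.conf, a typical copy-and-paste slip.
make_nat_sample() {   # $1 = directory, $2 = good|bad
    if [ "$2" = good ]; then p=3228; else p=3128; fi
    printf 'http_port 3228\n' > "$1/squid.conf"
    cat > "$1/proxy-iptables" <<EOF
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port $p
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port $p
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth3 -j SNAT --to-source 203.0.113.10
EOF
}

# On the proxy itself:
#   iptables_nat_check /etc/squid/squid.conf /home/proxy-iptables eth3
```

Run it before `source /home/proxy-iptables`; once the rules are loaded, `iptables -t nat -L -n -v` shows the same facts, but by then a wrong port has already broken browsing for everyone behind the box.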

11. Now let's make sure Squid and Iptables will start up on the next boot :
      [root@squid root]# chkconfig --list | grep iptables

the following result should come back
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
if for some reason iptables is not running in any of these runlevels just type
      [root@squid root]# chkconfig iptables on

Check if it's running again, just to make sure.
      [root@squid root]# chkconfig --list | grep squid

this will show this :
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
just do a :
      [root@squid root]# chkconfig squid on

and check again if squid is now starting.
Add this line to your /etc/rc.d/rc.local
echo "1" > /proc/sys/net/ipv4/ip_forward
      [root@squid root]# vi /etc/rc.d/rc.local

12. Now we need to get apache (to host that redirection page that we use in squidguard.conf)
      [root@squid root]# yum install httpd
      [root@squid root]# chkconfig httpd on

and modify the following line in /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
change it to
DocumentRoot "/home"
(I like my webpages in my /home folder better than the default)
Now you only need to create an index.html in /home
      [root@squid root]# touch /home/index.html
      [root@squid root]# vi /home/index.html

You can use this example html file if you wish, or create your own :
<html>
<head>
<title>! Porn Sites Are Banned !</title>
</head>

<body background="">

<center><B><font face="arial" color="white" size="4">WHITEBOX</font></B><B><font face="arial" color="gold" size="2"> Enterprise Linux 3.0 Final</font></B></center>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> PAGES ARE BLOCKED - YOU SHOULD WORK !</font></B></center>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> LAPOK BLOKOLVA - INKABB DOLGOZZON ! </font></B></center>
<center><font face="system" color="gold" size="+1"> Proxy / Nat Server Specifications</font></center>
<center><font face="system" color="white" size="1"> CPU : AMD XP 1800+</font></center>
<center><font face="system" color="white" size="1"> MEMORY : 1024 MB DDR 400Mhz</font></center>
<center><font face="system" color="white" size="1"> HDD : 40GB / 2x Cache Dir 10-10GB</font></center>
<center><font face="system" color="white" size="1"> MOTHERBOARD : Gigabyte NForce2</font></center>
<center><font face="system" color="white" size="1"> LAN : 4xRealtek 10/100Mbit</font></center>
<center><font face="arial" color="cyan" size="5"> YOUR GUARDIAN ANGEL IS : SquidGUARD[tm]</font></center>
<center><A HREF="mailto:user@somedomain.com"><font face="system" color="yellow" size="5">YOUR NAME HERE</font></A><font face="system" color="orange" size="5"><U>  MOB TEL: xxxxxxxxx</U></font></center>
<center><font face="system" color="gold" size="3">Somebody &amp; Nobody Co.,Ltd.</font></center>

</body>
</html>
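A DocumentRoot of /home serves a directory, not one file, and earlier steps of this guide leave yum.conf.txt, the proxy-iptables script and the squidGuard RPMs in that same /home. Anything there becomes readable by every LAN client that hits the block page, the rule script included. The function below is an added example of mine (not from the guide or from Apache); it reads DocumentRoot from httpd.conf and lists every regular file under it other than the intended page, so the directory can be cleaned or the DocumentRoot moved before httpd starts. The helper that builds a sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: list what a DocumentRoot would
# actually serve.  Apache serves the whole directory, so every file parked next
# to index.html (yum.conf.txt, proxy-iptables, downloaded RPMs) is exposed to
# every LAN client.  Prints each regular file under the DocumentRoot that is not
# the intended page; returns 0 when only that page is present, 1 otherwise.

docroot_exposure() {   # $1 = httpd.conf, $2 = name of the intended page (e.g. index.html)
    # strip the quotes the directive carries: DocumentRoot "/home"
    root=$(awk '$1=="DocumentRoot"{gsub(/"/,"",$2); print $2; exit}' "$1")
    if [ ! -d "$root" ]; then
        echo "DocumentRoot does not exist: $root"; return 1
    fi
    extra=$(find "$root" -type f ! -name "$2" | sort)
    if [ -n "$extra" ]; then
        echo "$extra"
        return 1
    fi
    return 0
}

# Constructed tree mimicking the guide's /home after steps 3, 10 and 12
# (not the real machine; used only to exercise the check).
make_docroot_sample() {   # $1 = directory
    mkdir -p "$1/home"
    : > "$1/home/index.html"
    : > "$1/home/yum.conf.txt"
    : > "$1/home/proxy-iptables"
    printf 'DocumentRoot "%s/home"\n' "$1" > "$1/httpd.conf"
}

# On the proxy itself: docroot_exposure /etc/httpd/conf/httpd.conf index.html
```

The simplest fix when the list is not empty is a dedicated directory for the block page (for example a subdirectory of /home containing only index.html) and pointing DocumentRoot there.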


13. Okay, we are done now with the configuration, so let's reboot our new (transparent) proxy+nat server:
      [root@squid root]# reboot

Once the system is up and running again :
a.) check if squid is running
      [root@squid root]# /etc/init.d/squid status

next you can check the log files
just to see if everything started up without complaining.

I think this is it, you now have a fully working (transparent)proxy+nat server.

This topic is now closed, you can ask your questions about this guide in the Technical Support Forum

Robert B

Posted by: Robert83 Jun 15 2004, 01:55 PM


I just wanted to add this extra info, which might save some time for Internet Explorer users,

since our proxy is transparent and since Squid is not really an FTP proxy.

If you get errors with Internet Explorer 6 when trying to open up FTP sites,

do this:

1. Open up Internet Explorer
2. Click on Tools
3. Click on Internet Options
4. Click on Advanced
and uncheck the following:
Enable folder view of FTP sites
and check the following:
Use Passive FTP (for firewall and DSL modem compatibility)

Robert B
