Squid+NAT Server On Whitebox Linux, Whitebox Linux (or Clones)
Posted May 26 2004, 11:33 AM

SQUID (transparent proxy server) + SQUIDGUARD + NAT Server On Whitebox Linux 3.0
Step-By-Step [tm]

1. Get yourself a Whitebox Enterprise Linux 3.0 CD or download it from .

2. Install WBEL 3.0 using the minimal install (choose Custom during install, then select Minimal).
A 30GB hard disk drive is highly recommended; select manual partitioning during install
and partition it as:
/boot 102MB
/ 9892MB
/proxy1 10000MB
/proxy2 10000MB

PLEASE NOTE: I assume you'll be using IP : for the proxy/NAT server
and for the firewall,
and that you have 4 ethernet cards:
eth0 :
eth1 :
eth2 :
eth3 :
When you configure the Windows or Linux clients:
IP address : 192.168.0.x
gateway :
DNS : use your ISP's DNS server, or wait a little more and Hughesjr will finish his DNS guide

(I think this is a very good configuration, so you might as well use this type of setup)

3. Download the yum.conf file from here:
   [root@squid root]# cd /home
   [root@squid root]# wget
   [root@squid root]# cp yum.conf.txt /etc/yum.conf

At the cp yum.conf.txt /etc/yum.conf step the system will ask whether you want to overwrite the file;
type yes, and you're done with the yum.conf file.

4. Enter the following command:

[root@squid root]# yum update

This will take a while; afterwards you should update your system on a regular basis.

5. Now it's time to install SQUID
[root@squid root]# yum install squid

6. Once Squid is installed, you will need to edit the /etc/squid/squid.conf file:
    [root@squid root]# /etc/init.d/squid stop
    [root@squid root]# cd /etc/squid/
    [root@squid root]# rm squid.conf

Here is what you need to enter (since you can do a lot of stuff with Squid, there might be things
that won't be needed; please do check the config file, I think it's not so hard to understand once you have
something to begin from):
http_port 3228
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mem 32 MB
fqdncache_size 1024

cache_dir ufs /proxy1/ 8000 16 256
cache_dir ufs /proxy2/ 8000 16 256

cache_mgr # enter your e-mail address here
cache_effective_user nobody # I like to run squid as nobody
cache_effective_group nobody # I like to run squid as nobody

acl all src
acl manager proto cache_object
acl ftpdr proto FTP
acl localhost src
acl SSL_ports port 443 563
acl Safe_ports port 80 8080 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl subnet1 src
acl subnet2 src
acl subnet3 src
acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"

http_access deny deny_ext
always_direct allow ftpdr
# Several ACL names on one http_access line are ANDed, so a single
# "http_access allow subnet1 subnet2 subnet3" line could never match;
# allow each subnet on its own line instead:
http_access allow subnet1
http_access allow subnet2
http_access allow subnet3
http_access deny all

ie_refresh on # this is needed because IE doesn't recognise transparent proxies properly

redirect_program /usr/bin/squidGuard
redirect_children 4

    [root@squid root]# vi squid.conf

In order to type in text you need to press i.
Once you're finished typing, press ESC, then type :w and press ENTER to save.
Once the file is saved, type :q and press ENTER to quit vi.

7. When finished with squid.conf, type:
    [root@squid root]# chown nobody.nobody /proxy1
    [root@squid root]# chown nobody.nobody /proxy2
    [root@squid root]# chown nobody.nobody /var/log/squid

DON'T FORGET: if you update Squid (with yum update) it will change /var/log/squid back to
user:squid group:squid, and this will cause errors since we use user:nobody group:nobody. Just
do chown nobody.nobody /var/log/squid after you update Squid!

8. Now it's time to create the deny_ext file in /etc/squid/
    [root@squid root]# touch /etc/squid/deny_ext

Now you need to add this to the deny_ext file (make sure you check what extensions are denied,
since you might want to allow some, and you might want to add some more):


    [root@squid root]# vi /etc/squid/deny_ext
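Squid reads deny_ext as one regular expression per line and applies each one to the URL path. The shell script below is an added example, not from the original guide, that replays that matching with grep over a constructed sample list (the patterns are mine, not the author's) so a list can be tested before it goes live; the edge case it shows is that the path Squid matches includes any query string.

```shell
#!/bin/sh
# Added example (not from the original guide): replay Squid's
#   acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"
# with grep, so a deny list can be tested before it goes live.
# The patterns below are constructed samples, not the author's list.
DENY_FILE="${DENY_FILE:-$(mktemp)}"
cat > "$DENY_FILE" <<'EOF'
\.exe(\?|$)
\.mp3$
EOF

# Squid matches urlpath_regex against everything after host[:port],
# which includes the query string, not just the file name.
urlpath() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://[^/]*##'
}

# Returns 0 when blocked. One regex per line, case-insensitive like -i.
is_blocked() {
    urlpath "$1" | grep -qiEf "$DENY_FILE"
}

# '\.mp3$' only matches when the path ends there, so '/song.mp3?id=7'
# is allowed; '\.exe(\?|$)' also covers '/tool.exe?download=1'.
# Write patterns so they still match with a query string after the extension.
show() {
    for u in "$@"; do
        if is_blocked "$u"; then echo "DENY  $u"; else echo "allow $u"; fi
    done
}

show "http://example.com/setup.EXE" "http://example.com/tool.exe?download=1" \
     "http://example.com/index.html" "http://example.com/song.mp3?id=7"
```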

9. It's time to get SquidGuard
    [root@squid root]# cd /home
    [root@squid root]# wget
    [root@squid root]#
    [root@squid root]# rpm -Uvh squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rm /etc/squid/squidguard.conf
    [root@squid root]# vi /etc/squid/squidguard.conf

Add the following to your squidguard.conf. Please note that this is an example; you might need to adjust
certain things and remove a few rules.


dbhome /var/lib/squidguard
logdir /var/log/squidguard

src subnet1 {
    user foo bar
}
src subnet2 {
    user foo bar
}
src subnet3 {
    user foo bar
}

dest banned {
    domainlist adult/domains
    urllist adult/urls
}

# PROXY_IP is a placeholder for the proxy server's own address (the value did
# not survive in the post); the page itself is set up with Apache in step 12.
acl {
    subnet1 {
        pass !banned all
        redirect http://PROXY_IP/index.html
    }
    subnet2 {
        pass !banned all
        redirect http://PROXY_IP/index.html
    }
    subnet3 {
        pass !banned all
        redirect http://PROXY_IP/index.html
    }
    default {
        pass !banned all
        redirect http://PROXY_IP/index.html
    }
}
This setup of SquidGuard will block porn sites (my tests indicated that when I tried sex
and chose a few pages (50) at random, none of them managed to pass SquidGuard, so we can assume
it's quite safe to rely on this list).

10. Phew, so we are now done with configuring Squid+SquidGuard; next comes the NAT, this will be done with
     [root@squid root]# touch /home/proxy-iptables
     [root@squid root]# vi /home/proxy-iptables

You'll need to add these lines to your proxy-iptables file:
      # keep the three inside subnets from reaching each other through this box
      iptables -A FORWARD -i eth0 -o eth1 -j DROP
      iptables -A FORWARD -i eth0 -o eth2 -j DROP
      iptables -A FORWARD -i eth1 -o eth0 -j DROP
      iptables -A FORWARD -i eth1 -o eth2 -j DROP
      iptables -A FORWARD -i eth2 -o eth0 -j DROP
      iptables -A FORWARD -i eth2 -o eth1 -j DROP
      # send outbound web traffic from each inside interface into Squid on port 3228
      iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
      # rewrite each inside subnet to the address of eth3, the outside interface
      iptables -A POSTROUTING -t nat -s -o eth3 -j SNAT --to-source
      iptables -A POSTROUTING -t nat -s -o eth3 -j SNAT --to-source
      iptables -A POSTROUTING -t nat -s -o eth3 -j SNAT --to-source

Once you're done typing this in (this might take some time, depending on your CPU and memory),
it's time to make these iptables settings permanent:

      [root@squid root]# source /home/proxy-iptables
      [root@squid root]# iptables-save > /etc/sysconfig/iptables

11. Now let's make sure Squid and iptables will start on the next boot:
      [root@squid root]# chkconfig --list | grep iptables

The following result should come back:
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
If for some reason iptables is not enabled in runlevels 2 to 5, just type:
      [root@squid root]# chkconfig iptables on

and check again, just to make sure. Now do the same for Squid:
      [root@squid root]# chkconfig --list | grep squid

This will show:
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
So just do a:
      [root@squid root]# chkconfig squid on

and check again that Squid is now starting.
Add this line to your /etc/rc.d/rc.local, so that the kernel forwards packets between the interfaces after every boot:
echo "1" > /proc/sys/net/ipv4/ip_forward
      [root@squid root]# vi /etc/rc.d/rc.local

12. Now we need to get Apache (to host the redirection page that we use in squidguard.conf):
      [root@squid root]# yum install httpd
      [root@squid root]# chkconfig httpd on

and modify the following line in /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
change it to
DocumentRoot "/home"
(I like my webpages in my /home folder better than the default)
Now you only need to create an index.html in /home:
      [root@squid root]# touch /home/index.html
      [root@squid root]# vi /home/index.html

You can use this example HTML file if you wish, or create your own:
<html>
<head><title>! Porn Sites Are Banned !</title></head>

<body background="">

<center><B><font face="arial" color="white" size="4">WHITEBOX</font></B><B><font face="arial" color="gold" size="2"> Enterprise Linux 3.0 Final</font></B></center>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> PAGES ARE BLOCKED - YOU SHOULD WORK !</font></B></center>
<!-- the same notice in Hungarian -->
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> LAPOK BLOKOLVA - INKABB DOLGOZZON ! </font></B></center>
<center><font face="system" color="gold" size="+1"> Proxy / Nat Server Specifications</font></center>
<center><font face="system" color="white" size="1"> CPU : AMD XP 1800+</font></center>
<center><font face="system" color="white" size="1"> MEMORY : 1024 MB DDR 400Mhz</font></center>
<center><font face="system" color="white" size="1"> HDD : 40GB / 2x Cache Dir 10-10GB</font></center>
<center><font face="system" color="white" size="1"> MOTHERBOARD : Gigabyte NForce2</font></center>
<center><font face="system" color="white" size="1"> LAN : 4xRealtek 10/100Mbit</font></center>
<center><font face="arial" color="cyan" size="5"> YOUR GUARDIAN ANGEL IS : SquidGUARD[tm]</font></center>
<center><A HREF="mailto:user@somedomain.com"><font face="system" color="yellow" size="5">YOUR NAME HERE</font></A><font face="system" color="orange" size="5"><U>  MOB TEL: xxxxxxxxx</U></font></center>
<center><font face="system" color="gold" size="3">Somebody & Nobody Co.,Ltd.</font></center>
</body>
</html>


13. Okay, we are done with the configuration, so let's reboot our new (transparent) proxy+NAT server:
      [root@squid root]# reboot

Once the system is up and running again:
a.) check if Squid is running
      [root@squid root]# /etc/init.d/squid status

Next you can check the log files,
just to see if everything started up without complaining.
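As an added check, not part of the original guide, the script below re-tests after a reboot the things this setup depends on: the three port-3228 REDIRECT rules in /etc/sysconfig/iptables, the nobody ownership of the cache and log dirs that a Squid update resets (step 7), ip_forward, and that nothing but index.html sits in the /home DocumentRoot (the guide also downloads yum.conf.txt and writes proxy-iptables into /home, and Apache would serve those to every client). The file name check-proxy.sh and the "run" argument are my own conventions.

```shell
#!/bin/sh
# Added post-reboot check script (not part of the original guide). It re-tests the
# settings the guide made: the port-3228 REDIRECT rules, the nobody ownership that
# a squid update resets (step 7), ip_forward, and the Apache DocumentRoot.
IPT_SAVE="${IPT_SAVE:-/etc/sysconfig/iptables}"

# One port-80 REDIRECT per inside interface must survive in the saved rule set.
check_redirects() {   # usage: check_redirects <iptables-save file>
    f="$1"; missing=0
    for dev in eth0 eth1 eth2; do
        grep -qE -e "-A PREROUTING -i $dev -p tcp (-m tcp )?--dport 80 -j REDIRECT --to-ports 3228" "$f" \
            || { echo "missing port-80 REDIRECT for $dev"; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# Squid runs as nobody here, so the cache dirs and /var/log/squid must stay nobody's.
check_owner() {       # usage: check_owner <path> <expected user>
    [ "$(stat -c %U "$1")" = "$2" ] || { echo "$1 is not owned by $2"; return 1; }
}

# The guide downloads yum.conf.txt and writes proxy-iptables into /home, and step 12
# makes /home the DocumentRoot, so anything left there is served to every client.
# Only the block page belongs in the web root.
check_docroot() {     # usage: check_docroot <DocumentRoot dir>
    extra=$(find "$1" -mindepth 1 ! -name index.html | head -n 1)
    [ -z "$extra" ] || { echo "served from DocumentRoot, move it: $extra"; return 1; }
}

check_forwarding() {  # set by the rc.local line in step 11
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

run_checks() {
    rc=0
    check_redirects "$IPT_SAVE" || rc=1
    for d in /proxy1 /proxy2 /var/log/squid; do check_owner "$d" nobody || rc=1; done
    check_docroot /home || rc=1
    check_forwarding || { echo "ip_forward is off"; rc=1; }
    /etc/init.d/squid status || rc=1
    return "$rc"
}

# Run the live checks only when invoked as: sh check-proxy.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```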

I think this is it; you now have a fully working (transparent) proxy+NAT server.

This topic is now closed; you can ask your questions about this guide in the Technical Support Forum.

Robert B

Robert Becskei