Transparent Proxy configuration
In my setup, I have a Linux firewall () that only provides firewalling services. Squid and Dansguardian are running on a separate Linux server on the internal network. The ultimate goal of setting up content filtering is to have everybody use it, without being able to get around it. One way to do this is to block all outgoing web (port 80) requests and only allow them from the proxy server. This will force every user to specify the proxy port in their browser configuration, if their browser supports it. An easier method is to set up some firewall rules:
* make sure transparent proxy support is compiled into the Linux kernel on the firewall
* at the top of the firewall rules/chains, insert a rule to allow access from your proxy server
* at the bottom of the firewall rules/chains, add a rule to redirect all outgoing web requests to a local port: ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8081 -l
* use 'tproxyd' or 'redir' to do the redirection: redir --lport=8081 --laddr=192.168.20.1 --cport=8080 --caddr=192.168.20.3
* do not use the --transproxy flag with redir in this scenario. It will slow requests by 3-4 seconds.
* we need to use redir, because ipchains will only redirect to local ports, not ports on other systems.
* in the above notes, 192.168.20.1 is the firewall, 192.168.20.3 is the proxy server, port 3128 is Squid, port 8080 is DansGuardian, port 8081 is the local redirection port on the firewall.
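The following POSIX sh script is an added example, not part of the original notes: it emits the firewall-side commands in the order the notes require and simulates ipchains first-match evaluation to show why the proxy's allow rule has to sit above the catch-all redirect. Addresses and ports are the ones from the notes; the exact form of the allow rule (an ACCEPT matching the proxy as source, inserted at position 1) and the match_chain/fw_rules function names are assumptions of this example. With DRY_RUN unset it only prints the commands; set DRY_RUN=0 on the firewall itself to execute them.

```shell
#!/bin/sh
# Added example: transparent-proxy firewall rules for the setup in the notes.
FIREWALL=192.168.20.1    # firewall's internal address (from the notes)
PROXY=192.168.20.3       # host running Squid and DansGuardian (from the notes)
DG_PORT=8080             # DansGuardian listening port (from the notes)
REDIR_PORT=8081          # local redirection port on the firewall (from the notes)

# Emit the commands in the order they must be loaded. ipchains evaluates a
# chain top to bottom and the first match wins, so the proxy's own outbound
# web traffic is accepted before the catch-all REDIRECT. If it were redirected,
# it would come back through redir to DansGuardian on the proxy, whose fetch
# would be redirected again: a loop. The allow rule's form is an assumption.
fw_rules() {
    echo "ipchains -I input 1 -p tcp -s $PROXY -d 0.0.0.0/0 80 -j ACCEPT"
    echo "ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT $REDIR_PORT -l"
    # redir hands the redirected connection to DansGuardian on the proxy host.
    # No --transproxy: the notes report it adds 3-4 seconds per request.
    echo "redir --lport=$REDIR_PORT --laddr=$FIREWALL --cport=$DG_PORT --caddr=$PROXY"
}

# Simulate first-match evaluation for a TCP/80 packet from source $1 against
# rules given as "source|ACTION" (source "any" matches every host). Prints the
# action of the first matching rule, or DENY when nothing matches.
match_chain() {
    src=$1
    shift
    for rule in "$@"; do
        rsrc=${rule%%|*}
        action=${rule#*|}
        if [ "$rsrc" = any ] || [ "$rsrc" = "$src" ]; then
            echo "$action"
            return 0
        fi
    done
    echo DENY
}

# Print or execute the rule set depending on DRY_RUN (default: print only).
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        fw_rules
    else
        fw_rules | sh -e
    fi
}

echo "# correct order: proxy $PROXY -> $(match_chain "$PROXY" "$PROXY|ACCEPT" "any|REDIRECT")"
echo "# wrong order:   proxy $PROXY -> $(match_chain "$PROXY" "any|REDIRECT" "$PROXY|ACCEPT")"
echo "# any client:    192.168.20.77 -> $(match_chain 192.168.20.77 "$PROXY|ACCEPT" "any|REDIRECT")"
apply_rules
```

A quick check after loading the real rules is to run `ipchains -L input -n` and confirm the ACCEPT for the proxy is listed above the REDIRECT; the `-l` flag on the redirect rule logs each hit to the kernel log, which is also where a client attempting to bypass the filter by speaking port 80 directly will show up.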