Feb 21, 2022

Transparent Proxy Using Squid Cache and Cisco Router in Linux

There is an excellent article about setting up a transparent proxy to control web traffic using Squid and a Cisco router. Here's my summary note.


Step 1: Install Squid Cache

 

Step 2: Prepare Squid Cache

$ sudo vi /etc/sysctl.conf

# Enable packet forwarding so the kernel does not drop intercepted packets
# whose destination IP address is not one of its own.
net.ipv4.ip_forward = 1

# Disable reverse-path filtering so the kernel accepts packets arriving over
# the GRE tunnel whose source address is not routed back through that tunnel
# (or lies in the same subnet as the destination).
net.ipv4.conf.default.rp_filter = 0

Step 3: Create GRE interface

$ sudo vi /etc/sysconfig/network-scripts/ifcfg-gre0

DEVICE=gre0
BOOTPROTO=static
IPADDR=10.0.0.2         # an unused IP address in your network
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no

$ sudo service network restart

Step 4: Configuring Squid Cache

$ sudo vi /etc/squid/squid.conf

http_port 3128 intercept            # listen for transparently redirected HTTP
wccp2_router 192.168.1.254          # IP address of the Cisco router
wccp2_forwarding_method gre         # router -> Squid: GRE encapsulation
wccp2_return_method gre             # Squid -> router: GRE encapsulation
wccp2_service standard 0            # standard service 0 = web-cache (TCP port 80)

$ sudo service squid restart

$ sudo iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
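As an added example (my own script, not from the original article), the following audit checks a host's kernel, GRE, NAT and Squid state against the values configured in Steps 2 to 4. Every checker takes command output as text, so it can be run against captured output or against the constructed samples embedded below without root. Assumptions: the tunnel address 10.0.0.2/30 and listening port 3128 from this note, and that `iptables-save` renders the REDIRECT rule with `-m tcp` and `--to-ports`. Remember that `/etc/sysctl.conf` edits take effect only after `sudo sysctl -p` (or a reboot).

```shell
#!/bin/sh
# Added example: audit the Linux side of the Squid/WCCP setup.
# Each checker reads command output passed as a string and returns 0 on pass.

# Kernel forwarding and rp_filter as set in /etc/sysctl.conf (live: sysctl -a).
sysctl_ok() {
  printf '%s\n' "$1" | grep -qxF 'net.ipv4.ip_forward = 1' &&
  printf '%s\n' "$1" | grep -qxF 'net.ipv4.conf.default.rp_filter = 0'
}

# gre0 up and carrying the tunnel address (live: ip -br addr show gre0).
gre_ok() {
  printf '%s\n' "$1" | grep -qE '^gre0[[:space:]]+(UP|UNKNOWN)[[:space:]]+10\.0\.0\.2/30'
}

# The REDIRECT rule as iptables-save prints it (live: iptables-save -t nat).
# iptables-save renders "--to-port" as "--to-ports" and inserts "-m tcp".
redirect_rule_ok() {
  printf '%s\n' "$1" | grep -qE -- '^-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128$'
}

# Squid bound to TCP 3128 (live: ss -ltn).
squid_listen_ok() {
  printf '%s\n' "$1" | grep -qE '^LISTEN[[:space:]].*:3128[[:space:]]'
}

# Run every check, print a one-line verdict each, return 0 only if all pass.
# Arguments: sysctl text, iptables-save text, ss text, ip-addr text.
audit() {
  rc=0
  if sysctl_ok "$1";        then echo "ok   sysctl (ip_forward=1, default.rp_filter=0)"; else echo "FAIL sysctl"; rc=1; fi
  if gre_ok "$4";           then echo "ok   gre0 tunnel interface 10.0.0.2/30";          else echo "FAIL gre0";   rc=1; fi
  if redirect_rule_ok "$2"; then echo "ok   nat REDIRECT gre0 tcp/80 -> 3128";           else echo "FAIL nat";    rc=1; fi
  if squid_listen_ok "$3";  then echo "ok   squid listening on 3128";                    else echo "FAIL squid";  rc=1; fi
  return $rc
}

# Constructed sample output (not captured from a real host) for a healthy setup.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1'
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j MASQUERADE
COMMIT'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      1024   0.0.0.0:3128       0.0.0.0:*'
SAMPLE_GRE='gre0             UNKNOWN        10.0.0.2/30'

# Stand-alone run against the samples. On a real host use instead:
#   audit "$(sysctl -a 2>/dev/null)" "$(sudo iptables-save -t nat)" "$(ss -ltn)" "$(ip -br addr show gre0)"
audit "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_SS" "$SAMPLE_GRE"
```

The checks are deliberately strict string matches on the rendered output, so a rule that lacks the `-i gre0` qualifier, or a tunnel that came up without its address, is reported as a failure rather than silently accepted.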

Step 5: Cisco router configuration

Enable WCCP version 2 on the Cisco router:

R1(config)# ip wccp version 2

Then define a standard ACL that identifies the Squid machine to the router (only hosts in this list may register as caches):

R1(config)# ip access-list standard SQUID-MACHINE
R1(config-std-nacl)# permit host 192.168.1.10

Define an extended ACL that excludes the Squid host's own traffic from redirection (otherwise its outbound requests would loop back through the WCCP tunnel) and matches the LAN web traffic to be forwarded to the cache:

R1(config)# ip access-list extended LAN-TRAFFIC
R1(config-ext-nacl)# deny ip host 192.168.1.10 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq www

Next, bind both ACLs to the WCCP web-cache service:

R1(config)# ip wccp web-cache redirect-list LAN-TRAFFIC group-list SQUID-MACHINE

Last, specify the interface on which inbound web traffic is redirected:

R1(config)# interface fastEthernet 0/0
R1(config-if)# ip wccp web-cache redirect in
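To make the redirect-list semantics concrete, here is an added example (my own script, not from the original article or Cisco) that walks the two entries of the LAN-TRAFFIC ACL above in order, with the implicit deny at the end, and reports whether a given flow would be redirected to the cache. It models only the redirect-list, not the group-list or service registration, and the sample flows are constructed.

```shell
#!/bin/sh
# Added example: evaluate the LAN-TRAFFIC redirect-list from the router config
# entry by entry, the way IOS does, to show why the deny for the Squid host
# must come before the permit.

SQUID_HOST=192.168.1.10   # deny ip host 192.168.1.10 any  (loop prevention)
LAN_NET=192.168.1.0       # permit tcp 192.168.1.0 0.0.0.255 any eq www
LAN_WILDCARD=0.0.0.255    # Cisco wildcard mask: 1 bits are "don't care"

# Convert a dotted quad to a 32-bit integer.
ip2int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# Return 0 when address $1 lies in network $2 under Cisco wildcard mask $3.
in_wildcard() {
  _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _wild=$(ip2int "$3")
  _care=$(( 4294967295 - _wild ))          # bits that must match
  [ $(( _ip & _care )) -eq $(( _net & _care )) ]
}

# Decide whether a flow (src ip, protocol, dst port) is redirected to Squid.
# Prints "redirect" or "bypass"; returns 0 for redirect, 1 for bypass.
wccp_decision() {
  src=$1; proto=$2; dport=$3
  # entry 1: deny ip host 192.168.1.10 any -- the cache's own requests
  if [ "$src" = "$SQUID_HOST" ]; then echo bypass; return 1; fi
  # entry 2: permit tcp 192.168.1.0 0.0.0.255 any eq www
  if [ "$proto" = tcp ] && [ "$dport" -eq 80 ] &&
     in_wildcard "$src" "$LAN_NET" "$LAN_WILDCARD"; then
    echo redirect; return 0
  fi
  # implicit deny at the end of every Cisco ACL
  echo bypass; return 1
}

# Constructed sample flows, printed when the script runs stand-alone.
for flow in "192.168.1.10 tcp 80" "192.168.1.50 tcp 80" \
            "192.168.1.50 tcp 443" "10.0.0.5 tcp 80"; do
  set -- $flow
  printf '%-14s %s/%-4s -> %s\n' "$1" "$2" "$3" "$(wccp_decision "$1" "$2" "$3")"
done
```

Swapping the two ACL entries would make the Squid host's own port-80 requests match the permit first and be pushed back into the tunnel, which is the loop the deny line exists to prevent; HTTPS and traffic from outside 192.168.1.0/24 fall through to the implicit deny and are never redirected.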


Link: