Opensolaris – configuring squid as a transparent proxy

I used to have a virtual machine that acted as a transparent proxy, but as of late thought i’d move squid onto my host box (opensolaris). This way hopefully increasing the amount of free ram available to the host while also taking advantage of ZFS etc…

So this is a very brief guide on how to configure your opensolaris 2008.11 box as a transparent proxy. Essentially meaning if you set the solaris box as the default gateway all web traffic will be cached as it goes through it before it goes onto your dls router or outside connection.

At this point i’m assuming that your opensolaris box can access the web without issue. The config i have loaded on my box points DNS and the default route straight to my dsl router. If you have having problems getting to the web it may be the DNS problem discussed here :

First step is to enable IP forwarding;

svcadm enable ipv4-forwarding

Then install the squid package though package manager – search for “squid” and install

Configure squid via /etc/squid/squid.conf file. Find the http_port setting and add “transparent” to the required line like so…

http_port 3128 transparent

Find the network acl and add your subnet to the required line. My subnet is so it should look like this. (note: you can have multiple subnets so i have two in the following example). You may need to uncomment the line…

acl our_networks src

http_access allow our_networks

Update : i had some problems with web traffic slowing down and stalling eventually over time so i have made an additional update to the /etc/squid/squid.conf file…

httpd_accel_no_pmtu_disc on

Run /usr/squid/sbin/squid -z to create the swap directories.

The default disk cache size in squid as of writing is 100MB, i usually increase mine to 30GB since disk is cheap). I also move my disk cache to a faster disk array and also increase the maximum cached object size to 1000 MB – but probably isn’t required for the small load that i would generate. Here are some of the additional changes i make (optional);

refresh_pattern . 0 80% 10080 reload-into-ims
maximum_object_size 1000 MB

I have made another post that details increasing your hit ratio here :

Run /usr/squid/sbin/squid

Check for any issues in the cache log located at /var/squid/logs/cache.log

You should test your proxy at the default port of 3128 first. i.e. setup the proxy details in Internet Explorer / FireFox to point to your solaris box ipaddress:3128

Next you need to redirect traffic hitting the solaris box on port 80 to 3128 (the transparent port forwarding) like so…

First enable the ipfilter service…    (no iptables in solaris)

svcadm enable ipfilter

create a file called /etc/ipf/ipnat.conf, and place this rule in it;  (this file should be auto loaded at startup)

rdr e1000g1 port 80 -> port 3128

This redirects my nic (e1000g1) any network port 80 to the local loopback port 3128. To load this rule type;  (clears current rules and loads file)

ipnat -Cf /etc/ipf/ipnat.conf

to check if its working and loaded type ipnat -l

Browse some websites from your web client, and check the squid logs that all http requests are hitting the cache. default log location is /var/squid/logs/access.log

Set your DHCP to point to your solaris box as the default gateway. Done. In most cases your dsl router if it has DHCP will not allow you to change your default gateway. If this is the case you will need to setup your own DHCP server and define the opensolaris box as the default gateway. The DHCP scope can point the clients to the dsl router for DNS, only the default gateway needs to be changed.

Set squid to autostart at boot via SMF manifest;

svcadm enable svc:/network/http:squid


Linux – routing examples

set ip_forward to 1 to enable routing between nics.
type ‘route‘ to insure both networks are routed as expected (connected route added with nic)

Setup a script with the following (CHMOD 0755 the script so it executes)

iptables -F (clears previous iptables stuff)
iptables -P INPUT DROP (will set default policy to DROP all INPUT packets – Incoming to local NICs)
iptables -P OUTPUT DROP (will set default policy to DROP all OUTPUT packets – Outgoing to local NICs)
iptables -P FORWARD DROP (will set default policy to DROP all FORWARDed packets – Routed via local NICs)

allow rules;
iptables -A FORWARD -s -d -p tcp –dport 80 -j ACCEPT (append forward rules – self explanatory)

Add more as required.

Want to use NAT outbound?

wlan0 => external network – route to Internet
eth0 => internal network

#setup masquerading
iptables -P INPUT ACCEPT
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

A very handy tool and the current best way i’ve found to test firewall rules is to fire up tcpdump. Check man for details but here is an example of monitoring a specific destination port and host on a specific NIC;

tcpdump -i eth1 dst port 22 and dst host

If you can see the traffic leaving the interface outbound it has made it past the firewall, if not then you need to have a look at your firewall rules or check your routing table. Type route to see current routing table