Configuring Squid as a Transparent WWW Caching Server

• First I had to add/modify these lines to /etc/squid/squid.conf

  acl our_networks src 192.168.0.0/24
  
  http_access allow our_networks
  
  httpd_accel_host virtual
  
  httpd_accel_with_proxy on
  
  httpd_accel_uses_host_header on
  

• Next I modified a script, which I found somewhere on the web, named setipwall that sets up proper packet filtering rules on Hilltop and must be run each time Hilltop is rebooted.

  #!/bin/bash
  
  # Acceptable ports
  APORTS="20 21 22 25 53 80 110 143 3128"
  # Reject ports Kazaa(1214), Gnnutella (6346 6347)
  RPORTS="1214 6346 6347"
  
  EX_ETH=eth0                     #       External Interface
  IN_ETH=eth1                     #       Local Interface
  LOCAL_IP=192.168.0.252          #       Local Host IP
  LOCAL_NET=192.168.0.0/24        #       Local Network
  EXTERNAL_NET=63.250.102.168/29  #       External Network
  PROXY_IP=192.168.0.252          #       Proxy Server IP (Transparent Proxy)
  PROXY_PORT=3128                 #       Proxy Server Port No
  
  # Clear all iptables
  
  iptables -t filter -F
  iptables -t nat -F
  
  # Masquerade
  iptables -t nat -A POSTROUTING -o $EX_ETH -j MASQUERADE
  
  # Transparent Proxy
  iptables -t nat -A PREROUTING -i $IN_ETH \
         -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
  
  # Accept
  for AP in $APORTS
  do
      iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -j ACCEPT
      iptables -A INPUT -i $EX_ETH -p udp --dport $AP -j ACCEPT
  done
  
  # Reject
  for RP in $RPORTS
  do
      iptables -A INPUT -p tcp --dport $RP -j REJECT
      iptables -A INPUT -p udp --dport $RP -j REJECT
  done
  
  # Any other packets must be dropped.
  iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP
  
  # FORWARD Chain
  iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP
  
  # Turn on IP forwarding
  echo 1 > /proc/sys/net/ipv4/ip_forward