4. Squid Transparent Proxy.md

First, this needs to be done on the Client PC.

1. Set IP on Client PC:

• First, open Network Connections: ncpa.cpl.
• Right-click on the active network adapter and select Properties.
• Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
• Set the IP settings like this:
  • IP Address: 192.168.1.10
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.1.1
  • DNS Servers:
    • Primary DNS: 8.8.8.8 (Google DNS)
    • If you have your own DNS server, use: 192.168.1.1

2. Turn Off Proxy Settings in Browser:

• Open your browser (Chrome, Firefox, etc.).
• Go to Settings > Network/Connection Settings (varies depending on browser).
• Remove or turn off the proxy settings you previously added. On Browser Firefox

On System Setting

3. Ping Test:

• After applying the settings, open the Command Prompt (or terminal) and run the following commands to check connectivity:
  • ping 192.168.1.1 (ping the gateway to ensure it’s accessible).
  • ping 8.8.8.8 (ping Google DNS to check if there’s internet connectivity).
  • You can also ping other local devices to ensure the local network is working.

---

Squid Transparent Proxy Setup

• Objective: Configure Squid as a transparent proxy without using a script.
• Steps: Follow these steps to configure the Squid proxy and firewalld manually.

---

1. DNS Configuration for Squid Transparent Proxy with BIND

1.1 Edit the named.conf File

• Open the configuration file for ISC BIND:

  vim /etc/named.conf

1.2 Update the named.conf Configuration

• Add the following entries for ACL configuration:

  acl ns_ip_add {
      192.168.1.1;
  };
  
  acl mynetwork {
      192.168.1.0/24;
  };

1.3 Full Configuration of named.conf

• Here is the full configuration for named.conf:

  //
  // named.conf
  //
  
  acl ns_ip_add {
      127.0.0.1;
      192.168.12.145;
      192.168.12.146;
      192.168.12.147;
      192.168.1.1;
  };
  
  acl mynetwork {
      127.0.0.1;
      192.168.12.0/24;
      192.168.1.0/24;
  };
  
  options {
      listen-on port 53 { ns_ip_add; };
      listen-on-v6 port 53 { ::1; };
      directory "/var/named";
      dump-file "/var/named/data/cache_dump.db";
      statistics-file "/var/named/data/named_stats.txt";
      memstatistics-file "/var/named/data/named_mem_stats.txt";
      secroots-file "/var/named/data/named.secroots";
      recursing-file "/var/named/data/named.recursing";
      allow-query { mynetwork; };
      recursion yes;
      dnssec-validation yes;
      managed-keys-directory "/var/named/dynamic";
      geoip-directory "/usr/share/GeoIP";
      pid-file "/run/named/named.pid";
      session-keyfile "/run/named/session.key";
      include "/etc/crypto-policies/back-ends/bind.config";
  };
  
  logging {
      channel default_debug {
          file "data/named.run";
          severity dynamic;
      };
  };
  
  zone "." IN {
      type hint;
      file "named.ca";
  };
  
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";

1.4 Restart the Named Service

• Restart the named service to apply changes:

  systemctl restart named.service

1.5 Verify the DNS Server is Running

• Check the status of the named service:

  systemctl status named.service

• Use dig or nslookup to verify DNS resolution.

---

2. Set Up Squid Proxy

2.1 Edit the Squid Configuration File

• Open the Squid configuration file:

  vim /etc/squid/squid.conf

2.2 Update Squid Configuration for Transparent Proxy

• Remove old ACL entries and add the following to ensure Squid listens for transparent proxy connections:

  # http_port 3128
  http_port 3128
  http_port 3128 transparent

2.3 Restart Squid to Apply Changes

• Restart Squid to apply the new configuration:

  systemctl restart squid

2.4 Optional Filtering Command

• Use this command to filter and remove comments from the Squid configuration:

  cat /etc/squid/squid.conf | grep -v '^#' | sed '/^$/d'

---

3. Configure Firewalld

3.1 Enable IP Forwarding

• Enable IP forwarding for traffic routing between interfaces:

  sysctl -w net.ipv4.ip_forward=1

• Make the change permanent by editing sysctl.conf:

  vim /etc/sysctl.conf

• Add the following line to ensure IP forwarding remains enabled after a reboot:

  net.ipv4.ip_forward=1

• Apply the changes:

  sysctl -p

3.2 Configure Firewalld Zones

• Add Internet Interface to Public Zone:

  firewall-cmd --zone=public --add-interface=enp0s3 --permanent

• Add LAN Interface to Trusted Zone:

  firewall-cmd --zone=trusted --add-interface=enp0s8 --permanent

• Allow Loopback Traffic:

  firewall-cmd --zone=trusted --add-source=127.0.0.1 --permanent

• Allow DNS and UDP Traffic:

  firewall-cmd --zone=public --add-port=53/udp --permanent
  firewall-cmd --zone=public --add-service=dns --permanent

• Enable NAT (Masquerading) for Outgoing Connections:

  firewall-cmd --zone=public --add-masquerade --permanent

• Forward HTTP Traffic to Squid:

  firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=3128 --permanent

• Ensure Incoming HTTP Traffic is Redirected to Squid:

  firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=3128 --permanent

3.3 Reload Firewalld to Apply Changes

• Reload firewalld to apply the new rules:

  firewall-cmd --reload

---

4. Verify Configuration

4.1 Verify Firewalld Rules

• List the current firewalld configuration:

  firewall-cmd --list-all

4.2 Test the Proxy

• On a client machine, configure the browser to use the Squid proxy:

  • Proxy IP: 192.168.2.1
  • Port: 3128

• Alternatively, test using curl or wget:

  curl http://example.com

---

5. Make IP Forwarding Persistent

5.1 Ensure IP Forwarding in sysctl.conf

• Ensure IP forwarding remains enabled after reboot:

  vim /etc/sysctl.conf

• Ensure the following line exists:

  net.ipv4.ip_forward=1

• Apply changes:

  sysctl -p

---