Squid in TProxy mode on Fedora

From MikroTik Wiki

Starting point: fresh Fedora installation with network up and running.

Disable SELinux

Open /etc/sysconfig/selinux and change SELINUX=enforcing to SELINUX=disabled.

Edit /etc/sysctl.conf

Add the following lines:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

And change net.ipv4.ip_forward = 0 to

net.ipv4.ip_forward = 1

Edit /etc/rc.local

Add the following lines:

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

Configure iptables

Edit /etc/sysconfig/iptables. In the existing *filter section, add the following rule (it accepts intercepted port-80 connections whose destination address is not local to the box):

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -m addrtype ! --dst-type LOCAL -j ACCEPT

Then add a *mangle section (outside the *filter ... COMMIT block) with the following lines:

*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT

Remove or comment out (with #) the following line in the *filter section:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Install squid

yum install squid

Edit squid config

Edit /etc/squid/squid.conf to suit your needs; at a minimum, change http_port 3128 to

http_port 3128 tproxy

You will also need to add the necessary addresses to the 'localnet' ACL.
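The steps above only work when the sysctl, the policy rule, the local route table, the mangle rules and the squid port all use the same mark, table and port numbers. The script below is an added check, not from the wiki page or from Squid: each check_* function reads one command's output from stdin, tproxy_report runs all of them on captured text, and the script name (tproxy-check.sh) and the "live" argument are this example's own convention.

```shell
#!/bin/sh
# Added check script (not from the wiki page): confirms that the parts configured
# above are present and agree on mark 0x1, table 100, port 80 and port 3128.
# Every check_* reads one command's output from stdin, so it works on captured text
# (see tproxy_report) as well as live: run "sh tproxy-check.sh live" as root.

# sysctl -n net.ipv4.ip_forward  ->  must print 1
check_forwarding() { [ "$(head -n 1)" = "1" ]; }

# ip rule show  ->  fwmark 0x1 (the --tproxy-mark value) must select table 100
check_policy_rule() { grep -Eq 'fwmark (0x)?1(/[0-9a-fx]+)?[[:space:]]+lookup 100'; }

# ip route show table 100  ->  every destination must be delivered locally via lo
check_local_route() { grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; }

# iptables-save -t mangle  ->  socket match, MARK and TPROXY rules with matching values
check_mangle_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -Eq -- '-A PREROUTING .*-m socket.*-j DIVERT' &&
    printf '%s\n' "$rules" | grep -Eq -- '-A DIVERT -j MARK --set-xmark 0x1/0xffffffff' &&
    printf '%s\n' "$rules" | grep -Eq -- \
        '-A PREROUTING .*--dport 80 -j TPROXY .*--on-port 3128 .*--tproxy-mark 0x1/0x1'
}

# /etc/squid/squid.conf  ->  the http_port 3128 line must carry the tproxy flag
check_squid_port() { grep -Eq '^http_port[[:space:]]+3128[[:space:]].*tproxy'; }

# Runs all checks on the five captured outputs (same order as above), prints one
# line per check and returns the number of failures (0 = TProxy plumbing complete).
tproxy_report() {
    failed=0
    _check() {   # $1 = check function, $2 = captured output
        if printf '%s\n' "$2" | "$1"; then echo "ok       $1"
        else echo "MISSING  $1"; failed=$((failed + 1)); fi
    }
    _check check_forwarding   "$1"
    _check check_policy_rule  "$2"
    _check check_local_route  "$3"
    _check check_mangle_rules "$4"
    _check check_squid_port   "$5"
    return "$failed"
}

# Live mode: gather the real state (needs root for iptables-save) and report on it.
if [ "${1:-}" = "live" ]; then
    tproxy_report "$(sysctl -n net.ipv4.ip_forward)" "$(ip rule show)" \
        "$(ip route show table 100)" "$(iptables-save -t mangle)" \
        "$(cat /etc/squid/squid.conf)"
fi
```

A non-zero exit status names exactly which piece is missing, which is quicker than staring at a hung browser when intercepted connections go nowhere.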