Transparent_Squid_caching_bridge

A transparent caching bridge is helpful to add a web proxy automatically to your outbound internet traffic. It doesn't require much hardware beyond two ethernet cards. I used a 800 MHz Pentium III with 512 MB of RAM, and it is more than enough for a 150 person office.

This system was built using gentoo-sources 2.6.22-r2, Squid 2.6.STABLE13, and iptables 1.3.5.

This document is a reference to two other documents, which are included here, and some trial an error.

• Bridging
• http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid

I suggest reading the above docuements

Install the required kernel module

Networking --->
    Networking Options --->
    [*] 802.1d Ethernet Bridging

Emerge the bridging software

   emerge bridge-utils

Edit the network config for the new interface:

   config_eth0=( "null" )
   config_eth1=( "null" )
   bridge_br0="eth0 eth1"
   config_br0=( "192.168.XX.XX netmask 255.255.255.0" )
 

Create a link for the new br0 interface, and add it to the default run level:

 ln -s net.lo net.br0
 rc-update add net.br0 default

Once the bridge is up and working, you need to install squid.

    emerge squid

Edit squid.conf to enable transparent mode, and set a hostname.

 ...
    http_port 3128 transparent
    visible_hostname <your_name_here>
 ...
 

Start squid, and add it to the default run level.

   /etc/init.d/squid start
   rc-update add squid default

• Note - You may receive errors starting Squid the first time regarding flawed ACLs. If you do, simply search for and delete the relevant lines from squid.conf.

Now, we need to redirect the port 80 internet traffic to use the Squid proxy. To do so, emerge iptables.

    emerge iptables

You will need to enable some settings in the kernel to make use of iptables:

Networking --->
    Networking Options --->
       [*] Network packet filtering framework
          [*]   Bridged IP/ARP packets filtering
          Core Netfilter Configuration
             <*> Netfilter netlink interface
             <*> Netfilter connection tracking support
             [*] Connection tracking events
             --- Netfilter Xtables support (required for ip_tables)
             <*> for all entries               

Add the rule to iptables:

   iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

At this point you have a working transparent bridge.

The logging performed by Squid will eat your disk space if you are not careful. I suggest using logrotate to handle the log file growth. Install logrotate:

    emerge logrotate

Create a job for squid:

/var/log/squid {
        rotate 7
        daily
}