Proxy Server How To

Start by installing Arch Linux (or your chosen distribution) onto the hardware you selected. If you are in need of a little assistance with the installation, I recommend using this wiki guide and then setting up yaourt. Once you have completed your standard Linux installation you need to ensure your network is configured properly. In the case of my transparent proxy, I plugged one network port directly into my cable router and allowed it to grab an IP address via DHCP. The second adapter is then given an IP address of your choice (I chose; other common IP addresses would be 192.168.x.x).

At this point you will want to test your network configuration. Start with trying to get out to the internet. If this works, plug your secondary network adapter into whatever switch/router you have available. Take your desktop or laptop that's plugged into the same switch and assign it an IP address in your 10.4.20.x range. (For DHCP setups, see below.) You should now be able to ping your new proxy server ( from your desktop/laptop. As a quick note for the users who only have a wireless cable modem, it is okay to have both interfaces of your proxy server and desktop plugged into the same cable modem hub.

Now that we have the configuration of the network cards complete, we just need to do a quick installation and configuration of Shorewall/Squid. That may sound like a daunting task to the Linux initiate, but this is actually very simple. First go ahead and install both Squid and Shorewall. Arch has both readily available in the package repository (from a command prompt: yaourt -S shorewall squid). If you are not utilizing Arch, you can download the packages manually from and

Whether you installed Arch Linux or another distribution as your base OS, Shorewall has one simple command to get it set up: cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall. (This copies the base two-NIC example to your live Shorewall directory, which saves a lot of manual work.) Make a quick edit to /etc/shorewall/shorewall.conf and set Startup_Enabled to yes, and you now have a functioning Shorewall. The only thing you need to do for Shorewall at this point is add the following rule to the /etc/shorewall/rules file: REDIRECT loc 3128 tcp www. Start Shorewall by typing shorewall start from the command line, and add it to your boot process by putting shorewall into the DAEMONS section of /etc/rc.conf.

Now that Shorewall is fully functional and configured, we need to configure Squid. I found a short wiki guide that will assist with the initial set up of Squid. Once you have completed the configuration in the wiki guide, you need to pay close attention to a few configuration settings located in /etc/squid/squid.conf. The cache_mem line should be set to half of the installed RAM on your proxy server. In my case I have 512MB of total memory, so I configured cache_mem to 256. The other setting that you need to pay attention to is maximum_object_size. This setting is the maximum file size your proxy will retain. I set my maximum size to 2048MB in order to retain everything up to a CD ISO. Be cautious of using 2048 if you have anything less than a 120GB drive, as your storage space could be gone in a matter of days. To get the caching proxy in place and running, the most important line to add is http_port 3128 transparent. The key here is the addition of "transparent", which turns Squid into a caching proxy that won't require any additional configuration on your client PCs.

If you followed all of the directions correctly, you're now ready to configure all the machines on your network with a 10.4.20.x IP address with the gateway set as Don't forget to configure your DNS as well (in /etc/resolv.conf). Now that you have everything fired up, give your new proxy a spin around the internet. If you would like to do a good test, download a decent size file (e.g. larger than 1MB). Once the download is complete, you should be able to download it again a second time and get LAN speeds on the download. If you have multiple computers, use another machine on your network and attempt to download the same file, and you should again see LAN download speeds.
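Before firing up the clients, it is worth checking that the three settings the Shorewall and Squid steps above depend on are actually in place. The script below is an added example and not part of the original article: it checks for the REDIRECT rule, the transparent http_port, the cache_mem-to-RAM ratio and the maximum_object_size-versus-disk warning against constructed sample copies of the rules file and squid.conf (the /tmp paths and sample values are assumptions for the demo; point the variables at the real files to check a live box).

```shell
#!/bin/sh
# Added example (not from the original article). Sanity-check the Shorewall and
# Squid settings the article calls out. Paths below are assumptions for the demo.
SQUID_CONF="${SQUID_CONF:-/tmp/squid.conf.sample}"
RULES_FILE="${RULES_FILE:-/tmp/shorewall-rules.sample}"

# Constructed sample files so the script runs offline; on a real proxy set
# SQUID_CONF=/etc/squid/squid.conf and RULES_FILE=/etc/shorewall/rules instead.
cat > "$SQUID_CONF" <<'EOF'
http_port 3128 transparent
cache_mem 256 MB
maximum_object_size 2048 MB
EOF
cat > "$RULES_FILE" <<'EOF'
#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
REDIRECT  loc     3128  tcp    www
EOF

# First value after a squid.conf directive name, or nothing if it is absent.
squid_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# 1 if squid.conf has "http_port 3128 transparent", else 0
has_transparent_port() {
    grep -Eq '^http_port[[:space:]]+3128[[:space:]]+transparent' "$1" && echo 1 || echo 0
}

# 1 if cache_mem (MB) is at most half of total RAM ($2, in MB), else 0
cache_mem_ok() {
    mem=$(squid_value "$1" cache_mem)
    [ "$mem" -le $(( $2 / 2 )) ] 2>/dev/null && echo 1 || echo 0
}

# 1 if maximum_object_size is 2048MB or more on a cache disk under 120GB ($2), else 0
large_objects_risky() {
    obj=$(squid_value "$1" maximum_object_size)
    [ "$obj" -ge 2048 ] 2>/dev/null && [ "$2" -lt 120 ] && echo 1 || echo 0
}

# 1 if the Shorewall rules file redirects loc tcp/www to port 3128, else 0
has_redirect_rule() {
    grep -Eq '^REDIRECT[[:space:]]+loc[[:space:]]+3128[[:space:]]+tcp[[:space:]]+www' "$1" && echo 1 || echo 0
}

# Report for the article's 512MB box with an 80GB drive
echo "transparent http_port present: $(has_transparent_port "$SQUID_CONF")"
echo "cache_mem within half of 512MB:  $(cache_mem_ok "$SQUID_CONF" 512)"
echo "2048MB objects risky on 80GB:   $(large_objects_risky "$SQUID_CONF" 80)"
echo "REDIRECT rule present:          $(has_redirect_rule "$RULES_FILE")"
```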

Proxy Server with DHCP

Although I wanted to keep this short and to the point, a common question inevitably comes up: what if you still want to use DHCP? There are a few ways to tackle this issue. If you're lucky enough to have a router/cable modem that will allow you to change what IP addresses it assigns to the network, simply change it over to your new 10.4.20.x subnet and have it assign the gateway of If this is not the case, you will need to disable DHCP on your router and install the DHCP server package (in Arch: pacman -S dhcp). The configuration can be a bit of a hassle, so here's my /etc/dhcpd.conf.

Start the DHCP service on your proxy (/etc/rc.d/dhcpd start) and test DHCP on your desktop/laptop. Assuming all goes well, add dhcpd to your DAEMONS in /etc/rc.conf. If you happen to reboot your Linux box, after a minute or so your proxy should be back up and running.


  • KaarlisK - Tuesday, May 11, 2010 - link

    A semi old machine probably won't have any virtualization instructions.
    I fear to think what will happen when you chain these virtual machines together :D though I may be completely wrong.
  • JarredWalton - Tuesday, May 11, 2010 - link

    Virtualization may be the answer, but what was the question? "What is the answer to life, the universe, and everything?" Virtualization! And 42.

    Good night, all!
  • ChrisRice - Tuesday, May 11, 2010 - link

    I agree with this statement completely. Setting up a KVM/VMware server is a great way to get even more use out of your centralized computer. With the proper hardware and switching you can go one further and make it fail over in case of an outage "Ya I know a bit over done for home but allot of fun".
  • mindless1 - Tuesday, May 11, 2010 - link

    Once you get your target for memory caching you can determine how old a system will suffice based on reasonably upgradable memory capacity. For example, a Pentium II/350MHz with 768MB of memory would suffice for many home users, but alas you probably want a more modern, not worn out old, hard drive that uses SATA.

    It's not hard to get power consumption down low, though: follow the same standards for underclocking that you would for overclocking, remembering that the typical bottlenecks are not memory or bus frequency, or CPU processing capability. As with the hard drive there is yet another issue: a box like this you would typically plan to set up and use for years at a time, so if you pick a box already 5 years old that would've lasted 10 years total, do you want to have to do the project over again for no reason other than to avoid having spent a few dollars more now?
  • chromatix - Tuesday, May 11, 2010 - link

    I've had a setup very like this for about a decade, using everything from a 486SX/25 running Red Hat 6.1 up to an Athlon-XP 2500 with a RAID-5 array, and back down to a redundant PowerBook G3 running Gentoo. I happen to run a caching DNS server as well on the same box, partly because at various times I've found ISP DNS service to be unreliable.

    The G3 is *silent*, and sufficiently powerful both to do its job and compile Gentoo updates. It's the best use I've found for an old PowerBook ever. It even still has a few minutes of life in the built-in UPS, and if I wanted to I could extend that to about 5 hours for about €100. ;-)

    There are some downsides to Squid. As an enterprise-grade tool it has a very slow development cycle, and the stable versions do not yet support IPv6 and - as Peacekeeper demonstrates - have trouble with some recent webservers. In general though it works well.
  • EvilIgor - Tuesday, May 11, 2010 - link

    I would recommend Smoothwall instead. But this is a lot more powerful than just a proxy.
  • ChrisRice - Tuesday, May 11, 2010 - link

    Smoothwall is another great product that I have used in the past. It's a very easy setup with a nice GUI interface. However, I have found over the past few times I have worked with Smoothwall that it is lacking in features compared to a more traditional Linux setup.
  • rahvin - Tuesday, May 11, 2010 - link

    I believe you are making a mistake to assume that the user has configured their interfaces exactly as the 2-interface example. If I were you, I would edit the article and add an edit of the interfaces file to correct the zones to match the network configuration the user has chosen, or tell the user that the internet needs to be on a particular interface.

    FWIW I agree with your choice of Shorewall, although less popular it's far more configurable than most of the other packages although you have to be accustomed to the "linux/unix" way of management (ie text configuration files). I'm glad you pointed users to it, although I would be happier if you suggested Debian as it's easier to manage security updates IMO, and that's a critical feature for a persistently connected box.
  • LiamC - Thursday, May 13, 2010 - link

    What features (mentioned in your article) would it be missing? If you just want a (transparent) proxy that handles account authentication and DHCP, then Smoothwall fits the bill--and also acts as a firewall. And it is very easy to set up.
  • Exodite - Tuesday, May 11, 2010 - link

    I suppose I'm spoiled by living in a country with decent network standards but to me the obvious solution would be to just get rid of the router and modem and plug your home switch straight into the ethernet wall outlet. :)

    Oh well.
