LinuxQuestions.org
Old 08-07-2005, 08:48 PM   #1
tzouse
Member
 
Registered: May 2004
Location: Jamaica
Distribution: Red Hat 9/FC1/FC3/FC4
Posts: 35

Rep: Reputation: 15
Doesn't the transparent proxy keep an access log???


I'm running RH9 on a gateway connected to a small wireless lan.
(I hope to add nocat next!)

Since I'm connected to the internet at only 256k, I decided to add squid with transparent proxying so things 'seem' faster... a real murderous task for a novice like me.


Things done so far:

- the usual box with eth1(internet) and eth0(wlan)
- setup a name-caching dns server
- setup dhcp
- setup a custom firewall (can browse on wlan at this point :-))
- install xampp
- install squid ... and this is where I grind to a halt, or so I think

I downloaded squid-2.5stable10
Installed it with ./configure --enable-linux-netfilter
Tried to configure the squid.conf as best I could
Started squid ... got the 'Ready to serve request' go ahead!

--At this point the confusion started with just the ordinary proxy activated--

I realized I could still browse the net even though I hadn't set the proxy IP:Port in the client browser. I checked the /access.log; it was empty.

I set the proxy IP:Port in the browser, then boom! The /access.log came alive immediately after I browsed a few sites. The box also became erratic, with the hard drive LED very busy!

hmm, ok great

--Still a little confused, here comes the transparent proxy--

Went back to the firewall, added 'iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128', and restarted iptables.

Now I removed the proxy setting from the client browser and was browsing fine until I checked the /access.log. It wasn't updated (how come??). I emptied the file to make sure; still nothing.

I also realized that when I put back the proxy IP:Port in the browser, the /access.log started updating again.


The big question now is, doesn't the transparent proxy keep an access log???
How do I know transparent proxying is working for sure?

I need any help on what might be wrong...

Another thing: I realize I have to manually start squid every time I reboot, and 'chkconfig squid on' is giving an error. Is there a custom script somewhere I can use?


Thanks!
 
Old 08-07-2005, 09:17 PM   #2
tzouse
Member
 
Registered: May 2004
Location: Jamaica
Distribution: Red Hat 9/FC1/FC3/FC4
Posts: 35

Original Poster
Rep: Reputation: 15
Another thing is, my Linux Magazine says I must have:

- packet filtering
- connection tracking
- IP tables support
- full NAT , and
- REDIRECT target support enabled in the kernel

Fast switching must also be set to NO


How do I check those things in the kernel?
 
Old 08-08-2005, 12:31 AM   #3
roopunix
Member
 
Registered: Feb 2004
Location: Kathmandu
Distribution: Redhat/fedora/Suse [Wanna Drive With Debian]
Posts: 208

Rep: Reputation: 30
Well, I also have the same configuration of the topology, and for me it is working well.

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
eth0 is my wlan------goes to my access-point
eth1 is my internet

I am using transparent proxy. Have you configured your squid box to transparent mode? I also had the problem with the access.log file. It was not created automatically. I created it manually and changed the ownership to squid. As you had said that your squid does not start at start up confirm that your hostname is issued in the box. And as you were thinking of NOCAT, I suggest you use CHILLISPOT. This is really a thing one wants in their hotspot. Like prepaid and postpaid accounting, simultaneous use, authentication and many more.

you can find the RPM at chillispot.org
 
Old 08-08-2005, 08:39 PM   #4
tzouse
Member
 
Registered: May 2004
Location: Jamaica
Distribution: Red Hat 9/FC1/FC3/FC4
Posts: 35

Original Poster
Rep: Reputation: 15
Well, from the configuration and observation I think I have it right up to the ordinary proxy mode, since when I set the IP in the browser things happened in the /access.log when I browsed.

Isn't setting the transparent mode as simple as setting the redirect rule in the firewall?

Can you expand some more on this? I'm not sure where in the box you're referring to:
"As you had said that your squid does not start at start up confirm that your hostname is issued in the box"

Well, I actually didn't know about CHILLISPOT until now!
I spend a lot of time researching Nocat and the only pressure I'm under now is that I'm forced to run the captive portal and the auth server on the same machine, although they advised strongly about it.



Are you saying CHILLISPOT is a better option?
 
Old 08-08-2005, 08:51 PM   #5
tzouse
Member
 
Registered: May 2004
Location: Jamaica
Distribution: Red Hat 9/FC1/FC3/FC4
Posts: 35

Original Poster
Rep: Reputation: 15
BTW roopunix, which distro are you running?

I see where running the latest 2.6.10 kernel might be to my advantage.
Right now I'm running RH9 2.4... maybe that's my problem...
 
Old 08-09-2005, 02:06 AM   #6
roopunix
Member
 
Registered: Feb 2004
Location: Kathmandu
Distribution: Redhat/fedora/Suse [Wanna Drive With Debian]
Posts: 208

Rep: Reputation: 30
Well, I am also using a Redhat 9 box with squid. I am running chillispot on the other box. That too is a Redhat 9. I redirect my chillispot authenticated users to the squid box. As I have understood your scenario, you are natting and proxying on the same box, right? The following is my natting and transparent configuration on a Redhat 9 box.

#vi /etc/squid/squid.conf

Search for this string:
3128

then it should be like this

http_port 3128

then find 192.168. after that do the following

#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl our_networks src 139.61.0.0/16
http_access allow our_networks
My network is 139.61.0.0/16, so I am allowing only this network, and I am denying 192.168.1.0/24 and 192.168.2.0/24.

Now, for the transparent proxy, the following keywords need to be added.
Search for this parameter:
httpd_accel_port 80 ---- it should be commented out by default. So uncomment it and add the following things after that.

httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Now the following is my nat configuration:

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -s 139.61.0.0/16 -o eth0 -j MASQUERADE
eth1 is my lan interface, 139.61.0.0/16 is my lan network, and eth0 is my ISP [wan] side.
Hope this helps you.
 
Old 08-09-2005, 05:42 PM   #7
tzouse
Member
 
Registered: May 2004
Location: Jamaica
Distribution: Red Hat 9/FC1/FC3/FC4
Posts: 35

Original Poster
Rep: Reputation: 15
thanks, checking it now, get back to you asap
 
Old 08-10-2005, 03:45 PM   #8
tzouse
Member
 
Registered: May 2004
Location: Jamaica
Distribution: Red Hat 9/FC1/FC3/FC4
Posts: 35

Original Poster
Rep: Reputation: 15
Here's where I got caught:

........iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128.......


According to this chain the lan interface is eth1, but mine is eth0.

So it's now ..... iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128..





Respect!
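
A check for the failure this thread ends on, added here as an example and not posted by anyone in the thread: it reads `iptables -t nat -L PREROUTING -n -v` output to tell whether the port-80 REDIRECT rule sits on the LAN interface and whether its packet counter has moved, and lists any of the `httpd_accel_*` settings from post #6 that are missing from squid.conf. The helper names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
# Live use: iptables -t nat -L PREROUTING -n -v | redirect_audit eth0

# redirect_audit LAN_IF: reads the PREROUTING listing on stdin and prints
#   ok pkts=N | idle pkts=0 | wrong-iface IF pkts=N | missing
redirect_audit() {
    awk -v lan="$1" '
        $3 == "REDIRECT" && /dpt:80( |$)/ {
            found = 1
            if ($6 == lan) { good = 1; pkts = $1 }
            else if (!good) { bad = $6; badpkts = $1 }
        }
        END {
            state = (pkts == "0") ? "idle" : "ok"
            if (good)       print state " pkts=" pkts
            else if (found) print "wrong-iface " bad " pkts=" badpkts
            else            print "missing"
        }'
}

# squid_accel_missing: reads a Squid 2.5 squid.conf on stdin and prints each
# httpd_accel_* setting from post #6 that is absent or still commented out.
squid_accel_missing() {
    conf=$(grep -v '^[[:space:]]*#' || true)
    for want in "httpd_accel_host virtual" "httpd_accel_port 80" \
                "httpd_accel_with_proxy on" "httpd_accel_uses_host_header on"; do
        set -- $want
        printf '%s\n' "$conf" |
            grep -Eq "^[[:space:]]*$1[[:space:]]+$2([[:space:]]|\$)" ||
            printf '%s\n' "$want"
    done
}

# Constructed sample: the rule from post #1, bound to the internet side (eth1).
sample_wan_rule() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 412 packets, 31876 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
EOF
}

# Constructed sample: squid.conf with httpd_accel_port still commented out.
sample_squid_conf() {
    printf '%s\n' 'http_port 3128' '#httpd_accel_port 80' \
        'httpd_accel_host virtual' 'httpd_accel_with_proxy on' \
        'httpd_accel_uses_host_header on'
}

sample_wan_rule | redirect_audit eth0     # wrong-iface eth1 pkts=0
sample_squid_conf | squid_accel_missing   # httpd_accel_port 80
```

A pkts counter that stays at 0 while clients browse means their traffic is bypassing the rule, which matches an access.log that never updates.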
 
  


All times are GMT -5.