Hi,

Here is quick info on my environment -
I have a CentOS 5.3 box server as firewall/gateway/router.
It has two interfaces
eth0 - public internetIP
eth1 - internal network IP (10.9.32.1)

The server hands out DHCP to all clients, and the server is the gateway.

I have installed squid proxy, and configured it to allow the local subnet, and added transparent option.

I added this to my iptables
# http proxy redirect

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.32.1:3128
-A POSTROUTING -o eth0 -j MASQUERADE

The transparent caching now appears to work. However I came across this article which says this: "WARNING: This method of interception is not recommended. There are other methods such as Proxy.PAC and http_proxy environment variable which are as effective and less intrusive when multiple clients are involved."
http://wiki.squid-cache.org/ConfigEx...rcept/AtSource

So I am trying to find the better way to do this. This is what I have come up with so far but does not seem to be working:
-A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -o eth0 -j MASQUERADE

Is this correct? Does anyone have better suggestions on how to do this?

Thanks.

Hi,

You're mixing two things. NAT interception is something which allows you transparent proxying _without_ browser configuration.

WPAC and other stuff feeds proxy config to the browsers, and is not supported by all browsers.

So there's nothing wrong in the solution you used in the first place.

Cheers,
Favoretti

Thanks, I understand now how I confused the two.

Now, just for my knowledge, what would be the difference between using the DNAT and the REDIRECT for interception?

Is one better then the other? Or are they for different applicable situations?

Redirect won't work in this case, cuz it changes destination address in the packet, which is not the point in this case

This is from the iptables man page:Therefore, the following two rules are equivalent: