LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 10-14-2009, 04:07 PM   #1
andy.schmid
LQ Newbie
 
Registered: Oct 2009
Posts: 2

Rep: Reputation: 0
Question about IPTABLES Configuration / Squid Proxy


Hi,

Here is quick info on my environment -
I have a CentOS 5.3 box server as firewall/gateway/router.
It has two interfaces
eth0 - public internetIP
eth1 - internal network IP (10.9.32.1)

The server hands out DHCP to all clients, and the server is the gateway.

I have installed squid proxy, and configured it to allow the local subnet, and added transparent option.

I added this to my iptables
# http proxy redirect

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.32.1:3128
-A POSTROUTING -o eth0 -j MASQUERADE

The transparent caching now appears to work. However I came across this article which says this: "WARNING: This method of interception is not recommended. There are other methods such as Proxy.PAC and http_proxy environment variable which are as effective and less intrusive when multiple clients are involved."
http://wiki.squid-cache.org/ConfigEx...rcept/AtSource

So I am trying to find the better way to do this. This is what I have come up with so far but does not seem to be working:
-A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -o eth0 -j MASQUERADE

Is this correct? Does anyone have better suggestions on how to do this?

Thanks.

Last edited by andy.schmid; 10-14-2009 at 04:08 PM.
 
Old 10-15-2009, 10:31 AM   #2
favoretti
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Rep: Reputation: 0
Hi,

You're mixing two things. NAT interception is something which allows you transparent proxying _without_ browser configuration.

WPAC and other stuff feeds proxy config to the browsers, and is not supported by all browsers.

So there's nothing wrong in the solution you used in the first place.

Cheers,
Favoretti
 
Old 10-15-2009, 10:37 AM   #3
andy.schmid
LQ Newbie
 
Registered: Oct 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks, I understand now how I confused the two.

Now, just for my knowledge, what would be the difference between using the DNAT and the REDIRECT for interception?

Is one better then the other? Or are they for different applicable situations?
 
Old 10-15-2009, 10:54 AM   #4
favoretti
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Rep: Reputation: 0
Redirect won't work in this case, cuz it changes destination address in the packet, which is not the point in this case
 
Old 10-15-2009, 11:14 AM   #5
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
Now, just for my knowledge, what would be the difference between using the DNAT and the REDIRECT for interception?
This is from the iptables man page:
Quote:
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUT-
PUT chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the 127.0.0.1 address).
Therefore, the following two rules are equivalent:

Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.32.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

Last edited by Berhanie; 10-15-2009 at 11:17 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
squid proxy server configuration & distribution of internet without proxy gaurav_gupta082 Linux From Scratch 2 07-31-2010 11:25 AM
squid proxy-only configuration SPEEDEX Linux - Server 0 06-18-2009 03:38 AM
Squid configuration question. Client => HTTPS => proxy => HTTP => webserver newhere Fedora 5 02-21-2009 01:33 PM
squid proxy with iptables ssilayaraja Linux - Networking 7 04-14-2008 12:15 AM
Squid proxy configuration mukeshrathod15 Linux - Networking 2 01-29-2007 11:33 PM


All times are GMT -5. The time now is 07:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration