squid at ISP
How are you all?
I have the following scenario.
Example
My RAS = 192.168.3.1/28 (clients get the IP range 192.168.3.32/27) (default gw of RAS defined as ip route 0.0.0.0 0.0.0.0 192.168.3.2)
My Router = 192.168.3.2/28 (defined route towards 192.168.3.1 as ip route 192.168.3.32 255.255.255.224 192.168.3.1)
The above-mentioned setup is without proxy and working fine,
but now I want to implement a proxy.
I have configured a transparent proxy (also working as DNS) with IP 192.168.3.17/28 (only one network card, connected to the same switch which is connected to the Router and RAS) and tested it on the LAN, where it is working fine. But when I want to implement it on the WAN it does not work.
I do as follows:
I changed my default gw of RAS from 192.168.3.2 to 192.168.3.17 and also defined a route in RAS for 192.168.3.17 as 192.168.3.17 255.255.255.240 192.168.3.2 (now I can ping 192.168.3.17 from RAS 192.168.3.1).
I have enabled routing in the proxy using
echo 1 > /proc/sys/net/ipv4/ip_forward
I have also defined a rule in iptables nat PREROUTING, i.e.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
which worked on a single LAN.
But this is not working for me. I want to know how to implement a transparent proxy at ISP level.
I don't want to use my router for redirecting traffic to the proxy (because it is an old router and rules do not work well on it). I want to use the Linux box as router and proxy in the above-mentioned scenario.
I hope you understand the scenario and will help me.
I want to use Linux as follows:
        -----------------
        -      RAS      -
        -----------------
                |
                |
                |
        -----------------       -------------------
        -     Switch    - ------| Linux as Router |
        -----------------       -------------------
                |
                |
                |
        -----------------
        -     Router    -
        -----------------
                |
                |
                |
            Main Links
I don't want to disturb my main links, which go through the router; I just want to add a Linux box as a router only to redirect RAS traffic to Squid.
Here is the output of my squid.conf and iptables:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 3000 16 256
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
iptables
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:squid
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
nat
[root@cache2 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
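A scoped version of the redirect setup for this one-armed layout, added here as an example; it is not the poster's configuration. The addresses come from the post (proxy 192.168.3.17, router 192.168.3.2, RAS 192.168.3.1, client pool 192.168.3.32/27); the interface name eth0, the helper chain RAS_INPUT and the use of iptables -C (iptables 1.4.11 and later) are assumptions. Two things the posted configuration does not cover: with a single NIC the box forwards packets back out the interface they arrived on, so the kernel will emit ICMP redirects that advertise 192.168.3.2 as the shorter path unless send_redirects is switched off; and the posted REDIRECT rule together with acl all src 0.0.0.0/0.0.0.0 and http_access allow all intercepts and proxies for any source that can reach the box, so both the nat rule and the Squid access list below are limited to the client pool. The audit function checks an iptables -t nat -L dump for REDIRECT rules that still match "anywhere".

```shell
#!/bin/sh
# Added example: a one-armed transparent Squid box for the scenario above.
# Not the poster's configuration. Addresses are from the post; the interface
# name (eth0) and the helper chain name (RAS_INPUT) are assumptions.
PROXY_IP="${PROXY_IP:-192.168.3.17}"        # Linux box, single NIC
UPSTREAM_GW="${UPSTREAM_GW:-192.168.3.2}"   # existing router towards the main links
RAS_IP="${RAS_IP:-192.168.3.1}"             # RAS that terminates the dial-in clients
CLIENT_NET="${CLIENT_NET:-192.168.3.32/27}" # dial-in client pool
SQUID_PORT="${SQUID_PORT:-3128}"
LAN_IF="${LAN_IF:-eth0}"                    # assumed interface name

# Rule list, one per line: table, chain, rule spec. Only traffic from the client
# pool is intercepted, and traffic addressed to the proxy itself is left alone so
# clients that configure the proxy explicitly still reach port 3128 directly.
rules() {
  cat <<EOF
nat PREROUTING -i ${LAN_IF} -s ${CLIENT_NET} -d ${PROXY_IP} -j RETURN
nat PREROUTING -i ${LAN_IF} -s ${CLIENT_NET} -p tcp --dport 80 -j REDIRECT --to-ports ${SQUID_PORT}
filter RAS_INPUT -s ${CLIENT_NET} -j ACCEPT
filter RAS_INPUT -j DROP
EOF
}

# Squid access list to replace the post's "http_access allow all": keep the
# standard denies, then allow only the client pool.
squid_acl() {
  cat <<EOF
acl ras_clients src ${CLIENT_NET}
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ras_clients
http_access deny all
EOF
}

# Audit an "iptables -t nat -L" dump read from stdin: succeed only if every
# REDIRECT rule names an explicit source network instead of "anywhere".
redirect_rules_scoped() {
  awk '$1 == "REDIRECT" && $4 == "anywhere" { bad = 1 } END { exit bad + 0 }'
}

# Apply everything (needs root). Safe to re-run: rules are added only if absent.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  # One NIC means packets leave on the interface they arrived on; without this
  # the kernel sends ICMP redirects that invite the RAS to bypass the box.
  sysctl -w net.ipv4.conf.all.send_redirects=0
  sysctl -w "net.ipv4.conf.${LAN_IF}.send_redirects=0"
  # Upstream via the old router; the client pool is reached through the RAS.
  ip route replace default via "$UPSTREAM_GW" dev "$LAN_IF"
  ip route replace "$CLIENT_NET" via "$RAS_IP" dev "$LAN_IF"
  # Dedicated chain for port 3128, evaluated before the existing INPUT rules.
  iptables -N RAS_INPUT 2>/dev/null || iptables -F RAS_INPUT
  iptables -C INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j RAS_INPUT 2>/dev/null \
    || iptables -I INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j RAS_INPUT
  rules | while read -r table chain spec; do
    # $spec is intentionally word-split into iptables arguments
    iptables -t "$table" -C "$chain" $spec 2>/dev/null || iptables -t "$table" -A "$chain" $spec
  done
}

case "${1:-show}" in
  apply) apply_rules ;;
  audit) iptables -t nat -L | redirect_rules_scoped && echo "REDIRECT rules are scoped" ;;
  *)     rules; squid_acl ;;
esac
```

Run it without arguments to print the rule list and the Squid access-list fragment for review, with `apply` as root to install them, and with `audit` on a running box to check the nat table. Non-HTTP traffic from the pool is simply forwarded to 192.168.3.2; the old router already has its static route for 192.168.3.32/27 via the RAS, so replies never need to pass through the proxy box.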