LinuxQuestions.org
Old 04-28-2005, 02:55 PM   #1
swoolley
LQ Newbie
 
Registered: Apr 2005
Location: Orlando, FL
Posts: 3

Rep: Reputation: 0
Transparent Proxying on Squid


I appreciated Jeremy Garcia's article in Linux Magazine entitled "Transparent Proxying with Squid". I have been trying to implement a Transparent Proxy with squid. I am running a Gentoo box running Linux v2.6.11 with Squid v2.5.9. The Gentoo box has a single network interface (IP 192.168.200.200) which I hope to be a transparent proxy for a Cisco router (IOS: v12.3 Internal IP: 192.168.200.1 External IP: X.X.X.X). If I manually set the proxy IP address of a client PC browser to the IP of squid, it works fine -- access.log/cache.log report proper results. If however, I unset the proxy IP in my client browser, the request times out. I do see GRE messages on squid and if I stop the squid services (once the router detects that squid is down) the request goes through. I believe I have followed Jeremy's instructions correctly (although I have not installed the module ip_wccp because I believe this is not necessary because I am running kernel 2.6.11). From the output of a few commands I am sending, it looks like this should be working. No entries appear in my access.log file (however) the squid box is seeing the request, it just does not appear to be acting on it.


show ip wccp on router
-----------------------------
Router information:
Router Identifier: 192.168.200.1
Protocol Version: 1.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 704
Redirect access-list: 112
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0

Snip from router config
-----------------------------
ip wccp version 1
ip wccp web-cache redirect-list 112
interface FastEthernet0/0
 ip address X.X.X.X 255.255.255.0
 ip wccp web-cache redirect out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!


squid2 root # ifconfig
eth0 Link encap:Ethernet HWaddr 00:0F:1F:F8:79:AA
inet addr:192.168.200.200 Bcast:192.168.200.255 Mask:255.255.255.0
inet6 addr: fe80::20f:1fff:fef8:79aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3841 errors:0 dropped:0 overruns:0 frame:0
TX packets:3867 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:732606 (715.4 Kb) TX bytes:735382 (718.1 Kb)
Interrupt:18

gre1 Link encap:UNSPEC HWaddr C0-A8-C8-C8-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:192 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9216 (9.0 Kb) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:216 (216.0 b) TX bytes:216 (216.0 b)

squid2 root # netstat -in
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 3813 0 0 0 3833 0 0 0 BMRU
gre1 1476 0 192 0 0 0 0 0 0 0 OPRU
lo 16436 0 2 0 0 0 2 0 0 0 LRU

squid2 root # tcpdump -n -i gre1
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:33:27.448919 IP 192.168.200.2.1225 > 216.109.126.22.80: S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449064 IP 192.168.200.2.1225 > 216.109.126.22.80: S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449234 IP 192.168.200.2.1225 > 216.109.126.22.80: S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449399 IP 192.168.200.2.1225 > 216.109.126.22.80: S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
 
Old 04-28-2005, 03:07 PM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
None of that crap you just posted matters.

A transparent proxy is an internal loopback with a specific port- typically 1080/8080 for the internal proxy- with forwarding on 80. It's just a setting in /etc/squid/squid.conf. Read up on squid first and understand what you are doing.

http://www.tldp.org/HOWTO/TransparentProxy.html
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
http://www.linuxsolved.com/forums/ftopic116.html

Or else install a distro made for this like clarkconnect or ipcop or another.
 
Old 04-28-2005, 03:38 PM   #3
swoolley
LQ Newbie
 
Registered: Apr 2005
Location: Orlando, FL
Posts: 3

Original Poster
Rep: Reputation: 0
I set up the squid.conf according to the article:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access <my subnet>

I created an iptables entry as such:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I kept the squid port set to its default 3128 and used the gre tunnel configuration as detailed in Jeremy's article.

I made sure packet forwarding was on:
net.ipv4.ip_forward = 1

I made sure NAT/REDIRECT and other related KERNEL modules were active in the kernel.

I made sure the gre tunnel was set up (and I thought I included the output I did to ensure readers that gre was functional and being seen by the Cisco router).

Although the distros you mentioned may be better for this type of application, I do not believe any of the technologies used (squid/iptables/gre) are exclusive to them.
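
Added example, not part of any poster's message: an offline check that compares the interface on which the redirected SYNs were captured (gre1, per the tcpdump output in post #1) with the `-i` match of the REDIRECT rule in post #3. Packets decapsulated from a GRE tunnel reach the nat PREROUTING chain with the tunnel as their input interface; the capture and rule strings are constructed from the thread, and the gre1 rule variant and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; inputs are constructed from values quoted in the thread.
# Two of the SYN lines captured on gre1 in post #1:
CAPTURE='15:33:27.448919 IP 192.168.200.2.1225 > 216.109.126.22.80: S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449064 IP 192.168.200.2.1225 > 216.109.126.22.80: S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>'
# The rule from post #3 in iptables-save form, and a hypothetical gre1 variant.
RULES_ETH0='-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
RULES_GRE1='-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# syn_dports CAPTURE: unique destination ports of the SYNs in tcpdump -n text.
syn_dports() {
    printf '%s\n' "$1" | awk '$2 == "IP" && $6 == "S" {
        d = $5; sub(/:$/, "", d); n = split(d, part, "."); print part[n]
    }' | sort -u
}

# redirect_matches RULES IFACE DPORT: succeeds if a PREROUTING REDIRECT rule
# for DPORT applies to packets whose input interface is IFACE. A rule with no
# -i match applies to every interface.
redirect_matches() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v port="$3" '
        $1 == "-A" && $2 == "PREROUTING" {
            in_if = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i")      in_if  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "REDIRECT" && dport == port && (in_if == "" || in_if == ifc))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# unhandled_ports RULES IFACE CAPTURE: ports seen arriving on IFACE that no
# REDIRECT rule would hand to the proxy.
unhandled_ports() {
    for p in $(syn_dports "$3"); do
        redirect_matches "$1" "$2" "$p" || printf '%s\n' "$p"
    done
}

echo "eth0-only rule, traffic on gre1, unhandled: $(unhandled_ports "$RULES_ETH0" gre1 "$CAPTURE")"
echo "gre1 rule,      traffic on gre1, unhandled: $(unhandled_ports "$RULES_GRE1" gre1 "$CAPTURE")"
```

On a live box the same functions accept the output of `iptables-save -t nat` and a `tcpdump -n -i gre1` capture in place of the constructed strings.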
 
  

