LinuxQuestions.org
Old 11-17-2008, 10:07 AM   #1
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Rep: Reputation: 16
Squid In Transparent Mode...


Hi there all,

I have checked that this question has not been dealt with before on the latest kernel version of Linux.

I am using Ubuntu Linux 8.04.1, with kernel 2.6.24-16-server and Squid version 2.6.STABLE18. I have configured squid to work in transparent mode by using the 'transparent' option after the 'http_port 3128' command in squid.conf.

When I set the proxy settings in my browser, squid works fine, but if I remove them, it does not work transparently. I have read about doing forwarding in the firewall, and I have set the following parameters there:

-A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 192.168.1.1:3128
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

My eth0 is my Internet interface, while eth1 is my LAN interface.

Where am I going wrong?

I have noticed that the access.log is empty when computers try squid in transparent mode, whereas with the proxy settings entered in the browser, the access.log gets data in there.

The client computers are browsing in either mode.
 
Old 11-17-2008, 11:00 AM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
Hi,

And welcome to LQ!

Could you try with just one pre-routing rule?
Code:
iptables -A PREROUTING -i "eth1" -p tcp –dport 80 -j REDIRECT –to-port 3128
Cheers,
Tink
 
Old 11-17-2008, 12:01 PM   #3
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
I can just insert that code in the iptables.up.rules file?
 
Old 11-17-2008, 02:13 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
Sorry, I cannot answer this; I have no idea how ubuntu handles
iptables. Maybe someone else can chime in?



Cheers,
Tink
 
Old 11-17-2008, 02:24 PM   #5
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Tinkster,

I think I have an idea how to insert that command, I will let you know the result tomorrow. Thanks for your response.

Regards,

Frank
 
Old 11-18-2008, 02:07 AM   #6
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Hi Tinkster,

I inserted that code, and the result was that all clients could have access to the Internet. Client computers stopped browsing.

What's the difference between the code you gave me...

iptables -A PREROUTING -i "eth1" -p tcp –dport 80 -j REDIRECT –to-port 3128

and the one I had in earlier...

iptables -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128?

They seem identical except towards the end.


Regards,

Frank

Last edited by Frank Ng'andwe; 11-18-2008 at 02:11 AM.
 
Old 11-18-2008, 02:43 AM   #7
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
What I was trying to get at is that the line with the DNAT
might have been wrong. It's been a while since I set up
squid as a transparent proxy, but I couldn't remember DNATing
it ...


Have you still got that rule loaded?
 
Old 11-18-2008, 03:04 AM   #8
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
What I have now is this rule...

-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

And the client PCs are browsing, but I doubt whether the transparent proxying/caching is working.
 
Old 11-18-2008, 03:29 AM   #9
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Stop squid and try browsing. That'll tell you if it's working.

Here's my firewall rule btw, which looks pretty much the same (and it works):

$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
 
Old 11-18-2008, 04:51 AM   #10
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Hi Billy,

I stopped squid and guess what? The client computers were still browsing. The squid box is also my gateway to the Internet. I want to try your code now, since it has the '-t nat' command which was not in Tinkster's code.

Could that make a difference?

Regards,

Frank
 
Old 11-18-2008, 05:09 AM   #11
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Billy,

I've tried your code and when I did, the firewall did not like the '-t nat' command and it did not work.

Regards,

Frank
 
Old 11-18-2008, 05:14 AM   #12
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
-t nat

isn't a command. What exactly did it say? Have you enabled nat?
 
Old 11-18-2008, 05:43 AM   #13
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Yes, NAT is working fine. Like stated above, even without squid, the client PC's are able to browse. However, I would like squid to work in transparent mode so that I do not have to configure their browsers for proxy settings.

It seems squid is not working in transparent mode, even though my squid.conf has the 'transparent' option added to the 'http_port' command. When I enter the proxy settings in the browser, then squid works fine because I can see entries in the access.log file.
 
Old 11-18-2008, 05:59 AM   #14
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Rep: Reputation: Disabled
But I guess even if your squid is not working in transparent mode, if squid is turned off, clients should not be able to access the net. If they are able to do that, you need to sort out this issue first. And if the squid is your gateway to the internet for clients, they should not go to the internet if it is off.
You may want to look into this link for transparent squid configuration.

http://www.cyberciti.biz/tips/linux-...uid-howto.html
 
Old 11-18-2008, 07:53 AM   #15
Frank Ng'andwe
Member
 
Registered: Nov 2008
Location: Lusaka, Zambia
Distribution: ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Linuxlover,

The link you have directed me to uses an old version of squid. With the current version I have, these commands are no longer applicable...

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
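
Added example, not part of any post in this thread: a small shell lint for an iptables-restore style rules file that flags the three pitfalls the posts above run into, namely a REDIRECT/DNAT rule outside the nat table, a second rule shadowed by an earlier NAT rule on the same interface and port, and typographic dashes pasted in place of `--`. The helper names `check_rules` and `sample_rules` are hypothetical, the sample file is constructed from the rules quoted in the thread, and it is an assumption that iptables.up.rules uses the iptables-save format.

```shell
#!/bin/sh
# Added example (not from the thread). Lints an iptables-restore style file.
# check_rules and sample_rules are hypothetical helper names.

check_rules() {  # usage: check_rules FILE ; prints one finding per line
  awk '
    /^\*/     { table = substr($1, 2); next }   # table header, e.g. *nat
    /^COMMIT/ { table = ""; next }
    /^-A /    {
      # En/em dashes pasted from a web page are not option prefixes.
      if (index($0, "–") || index($0, "—"))
        print NR ": typographic dash instead of -- in an option"
      target = iface = dport = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-j")      target = $(i + 1)
        if ($i == "-i")      iface  = $(i + 1)
        if ($i == "--dport") dport  = $(i + 1)
      }
      if (target != "REDIRECT" && target != "DNAT") next
      # REDIRECT and DNAT are only valid in the nat table.
      if (table != "nat")
        print NR ": " target " outside *nat (table: " (table == "" ? "none" : table) ")"
      # The first matching NAT rule wins, so a later rule with the same
      # chain, interface and port never sees the packet.
      key = table "/" $2 "/" iface "/" dport
      if (key in first) print NR ": shadowed by line " first[key]
      else first[key] = NR
    }
  ' "$1"
}

sample_rules() {  # constructed input built from the rules quoted in the thread
  cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 192.168.1.1:3128
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-port 3128
COMMIT
EOF
}

tmp=$(mktemp) && sample_rules > "$tmp" && check_rules "$tmp"
rm -f "$tmp"
```

Run `check_rules` against the rules file before loading it with iptables-restore; an empty result means none of the three conditions was found.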
 
  

