LinuxQuestions.org
Old 09-25-2003, 05:56 PM   #1
1jamie
Registered: Aug 2003
Location: NZ
Distribution: redhat 9
Posts: 15

Squid Transparent Proxy


Hi folks your help with the following would be appreciated.

I've already trawled through some of the previously posted queries about this same problem, but nothing seems to be able to help me so far.

I have a router doing SNAT. It has a proxy server running (squid). I'm using iptables. The routing is great, everything is fine in that regard.

Squid works great too if I go into client machine web browsers and set up proxy manually. Directing web traffic through the router's proxy port 3128 works fine. I'm able to see entries in squid's access.log

But removing these manual configurations from web browsers and trying transparent proxying with:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

fails miserably. I've tried

--to-port 192.168.1.10:3128

but it too fails.

It's not critical coz I only have a limited number of host PCs and manual configuration isn't too much of a problem. But I like to get the technology performing as it's supposed to. That's the fun, right?

Any help?

jamie (NZ)
 
Old 09-25-2003, 08:04 PM   #2
cli_man
Registered: Apr 2002
Location: New York, USA
Distribution: Redhat 7.2, 9.0 Slackware 9.1
Posts: 428

One thing that sticks out: do you have 2 ethernet cards in the server? I see you have it using eth0, so I thought I might ask. The command for iptables I am using is:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Also you might want to check out the following page:

http://squid.visolve.com/white_paper...#aboutiptables

Read the iptables section and the section after it; that might shed some light on your transparent proxy problems.
 
Old 09-25-2003, 08:43 PM   #3
1jamie
Thanks for your reply cli_man. I have two NICs on my router; the external NIC is eth0 and the internal one is eth1. So I need to bind this prerouting command on interface eth1, which is the internal one, I think?

Squid is listening on the internal NIC only.

jamie (NZ)
 
Old 09-25-2003, 08:55 PM   #4
cli_man
Do you have routing enabled? If not, just run as root:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also, did you check out the link I gave above? It has the settings needed to run transparent caching.

Also, one more thing: is the clients' default gateway that of the squid server? And if it is, can you do a tracert www.google.com and see that it is going through the cache server?
 
Old 09-25-2003, 10:46 PM   #5
1jamie
Yeah I have ip forwarding enabled and I checked out the link. I edited my squid.conf file with the following, based on what I read:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

There was no "default" section in the squid.conf file for the entry httpd_accel_host, so I just added it.

The syntax at the cli is ok when I enter iptables...-j REDIRECT etc...coz I get no error messages, and when I save it it shows up in my iptables script. SNAT's working fine and I have used port redirection before with ssh too.

Would appreciate any input. I've thrown myself at it, scoured the internet, but sometimes things just don't work out.

jamie (NZ)

PS: the router is also doing DNS caching, apache, samba, xinetd, webmin. It's on the cheap coz we can't afford lots of servers. This shouldn't be affecting things though. But then you never know. What I'm really hoping for from squid is bandwidth savings and load balancing. If the NZ$ keeps strong maybe we'll be able to afford some new servers :-)
 
Old 09-25-2003, 10:55 PM   #6
viz
Registered: Sep 2003
Posts: 4

I have set up a transparent proxy with Squid on RedHat 9 and used exactly the iptables rule you listed. Assuming you placed the right interface in the iptables rule, the next place I would examine is the Squid configuration file. In RedHat 9, this is located in /etc/squid/squid.conf.

On my server I opened the configuration file and performed the following steps.

1. Go to the section titled HTTPD-ACCELERATOR OPTIONS and make sure the following options are enabled. If an option does not exist, add it.

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

2. Go to the section titled ACCESS CONTROLS. The last line of this section denies all traffic through Squid by default with the following line.

http_access deny all

Unless we change this, no one will reach a web page through Squid. Since all traffic is originating on our LAN, the simplest solution is to allow all traffic by changing this line to the following.

http_access allow all

I hope this helps. This is the only configuration I performed besides the iptables rule.
 
Old 09-25-2003, 11:07 PM   #7
1jamie
Thanks cli_man. I've been doing this all by remote admin and I was testing the config from the router itself using lynx. Now I'm here on site and it's working like a charm - I can test the actual client machines and not just do it using the router itself, which I think was giving me grief coz it's coming through 127.0.0.1 and that ain't in the REDIRECT statement!

THANKS, Kia Ora as we say down here!

jamie (NZ)
 
Old 09-26-2003, 06:09 AM   #8
cli_man
I am glad that worked for you. Probably what you ran into when using lynx was that you didn't have a proper acl set up for 127.0.0.1, but the rest of your network works fine.

I have been setting up transparent proxies left and right, so I am glad to be able to help someone else.
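Added example, not from the thread or from any poster: an offline sanity check for the two things this thread turned on, viz's squid.conf steps (post #6) and the discovery that testing with lynx on the router itself never hits the PREROUTING rule (posts #7 and #8). It is POSIX shell run over constructed iptables-save and squid.conf text; eth1, 192.168.1.0/24 and 203.0.113.10 are assumed values, and the LAN-only acl is a tighter stand-in for the "allow all" line.

```shell
# Constructed `iptables-save -t nat` output: REDIRECT on the internal NIC (eth1) only.
NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT'

# Constructed squid.conf fragment: the accelerator options from the thread plus a
# LAN-only ACL in place of "allow all" (192.168.1.0/24 is an assumed internal subnet).
SQUID_CONF='httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny all'

# Succeeds if PREROUTING redirects port 80 arriving on interface $2 to squid port $3.
has_redirect() {  # $1=rules $2=iface $3=port
    printf '%s\n' "$1" | grep -Eq "^-A PREROUTING .*-i $2 .*--dport 80 .*-j REDIRECT --to-ports $3\$"
}

# Packets generated on the router itself (lynx run locally) hit nat OUTPUT, never
# PREROUTING, so the rule above cannot be exercised from the router. An OUTPUT REDIRECT
# would also catch squid's own upstream fetches unless excluded; test from a LAN client.
has_output_redirect() {  # $1=rules $2=port
    printf '%s\n' "$1" | grep -Eq "^-A OUTPUT .*--dport 80 .*-j REDIRECT --to-ports $2\$"
}

# Prints the misspelled directive "http-access" (hyphen) if present; squid only
# recognises "http_access". Prints nothing when the fragment is clean.
squid_typos() {  # $1=squid.conf text
    printf '%s\n' "$1" | grep -Eo '^http-access' | sort -u
}

# Squid evaluates http_access top down, first match wins. Succeeds only if some
# "http_access allow" line is reachable before the trailing "http_access deny all".
allow_precedes_deny_all() {  # $1=squid.conf text
    printf '%s\n' "$1" | awk '
        $1 == "http_access" && $2 == "allow" { seen = 1 }
        $1 == "http_access" && $2 == "deny" && $3 == "all" { exit !seen }
        END { exit !seen }'
}

has_redirect "$NAT_RULES" eth1 3128 && echo "PREROUTING REDIRECT on eth1: ok" || echo "REDIRECT on eth1: MISSING"
has_output_redirect "$NAT_RULES" 3128 || echo "no OUTPUT REDIRECT: test from a LAN client, not from the router"
[ -z "$(squid_typos "$SQUID_CONF")" ] && echo "squid.conf directive spelling: ok"
allow_precedes_deny_all "$SQUID_CONF" && echo "http_access order: ok" || echo "http_access: deny all blocks everyone"
```

On a live router the same functions can be fed `iptables-save -t nat` and `cat /etc/squid/squid.conf` output in place of the constructed strings.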
 
  


All times are GMT -5.