Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi folks your help with the following would be appreciated.
I've already trawled through some of the previously posted queries about this same problem, but nothing seems to be able to help me so far.
I have a router doing SNAT. It has a proxy server running (squid). I'm using iptables. The routing is great, everything is fine in that regard.
Squid works great too if I go into client machine web browsers and set up proxy manually. Directing web traffic through the router's proxy port 3128 works fine. I'm able to see entries in squid's access.log
But removing these manual configurations from web browsers and trying transparent proxying with:
It's not critical coz I only have a limited number of host PCs and manual configuration isn't too much of a problem. But I like to get the technology performing as it's supposed to. That's the fun, right?
Thanks for your reply cli_man. I have two NICs on my router, the external NIC is eth0 and the internal one is eth1. So I need to bind this prerouting command on interface eth1 which is the internal one, I think?
Yeah I have ip forwarding enabled and I checked out the link. I edited my squid.conf file with the following, based on what I read:
There was no "default" section in the squid.conf file for the entry httpd_accel_host, so I just added it to it.
The syntax at the CLI is ok when I enter iptables...-j REDIRECT etc...coz I get no error messages, and when I save it it shows up in my iptables script. SNAT's working fine and I have used port redirection before with ssh too.
Would appreciate any input. I've thrown myself at it, scoured the internet, but sometimes things just don't work out.
PS: the router is also doing DNS caching, apache, samba, xinetd, webmin. It's on the cheap coz we can't afford lots of servers. This shouldn't be affecting things though. But then you never know. What I'm really hoping from squid is bandwidth savings and load balancing. If the NZ$ keeps strong maybe we'll be able to afford some new servers :-)
I have set up a transparent proxy with Squid on RedHat 9 and used exactly the iptables rule you listed. Assuming you placed the right interface in the iptables rule, the next place I would examine is the Squid configuration file. In RedHat 9, this is located in /etc/squid/squid.conf.
On my server I opened the configuration file and performed the following steps.
1. Go to the section titled HTTPD-ACCELERATOR OPTIONS and make sure the following options are enabled. If an option does not exist, add it.
2. Go to the section titled ACCESS CONTROLS. The last line of this section denies all traffic through Squid by default with the following line.
http_access deny all
Unless we change this, no one will reach a web page through Squid. Since all traffic is originating on our LAN, the simplest solution is to allow all traffic by changing this line to the following.
http_access allow all
I hope this helps. This is the only configuration I performed besides the iptables rule.
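The two halves of the setup described above (the iptables REDIRECT on the internal interface from the original question, and the squid.conf changes from cli_man's reply) as one worked example. This is added example code, not anything posted in the thread. It prints the iptables rule rather than running it (no root needed), writes a Squid 2.x configuration fragment, and checks that the http_access lines are in a usable order. eth1 and port 3128 come from the thread; the LAN subnet 192.168.1.0/24 and the "lan" ACL name are constructed assumptions. It restricts clients to the LAN subnet instead of "http_access allow all", so a Squid that happens to listen on eth0 is not an open proxy.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: eth1 and 3128 are
# from the discussion; the subnet 192.168.1.0/24 is constructed.
LAN_IF=eth1
LAN_NET=192.168.1.0/24
SQUID_PORT=3128

# Print the nat-table rule that intercepts LAN web traffic. Binding it to the
# internal interface and LAN source means packets arriving on eth0 (Internet)
# are never redirected. Traffic generated on the router itself (lynx, curl)
# traverses the nat OUTPUT chain, not PREROUTING, so it is not intercepted
# either; test from a real client on the LAN.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$LAN_IF" "$LAN_NET" "$SQUID_PORT"
}

# Emit a squid.conf fragment. The httpd_accel_* directives are the Squid 2.x
# (RedHat 9 era) transparent-mode settings; the ACL limits clients to the LAN
# rather than allowing everyone.
squid_fragment() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src $LAN_NET
http_access allow lan
http_access deny all
EOF
}

# Sanity check on a squid.conf: Squid evaluates http_access lines top to
# bottom and stops at the first match, so "deny all" must come after the
# LAN allow. Returns 0 when both lines exist in the right order.
check_access_order() {
    conf="$1"
    allow_line=$(grep -n '^http_access allow lan' "$conf" | head -n1 | cut -d: -f1)
    deny_line=$(grep -n '^http_access deny all' "$conf" | head -n1 | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# Demo: write the fragment to a temp file, check it, and show the rule.
demo() {
    tmp=$(mktemp)
    squid_fragment > "$tmp"
    if check_access_order "$tmp"; then
        echo "http_access order ok"
    else
        echo "http_access order wrong: deny all would shadow the LAN allow"
    fi
    redirect_rule
    rm -f "$tmp"
}
```

Run `demo` to see the rule and the check result; paste the printed iptables line into the firewall script and the fragment into /etc/squid/squid.conf (Squid 2.x only; current Squid releases use `http_port 3128 intercept` instead of the httpd_accel_* directives).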
Thanks cli_man. I've been doing this all by remote admin and I was testing the config from the router itself using lynx. Now I'm here on site and it's working like a charm - I can test the actual client machines and not just do it from the router itself, which I think was giving me grief coz it's coming through 127.0.0.1 and that ain't in the REDIRECT statement!