Squid transparent proxy with iptables

cksoo · 06-09-2008, 08:10 PM

HI,

I just setup a squid transparent proxy with iptables, however, when I check the log i found that all the proxy traffic will just take down the ip for iptables no the original traffic which come from the clients ip address.

May I know how can I over come this problem so that my proxy log will show the the original ip that traffic come from instead of the ip address for the iptables box.

thanks.

ramram29 · 06-11-2008, 11:33 PM

I use a combination of transparent squid, sarg and webmin to log my squid clients. Try sarg.

ledow · 06-12-2008, 03:31 AM

Well, I think you're missing an option somewhere.

Standard squid transparent proxy here (no "plugins"/redirectors installed), with IPtables redirection and I get the clients IP in all my squid logs.

I'd check that you have the right options installed for transparent proxying in squid.conf and that you are using a fairly recent version.

dbmacartney · 06-12-2008, 03:37 AM

Just so I am understanding this correctly. your clients browse the internet like the below text diagram?

client>>>>Transparent Proxy(iptables redirects 80 to 8080 to be logged by squid) >>> internet gateway/modem

if this is the case, what rule are you using in IP tables to redirect port 80? You will need to add a prerouting DNAT rule so that the source IP information is maintained. A normal redirect rule will change the packet header so that the packet will appear to be coming from the transparent proxy and not the requesting client, in this situation.

dbmacartney · 06-12-2008, 03:48 AM

further to my previous post. the below rule should be what you are after. However I dont have a box I can confirm this on available at the moment. I hope it helps anywawy.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

eth0 is the interface accepting the requests from your network.
80 is the port for standard http traffic from your clients.
8080 is the port that is configured for squid, unless you have changed it to something else to suite your environment.

ledow · 06-12-2008, 03:53 AM

Quote:

Originally Posted by dbmacartney

You will need to add a prerouting DNAT rule so that the source IP information is maintained. A normal redirect rule will change the packet header so that the packet will appear to be coming from the transparent proxy and not the requesting client, in this situation.

Mmm. Okay, I don't know what the original poster has but I'm not sure this is 100% true.

I have a basic transparent proxy running into a couple of places and one in particular that I can access at the moment - it's a long time since I set this system up and I have only sparse access to it (it's a production server for a school) but I *don't* have DNAT rules, only REDIRECT's on my particular setup, although I don't doubt that they may have an effect in some configurations.

However, I do seem to have Squid 3.0STABLE1, which may make a difference, and "transparent" on the http_port line. I don't ever remember doing anything specific to make logging of IP's work on any version of squid I've used to do transparent proxying.