LinuxQuestions.org
Old 01-06-2012, 12:27 AM   #1
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Blog Entries: 4

iptables for transparent squid


Hello everyone,

I am trying to configure transparent squid (testing) on my workstation, but every time I get a negative result.
Here are the details of my distro and scenario:
my server IP is 10.10.10.97
client IP range is 10.10.10.0/24
squid version: squid-2.6.STABLE6-3.el5
distro: RHEL 5.2

I am very weak with iptables.
I did a bit of searching and tried a few rules, but nothing to feel happy about.

Here is the rule which I added in squid.conf:
Code:
#vi /etc/squid/squid.conf
http_port 3128 transparent


acl badsites dstdomain .yahoo.com
http_access deny CONNECT badsites
iptables rule:
Code:
# iptables -t nat -A PREROUTING -s $10.10.10.30 -p tcp --dport 80 -j DNAT --to $10.10.10.97:3128
I also followed some links:
http://www.cyberciti.biz/tips/linux-...uid-howto.html

http://www.delodder.be/blog/ubuntu/t...-with-one-nic/

but no luck.
Earlier I was trying with these lines in my squid file, but it returned with an error:

Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Code:
#service squid restart

Code:
Stopping squid: 2012/01/06 17:23:29| parseConfigFile: line 2521 unrecognized: 'httpd_accel_host virtual'
2012/01/06 17:23:29| parseConfigFile: line 2522 unrecognized: 'httpd_accel_port 80'
2012/01/06 17:23:29| parseConfigFile: line 2523 unrecognized: 'httpd_accel_with_proxy on'
2012/01/06 17:23:29| parseConfigFile: line 2524 unrecognized: 'httpd_accel_uses_host_header on'
                                                           [  OK  ]
Starting squid: .                                          [  OK  ]
So what am I supposed to do to make my squid work on my client in transparent mode?
 
Old 01-06-2012, 02:54 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

You don't want $'s for your iptables IP addresses (unless they are a bash variable, of course).

You will also need ip_forward enabled in the kernel.
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
But more importantly, unless you run the iptables rule on a router, you won't be able to intercept traffic from other LAN hosts, since the HTTP traffic doesn't travel to your workstation, so your workstation can't intercept it.
For testing, you should be able to transparently intercept your own HTTP traffic with:
Code:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128
 
1 members found this post helpful.
Old 01-06-2012, 03:07 AM   #3
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195

Original Poster
Blog Entries: 4

Yes, now after adding that firewall rule my transparent squid seems to be working.

Can you explain to me the meaning of the rule you have specified?

And is it not possible to check it on my network 10.10.10.0/24?
 
Old 01-06-2012, 03:26 AM   #4
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

The NAT table's PREROUTING and POSTROUTING chains are for modifying the packet header information (source/destination IP and port) before and after routing, respectively.

Since your workstation is not acting as a router, the PREROUTING/POSTROUTING chains aren't going to be used.

Because traffic from a LAN client goes to the router and then out to the internet, the LAN clients are effectively unaware of your workstation's presence.

The NAT table's OUTPUT chain is for modifying headers of packets generated by the host itself. So the rule is modifying HTTP packets (port 80) generated by the local host and redirecting them to squid, running on localhost port 3128. Squid then does its thing and sends the traffic out to the internet.

You COULD add the same rule with your workstation's (the squid server's) IP instead of 127.0.0.1, but this would negate one of the major benefits of using a transparent proxy, which is the fact that you don't have to configure each host on the LAN to use the proxy.

If you ran the rule in PREROUTING (as your original rule was, minus the $'s, and changing the --to IP to the host running squid, in this case your workstation) on a router (that sees all traffic from all hosts heading for the internet), you could implement it for the entire LAN.
 
1 members found this post helpful.
Old 01-06-2012, 04:00 AM   #5
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195

Original Poster
Blog Entries: 4

Please don't mind if my question sounds foolish.

According to you, I need to configure a machine as a router and then implement the firewall rules to make it work for all other employees on the LAN?

Is it not possible to add the firewall rules on one of the machines which is connected to all other employees?
 
Old 01-06-2012, 04:21 AM   #6
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

You may not necessarily have to set up a PC as a dedicated router. Depending on how your network is set up, you should be able to do it with the existing router.

For example, in a conventional household with a DSL modem and a couple of computers, the DSL modem will act as a modem, router, firewall, etc. On that modem, it SHOULD (depending on the make/model etc.) be possible to set up a rule that would achieve the same thing, via the modem's configuration webpage. That being said, I have never tried to do this, but theoretically it should be possible.

Another example, using a Linux-based router (dedicated PC): my home network.
I have a DSL modem, which runs in bridged mode, connected to a CentOS "gateway".
My gateway maintains the connection to my ISP and handles the authentication.
My gateway also acts as a router between my subnets (WAN, LAN, WLAN, DMZ, VPN), firewall for all those subnets, and DNS, DHCP, and squid server. So any traffic that goes to the internet HAS to pass through my gateway, in the same sense it would through a modem in the conventional setup in my first example. As this traffic is passed through my gateway, iptables analyses the packets, and anything destined for port 80 is redirected to squid, running on the gateway itself (although this could be redirected to a dedicated squid server just as easily).

Quote:
Is it not possible to add the firewall rules on one of the machines which is connected to all other employees?
It would have to be connected in such a way that it sees ALL the traffic from ALL the other machines, i.e. a router.
This is the same as if you were to start pinging PC2 from PC1 and then run tcpdump on PC3: you won't see the ping packets on your computer, because they go from PC1 to the IP address you are pinging, via whatever routers are in between PC1 and PC2.

Am I making a little more sense? I am probably not doing the best job of explaining it.
 
1 members found this post helpful.
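As an added example (not code from either poster), the script below builds the two rule sets this thread discusses: the nat OUTPUT redirect from post #2 for testing on the squid host itself, and the PREROUTING redirect from post #4 placed on the Linux gateway that post #6 describes. It prints the commands unless run with --apply, and it adds two things the one-liners omit: an exemption for packets generated by the squid daemon's own user (otherwise squid's outbound port-80 fetches are redirected back into squid and loop), and a restriction to the LAN source range that leaves LAN-internal web traffic alone. Assumptions: squid listens on 3128 (the thread's "http_port 3128 transparent"), in router mode it runs on the gateway itself, and the daemon's user is named "squid" (distro-dependent; the `-m owner --uid-owner` match is standard netfilter).

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands for
# transparent squid in the two situations discussed; "--apply" runs them.
#   usage: ./tproxy.sh local|router SQUID_IP LAN_CIDR [--apply]
# Assumptions: squid listens on 3128 (http_port 3128 transparent) and, in
# router mode, runs on the gateway itself; the daemon's user is "squid"
# (check with: ps -o user= -C squid), which is distro-dependent.
transparent_proxy_rules() {
    mode=$1; squid_ip=$2; lan=$3; port=3128; squid_user=squid
    case $mode in
    local)
        # Testing on the squid host: only locally generated packets traverse
        # nat/OUTPUT, so other LAN hosts are never seen here. Exempt the
        # daemon's own user first, or squid's outbound port-80 fetches are
        # redirected back to 3128 and loop.
        echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $squid_user -j RETURN"
        echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:$port"
        ;;
    router)
        # On the gateway that forwards the LAN's traffic: forwarded packets
        # traverse nat/PREROUTING. Forwarding must be on; only the LAN source
        # range is intercepted, and LAN-internal web traffic is left alone.
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
        echo "iptables -t nat -A PREROUTING -s $lan ! -d $lan -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$port"
        # The redirected connections now arrive locally on 3128; let them in.
        echo "iptables -A INPUT -s $lan -p tcp --dport $port -j ACCEPT"
        ;;
    *)
        echo "unknown mode: $mode (use local or router)" >&2
        return 1
        ;;
    esac
}

# Print the commands, or execute them when --apply is given (needs root).
run() {
    if [ "$4" = "--apply" ]; then
        transparent_proxy_rules "$1" "$2" "$3" | sh -e
    else
        transparent_proxy_rules "$1" "$2" "$3"
    fi
}

if [ $# -ge 3 ]; then run "$@"; fi
```

Note that only port 80 is intercepted either way, so an access rule keyed on the CONNECT method, like the first post's "http_access deny CONNECT badsites", never matches intercepted requests (they arrive as plain GET/POST); a dstdomain deny meant for them needs "http_access deny badsites".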
Old 01-06-2012, 04:27 AM   #7
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195

Original Poster
Blog Entries: 4

I think I understand what you are trying to explain.

That was really helpful.

Thanks.

I am just trying to make my networking part strong starting from basics.
 