Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
I am trying to configure transparent Squid (testing) on my workstation, but every time I get a negative result.
Here are the details of my distro and scenario:
My server IP is 10.10.10.97
Client IP range is 10.10.10.0/24
Squid version: squid-2.6.STABLE6-3.el5
Distro: RHEL 5.2
I am very weak with iptables.
I did a bit of searching and tried a few rules, but nothing to feel happy about.
You don't want $'s for your iptables IP addresses (unless they are bash variables, of course).
You will also need ip_forward enabled in the kernel.
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
But more importantly, unless you are running the iptables rule on a router, you won't be able to intercept traffic from other LAN hosts: the HTTP traffic doesn't travel to your workstation, so your workstation can't intercept it.
For testing, you should be able to transparently intercept your own http traffic, with
The NAT table's PREROUTING/POSTROUTING chains are for modifying packet header information (source/destination IP and port) before and after routing, respectively.
Since your workstation is not acting as a router, the PREROUTING/POSTROUTING chains aren't going to be used.
Because traffic from a LAN client goes to the router and then out to the internet, the LAN clients are effectively unaware of your workstation's presence.
The NAT table's OUTPUT chain is for modifying headers of packets generated by the host itself. So the rule is modifying HTTP packets (port 80) generated by localhost and redirecting them to Squid, running on localhost port 3128. Squid then does its thing and sends the traffic out to the internet.
You COULD add the same rule with your workstation's (the Squid server's) IP instead of 127.0.0.1, but this would negate one of the major benefits of using a transparent proxy, which is that you don't have to configure each host on the LAN to use the proxy.
If you ran the rule in PREROUTING (as your original rule was, minus the $'s, and changing the --to IP to the host running Squid, in this case your workstation) on a router (that sees all traffic from all hosts heading for the internet), you could implement it for the entire LAN.
You may not necessarily have to set up a PC as a dedicated router. Depending on how your network is set up, you should be able to do it with the existing router.
For example, in a conventional household with a DSL modem and a couple of computers, the DSL modem will act as a modem, router, firewall, etc. On that modem, it SHOULD (depending on the make/model, etc.) be possible to set up a rule that would achieve the same thing via the modem's configuration webpage. That being said, I have never tried to do this, but theoretically it should be possible.
Another example, using a Linux-based router (dedicated PC): my home network.
I have a DSL modem, which runs in bridged mode, connected to a CentOS "gateway".
My gateway maintains the connection to my ISP and handles the authentication.
My gateway also acts as a router between my subnets (WAN, LAN, WLAN, DMZ, VPN), a firewall for all those subnets, and the DNS, DHCP and Squid server. So any traffic that goes to the internet HAS to pass through my gateway, in the same sense it would through the modem in the conventional setup in my first example. As this traffic passes through my gateway, iptables analyses the packets, and anything destined for port 80 is redirected to Squid, running on the gateway itself (although this could be redirected to a dedicated Squid server just as easily).
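The three placements the reply above walks through (nat/OUTPUT for testing on the Squid host itself, nat/PREROUTING on a router that runs Squid, and a router that hands traffic to a separate Squid box) as one script. This is an added example, not code from the thread or from anyone in it. It reuses the question's values (Squid host 10.10.10.97, LAN 10.10.10.0/24, port 3128) and assumes a LAN interface named eth0, Squid running as the user "squid", and squid 2.6's `http_port ... transparent` option; it prints the commands rather than applying them, so it can be reviewed before being piped into a root shell. The third case goes beyond what the reply spells out: when Squid is on a different host than the router, the DNAT alone is not enough, because Squid would reply straight to the client from an address and port the client never connected to, so a POSTROUTING SNAT is added to pull the replies back through the router.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) the iptables
# rules for the scenarios discussed above. Values reused from the question:
# Squid host 10.10.10.97, LAN 10.10.10.0/24, Squid port 3128. Assumptions:
# the LAN-facing interface is eth0, Squid runs as the "squid" user, and
# squid 2.6 is told to accept intercepted traffic with "http_port ... transparent".
SQUID_IP="${SQUID_IP:-10.10.10.97}"
SQUID_PORT="${SQUID_PORT:-3128}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
LAN_IF="${LAN_IF:-eth0}"
SQUID_USER="${SQUID_USER:-squid}"

# squid.conf line that makes Squid treat the redirected connections as
# intercepted (squid 2.6 syntax). Without it Squid rejects the relative
# request lines ("GET / HTTP/1.1") that intercepted clients send.
squid_conf_line() {
    echo "http_port $SQUID_PORT transparent"
}

# Scenario 1: testing on the Squid host itself. Only packets generated by
# this host traverse nat/OUTPUT. Squid's own upstream fetches also leave on
# port 80, so they are excluded by owner; otherwise they would be redirected
# back into Squid and loop.
local_rules() {
    echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j RETURN"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Scenario 2: this box is the LAN's router and Squid runs on it. Forwarded
# packets traverse nat/PREROUTING, so a REDIRECT there (which rewrites only
# the destination port and targets the local box) catches every LAN client.
router_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Scenario 3: this box is the router but Squid lives on another LAN host.
# The Squid host's own port-80 traffic is exempted first (otherwise its
# upstream fetches loop back into it); DNAT sends every other client's
# port-80 connection to Squid; the POSTROUTING MASQUERADE makes Squid's
# replies travel back through the router instead of straight to the client,
# which would otherwise see a SYN-ACK from SQUID_IP:SQUID_PORT, an address
# and port it never connected to, and reset the session. The cost is that
# Squid's access log shows the router's address instead of the client's.
router_remote_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $SQUID_IP -p tcp --dport 80 -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -d $SQUID_IP -p tcp --dport $SQUID_PORT -j MASQUERADE"
}

# Select the rule set for the placement being tested.
rules_for() {
    case "$1" in
        local)  local_rules ;;
        router) router_rules ;;
        remote) router_remote_rules ;;
        *) echo "usage: $0 local|router|remote" >&2; return 1 ;;
    esac
}

# Review the output first, then pipe it into a root shell to apply it:
#   sh transparent-squid.sh router | sudo sh
if [ $# -gt 0 ]; then
    rules_for "$1"
fi
```

The rules only append; on a box that already has nat rules, list them with `iptables -t nat -L -n --line-numbers` first and flush or insert accordingly, and remember the owner match in scenario 1 only works because Squid's outbound fetches are made from the squid user's processes.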
Quote:
Is it not possible to add the firewall rules on one of the machines which is connected to all the other employees?
It would have to be connected in such a way that it sees ALL the traffic from ALL the other machines, i.e. a router.
This is the same as if you were to start pinging PC2 from PC1 and then run tcpdump on PC3: you won't see the ping packets on your computer, because they go from PC1 to the IP address you are pinging via whatever routers are in between PC1 and PC2.
Am I making a little more sense? I am probably not doing the best job of explaining it.