Dear All,

I have to machines running as transparent proxys at 2 different cyber cafes. Same configuracion, same network layout, same ISP. They are running Red Hat and Squid 2.5.STABLE1.

Yesterday i had to reinstall 1 of the machines, so I installed linux, copied all the configuration files from the other linux (list bellow), and restarted it.

/etc/sysctl.conf (enabled packet forwarding)
/etc/sysconfig/network-scripts/ifcfg-eth0 (dhcp internet)
/etc/sysconfig/network-scripts/ifcfg-eth1 (static network)
/etc/resolv.conf
/etc/rc.d/rc.local
/etc/squid/squid.conf

But now i have a problem, the machine connects to the internet, and to the network, but the proxy is now listening on port 3160 only, and not as a transparent proxy as it should.

If I configure any of the computers in the network to connect to the proxy to the port 3160 it works perfect. But i need it to work as a transparent proxy as I have another isp for online games and it won't work if i change ie configuration.

I tryed to redirect port (comented line in rc.local) 3160 to 80 but it dint work.

There must be something i forgot to configure but i can't find out what it is, i mean both machines should work as they have the same configuration.

In case it helps here are the contents of the files in the list.

I would really apreciate any help.

Thanks, Ezequiel

===========

/etc/sysctl.conf

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 1

kernel.sysrq = 0

kernel.core_uses_pid = 1

===========

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
USERCTL=no
USERDNS=no
TYPE=Ethernet

===========

/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth0
DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.0.0.255
IPADDR=192.0.0.254
NETMASK=255.255.255.0
NETWORK=192.0.0.0
ONBOOT=yes

===========

/etc/resolv.conf

; generated by /sbin/dhclient-script
nameserver 200.49.156.3
nameserver 200.49.159.69
nameserver 200.49.156.4
nameserver 24.232.0.69

===========

/etc/rc.d/rc.local

touch /var/lock/subsys/local

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3160

===========

/etc/squid/squid.conf

http_port 3160
icp_port 3160
acl QUERY urlpath_regex cgi-bin \? (url goes here but it wont let me post urls)
no_cache deny QUERY
cache_mem 32 MB
cache_dir ufs /var/spool/squid 2000 8 128

cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log

logfile_rotate 10

#redirect_rewrites_host_header off
#cache_replacement_policy GDSF
acl localnet src 192.0.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 10000 KB
store_avg_object_size 100 KB

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mgr nixo@nixo.com.ar
cachemgr_passwd secret_password all

visible_hostname xago

log_icp_queries off
buffered_logs on

=================

Can you post the output from:
iptables -nL
iptables -nL -t nat

Here they are...

========
iptables -nL
========

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- 24.232.0.69 0.0.0.0/0 udp spt:53 dpts:1025:65535
ACCEPT udp -- 200.49.156.4 0.0.0.0/0 udp spt:53 dpts:1025:65535
ACCEPT udp -- 200.49.159.69 0.0.0.0/0 udp spt:53 dpts:1025:65535
ACCEPT udp -- 200.49.156.3 0.0.0.0/0 udp spt:53 dpts:1025:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable


=============
iptables -nL -t nat
=============

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

It looks like your redirect rule didn't work, try it again with:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3160

You may also need to allow incomming connections to port 3160.

I added all the iptables rules in rc.local manualy, and it is working now, THANKS A LOT !

Do i allways have to add them manually or just adding them to rc.local is enought ?

If you add them to rc.local then they will be run each time the system boots.

What i don't undestand is that i added them in rc.local from the begining, and rebooted several times.

Anyway , i must have done something wrong =S, much to lean yet i guess .

Again THANK YOU very much !

Can you post a copy of your rc.local file again.

Here it is
======

touch /var/lock/subsys/local

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3160

Try using the full path to iptables - ie /sbin/iptables

I tryed changing the path, but nothing changes, its like rc.local is not being executed. Every time i reboot iptable's rules are lost. The only thing that works is running each line in the console manually.

Try adding a command like this to rc.local:
date > /tmp/boottime

Do you get the date recorded in that file? If not then rc.local isn't being executed.

Added the line at /etc/rc.d/rc.local , rebooted , but boottime was not created.

How do i get rc.local to be executed at startup ?

Ok... I finally found out what the problem was.

When i copied rc.local from the other linux , some how i managed to turn it into a regular file instead or an executable file (don't ask me how =S).

Now, how do i turn it into an executable file ?


> EDIT

Found out how

chmod a=r+w+x file_name .... right ?

Problem Solved for now =)


Anyway how can i copy files betwen the linux boxes ?

read the man page of chmod to change file-dir permissions:
if ssh enabled for linux boxes (by the defult yes). u can transfer files via ssh easyly.
good luck.