
philipph 03-29-2004 10:35 AM

transparent proxy with squid problem
Hi there!

I want to build a transparent proxy with squid under SuSE Linux 9.0.
The System first:
eth0: for internal network traffic (ip-addr:, subnetmask:
eth1: for external traffic, complete configuration over DHCP from the ISP
All machines should get their IP configuration from my server, so I set up a DHCPD server. This works fine. Here is the config file (dhcpd.conf):

option routers;
option broadcast-address;
option domain-name-servers;
# I am not sure if I should use the ISP's DNS here???
subnet netmask {

So far so good. All clients get an IP address and a standard gateway, so they try to communicate over my Linux box.

Then I set up squid. I first tried with the standard config. The result:
When I configure the clients' browsers to access the internet over a proxy server ( port 3128), everything works great.
But I want to have a transparent proxy, so the clients don't have to change their configuration.
So I changed squid.conf (as the SuSE handbook says):
# transparent (interception) mode for Squid 2.x: accelerator directives
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Then I set up the kernel to do IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
and gave it this iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And now the problems start:
When I type an IP address in a client's browser I get a squid error page (The requested URL could not be retrieved)
When I type a URL, it cannot be resolved

So I think I have some problems with the DNS (as mentioned in the dhcp config already).

I think I should add an iptables rule for the DNS servers too, but I don't know how.

Any ideas?
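The post above gives only the single REDIRECT rule. On a gateway that forwards for clients, the interception rule is just one piece: traffic that Squid does not intercept (DNS, HTTPS, anything not port 80) still leaves the box with private source addresses unless it is masqueraded, and Squid and any local resolver should never be reachable from the ISP-facing side. The following script is an added example, not part of the original thread or of any SuSE/Squid documentation; it emits a complete ruleset for the layout described (eth0 inside, eth1 outside, Squid on 3128). The 192.168.1.0/24 client subnet is an assumption, since the original post's addresses are missing, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an iptables ruleset for a
# transparent-proxy gateway like the one described above. Interface names,
# the 192.168.1.0/24 client subnet and the Squid port are assumptions.
# Usage: sh transparent-proxy-rules.sh | sudo sh     (review the output first)
set -eu

gen_transparent_proxy_rules() {
    lan="$1"; wan="$2"; lan_net="$3"; squid_port="$4"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -F INPUT
# Intercept only the clients' plain HTTP and hand it to Squid on this box.
iptables -t nat -A PREROUTING -i $lan -s $lan_net -p tcp --dport 80 -j REDIRECT --to-port $squid_port
# Everything else the clients send out (DNS, HTTPS, ...) must be masqueraded,
# otherwise replies addressed to private addresses never come back from the ISP.
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
# Forwarding policy: only the LAN may originate flows; replies return by state.
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Squid and a local caching resolver serve the LAN only; never expose them on $wan.
iptables -A INPUT -i $lan -s $lan_net -p tcp --dport $squid_port -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $wan -p tcp --dport $squid_port -j DROP
iptables -A INPUT -i $wan -p udp --dport 53 -j DROP
iptables -A INPUT -i $wan -p tcp --dport 53 -j DROP
EOF
}

gen_transparent_proxy_rules eth0 eth1 192.168.1.0/24 3128
```

Two caveats for anyone reproducing this today: the `httpd_accel_*` directives belong to Squid 2.x (what SuSE 9.0 shipped); Squid 3.1 and later replace them with `http_port 3128 intercept`. And REDIRECT only diverts port 80, so the "log those boxes" goal covers plain HTTP only; HTTPS passes through masqueraded and is not inspected.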

ugge 03-29-2004 04:29 PM

You should not have to make an iptables rule for DNS. No forwarding of DNS queries occurs in this setup.

My setup at home uses the DNAT target for the transparent proxy thing.

philipph 03-30-2004 07:30 AM

Thanks for your help, I didn't get what you meant :-(

But I got another solution.

I set up a caching DNS (with bind)
and just added my ISP's DNS IPs in the forward section of named.conf.

Now I'm getting closer to what I want. Transparent proxy for HTTP works now; everybody can surf without knowing about the Linux server. (Because I just want to log those M$ boxes.)


linuxboy_inside 04-19-2004 02:51 AM

I want the same setup as you, a transparent proxy; my problem is that when I try to browse, "The requested URL could not be retrieved" appears. I followed the solution you described by adding the ISP's DNS IP, but I'm confused about where the forwarding section in named.conf is.

Can you please give me a hint to fix my transparent proxy and make it work like yours?


maxut 04-19-2004 03:06 AM

Do not change any named config files. Just start it. It will work as a caching name server. Linux and your clients can use it as a DNS server.

philipph 04-19-2004 09:03 AM

In named.conf I have the line

forwarders {;;};

which are the DNS servers of my ISP.

(as a line in the options section)

Then just start bind and give the IP address of the caching proxy (and DNS) server
as the DNS server to your workstations.
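The `forwarders` line above is the whole of what the thread shows of named.conf. A resolver that forwards for a LAN should also be told which interface to listen on and which clients may query it; a BIND instance reachable on the ISP-facing interface with recursion open to everyone is an open resolver, abusable for cache poisoning and reflection. The script below is an added example, not from the original posters or from the SuSE/BIND documentation; it prints an `options` block with those restrictions. The server's LAN address 192.168.1.1, the client subnet 192.168.1.0/24, the `/var/lib/named` working directory and the two forwarder addresses (RFC 5737 documentation ranges) are all placeholders to be replaced with real values.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the options block for a
# caching resolver that forwards to the ISP's servers, as discussed above.
# Listen address, client subnet, directory and forwarder addresses are
# assumptions; substitute your server's LAN address and your ISP's resolvers.
set -eu

gen_named_options() {
    lan_addr="$1"; lan_net="$2"; fwd1="$3"; fwd2="$4"
    cat <<EOF
options {
    directory "/var/lib/named";
    // Answer only on loopback and the LAN address, never on the ISP-facing interface.
    listen-on { 127.0.0.1; $lan_addr; };
    // Only LAN clients may query, and only they get recursion; anything
    // wider turns the box into an open resolver.
    allow-query { 127.0.0.1; $lan_net; };
    allow-recursion { 127.0.0.1; $lan_net; };
    // Send every unanswered query to the ISP's resolvers instead of
    // iterating from the roots (what the thread calls the "forward section").
    forward only;
    forwarders { $fwd1; $fwd2; };
};
EOF
}

gen_named_options 192.168.1.1 192.168.1.0/24 203.0.113.53 198.51.100.53
```

Hand the LAN address used in `listen-on` to the clients as `option domain-name-servers` in dhcpd.conf, so the clients' queries terminate on this box and only the resolver itself talks to the ISP.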
