Old 04-28-2005, 02:55 PM   #1
LQ Newbie
Registered: Apr 2005
Location: Orlando, FL
Posts: 3

Rep: Reputation: 0
Transparent Proxying on Squid

I appreciated Jeremy Garcia's article in Linux Magazine entitled "Transparent Proxying with Squid". I have been trying to implement a Transparent Proxy with squid. I am running a Gentoo box running Linux v2.6.11 with Squid v2.5.9. The Gentoo box has a single network interface (IP which I hope to be a transparent proxy for a Cisco router (IOS: v12.3 Internal IP: External IP: X.X.X.X). If I manually set the proxy IP address of a client PC browser to the IP of squid, it works fine -- access.log/cache.log report proper results. If however, I unset the proxy IP in my client browser, the request times out. I do see GRE messages on squid and if I stop the squid services (once the router detects that squid is down) the request goes through. I believe I have followed Jeremy's instructions correctly (although I have not installed the module ip_wccp because I believe this is not necessary because I am running kernel 2.6.11). From the output of a few commands I am sending, it looks like this should be working. No entries appear in my access.log file (however) the squid box is seeing the request, it just does not appear to be acting on it.

show ip wccp on router
Router information:
Router Identifier:
Protocol Version: 1.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 704
Redirect access-list: 112
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0

Snip from router config
ip wccp version 1
ip wccp web-cache redirect-list 112
interface FastEthernet0/0
ip address X.X.X.X
ip wccp web-cache redirect out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

squid2 root # ifconfig
eth0 Link encap:Ethernet HWaddr 00:0F:1F:F8:79:AA
inet addr: Bcast: Mask:
inet6 addr: fe80::20f:1fff:fef8:79aa/64 Scope:Link
RX packets:3841 errors:0 dropped:0 overruns:0 frame:0
TX packets:3867 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:732606 (715.4 Kb) TX bytes:735382 (718.1 Kb)

gre1 Link encap:UNSPEC HWaddr C0-A8-C8-C8-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:
RX packets:192 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9216 (9.0 Kb) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr: Mask:
inet6 addr: ::1/128 Scope:Host
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:216 (216.0 b) TX bytes:216 (216.0 b)

squid2 root # netstat -in
Kernel Interface table
eth0 1500 0 3813 0 0 0 3833 0 0 0 BMRU
gre1 1476 0 192 0 0 0 0 0 0 0 OPRU
lo 16436 0 2 0 0 0 2 0 0 0 LRU

squid2 root # tcpdump -n -i gre1
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:33:27.448919 IP > S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449064 IP > S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449234 IP > S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
15:33:27.449399 IP > S 4107953532:4107953532(0) win 65535 <mss 1260,nop,nop,sackOK>
Old 04-28-2005, 03:07 PM   #2
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
None of that crap you just posted matters.

A transparent proxy is an internal loopback with a specific port- typically 1080/8080 for the internal proxy- with forwarding on 80. It's just a setting in /etc/squid/squid.conf. Read up on squid first and understand what you are doing.

Or else install a distro made for this like clarkconnect or ipcop or another.
Old 04-28-2005, 03:38 PM   #3
LQ Newbie
Registered: Apr 2005
Location: Orlando, FL
Posts: 3

Original Poster
Rep: Reputation: 0
I set up the squid.conf according to the article:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access <my subnet>

I created an iptables entry as such:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I kept the squid port set to its default 3128 and used the gre tunnel configuration as detailed in Jeremy's article.

I made sure packet forwarding was on:
net.ipv4.ip_forward = 1

I made sure NAT/REDIRECT and other related KERNEL modules were active in the kernel.

I made sure the gre tunnel was set up (and I thought I included the output I did to ensure readers that gre was functional and being seen by the Cisco router).

Although the distros you mentioned may be better for this type of application, I do not believe any of the technologies used (squid/iptables/gre) are exclusive to them.
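
One check worth running against the setup posted above, as an added example that is not part of the original thread: a PREROUTING rule with `-i` only matches packets arriving on that interface, and the tcpdump output in post #1 shows the redirected SYNs arriving on gre1. The helper names are hypothetical; the rule string is copied from post #3.

```shell
#!/bin/sh
# Added example (not from the thread): test whether an iptables rule's
# -i match covers the interface on which WCCP-redirected packets arrive.

# Rule exactly as posted in the thread.
POSTED_RULE='-t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128'

# rule_in_iface RULE -> prints the rule's input interface, or "any" if none.
# Negated matches ("! -i eth0") are not handled in this sketch.
rule_in_iface() {
    set -- $1                      # split the rule into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|--in-interface) echo "$2"; return 0 ;;
        esac
        shift
    done
    echo any
}

# rule_matches_iface RULE IFACE -> exit 0 if the rule applies to IFACE.
# A trailing "+" in iptables is a prefix wildcard (e.g. "gre+" covers gre1).
rule_matches_iface() {
    want=$(rule_in_iface "$1")
    case "$want" in
        any) return 0 ;;
        *+)  case "$2" in "${want%+}"*) return 0 ;; esac
             return 1 ;;
        *)   [ "$want" = "$2" ] ;;
    esac
}

# diagnose RULE ARRIVAL_IFACE -> prints a one-line verdict.
diagnose() {
    if rule_matches_iface "$1" "$2"; then
        echo "ok: rule matches traffic arriving on $2"
    else
        echo "mismatch: rule is bound to $(rule_in_iface "$1"), traffic arrives on $2"
    fi
}

# gre1 is the interface where tcpdump in post #1 shows the port-80 SYNs.
diagnose "$POSTED_RULE" gre1
```

On the live proxy, `iptables -t nat -L PREROUTING -v -n` shows per-rule packet counters, which confirm whether the REDIRECT rule is being hit at all.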

