transparent squid proxy not working
Dear friends,
I'm trying to implement a transparent proxy with my Squid proxy server and iptables on the same machine, but somehow it doesn't work, although it looks relatively easy from what I have googled. From what I read, I simply need the following configuration to build a transparent proxy.

On Squid:
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

On iptables (note: eth3 = internal interface):
Code:
$IPT -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 3128

But it doesn't work... It seems like it just doesn't detect the Squid proxy when I do not set it manually. Below is the complete iptables script if useful (note: eth3 = internal interface):
Code:
IPT=iptables   # the script uses $IPT for the iptables binary; assumed to be set like this
# flush, delete and zero every chain in the mangle, filter and nat tables
for table in mangle filter nat
do
    $IPT -t $table -F
    $IPT -t $table -X
    $IPT -t $table -Z
done
# default deny on all three filter chains
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F
$IPT -X
# intercept HTTP from the internal interface and hand it to Squid on 3128
$IPT -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# INPUT: loopback, established traffic, and the listed services
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 23 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p udp --dport 21 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p udp --dport 20 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -j DROP
# OUTPUT: loopback, established traffic, and the listed destination ports
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 23 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p udp --dport 21 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p udp --dport 20 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPT -A OUTPUT -j DROP
# FORWARD: only loopback and already established flows are passed through
$IPT -A FORWARD -o lo -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j DROP

Thanks for taking the time to help!
What version of Squid are you running and have you looked through the Squid FAQ on this at http://wiki.squid-cache.org/SquidFaq/InterceptionProxy?
Firstly you need a compiled version of Squid that supports this. Also, if you're using version 2.6 or 3.0 you only need the following in the .conf file:
Code:
http_port 3128 transparent
Code:
http_port 3128
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Hi gilead,
Thanks for your reply. I am running squid-2.5.STABLE14-1.RHEL4, so I use:
Code:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
I have also corrected "ports" to "port", but still no luck...
Does the Squid process start? You can check this with:
Code:
netstat -tanp | grep 3128
If it started correctly, then you can check whether connections are reaching it by looking in /var/log/squid/access.log
Niceman2005, in addition to the log file information, please post the output of these three commands:
Code:
squid -v
Code:
cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$
Code:
cat /proc/sys/net/ipv4/ip_forward
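The checks the thread walks through (which Squid directives the version needs, whether the nat REDIRECT points at the port Squid listens on, and whether the filter INPUT chain lets the redirected connections in) can be run mechanically over the filtered squid.conf and an iptables-save dump. This is an added example, not code from anyone in the thread; the sample config and rules embedded in it are constructed from the poster's settings above.

```python
import re

# Squid 2.5 intercepts with these httpd_accel_* directives (the poster's set);
# Squid 2.6+ replaces all of them with "http_port <port> transparent".
SQUID25 = {"httpd_accel_host": "virtual", "httpd_accel_port": "80",
           "httpd_accel_with_proxy": "on", "httpd_accel_uses_host_header": "on"}
REDIRECT_RE = re.compile(r"^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports? (\d+)")

def parse_squid_conf(text):
    # directive -> args of its first occurrence; comments and blank lines skipped
    conf = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and not parts[0].startswith("#"):
            conf.setdefault(parts[0], parts[1:])
    return conf

def parse_iptables_save(text):
    # table name -> its "-A ..." rule lines, as printed by iptables-save
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], [])
        elif line.startswith("-A") and table is not None:
            table.append(line)
    return tables

def diagnose(squid_conf, squid_version, iptables_save):
    """Return the reasons interception cannot work; an empty list means the pieces agree."""
    conf, tables, problems = parse_squid_conf(squid_conf), parse_iptables_save(iptables_save), []
    if "http_port" not in conf:
        return ["no http_port directive: Squid will not listen at all"]
    port = int(conf["http_port"][0])
    if squid_version >= (2, 6):
        if "transparent" not in conf["http_port"]:
            problems.append("Squid 2.6+/3.x needs 'http_port %d transparent'" % port)
        problems += ["%s is a Squid 2.5 directive; 2.6+ rejects it" % d for d in SQUID25 if d in conf]
    else:
        problems += ["Squid 2.5 needs '%s %s'" % (d, v) for d, v in SQUID25.items() if (conf.get(d) or [None])[0] != v]
    redirects = [m for m in map(REDIRECT_RE.match, tables.get("nat", [])) if m]
    if not redirects:
        problems.append("nat PREROUTING has no REDIRECT for tcp/80")
    elif int(redirects[0].group(1)) != port:
        problems.append("REDIRECT targets port %s but Squid listens on %d" % (redirects[0].group(1), port))
    if not any(re.search(r"--dport %d .*-j ACCEPT" % port, r) for r in tables.get("filter", []) if r.startswith("-A INPUT ")):
        problems.append("filter INPUT does not ACCEPT tcp/%d, so redirected clients are dropped" % port)
    return problems

# Constructed sample input: the poster's Squid 2.5 directives and the two rules from their script that matter here.
SAMPLE_SQUID_CONF = "http_port 3128\nhttpd_accel_host virtual\nhttpd_accel_port 80\nhttpd_accel_with_proxy on\nhttpd_accel_uses_host_header on\n"
SAMPLE_IPTABLES_SAVE = ("*nat\n-A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 3128\nCOMMIT\n"
                        "*filter\n-A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT\nCOMMIT\n")
```

Feed it `cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$` and `iptables-save` output together with the version from `squid -v`; an empty result means the remaining suspects are the ones the thread names next, the Squid build lacking interception support and the process not actually listening.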