LinuxQuestions.org
Old 08-03-2006, 06:24 AM   #1
mikdadhussain
LQ Newbie
 
Registered: Jan 2006
Posts: 4

Rep: Reputation: 0
Urgent and imp. Making Squid 2.6 stable as transparent proxy


Hello,
Dear All.
I wanted to request help from all of you.
I work for an organization where Squid is used as a transparent proxy.
Static IPs have been assigned to the clients, so there is no need for NAT or masquerading here; just transparent proxying is required.
I have tested Squid 2.6 stable 2 as a transparent proxy on a single network and it works fine
with this configuration:
[http_port 192.168.254.252:3128 transparent
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward]
and this works for a single network as a transparent proxy,
meaning all clients having IPs [192.168.254.x] use 192.168.254.252 as gateway and their requests are fulfilled.
But now the demand is that
the clients should use 192.168.253.x and Squid should use 192.168.254.252, i.e. different networks [here again, no NAT is required, simply transparent proxy].
I have created another virtual interface on the Squid server with IP 192.168.253.252 and forwarded the users' requests to it.
But it doesn't work; I think there is some problem with the iptables.
[Remember that in Squid 2.5 the transparent proxy features were
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on]
and these have all been deprecated in Squid 2.6 stable 2.
{In the private networks shown above, you can also consider the real IPs to be substituted; I have replaced them because I am still testing it.}

So, please help me out with this task.

Thanks a lot.
Shoaib Akbar.
JNE WOL Lahore.
 
Old 08-03-2006, 07:47 AM   #2
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Blog Entries: 7

Rep: Reputation: 32
I think you might need to clarify more... I mean, if the clients are directly connected to the squid server, why would you want them on different networks? However, if you use Prerouting, you can route all the requests from the client network to squid.

You said: "But it doesn't work, I think there is some problem with the iptables."

Maybe it would help if you post your iptables.
 
Old 08-03-2006, 08:14 AM   #3
mikdadhussain
LQ Newbie
 
Registered: Jan 2006
Posts: 4

Original Poster
Rep: Reputation: 0
The situation is that we are using two different network classes:
one is 202.x.x.x, and we assign the users dynamic IPs from this range (used as uplink for requests),
and the other network is 80.x.x.x; we are using only one IP from this class [we actually use this network class for downlink, i.e. DVB]. The user's request is forwarded by the 202.x.x.x IP but it comes back through the satellite link through 80.x.x.x, and we are using NAT in the squid server as well.

This is my /etc/sysconfig/iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT



and I am using these commands in my /etc/rc.local:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward
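
Added example (not part of any post in this thread): a simplified first-match model of the filter table posted above, fed a constructed packet as it looks after the nat REDIRECT, when it enters the INPUT chain with destination port 3128. The `ALLOW` rule, the /24 mask and the client address 192.168.253.10 are assumptions made for illustration.

```python
import ipaddress
# Filter rules copied from the /etc/sysconfig/iptables posted above.
RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".splitlines()
# Assumed addition: admit only the client network (a /24 is assumed) to Squid.
ALLOW = ("-A RH-Firewall-1-INPUT -s 192.168.253.0/24 -m state --state NEW "
         "-m tcp -p tcp --dport 3128 -j ACCEPT")
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}  # the ":CHAIN ACCEPT" lines
FIELDS = {"-i": "iface", "-p": "proto", "--dport": "dport", "-d": "dst"}

def parse(lines):
    """Group rules by chain; every option in this ruleset takes one value."""
    chains = {}
    for tok in (line.split() for line in lines):
        chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def matches(opts, pkt):
    if any(o in opts and opts[o] != str(pkt[f]) for o, f in FIELDS.items()):
        return False
    if "-s" in opts and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(opts["-s"]):
        return False
    return "--state" not in opts or pkt["state"] in opts["--state"].split(",")

def verdict(chains, chain, pkt):
    """First matching rule wins; a user chain that falls through returns None."""
    for opts in chains.get(chain, []):
        if matches(opts, pkt):
            target = opts["-j"]
            result = verdict(chains, target, pkt) if target in chains else target
            if result:
                return result
    return POLICY.get(chain)

# Constructed packet: a client's first SYN to port 80 after REDIRECT --to-port 3128.
REDIRECTED = {"iface": "eth0", "proto": "tcp", "dport": 3128, "state": "NEW",
              "src": "192.168.253.10", "dst": "192.168.254.252"}
```

Calling `verdict(parse(RULES), "INPUT", REDIRECTED)` returns `REJECT`, because no rule accepts a NEW connection to port 3128; with `ALLOW` placed ahead of the final REJECT rule the same packet returns `ACCEPT`, while sources outside 192.168.253.0/24 are still rejected.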
 
Old 08-03-2006, 08:17 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
For transparent proxying using a REDIRECT rule, squid should only listen on 127.0.0.1
 
  


All times are GMT -5.