I have a squid server (squid-2.6.STABLE16) running on a Fedora 7 standalone box.
Squid is up and running, and I can set Firefox to use proxy server 127.0.0.1 and port 3128 to access the net through squid.
I can also set Firefox not to use any proxy, in which case it connects directly to the net without going through squid.
My problem is that I want all traffic to go through squid, irrespective of whether I set the proxy or not.
Searching the net revealed that it is a two-step process:
1. set squid to run as a transparent server, and
2. use iptables to redirect all port 80, 8080 traffic to 3128.
In version 2.6 it appears we just need to add transparent to the http_port line, which I have done.
And I am redirecting traffic by setting the following iptables rules:
Getting Squid to work transparently on localhost is a little tricky compared to how simple it is to get it to work transparently on a LAN. I tried to figure it out once but got impatient and just dropped it. I ended up using an iptables rule to make sure any outgoing HTTP/HTTPS traffic was generated by the Squid user. So if my parents disabled the proxy setting in Firefox, they wouldn't be able to access the WWW. They are forced to use Squid, just not transparently. So I'll be monitoring this thread in the hopes that I too can learn the proper way to do a transparent setup on localhost.
Thanks for bumping this. I decided to give the whole "transparent proxy on localhost" thing another shot and I got it working. It was basically just a matter of adding a couple of rules to the OUTPUT chain of the nat table. I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost. Anyhow, here are the rules:
The first rule just makes sure that if the packet was generated by Squid nothing should be done to it (otherwise we'll end up in an infinite loop). The second rule redirects any other matching packets. That said, considering that transparent redirection is only good for HTTP, I won't be doing this on my box. It would be kinda pointless, as I'd have to specify the HTTPS proxy in Firefox anyway. I'll just stick with my old iptables rules that do nothing but make sure the outgoing packets come from Squid. So basically I'm just posting this in case it helps you.
Also, the iptables rules mentioned by win32sux above give me an access denied error, as compared to page not found without the rules. So I guess the rules must be doing something right... :-)
Please tell me more about this.
Look at your Squid's access log when you get the error. You'll see what the request looks like, and then you can determine what needs to be changed in the ACLs. For me the only thing that had changed was that instead of a 127.0.0.1 (localhost) the requests now had my NIC's source IP.
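To see what win32sux is pointing at in the access log, here is an added example (not code from anyone in this thread) that pulls the TCP_DENIED client addresses out of a Squid native-format access.log and says what the busiest one implies for the ACLs. The log lines are constructed, not real traffic, and the field layout assumed is Squid 2.6's default native format.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Squid's native access.log layout:
#   timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
# Print "count client" for every client that got TCP_DENIED, busiest first.
denied_sources() {
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ }
         END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Say what the top denied source means for http_access. As the thread found,
# after a REDIRECT on localhost the source is the NIC/PPP address, not 127.0.0.1.
explain() {
    client=$(denied_sources "$1" | awk 'NR == 1 { print $2 }')
    case "$client" in
        "")      echo "no denied requests" ;;
        127.*)   echo "denied from loopback: check http_access for localhost" ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                 echo "denied from private address $client: add an 'acl ... src' for it" ;;
        *)       echo "denied from public address $client: dynamic IP, ACL by src will not stick" ;;
    esac
}

# Constructed sample log (hypothetical addresses, not real traffic) so this runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
1193412345.678    120 127.0.0.1 TCP_MISS/200 1456 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1193412350.123      5 203.0.113.45 TCP_DENIED/403 1380 GET http://example.com/ - NONE/- text/html
1193412355.456      4 203.0.113.45 TCP_DENIED/403 1380 GET http://example.org/ - NONE/- text/html
EOF
}

log=$(mktemp) && write_sample_log "$log"
denied_sources "$log"
explain "$log"
rm -f "$log"
```

Point it at /var/log/squid/access.log instead of the sample to triage a real box.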
Access log says that instead of localhost (127.0.0.1) the request is now coming from my external IP address, which is dynamically given by my ISP whenever I connect to the net. I am using PPPoE. So I guess that is the end of transparent connection through squid for me... Or is there still hope?
I would think there is hope. I'm sure this has been worked around before. My guess is that with the proper iptables rules you might be able to get the requests to look like they are from 127.0.0.1, but I haven't had time to tinker with that. One rather nasty workaround I can think of is to install a dynamic DNS update client on your box (such as those offered by DynDNS.com, NoIP.com, etc), so that there is always a domain name assigned to your IP. That way, you can just ACL the domain name. But like I said, it's a nasty workaround IMHO.
That said, I'd like to ask you two questions: 1) Considering that you will still have to manually specify the proxy for HTTPS regardless, are you still willing to do this localhost transparent proxy thing? 2) What is the main objective you wish to accomplish by doing this localhost transparent proxy thing?
I guess it's not worth installing dynamic DNS etc...
Secondly, I changed my rental plan from the month of October from an unlimited one to a limited one; therefore, I now manually connect to the net when required, instead of connecting automatically whenever I switch on the machine. This means I have to manually start squid as well when I connect.
So having a manual step in between kind of beats the whole point of transparency.
I am trying to use squid as a cache, so that I appear to have a faster connection and also save some bandwidth cost.
I am trying to make it transparent because I learned on the net that I can. I thought, well, let's give it a try, and also I will learn something new. Transparent proxy is not my main objective, proxy is, and I have achieved that, thanks to everyone who took the time to reply to this thread.
What I did (as a workaround) was put this in squid.conf:
acl localnet1 src 10.0.0.0/24
acl localnet2 src 192.168.0.0/16
http_access allow localnet1
http_access allow localnet2
That doesn't really help someone with a dynamic public IP, though. Yes, for those of us behind a router it's a no-brainer, but for those who are directly connected to the Internet it's a different story.
EDIT: I'm thinking that since this is on an individual PC, one could simply allow everything (in Squid). In other words, have something like "http_access allow Safe_ports all" in there. It sucks, I know, but one would simply be more reliant on the local firewall to handle the network access aspect of security, and one would never have to worry about the IP changing, etc. With the proper INPUT rules, nobody from the outside would be able to connect to Squid.
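Pulling the iptables side of the thread together, here is an added example script (not the rules win32sux posted, and not from the original thread): the two nat OUTPUT rules from his transparent-on-localhost post, the owner-only OUTPUT filter he used instead on his parents' box, and the INPUT lockdown he mentions in the EDIT above. It assumes Squid runs as user "squid" on port 3128 and that the iptables owner and multiport matches are available; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the iptables rules discussed
# above for a single box with Squid on 127.0.0.1:3128.
# Assumptions: Squid runs as user "squid" and listens on 3128; the owner
# and multiport matches are available. DRY_RUN=1 prints instead of applying.
SQUID_USER=${SQUID_USER:-squid}
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-iptables}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Transparent redirect on localhost (nat table, OUTPUT chain). Rule 1 leaves
# packets owned by the Squid user alone, so Squid's own upstream fetches are
# not fed back into it (the infinite loop the thread mentions). Rule 2 then
# redirects every other locally generated port-80 connection to Squid.
transparent_rules() {
    run -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    run -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# The non-transparent alternative from the same poster: only the Squid user
# may open outgoing HTTP/HTTPS, so a browser whose proxy setting was switched
# off cannot reach the web at all. Covers 443 too, which REDIRECT cannot,
# at the price of having to configure the proxy in the browser.
enforce_rules() {
    run -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    run -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT
}

# If squid.conf ends up with "http_access allow Safe_ports all", the INPUT
# chain is what keeps outsiders off port 3128: loopback only.
lockdown_rules() {
    run -A INPUT -i lo -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

case "${1:-}" in
    transparent) transparent_rules ;;
    enforce)     enforce_rules ;;
    lockdown)    lockdown_rules ;;
    *) echo "usage: $0 transparent|enforce|lockdown  (DRY_RUN=1 to print)" >&2 ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed rules against iptables-save output before applying anything on a box you cannot reach by console.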