Setup:
OS: Ubuntu 8.04
==> squid & squidGuard on localhost.
Goal: Force traffic through squid using iptables, thereby eliminating the need for FF preferences. The intended host to proxy is the box housing squid & co.
Squid works fine if I use the settings in Firefox but does not work if I try to use it transparently.
Here's my squid.conf sans comments.
Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
visible_hostname localhost
always_direct allow all
hosts_file /etc/hosts
coredump_dir /var/spool/squid
I would think that a simple rule such as:
Code:
sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 3128
would do the trick...
It does not work as expected.
Any thoughts?
Thanks for reading!
Bub
UPDATE: I gave up on IPTABLES and installed the firehol package. It works and that is good. Here is my firehol.conf for those also struggling with this:
Code:
version 5
transparent_squid 3128 "proxy root" inface eth0
# Accept all client traffic on any interface
interface "eth0" Internet
protection strong
server "ssh" accept
client all accept
PS: I am still curious as to how one would get the same results with vanilla IPTABLES.
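An added example answering the PS (this is not from the original post): a host's own outbound packets never traverse PREROUTING, so on the squid box itself the redirect belongs in the nat table's OUTPUT chain, and squid's own user has to be exempted or its upstream fetches get redirected back into squid. It assumes squid runs as the Debian/Ubuntu default user "proxy" (cache_effective_user) and listens on the page's port 3128; the gateway mode and interface names are illustrative.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) iptables REDIRECT rules for
# a transparent squid on port 3128.  Assumes squid runs as user "proxy".
SQUID_PORT=3128
SQUID_USER=proxy

# Emit the rules for one deployment.  "local": clients run on the squid box
# itself (the poster's case).  "gateway": clients sit behind it on LAN
# interface $2 and their packets are forwarded through the box.
redirect_rules() {
    mode=$1
    lan_if=${2:-eth0}
    case "$mode" in
        local)
            # Locally generated traffic skips PREROUTING and enters the nat
            # table through OUTPUT.  Leave loopback alone, and exclude squid's
            # own uid so its upstream connections are not looped back into it.
            echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
            echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $SQUID_USER -j REDIRECT --to-port $SQUID_PORT"
            ;;
        gateway)
            # Forwarded traffic from other hosts does pass PREROUTING, which is
            # the only case in which the original rule works.
            echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
            ;;
        *)
            echo "unknown mode: $mode (use local|gateway)" >&2
            return 1
            ;;
    esac
}

# Sanity check before applying: the same-host case must use OUTPUT and carry
# the owner exemption, otherwise squid would redirect to itself.
check_local_rules() {
    rules=$(redirect_rules local) || return 1
    echo "$rules" | grep -q -- '-t nat -A OUTPUT .*--dport 80' || return 1
    echo "$rules" | grep -q -- '! --uid-owner' || return 1
}

# Usage: ./redirect.sh [local|gateway] [lan_if] [--apply]
# Rules are only printed unless --apply is given and we are root.
if [ "$3" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    check_local_rules && redirect_rules "${1:-local}" "$2" | while read -r cmd; do eval "$cmd"; done
else
    redirect_rules "${1:-local}" "$2"
fi
```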