Squid In Transparent Mode...
Hi there all,
I have checked that this question has not been dealt with before on the latest kernel version of Linux. I am using Ubuntu Linux 8.04.1, with kernel 2.6.24-16-server and Squid version 2.6.STABLE18. I have configured squid to work in transparent mode by using the 'transparent' option after the 'http_port 3128' command in squid.conf. When I set the proxy settings in my browser, squid works fine, but if I remove them, it does not work transparently. I have read about doing forwarding in the firewall, and I have set the following parameters there:
-A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 192.168.1.1:3128
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
My eth0 is my Internet interface, while eth1 is my LAN interface. Where am I going wrong? I have noticed that the access.log is empty when computers try squid in transparent mode, whereas with the proxy settings entered in the browser, the access.log gets data in there. The client computers are browsing in either mode. |
Hi,
And welcome to LQ! Could you try with just one pre-routing rule? Code:
iptables -A PREROUTING -i "eth1" -p tcp --dport 80 -j REDIRECT --to-port 3128
Tink |
I can just insert that code in the iptables.up.rules file?
|
Sorry, I cannot answer this; I have no idea how ubuntu handles
iptables. Maybe someone else can chime in? Cheers, Tink |
Tinkster,
I think I have an idea how to insert that command, I will let you know the result tomorrow. Thanks for your response. Regards, Frank |
Hi Tinkster,
I inserted that code, and the result was that all clients could have access to the Internet. Client computers stopped browsing. What's the difference between the code you gave me...
iptables -A PREROUTING -i "eth1" -p tcp --dport 80 -j REDIRECT --to-port 3128
and the one I had in earlier...
iptables -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
They seem identical except towards the end. Regards, Frank |
What I was trying to get at is that the line with the DNAT
might have been wrong. It's been a while since I set up squid as a transparent proxy, but I couldn't remember DNATing it ... Have you still got that rule loaded? |
What I have now is this rule...
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
And the client PCs are browsing, but I doubt whether the transparent proxying/caching is working. |
Stop squid and try browsing. That'll tell you if it's working.
Here's my firewall rule btw, which looks pretty much the same (and it works):
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128 |
Hi Billy,
I stopped squid and guess what? The client computers were still browsing. The squid box is also my gateway to the Internet. I want to try your code now, since it has the '-t nat' command which was not in Tinkster's code. Could that make a difference? Regards, Frank |
Billy,
I've tried your code and when I did, the firewall did not like the '-t nat' command, and it did not work. Regards, Frank |
-t nat
isn't a command. What exactly did it say? Have you enabled nat? |
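As an added example (not code posted by anyone in this thread), the script below prints the nat-table rule Billy's post shows and lints a candidate rule line for the three things that tripped Frank up above: mangled dashes, a rule outside the nat table, and the DNAT line. It assumes eth1 as the LAN interface and Squid on port 3128, as in Frank's setup.

```shell
#!/bin/sh
# Added example, not code from this thread.  Builds the nat-table REDIRECT rule
# for a Squid transparent proxy on the gateway and lints a candidate rule line.
# Assumptions (from Frank's posts): LAN interface eth1, Squid on port 3128 with
# 'transparent' on http_port, and the Squid box is the clients' default gateway.

# Print the rule in shell-command form.  PREROUTING exists only in the nat,
# mangle and raw tables, so "-t nat" is required: without it iptables looks in
# the filter table, which has no PREROUTING chain, and rejects the rule.
squid_redirect_rule() {
    lan_if="$1"; proxy_port="$2"
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port $proxy_port"
}

# Lint one rule given in shell-command form.  Prints every problem found and
# returns 1 if there was any, 0 for a rule that should hand port 80 to Squid.
check_redirect_rule() {
    rule="$1"; rc=0
    case "$rule" in
        *"-t nat"*) ;;
        *) echo "problem: no '-t nat' (PREROUTING is a nat-table chain)"; rc=1 ;;
    esac
    case "$rule" in
        *"--dport 80"*) ;;
        *dport*) echo "problem: 'dport' is not written as '--dport' (dashes mangled by copy/paste)"; rc=1 ;;
        *) echo "problem: no '--dport 80' match, rule would grab all TCP"; rc=1 ;;
    esac
    case "$rule" in
        *"-j REDIRECT "*"--to-port"*) ;;
        *"-j DNAT"*) echo "problem: DNAT to a fixed address instead of REDIRECT to the local Squid port"; rc=1 ;;
        *) echo "problem: no REDIRECT target with --to-port"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed inputs: the rule this script recommends, then Frank's
# original DNAT line.  '|| true' keeps the demo from aborting under 'set -e'.
squid_redirect_rule eth1 3128
check_redirect_rule "$(squid_redirect_rule eth1 3128)" && echo "ok: recommended rule"
check_redirect_rule "-A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 192.168.1.1:3128" || true
```

To check a rule from your own script, pass it as a single quoted string to check_redirect_rule; a non-zero exit means at least one problem was printed.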
Yes, NAT is working fine. As stated above, even without squid, the client PCs are able to browse. However, I would like squid to work in transparent mode so that I do not have to configure their browsers for proxy settings.
It seems squid is not working in transparent mode, even though my squid.conf has the 'transparent' option added to the 'http_port' command. When I enter the proxy settings in the browser, then squid works fine because I can see entries in the access.log file. |
But I guess even if your squid is not working in transparent mode, if squid is turned off, clients should not be able to access the net. If they are able to do that, you need to sort out this issue first. And if the squid box is your clients' gateway to the Internet, they should not get to the Internet if it is off.
You may want to look into this link for transparent squid configuration. http://www.cyberciti.biz/tips/linux-...uid-howto.html |
Linuxlover,
The link you have directed me to uses an old version of squid. With the current version I have, these commands are no longer applicable...
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan |