LinuxQuestions.org


1jamie 09-25-2003 05:56 PM

Squid Transparent Proxy
 
Hi folks your help with the following would be appreciated.

I've already trawled through some of the previously posted queries about this same problem, but nothing seems to be able to help me so far.

I have a router doing SNAT. It has a proxy server running (squid). I'm using iptables. The routing is great, everything is fine in that regard.

Squid works great too if I go into client machine web browsers and set up proxy manually. Directing web traffic through the router's proxy port 3128 works fine. I'm able to see entries in squid's access.log

But removing these manual configurations from web browsers and trying transparent proxying with:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

fails miserably. I've tried

--to-port 192.168.1.10:3128

but it too fails.

It's not critical coz I only have a limited number of host PCs and manual configuration isn't too much of a problem. But I like to get the technology performing as it's supposed to. That's the fun, right?

Any help?

jamie (NZ)

cli_man 09-25-2003 08:04 PM

One thing that sticks out, do you have 2 ethernet cards in the server? I see you have it using eth0 so I thought I might ask. The command for iptables I am using is:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Also you might want to check out the following page:

http://squid.visolve.com/white_paper...#aboutiptables

Read the iptables and the section after it, that might shed some light on your transparent proxy problems.

1jamie 09-25-2003 08:43 PM

Thanks for your reply cli_man. I have two NICs on my router, the external NIC is eth0 and the internal one is eth1. So I need to bind this prerouting command on interface eth1 which is the internal one, I think?

Squid is listening on the internal NIC only.

jamie (NZ)

cli_man 09-25-2003 08:55 PM

Do you have routing enabled? If not just run as root:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also did you check out the link I gave above, it has the settings needed to run transparent caching

Also one more thing: is the client's default gateway that of the squid server? And if it is, can you do a tracert www.google.com and see that it is going through the cache server?

1jamie 09-25-2003 10:46 PM

Yeah I have ip forwarding enabled and I checked out the link. I edited my squid.conf file with the following, based on what I read:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

There was no "default" section in the squid.conf file for the entry httpd_accel_host so I just added it.

The syntax at the cli is ok when I enter iptables...-j REDIRECT etc...coz I get no error messages, and when I save it it shows up in my iptables script. SNAT's working fine and I have used port redirection before with ssh too.

Would appreciate any input. I've thrown myself at it, scoured the internet, but sometimes things just don't work out.

jamie (NZ)

ps the router is also doing DNS caching, apache, samba, xinetd, webmin. It's on the cheap coz we can't afford lots of servers. This shouldn't be affecting things though. But then you never know. What I'm really hoping from squid is bandwidth savings and load balancing. If the NZ$ keeps strong maybe we'll be able to afford some new servers :-)

viz 09-25-2003 10:55 PM

I have set up a transparent proxy with Squid on RedHat 9 and used exactly the iptables rule you listed. Assuming you placed the right interface in the iptables rule, the next place I would examine is the Squid configuration file. In RedHat 9, this is located in /etc/squid/squid.conf.

On my server I opened the configuration file and performed the following steps.

1. Go to the section titled HTTPD-ACCELERATOR OPTIONS and make sure the following options are enabled. If an option does not exist, add it.

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

2. Go to the section titled ACCESS CONTROLS. The last line of this section denies all traffic through Squid by default with the following line.

http_access deny all

Unless we change this, no one will reach a web page through Squid. Since all traffic is originating on our LAN, the simplest solution is to allow all traffic by changing this line to the following.

http_access allow all

I hope this helps. This is the only configuration I performed besides the iptables rule.

1jamie 09-25-2003 11:07 PM

Thanks cli_man. I've been doing this all by remote admin and I was testing the config from the router itself using lynx. Now I'm here on site and it's working like a charm - I can test the actual client machines and not just do it from the router itself, which I think was giving me grief coz it's coming through 127.0.0.1 and that ain't in the REDIRECT statement!

THANKS, Kia Ora as we say down here!

jamie (NZ)

cli_man 09-26-2003 06:09 AM

I am glad that worked for you. Probably what you ran into when using lynx was you didn't have a proper acl setup for 127.0.0.1 but the rest of your network works fine.

I have been setting up transparent proxies left and right so I am glad to be able to help someone else.
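The http_access behaviour behind viz's "allow all" change and cli_man's remark about a missing acl for 127.0.0.1, as an added example that is not from the thread: a small Python model of how Squid evaluates http_access lines top-down over src ACLs (first matching line wins; no match falls back to the opposite of the last line). The LAN range 192.168.1.0/24 is assumed from the router address in the thread; it also shows that "allow all" admits any source address Squid can hear from, which is what makes a reachable proxy an open one.

```python
import ipaddress

# Constructed squid.conf fragments (added example, not from the thread).
# Older Squid needs an explicit "all" ACL; newer releases predefine it.
ALLOW_ALL = """
acl all src 0.0.0.0/0
http_access allow all
"""
# Tighter variant: the LAN (assumed 192.168.1.0/24, matching the router's
# 192.168.1.10 in the thread) plus the router itself, everyone else denied.
LAN_ONLY = """
acl all src 0.0.0.0/0
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/32
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Collect 'acl NAME src NET...' and 'http_access allow|deny NAME...'.
    Only src ACLs are modelled; other ACL types and '!' negation are ignored."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def allowed(conf, client_ip):
    """Squid semantics: lines are tried in order, every ACL named on a line
    must match (AND), and the first matching line decides. If no line
    matches, the default is the opposite of the last http_access line."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for allow, names in rules:
        if all(any(ip in net for net in acls[n]) for n in names):
            return allow
    return (not rules[-1][0]) if rules else False
```

With the stock "deny all" only, a request from 127.0.0.1 (lynx on the router) is refused, which matches cli_man's diagnosis; LAN_ONLY admits it without opening the proxy to everyone.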

