Hi,
i have installed and tried both squid version as transparent proxy but they just don't work.
i have eth0 which is where my internet comes in and eth1 which is my local network 192.168.1.0/255.255.255.0.
My default firewall policy is to drop input output and forward, i have already set my firewall to accept and workout the squid and it is working.
Here is the relevant rules i have on my firewall:
Code:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.254:3128
$IPT -t nat -A PREROUTING -p tcp -i $INTIF --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Here is the sample conf i am using for squid:
Code:
http_port 3128 transparent
#https_port 3129 transparent ssl-bump cert=/etc/squid/cert/server.crt key=/etc/squid/cert/server.key
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
always_direct allow all
When using version 2.7.x i was able to make it transparent when i used the below rules:
Code:
#via off
#forwarded_for off
#header_access From deny all
#header_access Server deny all
#header_access WWW-Authenticate deny all
#header_access Link deny all
#header_access Cache-Control deny all
#header_access Proxy-Connection deny all
#header_access X-Cache deny all
#header_access X-Cache-Lookup deny all
#header_access Via deny all
#header_access Forwarded-For deny all
#header_access X-Forwarded-For deny all
#header_access Pragma deny all
#header_access Keep-Alive deny all
I readed the Docs on the squid page but the above rules can't be reproduced to 3.1 and i don't wish to use such rules to make it transparent or hidden so i want some help to figure out why it inst transparent.
if you need any extra information let me know, appreciate any help.
Best regards.