Squid as Transparent Proxy
Sir
I tried to configure Squid as a transparent proxy, but I failed.
1. I am using CentOS.
2. Broadband dial-up connection in CentOS (ADSL setup).
3. Using OpenDNS 208.67.222.222.
4. Local LAN IP 172.16.11.10/255.255.0.0.

What I have done so far:
A. Added in squid.conf:
   1. acl all src 172.16.0.0/255.255.0.0
   2. http_access allow all
   3. http_port 3128 transparent
   4. service squid start
B. iptables rules:
   1. iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 172.16.11.10:3128
   2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
   3. iptables -I INPUT -s 172.16.0.0/255.255.0.0 -p tcp --dport 3128 -j ACCEPT
On my Windows box:
   1. IP address 172.16.11.55/255.255.0.0
   2. Gateway 172.16.11.10
   3. DNS 208.67.222.222
That's it, but now I cannot access the internet. If I configure my browser and set the browser proxy, I can access it easily. Please help. |
I'm not sure what the REDIRECT statement is for. Is eth0 your inside network address? And the DNAT entry uses eth1, which is confusing to me.
A transparent proxy would mean from eth0 (inside) to eth1 (outside interface), where in PREROUTING the traffic coming in from eth0 should be DNATed to port 3128, which you do (on eth1, that is). Can you clarify the interface configuration? |
Thanks for your reply.
In my CentOS server there are two LAN cards:
1. eth0
   a. Automatically obtain IP address, setting with: Dialup
   b. Inactive
2. eth1
   a. Static IP: 172.16.11.10/255.255.0.0
   b. Active
Now I have a broadband connection ppp0 on eth0 (ADSL setup). |
I have followed http://www.broexperts.com/2013/03/sq...on-centos-6-4/
|
Dear All
I have not received any response yet. |
Then ppp0 is the device you need to use in your iptables rules, as eth0 is just the carrier to facilitate ppp0. ppp0 is the actual internet connection (to be verified: that ppp0, and not eth0, obtains a public IP address once connected).
A 1. Why 'acl all' instead of 'acl lan' as mentioned in the tutorial? I don't imply this is an issue, though.
B 2. I still don't understand why you redirect traffic coming from the Internet with dport 80 (as stated in the tutorial; you are not running your own web server with this configuration, but okay): it should be about connection ppp0, not eth0. I think this is an error. I think you need either the DNAT or the REDIRECT statement, as REDIRECT effectively is the same as DNAT to localhost (the REDIRECT should have the interface of the local LAN (-i eth1) instead of the internet interface, though).
B 3. I would suggest using the INPUT chain to be selective about which interface it applies to. I suggest you include '-i eth1' in the statement to specify that it has to come from the local network. Also, port 3128 won't be accessed by the client, rather port 80, so open up port 80 and not 3128. As http://www.karlrupp.net/en/computer/...t-proxy-en.gif shows, you need to open port 80 on the INPUT chain on the eth1 interface (your local LAN), and not port 3128. Port 3128 is not accessed through the process of 'transparent proxying'. I assume you don't configure a proxy on the client and that you are connecting to HTTP, not HTTPS.
For more reading on the differences between DNAT and REDIRECT, you could check http://www.karlrupp.net/en/computer/nat_tutorial, which I found while looking up your issue and getting familiar with REDIRECT at all, because I didn't know that target yet.
Please let me know if you still are unable to get this to work. |
Dear rhoekstra
Thanks for your reply. Now please tell me the steps to configure a transparent proxy, so that we need not set the proxy in my browser. Please guide me. |
I think you're almost there, actually.
You seem to have configured Squid about right. In iptables you have to open up port 80:
Code:
iptables -I INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
Code:
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Please also try reading the above-mentioned documentation, and this site could be valuable to read as well: http://www.tldp.org/HOWTO/TransparentProxy.html
Next to all this, consider using transparent proxy settings through the PAC standard, which about all browsers support these days, if not all. To read about this, check http://en.m.wikipedia.org/wiki/Proxy_auto-config for a good start on the subject. This is more flexible and incorporates automatic configuration of a browser, so a user doesn't need to know a thing, yet you can tell the browser to use the proxy. Plus you can make browsers behave differently based on the URL they are trying to request, should this be necessary.
Both ways should work, but I would definitely recommend going the PAC method. |
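The setup the thread converges on, as an added example that is not part of any post here: a small POSIX shell script that prints (and, with DRY_RUN=0 as root, applies) the Squid intercept configuration and iptables rules for the layout described above. It assumes the interface names and addresses from the thread (eth1 = LAN 172.16.0.0/16, ppp0 = uplink, Squid on 3128). The FORWARD/MASQUERADE rules, the `intercept` spelling (Squid 3.1+; `transparent` is the older name for the same http_port option) and the lint_rules check are additions of this example, not from the thread or the linked tutorial. Two caveats the posts above do not settle: nat/PREROUTING rewrites the destination port before filter/INPUT sees the packet, so the INPUT accept has to name the proxy port (3128), not 80; and intercepting port 80 on the uplink interface would make the box an open proxy for anyone who reaches its public IP, which is the mistake the lint refuses.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates and sanity-checks the
# netfilter rules (plus the matching squid.conf lines) for Squid in intercept
# mode on a box with one LAN NIC and a PPPoE uplink, like the setup described
# above. Assumed layout, taken from the thread: LAN on eth1 (172.16.0.0/16),
# uplink ppp0, Squid on 3128. Defaults are overridable from the environment.
# With DRY_RUN=1 (the default) nothing is applied; the rules are only printed.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-172.16.0.0/16}
PROXY_PORT=${PROXY_PORT:-3128}
DRY_RUN=${DRY_RUN:-1}

# squid.conf lines matching the rules below. 'intercept' is the Squid 3.1+
# spelling of the older 'transparent' flag; the client ACL is named
# 'localnet' instead of redefining Squid's built-in 'all', and everything
# outside it is denied explicitly.
squid_conf() {
  cat <<EOF
acl localnet src $1
http_port $2 intercept
http_access allow localnet
http_access deny all
EOF
}

# Print the rule set, one iptables command per line:
# build_rules LAN_IF WAN_IF LAN_NET PROXY_PORT
build_rules() {
  lan_if=$1 wan_if=$2 lan_net=$3 port=$4
  # Intercept port 80 only on the LAN interface. nat/PREROUTING runs before
  # filter/INPUT, so the packet reaches INPUT already rewritten to dport $port;
  # that is why the ACCEPT below names the proxy port, not 80.
  echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $port"
  echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $port -j ACCEPT"
  # Never let the proxy port be reached from the uplink.
  echo "iptables -A INPUT -i $wan_if -p tcp --dport $port -j DROP"
  # Everything that is not TCP/80 (the clients' DNS to 208.67.222.222, for
  # instance) is routed rather than proxied, so the LAN still needs
  # forwarding and NAT on the PPP link (requires net.ipv4.ip_forward=1).
  echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT"
  echo "iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
}

# Read rules on stdin and fail if a nat rule intercepts port 80 on anything
# but the LAN interface. On the uplink that would turn the box into an open
# proxy for anyone who reaches its public IP; on the PPPoE carrier (eth0 in
# the thread) it never matches, because the IP traffic arrives on ppp0.
lint_rules() {
  lan_if=$1 bad=0
  while IFS= read -r rule; do
    case $rule in
      *"-t nat "*"--dport 80 "*)
        case $rule in
          *"-i $lan_if "*) ;;
          *) echo "reject: port 80 intercepted off $lan_if: $rule" >&2; bad=1 ;;
        esac ;;
    esac
  done
  return $bad
}

main() {
  rules=$(build_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$PROXY_PORT")
  printf '%s\n' "$rules" | lint_rules "$LAN_IF" || return 1
  if [ "$DRY_RUN" = 1 ]; then
    echo "# squid.conf fragment:"; squid_conf "$LAN_NET" "$PROXY_PORT"
    echo "# iptables commands (not applied, DRY_RUN=1):"; printf '%s\n' "$rules"
  else
    sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$rules" | while IFS= read -r rule; do $rule; done
  fi
}
main
```

Run it as-is to review the generated configuration; DRY_RUN=0 applies the rules (iptables and sysctl need root). Only plain HTTP on TCP/80 is intercepted; HTTPS is not, which matches what the thread discusses.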
And you've been 'guided' MANY times about Squid and proxies, going back years. How much more do you need? Some of your squid questions go back to 2009...after five years, have you not gained ANY knowledge about squid? Read the documentation? http://www.linuxquestions.org/questi...-proxy-897362/ http://www.linuxquestions.org/questi...access-886470/ http://www.linuxquestions.org/questi...outing-886210/ http://www.linuxquestions.org/questi...server-882978/ http://www.linuxquestions.org/questi...server-802497/ http://www.linuxquestions.org/questi...id-acl-759767/ http://www.linuxquestions.org/questi...how-to-717091/ http://www.linuxquestions.org/questi...-squid-714291/ |
Dear TB0ne
Thanks for your reply. But let me tell you one thing: please stop answering me, because whatever you replied earlier did not work for me, so please let other experts guide me. |
soumalya, you haven't gotten back on whether my suggestions made any sense to you.
|
The guide you posted is VERY clear, and has step-by-step directions. If you still, after several years, can't follow step-by-step directions with examples, there's not much anyone can do to help you. AGAIN:
|
Dear rhoekstra
Please let me know whether I can use a dial-up connection (adsl-start) to connect to the internet, or whether I have to use a direct connection for the transparent proxy. |
So, seeing some of your above comments:
What if someone asks you about an issue with no information about it and still wants you to help? Or if you gave them lots of ideas of how to fix it and they again come back and say it won't work, so you stop helping? Here's what I do raise while referring to your post: you gave the config info, but no info on how you came to the conclusion that it's not working. What did you see and where, what logs did you refer to? |
But if you want help from the community, you're going to have to show effort of your own, and engage in the conversation. |