Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am using Fedora 9, I have compile the squid with source code, i also deleted the old RPM of squid. i then edited the squid.conf in /usr/local/squid/etc and set http_port 3128 transparent and allowed in my acl to my local network but the transparent proxy is not working. if i remove transparent proxy then squid works fine. when i try to make it transparent the squid access.log file does not show any request coming to it (no activity). i have also forwarded all the incoming traffic to squid port 3128. my port forwarding script is as under:
#squid server IP
SQUID_SERVER="192.168.5.1"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Can anybody tell me why my transparent proxy is not functional.
Thanx
Last edited by myasir_genious; 06-03-2009 at 12:45 PM.
I would look at putting all rules first then the default drop last. IP tables processes in sequential order so if it finds a drop first it drops that packet
I would look at putting all rules first then the default drop last. IP tables processes in sequential order so if it finds a drop first it drops that packet
I have done all that still not working. . I put the drop at the end but still the same condition
Last edited by myasir_genious; 06-05-2009 at 06:27 AM.
Am no expert at what you are asking but,,,transparent proxy using squid requires that you have tproxy support compiled in your kernel and i think that if ure using the stock fedora kernel it wont be there,,,so i think you need to apply tproxy patch to a supported kernel and recompile it with tproxy supprt enabled, then you'll need to patch iptables with a tproxy patch also,, i think there are only certain versions of iptables that are supported..am not up to date with the lattest stuff out there.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.