Slackware: This forum is for the discussion of Slackware Linux.
I would like some of your guys' advice on using squid and netfilter on the same box. I have read several howtos so far but none of them actually talked about this (note that by netfilter I mean firewall and SNAT).
The main downside of doing it so far, is that it seems a bit confusing as to if the proxy will be on the inside or the outside of the trusted network. Actually I can't even figure out what would be the way to direct the traffic via one program before the other. I'm sure it is possible though...
I own a spare box in a corner that's not doing anything; all it needs is a hdd and some ram, so it shouldn't be much of a problem to get it ready, but I'd prefer to have 1 computer running rather than two!!
well what kind of advice do you want? the two are totally happy together. obviously a certain set of iptables netfilter rules can bugger up a squid service, but that's just configuration logic...
Squid successfully installed and configured, I used it in manual mode and it works fine. However my main goal was to use it as a transparent proxy, and in this case it does not work.
I looked at the cache.logs as well as access.logs but there is no information there. I did enable netfilter when running configure and also typed iptables -t nat -A PREROUTING -i ath1 -p tcp --dport 80 -j REDIRECT --to-port 3128, it didn't work. I normally use shorewall to configure my iptables so also tried it this way with the same results.
In the past I have experienced problems with my iptables configuration (using shorewall again, never tried it manually) where using a policy to drop outgoing traffic to the net and adding a rule to allow tcp on port 80 out wouldn't let me browse the web. So in the end I had to change the whole policy to allow all outgoing traffic!!
No idea if this is related to my problem with squid, but my point is that I can't find out if the problem comes from squid or iptables or both.
Any help on this would be well appreciated! thanks
I've recently installed squid on a machine that I also use as a firewall, WAP. Squid works perfectly well as a manual proxy but refuses to work as a transparent proxy.
What I did:
- configured squid with the enable-linux-netfilter option
- edited the config file to add transparent next to the http_port option
- iptables -t nat -A PREROUTING -i ath1 (for madwifi) -p tcp --dport 80 -j REDIRECT --to-port 3128
- some of the options under netfilter configuration in the kernel config weren't enabled, so I rebuilt a kernel with all the netfilter options enabled
- downloaded the last iptables from netfliter
- rebuilt squid on top of it
and it still isn't working transparently, I am going through the whole squid.conf file at the moment to see if I missed something but apart from this I am sort of running out of ideas....
Also if the admins would be kind enough not to move this thread to another forum since there isn't much action in the networking forum.
ok well are you really aware of whether the packets are being redirected? you can try using an additional LOG target before the redirect itself, or just tcpdump on the interface to see what port it's being redirected to.
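The check suggested above, written out as an added example (not from the thread): the LOG rule in front of the REDIRECT rule, and a small function that reads the nat PREROUTING counters to tell whether port-80 packets from the LAN are actually hitting the REDIRECT rule. It assumes the interface ath1 and squid port 3128 from the thread; the counter output is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumptions: LAN interface ath1 and squid on port 3128, as in the thread.
LAN_IF=${LAN_IF:-ath1}
SQUID_PORT=${SQUID_PORT:-3128}

# Print the two nat rules. LOG comes first so every port-80 connection from the
# LAN is written to the kernel log before REDIRECT rewrites its destination
# port. Note: nat rules only see the first packet of each connection, so the
# counters below count new connections, not every packet.
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j LOG --log-prefix "squid-redir: "\n' "$LAN_IF"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$LAN_IF" "$SQUID_PORT"
}

# Read the output of "iptables -t nat -L PREROUTING -v -n -x" on stdin and
# print the packet counter of the REDIRECT rule for our squid port (0 if the
# rule is absent). A counter that stays at 0 while a LAN client browses means
# the rule never matches: wrong interface, wrong table, or the packet is
# dropped before it reaches nat PREROUTING. -x keeps counters as exact numbers.
redirected_pkts() {
    awk -v port="$SQUID_PORT" '
        $3 == "REDIRECT" && $0 ~ ("redir ports " port) { n += $1 }
        END { print n + 0 }'
}

# Constructed sample of counter output, as it would look after a few requests.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 LOG        tcp  --  ath1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4 prefix "squid-redir: "
      42     2520 REDIRECT   tcp  --  ath1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Run with --demo to print the rules and the parsed counter of the sample.
if [ "${1:-}" = "--demo" ]; then
    redirect_rules
    printf '%s\n' "$SAMPLE_COUNTERS" | redirected_pkts
fi
```

On the real box, feed it live output: `iptables -t nat -L PREROUTING -v -n -x | redirected_pkts` after loading the functions with `. ./redir-check.sh`, then browse from a LAN client and run it again.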
I don't know if this will help, BUT here is a link to a wiki that AlienBob setup based on our work getting dansguardian and tinyproxy configured as a web filter.
Our finished product was a transparent proxy that was used as a content filter at the school I teach at (at least until they decided to hire someone to redo everything....ugh....we have more problems now....but I digress. )
I have merged your threads as they are pretty much the same and keeping the discussion in one place is what we're all about.
Pro-Tip: If you don't like the forum your thread is in, you have 2 courses of action: post again somewhere else or report your own thread and request a move. The first is frowned upon.
Quote:
ok well are you really aware of whether the packets are being redirected? you can try using an additional LOG target before the redirect itself, or just tcpdump on the interface to see what port it's being redirected to.
No I am not. tcpdump, I've seen that package in slackware but never got to use it, that might be the right time! Is it a sniffer like ethereal? I am asking because I did use ethereal a few months back, but not extensively. Any ideas why the packets don't get redirected?
Quote:
Originally Posted by tubatodd
I don't know if this will help, BUT here is a link to a wiki that AlienBob setup based on our work getting dansguardian and tinyproxy configured as a web filter.
Our finished product was a transparent proxy that was used as a content filter at the school I teach at (at least until they decided to hire someone to redo everything....ugh....we have more problems now....but I digress. )
Thanks that's a good link!!! Unfortunately when doing ./configure for tinyproxy with all the options, the system failed a cpp check, it's not the first time this happens to me since lately I got down and dirty trying to reduce the size taken by slackware on the hdd. Well that was last night and I just reinstalled all the packages recently uninstalled, so I'm going to give it another go.
if you have ethereal (now called wireshark) then yeah that's even better if you want the gui part. tcpdump is just a simple console equivalent, useful for routers and things without x windows running.
Quote:
if you have ethereal (now called wireshark) then yeah that's even better if you want the gui part. tcpdump is just a simple console equivalent, useful for routers and things without x windows running.
Ok it was better for me then since I don't want to run X on this. Do you need ethereal to read the capture file you get from tcpdump though? I tried to open it with pico and it all came out with something unreadable...
Anyway, I have to say that I am very surprised. Packet redirection does work, what I did was to run this command on the router:
and tried again without configuring the web browser, it failed. Then I configured the browser to connect to port 80 of the router and it worked. I thought web browsers connected to port 80, actually I'm pretty sure about this.... I will do some research on this later on