RE: transparent proxy with LINUX 2.0.29 and CISCO IOS 11.1

From: Chris Keladis <chrisk@dont-contact.us>
Date: Wed, 11 Mar 1998 12:25:12 +1000

Hi Brian,

Am I reading this correctly? Aren't you redirecting traffic via ipfwadm to
port 3128, yet Squid is still listening on port 80?

Has anyone got Squid to successfully listen to _cache_ requests on port 80
when doing transparent proxy?

The reason I'd like the cache port listening on port 80 is because some of our
users have the proxy server address installed already, and we would like
the proxies to continue working for them, as well as for people with no proxy
addresses in their browsers.

Is there some firewall trickery we can use to safely use port 80 as the
cache and accelerator port?

During some mucking about with it, I did get it working, but, yes, Squid did
get into an endless loop and end up caching itself. I was just curious if
anyone has managed to get it working properly.

Thanks,

Chris.

-----Original Message-----
From: Brian [mailto:signal@shreve.net]
Sent: Wednesday, March 11, 1998 8:16 AM
To: Chuck Pitre
Cc: Squid Users
Subject: Re: transparent proxy with LINUX 2.0.29 and CISCO IOS 11.1

From signal@shreve.net Mon Feb 9 14:08:28 1998
Date: Mon, 9 Feb 1998 14:08:11 -0600 (CST)
From: Brian <signal@shreve.net>
To: jcostom@jasons.org
Subject: Cisco redirection

Here is how I have transparent proxying working for me, in an environment
where my router is a Cisco 2501 running IOS 11.1, and the Squid machine is
running Linux 2.0.33.

Many thanks to the following individuals and the squid-users list for
helping me get redirection and transparent proxying working on my
Cisco/Linux box.

Lincoln Dale
Riccardo Vratogna
Mark White
Henrik Nordstrom

First, here is what I added to my Cisco, which is running IOS 11.1. In
IOS 11.1 the route-map command is "process switched", as opposed to the
faster "fast-switched" route-map which is found in IOS 11.2 and later.
You may wish to be running IOS 11.2. I am running 11.1, and have had no
problems with my current load of about 150 simultaneous connections to
Squid:

!
interface Ethernet0
 description To Office Ethernet
 ip address 208.206.76.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 ip policy route-map proxy-redir
!
access-list 110 deny tcp host 208.206.76.44 any eq www
access-list 110 permit tcp any any eq www
route-map proxy-redir permit 10
 match ip address 110
 set ip next-hop 208.206.76.44

So basically from above you can see I added the "route-map" declaration,
and an access-list, and then turned the route-map on under int e0 "ip
policy route-map proxy-redir"

ok, so the Cisco is taken care of at this point. The host above:
208.206.76.44, is the ip number of my squid host.

My squid box runs Linux, so I had to do the following on it:

my kernel (2.0.33) config looks like this:

#
# Networking options
#
CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_SYN_COOKIES=y
# CONFIG_RST_COOKIES is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y

You will need Firewalling and Transparent Proxy turned on at a minimum.

Then some ipfwadm stuff:

# Accept all on loopback
ipfwadm -I -a accept -W lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
ipfwadm -I -a accept -P tcp -D 208.206.76.44 80
# Send all other traffic destined to port 80 to Squid on port 3128
ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128

it accepts packets on port 80 (redirected from the Cisco), and redirects
them to 3128 which is the port my squid process is sitting on. I put all
this in /etc/rc.d/rc.local

and the squid is configured as:

http_port 80
icp_port 3130
httpd_accel virtual 80
httpd_accel_with_proxy on

I am using v1.1.20 of the squid with the patch at:

http://hem.passagen.se/hno/squid/squid-1.1.20.host_and_virtual.patch

installed. You will want to install this patch if using a setup similar
to mine.

This works great. Many thanks again to all of those listed above in
helping me.

Brian

/-------------------------- signal@shreve.net -----------------------------\
| Brian Feeny | USR TC Hubs | ShreveNet Inc. (318)222-2638 |
| Network Administrator | Perl, Linux | Web hosting, online stores, |
| ShreveNet Inc. | USR Pilot | Dial-Up 14.4-56k, ISDN & LANs |
| 89 CRX DX w/MPFI, lots of |-=*:Quake:*=-| http://www.shreve.net/ |
| mods/Homepage coming soon |LordSignal/SN| Quake server: 208.206.76.47 |
\-------------------------- 318-222-2638 x109 -----------------------------/

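The two "my own IP" exceptions in Brian's setup (the deny line in access-list 110 and the ipfwadm accept for 208.206.76.44:80 placed before the redirect) are what keep the proxy from redirecting its own fetches back to itself, which is the loop Chris describes. The following is an added example, not code from either poster or from Squid: a small Python model of the router and ipfwadm decisions, parametrised so that each guard can be switched off and the resulting path traced. It uses the addresses and ports from Brian's config; CLIENT_IP and ORIGIN_IP are constructed for the example, and the model assumes Squid listens on the port ipfwadm redirects to (3128), leaving Chris's question about the posted http_port 80 as it stands. Squid's own accelerator logic is not modelled.

```python
"""Model of the transparent-proxy packet path from the thread (added example,
not from the original posts).  Router = Cisco access-list 110 + route-map
proxy-redir; proxy host = the three ipfwadm input rules."""
from dataclasses import dataclass, field
from typing import List, Optional

PROXY_IP = "208.206.76.44"      # Brian's Squid host (from the posted config)
SQUID_PORT = 3128               # port the ipfwadm '-r 3128' rule redirects to
ORIGIN_IP = "198.51.100.10"     # constructed: some remote web server
CLIENT_IP = "208.206.76.100"    # constructed: a LAN client behind the Cisco


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Result:
    terminated: bool            # False means the path never left router/proxy
    router_passes: int          # how often the router saw a packet of this flow
    squid_hops: int             # how often Squid had to open an origin fetch
    final_port: Optional[int]   # local port on the proxy the last packet hit
    events: List[str] = field(default_factory=list)


def cisco_next_hop(pkt: Packet, deny_proxy_source: bool = True) -> Optional[str]:
    """access-list 110 + route-map: forced next hop, or None for normal routing."""
    if pkt.dport != 80:
        return None                      # ACL only matches 'eq www'
    if deny_proxy_source and pkt.src == PROXY_IP:
        return None                      # 'deny tcp host 208.206.76.44 any eq www'
    return PROXY_IP                      # 'permit tcp any any eq www' -> set ip next-hop


def ipfwadm_local_port(pkt: Packet, accept_own_ip_first: bool = True) -> int:
    """Proxy host input chain, first match wins: local port the packet lands on."""
    if accept_own_ip_first and pkt.dst == PROXY_IP and pkt.dport == 80:
        return 80                        # '-a accept -P tcp -D 208.206.76.44 80'
    if pkt.dport == 80:
        return SQUID_PORT                # '-a accept -P tcp -D 0/0 80 -r 3128'
    return pkt.dport


def trace(first: Packet, deny_proxy_source: bool = True,
          accept_own_ip_first: bool = True, max_hops: int = 8) -> Result:
    """Follow one client connection.  Whenever Squid receives a redirected
    request it opens a fresh connection to the origin from PROXY_IP, and that
    packet is fed back into the model as the next hop."""
    res = Result(False, 0, 0, None)
    pkt = first
    for _ in range(max_hops):
        if pkt.src == PROXY_IP and pkt.dst == PROXY_IP:
            # Squid talking to its own host never reaches the router; the
            # '-W lo' rule accepts it untouched, so it hits the real port-80
            # listener.  (If Squid itself were that listener in accelerator
            # mode, this is where it would fetch from itself; not modelled.)
            res.events.append("loopback: delivered untouched to local port 80")
            res.terminated, res.final_port = True, 80
            return res
        res.router_passes += 1
        nh = cisco_next_hop(pkt, deny_proxy_source)
        if nh is None:
            res.events.append(f"router forwards {pkt.src}->{pkt.dst}:{pkt.dport} normally")
            res.terminated = True
            return res
        res.events.append(f"router policy-routes {pkt.src}->{pkt.dst}:{pkt.dport} via {nh}")
        port = ipfwadm_local_port(pkt, accept_own_ip_first)
        res.events.append(f"proxy host delivers it to local port {port}")
        if port != SQUID_PORT:
            res.terminated, res.final_port = True, port
            return res
        res.squid_hops += 1
        pkt = Packet(PROXY_IP, pkt.dst, 80)   # Squid's own fetch of the origin
    res.events.append("gave up: redirection loop")
    return res


if __name__ == "__main__":
    scenarios = {
        "normal, both guards on": trace(Packet(CLIENT_IP, ORIGIN_IP, 80)),
        "Cisco deny line removed": trace(Packet(CLIENT_IP, ORIGIN_IP, 80),
                                         deny_proxy_source=False),
        "browser pointed at proxy:80": trace(Packet(CLIENT_IP, PROXY_IP, 80)),
        "own-IP ipfwadm rule removed": trace(Packet(CLIENT_IP, PROXY_IP, 80),
                                             accept_own_ip_first=False),
    }
    for name, r in scenarios.items():
        print(f"== {name}: terminated={r.terminated} passes={r.router_passes} "
              f"squid_hops={r.squid_hops} final_port={r.final_port}")
        for e in r.events:
            print("   ", e)
```

With both guards in place a client's request crosses the router twice (once to be redirected, once as Squid's fetch, which the deny line lets through untouched). Dropping the deny line on the Cisco turns every Squid fetch into another redirection and the trace never terminates; dropping the own-IP ipfwadm rule sends explicitly configured clients through the 3128 redirect and then back to the host's own port 80 over loopback, which is the path on which a port-80 Squid in accelerator mode ends up talking to itself.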
Received on Tue Mar 10 1998 - 17:34:27 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:14 MST