There was a mistake in my posting: the squid http_port should read 3128
instead of port 80 if you are following my config exactly.
On Fri, 13 Mar 1998, Enric wrote:
> Hello,
> 
> I have read the thread about "Transparent proxy with Linux 2.0.29 and 
> CISCO IOS 11.1", and in particular the message from Brian 
> [mailto:signal@shreve.net].
> 
> We have the same configuration as Brian:
> 
> squid 1.1.20 on a Linux (RH 5.0) box, kernel version 2.0.33, and a router 
> from 3Com (NetBuilder II) (not Cisco, as Brian has).
> The Linux kernel is configured the same way Brian says.
> Also, the same lines for ipfwadm and the same squid.conf parameters.
> 
> We have some subnets defined (I don't know if Brian does too) and the _problem 
> is here_ (I think).
> 
> The following scheme shows some of our subnets:
> 
>  Subnet:  150.128.120.0 / 24
> /---------------------------\
>   +-------+                    +-------------+
>   | pipa  |--------------------|  NetBuilder |-----> To Internet
>   +-------+                    +-------------+ 
> 150.128.120.11                      |
>                                     |
>          +--------------------------+
>          |               |
>       +-------+      +-------+
>       | Squid |      | Conto |
>       +-------+      +-------+
>     150.128.98.17  150.128.98.13
> \--------------------------------/
>   Subnet:   150.128.98.0 / 24 
>   
>             
> - The NetBuilder permits outgoing traffic from 150.128.98.17/32 and redirects the 
>   www traffic from the 150.128.120.0 and 150.128.98.0 subnets to the Squid box 
>   (150.128.98.17).
> 
> - The IP firewall installed on the Linux box redirects the www traffic to 
>   its local port 3128 (the Squid software is listening on this port).
> 
> 
> The results are:
> 
> - From the 150.128.98.0/24 subnet everything works fine (the browsers with 
>   direct connections and the Squid software).
> 
> - From the 150.128.120.0/24 subnet it does not. The Opera (3.0 demo version) browser 
>   seems to work fine. Netscape (4.04) and IE (4.0) do not. The data seems to
>   reach the Squid box (sometimes) but does not return to the client 
>   browsers. And sometimes no data seems to arrive at Squid at all.
>   The error Netscape gives is: "A network error occurred while Netscape was 
>   receiving data. Network error: connection reset by peer." And in the Squid
>   access.log file lines appear showing the connection is made 
>   (TCP_MISS, GET and DIRECT). When I click on the OK button on the previous
>   error message, the browser seems to continue receiving data, but finally
>   the connection finishes and the data is not totally retrieved.
>   If I then click the reload button, TCP_CLIENT_REFRESH, GET and DIRECT appear 
>   in the access log and it seems to get some chunks of data.
>   When I try again later, I only receive the error message and no data 
>   is received.
>   
>   This is strange behaviour. I can say it does not work at all.
> 
> In short:
> 
> from the clients on the same subnet as the Squid box it works OK, and 
> from any other subnet it does not.
> 
> Please, can someone help me?
> Thank you.
> 
> -----Original Message----
> From: Brian [mailto:signal@shreve.net]
> Sent: Wednesday, March 11, 1998 8:16 AM
> To: Chuck Pitre
> Cc: Squid Users
> Subject: Re: transparent proxy with LINUX 2.0.29 and CISCO IOS 11.1
> 
> 
> Here is how I have Transparent proxying working for me, in an environment
> where my router is a Cisco 2501 running IOS 11.1, and Squid machine is
> running Linux 2.0.33.
> 
> Many thanks to the following individuals and the squid-users list for
> helping me get redirection and transparent proxying working on my
> Cisco/Linux box.
> 
> Lincoln Dale 
> Riccardo Vratogna
> Mark White 
> Henrik Nordstrom 
> 
> First, here is what I added to my Cisco, which is running IOS 11.1. In
> IOS 11.1 the route-map command is "process switched" as opposed to the
> faster "fast-switched" route-map which is found in IOS 11.2 and later.
> You may wish to be running IOS 11.2. I am running 11.1, and have had no
> problems with my current load of about 150 simultaneous connections to
> squid:
> 
> !
> interface Ethernet0
> description To Office Ethernet
> ip address 208.206.76.1 255.255.255.0
> no ip directed-broadcast
> no ip mroute-cache
> ip policy route-map proxy-redir
> !
> access-list 110 deny tcp host 208.206.76.44 any eq www
> access-list 110 permit tcp any any eq www
> route-map proxy-redir permit 10
> match ip address 110
> set ip next-hop 208.206.76.44
> 
> So basically from the above you can see I added the "route-map" declaration
> and an access-list, and then turned the route-map on under int e0 with "ip
> policy route-map proxy-redir".
> 
> OK, so the Cisco is taken care of at this point. The host above,
> 208.206.76.44, is the IP number of my squid host.
> 
> My squid box runs Linux, so I had to do the following on it:
> 
> my kernel (2.0.33) config looks like this:
> 
> #
> # Networking options
> #
> CONFIG_FIREWALL=y
> # CONFIG_NET_ALIAS is not set
> CONFIG_INET=y
> CONFIG_IP_FORWARD=y
> CONFIG_IP_MULTICAST=y
> CONFIG_SYN_COOKIES=y
> # CONFIG_RST_COOKIES is not set
> CONFIG_IP_FIREWALL=y
> # CONFIG_IP_FIREWALL_VERBOSE is not set
> CONFIG_IP_MASQUERADE=y
> # CONFIG_IP_MASQUERADE_IPAUTOFW is not set
> CONFIG_IP_MASQUERADE_ICMP=y
> CONFIG_IP_TRANSPARENT_PROXY=y
> CONFIG_IP_ALWAYS_DEFRAG=y
> # CONFIG_IP_ACCT is not set
> CONFIG_IP_ROUTER=y
> 
> You will need Firewalling and Transparent Proxy turned on at a minimum.
> 
> Then some ipfwadm stuff:
> 
> # Accept all on loopback
> ipfwadm -I -a accept -W lo
> # Accept my own IP, to prevent loops (repeat for each interface/alias)
> ipfwadm -I -a accept -P tcp -D 208.206.76.44 80
> # Send all traffic destinated to port 80 to Squid on port 3128
> ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128
> 
> It accepts packets on port 80 (redirected from the Cisco) and redirects
> them to 3128, which is the port my squid process is sitting on. I put all
> this in /etc/rc.d/rc.local.
> 
> and the squid is configured as:
> 
> http_port 80
> icp_port 3130
> httpd_accel virtual 80
> httpd_accel_with_proxy on
> 
> I am using v1.1.20 of the squid with the patch at:
> 
> http://hem.passagen.se/hno/squid/squid-1.1.20.host_and_virtual.patch
> 
> installed. You will want to install this patch if using a setup similar
> to mine.
> 
> This works great. Many thanks again to all of those listed above in
> helping me.
> 
> Brian
> 
> /-------------------------- signal@shreve.net -----------------------------\
> | Brian Feeny                | USR TC Hubs | ShreveNet Inc. (318)222-2638  |
> | Network Administrator      | Perl, Linux | Web hosting, online stores,   |
> | ShreveNet Inc.             |  USR Pilot  | Dial-Up 14.4-56k, ISDN & LANs |
> | 89 CRX DX w/MPFI, lots of  |-=*:Quake:*=-| http://www.shreve.net/        |
> | mods/Homepage coming soon  |LordSignal/SN| Quake server: 208.206.76.47   |
> \-------------------------- 318-222-2638 x109 -----------------------------/
> 
> Enric Navarro Sanchis. Systems Analyst. http://nti.uji.es/~navarro
> 		| Do Not Buy Ivory   |
> 		| Ivory Belongs Only |  (And Walrus Also)
> 		| To Elephants       |
> 
> 
/-------------------------- signal@shreve.net -----------------------------\
| Brian Feeny                | USR TC Hubs | ShreveNet Inc. (318)222-2638  |
| Network Administrator      | Perl, Linux | Web hosting, online stores,   |
| ShreveNet Inc.             |  USR Pilot  | Dial-Up 14.4-56k, ISDN & LANs |
| 89 CRX DX w/MPFI, lots of  |-=*:Quake:*=-| http://www.shreve.net/        |
| mods/Homepage coming soon  |LordSignal/SN| Quake server: 208.206.76.47   |
\-------------------------- 318-222-2638 x109 -----------------------------/
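The two loop-prevention rules in Brian's setup (the "deny tcp host 208.206.76.44" line at the top of access-list 110, and the "accept ... -D 208.206.76.44 80" line placed before the catch-all redirect in the ipfwadm input chain) only work because both the IOS access-list and the ipfwadm chain are first-match. Without the Cisco deny line, Squid's own DIRECT fetches to origin servers would be policy-routed straight back to the Squid host and redirected into port 3128 again; and with http_port left at 80 while ipfwadm redirects to 3128 (the mistake corrected at the top of this message), redirected client connections land on a port nothing listens on. The following is an added example, not code from Brian's or Enric's posts: a small Python model of the router and proxy host that traces one packet through access-list 110, route-map proxy-redir and the ipfwadm input chain. It assumes policy routing forwards the packet with its destination address unchanged (it is not NAT), that the ipfwadm input chain's default policy is accept, and that the client and origin addresses below are constructed for illustration.

```python
"""Model of the Cisco route-map + Linux ipfwadm redirect from Brian's post.

Added example, not from the original thread.  Both the IOS access-list and the
ipfwadm input chain are evaluated first-match, which is what makes the two
loop-prevention rules work.  Client/origin addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SQUID_IP = "208.206.76.44"   # Squid host from Brian's post
SQUID_PORT = 3128            # port Squid listens on (Brian's corrected http_port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# --- Cisco side: access-list 110 and route-map proxy-redir --------------------
# (action, proto, src_net, dst_net, dport); first match wins, implicit deny at end.
ACL_110 = [
    ("deny",   "tcp", ip_network(SQUID_IP + "/32"), ip_network("0.0.0.0/0"), 80),
    ("permit", "tcp", ip_network("0.0.0.0/0"),      ip_network("0.0.0.0/0"), 80),
]


def acl_match(acl, pkt):
    """True if the ACL permits the packet (first matching entry decides)."""
    for action, proto, src, dst, dport in acl:
        if (pkt.proto == proto and ip_address(pkt.src) in src
                and ip_address(pkt.dst) in dst and pkt.dport == dport):
            return action == "permit"
    return False  # implicit "deny any"


def route_map_next_hop(pkt, acl=ACL_110):
    """'set ip next-hop' fires only for packets the match clause permits."""
    return SQUID_IP if acl_match(acl, pkt) else None


# --- Linux side: ipfwadm -I input chain, first match wins ---------------------
# (dst_net, dport, redirect_port or None).  Brian's rules, loopback omitted.
IPFWADM_INPUT = [
    (ip_network(SQUID_IP + "/32"), 80, None),        # own IP: accept, no redirect
    (ip_network("0.0.0.0/0"),      80, SQUID_PORT),  # everything else: -r 3128
]


def ipfwadm_input(pkt, rules=IPFWADM_INPUT):
    """Local port the packet is delivered to after the input chain."""
    for dst, dport, redirect in rules:
        if pkt.proto == "tcp" and ip_address(pkt.dst) in dst and pkt.dport == dport:
            return redirect if redirect is not None else pkt.dport
    return pkt.dport  # assumed default policy: accept


def path(pkt, acl=ACL_110, rules=IPFWADM_INPUT, squid_port=SQUID_PORT):
    """Trace one packet; returns (next_hop, delivered_port, status).

    status: "direct"     router forwards normally (no next-hop set)
            "proxied"    redirected onto the port Squid listens on
            "local"      own-IP rule hit: delivered to the host's real port
            "loop"       Squid's own outbound fetch came back to Squid
            "unlistened" redirected to a port Squid is not listening on
    """
    nh = route_map_next_hop(pkt, acl)
    if nh is None:
        return (None, None, "direct")
    port = ipfwadm_input(pkt, rules)   # dst address unchanged: policy routing, not NAT
    if pkt.src == SQUID_IP:
        return (nh, port, "loop")
    if ip_address(pkt.dst) == ip_address(SQUID_IP) and port == pkt.dport:
        return (nh, port, "local")
    return (nh, port, "proxied" if port == squid_port else "unlistened")


if __name__ == "__main__":
    client = Packet("208.206.76.10", "198.51.100.7", 80)  # constructed LAN client
    fetch = Packet(SQUID_IP, "198.51.100.7", 80)          # Squid going DIRECT
    print(path(client))                  # ('208.206.76.44', 3128, 'proxied')
    print(path(fetch))                   # (None, None, 'direct')
    print(path(fetch, acl=ACL_110[1:]))  # deny line removed: loop
    print(path(client, squid_port=80))   # original http_port 80: unlistened
```

Run it as a script to see the four cases; the last two reproduce the two configuration mistakes the thread warns about, and each is fixed by a single line (the ACL deny entry, or http_port 3128).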
Received on Fri Mar 13 1998 - 06:46:52 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:21 MST