[squid-users] Transparent proxy using Policy Route Maps

From: Mark Tinka <aknit44@dont-contact.us>
Date: Fri, 17 Aug 2001 02:40:05 -0700 (PDT)

hey list...

I am trying to set up my Squid server for transparent proxying, using Cisco's ip policy route-map, but without much luck...

I have set up my squid.conf as follows:

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I have set up my Cisco router as follows:

interface Ethernet0
 ip address 1.1.1.1 255.255.255.0
 ip policy route-map proxy-redir
!
access-list 102 permit tcp 1.1.1.0 0.0.0.255 any eq www
route-map proxy-redir permit 20
 match ip address 102
 set ip default next-hop 1.1.1.3
!

I have set up my Linux firewall as follows:

$IPCHAINS -I input -s 0/0 80 -p tcp -l -i $OUTERIF -j REDIRECT 3128

When I enable the firewall like this, even before configuring the Cisco router, I get these logs from my firewall:

Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 216.136.131.247:80 1.1.1.3:3820 L=219 S=0x00 I=43593 F=0x4000 T=50 (#1)

Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 216.136.173.148:80 1.1.1.3:3816 L=426 S=0x00 I=2926 F=0x4000 T=50 (#1)

Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 209.52.22.52:80 1.1.1.3:3785 L=1500 S=0x00 I=65002 F=0x4000 T=51 (#1)

Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 198.5.142.82:80 1.1.1.3:3499 L=52 S=0x00 I=6923 F=0x4000 T=56 (#1)

Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 198.5.142.82:80 1.1.1.3:3499 L=52 S=0x00 I=6924 F=0x4000 T=56 (#1)

Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 64.4.43.7:80 1.1.1.3:3821 L=206 S=0x00 I=9361 F=0x0000 T=109 (#1)

But when I enable the Cisco router's ip policy route-map directive, this is what I get on my firewall:

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3251 192.249.77.233:80 L=48 S=0x00 I=30878 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3250 192.218.138.189:80 L=48 S=0x00 I=30879 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3399 130.18.92.213:80 L=48 S=0x00 I=30880 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3400 192.168.240.243:80 L=48 S=0x00 I=30881 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3114 192.168.141.237:80 L=48 S=0x00 I=30882 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3115 192.242.47.211:80 L=48 S=0x00 I=30883 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3402 192.168.199.98:80 L=48 S=0x00 I=30884 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3403 192.168.166.64:80 L=48 S=0x00 I=30885 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3404 192.168.244.119:80 L=48 S=0x00 I=30886 F=0x4000 T=127 SYN (#39)

Aug 18 12:15:06 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3405 192.110.250.31:80 L=48

As you can see, the router sends the port 80 destined packets back to the Squid server, but the Squid server denies them access... Do you think this could be why the transparent proxy setting is not working? As you can see above, the source packet is from one of my users on my network, IP 1.1.1.163... I already have a line in my firewall rules allowing my entire net [1.1.1.0/24] access to my Squid server, and also an ACL in squid.conf allowing access...

Anyone have any idea what could be wrong? All help appreciated... thanks.

AKNIT

Received on Fri Aug 17 2001 - 03:40:07 MDT
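An added diagnostic for the question above (example code, not from the original post and not part of Squid or ipchains): it parses ipchains "Packet log:" lines in the format quoted in the post and classifies each TCP packet as a client request (destination port 80) or a web server's reply (source port 80). Transparent proxying needs the client requests to hit REDIRECT; the sample lines, constructed to mirror the post's, show REDIRECT matching only replies while the clients' SYNs to port 80 fall through to a DENY, which is the pattern a rule that selects on the source port rather than the destination port produces.

```python
import re

# Constructed sample lines, modelled on the ipchains "Packet log:" format quoted in the post
SAMPLE_LOG = """\
Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 216.136.131.247:80 1.1.1.3:3820 L=219 S=0x00 I=43593 F=0x4000 T=50 (#1)
Aug 18 12:28:14 cache kernel: Packet log: input REDIRECT 3128 eth0 PROTO=6 64.4.43.7:80 1.1.1.3:3821 L=206 S=0x00 I=9361 F=0x0000 T=109 (#1)
Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3251 192.249.77.233:80 L=48 S=0x00 I=30878 F=0x4000 T=127 SYN (#39)
Aug 18 12:15:05 cache kernel: Packet log: input DENY eth0 PROTO=6 1.1.1.163:3399 130.18.92.213:80 L=48 S=0x00 I=30880 F=0x4000 T=127 SYN (#39)
"""

# One ipchains record: chain, target (REDIRECT carries its port), interface, 5-tuple, TCP flags, rule number
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+)(?: (?P<to_port>\d+))? (?P<iface>\w+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()          # to_port stays None for targets other than REDIRECT
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()
    # A TCP packet *to* port 80 is a client request; one *from* port 80 is a web server's reply
    rec["direction"] = ("client->web" if rec["dport"] == 80
                        else "web->client" if rec["sport"] == 80 else "other")
    return rec

def summarise(log_text):
    """Count (target, direction) pairs, so it is visible which side of the flow each rule matched."""
    counts = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["proto"] == 6:  # TCP only
            key = (rec["target"], rec["direction"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def diagnose(log_text):
    """Transparent proxying needs client->web SYNs to hit REDIRECT; say what the log shows instead."""
    counts = summarise(log_text)
    redirected = counts.get(("REDIRECT", "client->web"), 0)
    denied = counts.get(("DENY", "client->web"), 0)
    if not redirected and counts.get(("REDIRECT", "web->client"), 0) and denied:
        return "REDIRECT matches source port 80 (server replies); client SYNs to port 80 fall through to DENY"
    if redirected and not denied:
        return "REDIRECT matches client requests to port 80"
    return "inconclusive"
```

Running `diagnose()` over the real kernel log, rather than the constructed sample, tells you whether the REDIRECT rule is catching the clients' outbound requests or only the servers' replies before touching the router configuration.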
