Re: [squid-users] Quickbooks updates and Squid

From: Brian <signal@dont-contact.us>
Date: Mon, 1 Oct 2001 18:58:48 -0500 (CDT)

On Tue, 2 Oct 2001, Henrik Nordstrom wrote:

> Brian wrote:
>
> > Yes, I checked that, and tried to compile with the support. I tried
> > ipchains and also got the same results.
>
> So what kernel are you actually using?

Linux constellation 2.4.3-12 #1 Fri Jun 8 15:05:56 EDT 2001 i686 unknown

>
> Please note that when using ipchains on Linux-2.4 it is still netfilter
> and thus still requires Squid to be compiled with support for netfilter.
> The fact that it looks like the old ipchains does not make the kernel
> implementation identical to ipchains on Linux-2.2, in fact there are
> rather subtle differences, especially for traffic interception (REDIRECT
> target).

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And squid is configured with:

%configure \
   --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
   --localstatedir=/var --sysconfdir=/etc/squid \
   --enable-poll --enable-snmp --enable-heap-replacement \
   --enable-delay-pools --enable-linux-netfilter

Here is something for concern though. I grepped the entire source tree of
squid and found nothing that hit on "netfilter". So that leaves me
wondering a) did I spell/name the configure directive wrong or b) is it
just not supported in my 2.4 source tree?

>
> > I will recheck everything. Been running squid for years under linux in
> > transparent proxy mode. True, I am new to ipfilter, but I don't believe
> > the config is wrong, but I will verify everything.
>
> If you are using Linux-2.4 with iptables or any of the ipchains/ipfwadm
> backward compatibility modules then Squid MUST be compiled with support
> for netfilter, or it won't find the correct destination address on
> requests not having a Host header. Support for Linux netfilter is only
> available in Squid-2.4 or later. Squids earlier than Squid-2.4 require
> some patching for Linux netfilter support. (no, I do not have the
> required patch)

Well, I am using squid 2.3 so that appears to be my problem :/. Ok, so I
have pulled down Red Hat's rawhide 2.4, which has netfilter in its
configure by default, and I am rebuilding as I type. Thanks for helping
me with this!

>
> If you are using Linux-2.2 with ipchains then no special compile-time
> options are required. All the details of transparent proxying are "hidden"
> by the kernel, making the application think that it can accept requests
> for anyone (well.. actually it can, so...)

Brian

>
> Regards
> Henrik Nordström
> Squid Hacker
>

-----------------------------------------------
Brian Feeny, CCIE #8036 email:signal@shreve.net
Network Engineer phone:318.222.2638x109
ShreveNet Inc. fax: 318.221.6612
Received on Mon Oct 01 2001 - 17:58:51 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:35 MST
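
Added example, not part of the original thread and not Squid's own code: a C sketch of the lookup an intercepting proxy has to make on Linux 2.4 netfilter, where the address the client dialled before the REDIRECT rule is only available through the SO_ORIGINAL_DST socket option and getsockname() returns just the proxy's own address. The helper names original_dst and loopback_demo are hypothetical, and the self-check uses a constructed loopback connection with no REDIRECT rule in place.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* same value as in <linux/netfilter_ipv4.h> */
#endif

/* Hypothetical helper: fill *dst with the destination the client dialled on
 * the accepted socket fd. Returns 1 if netfilter conntrack supplied it, 0 if
 * we fell back to getsockname() (after REDIRECT that is only the proxy's own
 * address, which is what a build without netfilter support sees), -1 on error. */
int original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len) == 0)
        return 1;
    len = sizeof(*dst);
    return getsockname(fd, (struct sockaddr *)dst, &len) == 0 ? 0 : -1;
}

/* Constructed self-check: accept one loopback connection and return the port
 * original_dst() reports; *want receives the listener's real port. With no
 * NAT involved both lookups must agree. */
int loopback_demo(int *want)
{
    struct sockaddr_in a = { .sin_family = AF_INET }, got;
    socklen_t len = sizeof(a);
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    int fd = -1, rc = -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (ls >= 0 && cs >= 0 && bind(ls, (struct sockaddr *)&a, sizeof(a)) == 0 &&
        listen(ls, 1) == 0 && getsockname(ls, (struct sockaddr *)&a, &len) == 0 &&
        connect(cs, (struct sockaddr *)&a, sizeof(a)) == 0 &&
        (fd = accept(ls, NULL, NULL)) >= 0)
        rc = original_dst(fd, &got);
    close(fd); close(cs); close(ls);
    *want = ntohs(a.sin_port);
    return rc < 0 ? -1 : ntohs(got.sin_port);
}

int main(void)
{
    int want = 0, got = loopback_demo(&want);
    printf("listener port %d, original_dst() reported %d\n", want, got);
    return got == want ? 0 : 1;
}
```

On a box with the REDIRECT rule from the message active, a return value of 1 with a port 80 destination shows conntrack is supplying the original address; a return value of 0 means only the redirected (proxy) address is visible.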