Re: [squid-users] Transparent Proxy & IPTables

From: Squid Support (Henrik Nordstrom) <hno@dont-contact.us>
Date: Wed, 15 May 2002 15:56:21 +0200

Should work (except for the issue mentioned in my previous reply), but you
may need to disable ICMP REDIRECT for the eth0 interface on the firewall.

But also verify your firewalling rules. Perhaps your firewall rules do not
allow "My network" to talk to "Squid".

Regards
Henrik

Tiago Fioreze wrote:
> Hi everybody !!!
>
> I have one problem with my project and I would like some help.
>
> I'm implementing transparent proxy in my network. I'm using
> SQUID and IPtables for this.
>
> The scenario:
> |----------|  eth1|----------|eth0              |------------|
> | Internet |------| Firewall |--------|---------| My Network |
> |----------|      |----------|        |         |------------|
>                                       |
>                                   |-------|
>                                   | SQUID |
>                                   |-------|
>
> The idea (project):
>
> The users in my network must access http through squid instead
> of directly.
>
> The rules:
>
> --> SQUID:
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_single_host off
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> --> IPTables:
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp
> --dport 80 -j DNAT --to squid-box:8080
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0
> -p tcp --dport 8080 -j ACCEPT
>
>
> The problem:
>
> The iptables changes the destination (from anywhere:80 to
> squid-box:8080), but the SQUID didn't receive any packets on port 8080.
>
> Ps.: If I add, between the rules of the IPTables, the rule below:
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d
> squid-box -j SNAT --to iptables-box
>
> the transparent proxy works very well, but my squid only receives
> connections from the firewall (because of the rule above). So, I don't have
> control (by squid) of what my users are accessing on the internet.
>
> Can somebody help me ?
>
> Thanks in advance,
>
> Tiago Fioreze
>
> ********************************************
> *          Network Administrator           *
> *                                          *
> *     Núcleo de Ciência da Computação      *
> *   Universidade Federal de Santa Maria    *
> * Santa Maria - Rio Grande do Sul - Brasil *
> ********************************************

-- 
Basic free Squid support provided thanks to MARA Systems AB
Your source of advanced reverse proxy solutions or customized
Squid solutions. http://www.marasystems.com/products/
Received on Wed May 15 2002 - 07:56:25 MDT
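
One way to carry out the "verify your firewalling rules" step from the reply above, as an added example that is not part of the original thread: it reads `iptables-save -c` counters and reports when port-80 traffic is being redirected but the FORWARD ACCEPT rule towards Squid never matches. The ruleset, the addresses standing in for local-network and squid-box, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `iptables-save -c` format: each rule is prefixed with
# [packets:bytes]. 192.168.1.10 stands in for squid-box; the FORWARD rule's
# source network (10.0.0.0/24) deliberately does not cover the clients.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
[42:2520] -A PREROUTING ! -s 192.168.1.10/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
COMMIT
*filter
:FORWARD DROP [42:2520]
[0:0] -A FORWARD -s 10.0.0.0/24 -d 192.168.1.10/32 -i eth0 -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# hits CHAIN TARGET: sum of packet counters of CHAIN rules jumping to TARGET.
hits() {
    awk -v chain="$1" -v target="$2" '
        $2 == "-A" && $3 == chain {
            for (i = 4; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) {
                    split(substr($1, 2), c, ":"); n += c[1]
                }
        }
        END { print n + 0 }'
}

# policy_drops CHAIN: packets that fell through to a DROP policy on CHAIN.
policy_drops() {
    awk -v chain=":$1" '
        $1 == chain && $2 == "DROP" { split(substr($3, 2), c, ":"); n = c[1] }
        END { print n + 0 }'
}

# diagnose: reads a ruleset on stdin and compares redirected vs. forwarded packets.
diagnose() {
    rules=$(cat)
    dnat=$(printf '%s\n' "$rules" | hits PREROUTING DNAT)
    fwd=$(printf '%s\n' "$rules" | hits FORWARD ACCEPT)
    drop=$(printf '%s\n' "$rules" | policy_drops FORWARD)
    if [ "$dnat" -gt 0 ] && [ "$fwd" -eq 0 ]; then
        echo "redirected=$dnat forwarded=0 policy_drops=$drop: FORWARD ACCEPT never matches"
    else
        echo "redirected=$dnat forwarded=$fwd policy_drops=$drop"
    fi
}

sample_ruleset | diagnose   # on the firewall itself: iptables-save -c | diagnose
```

The other suggestion in the reply, disabling ICMP redirects on eth0, corresponds on Linux to setting `net.ipv4.conf.eth0.send_redirects` to 0; `net.ipv4.conf.all.send_redirects` must also be 0, because the kernel sends redirects if either one is enabled.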
