RE: [squid-users] Transparent Proxying from a Cisco

From: David Norton <davidn@dont-contact.us>
Date: Tue, 18 Jun 2002 21:06:25 +0200

Hi,

I'm no expert, but I have got it working before, except that my Yahoo
and Hotmail stuff still doesn't work. Here is what I can help with.

I presume you are running Linux of some sort and not FreeBSD. The setup
is slightly different depending on your kernel version, either 2.2 or
2.4. I'm running on 2.2 and this is the setup I have.

        http_port 3128
        httpd_accel_host virtual
        httpd_accel_port 80
        httpd_accel_with_proxy on
        httpd_accel_uses_host_header on

Also, on the same machine, this is the output of ipchains -L

hansa:/etc# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source                  destination    ports
ACCEPT     tcp  ------  hansa                   anywhere       any ->   www
ACCEPT     tcp  ------  mymachine.myhost.co.za  anywhere       any ->   www
REDIRECT   tcp  ------  anywhere                anywhere       any ->   www => 3128
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Although the last redirect doesn't really make sense to me, because the
packets have already been redirected on the firewall / router, if it's
not there, it doesn't work. Hansa and mymachine.myhost.co.za are the
same machine.

I'm using a FreeBSD machine to do all the routing, so I can't help on the
routing side of it.

Hope this helps in any way.

Regards

David Norton

-----Original Message-----
From: Mark.H.Price@AOC.STATE.NC.US [mailto:Mark.H.Price@AOC.STATE.NC.US]

Sent: 18 June 2002 05:35 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Transparent Proxying from a Cisco

Hello list. I am looking for some help.

I have configured a squid proxy with:

httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I set http_port to 80, and on the Cisco router that is the gateway for
the 10.91.254.0/24 network, we added:

route-map proxy-redirect permit 10
match ip address 110
set ip next-hop 10.91.254.24

(10.91.254.24 is the squid proxy)

access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 10.91.254.24 any
access-list 110 permit tcp any any

interface ethernet2/1
ip policy route-map proxy-redirect

But, when we tried to surf, the transparent proxy did not work for users
on the 10.91.254.0/24 network. Any website we tried to access got no
response.

I also tried moving the squid http_port to 3128, enabling ip_forward
in /proc/sys/net/ipv4 and using the iptables rule mentioned in part 17
of the FAQ to redirect port 80 to 3128. This didn't work either.

Most of the documentation I have read only deals with a proxy
that is on the same machine as the gateway machine. We want to keep
our Cisco router as the gateway for the network. We are testing this,
and we want to deploy this configuration for about 3000+ users.

I guess the next step if this doesn't work is to try WCCP.

Any insight, suggestions, or comments would be appreciated!!

Thanks

Mark
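As an added illustration (not code from either message), here is a small first-match evaluator for the route-map's access-list 110 as quoted above, run over constructed sample flows (203.0.113.0/24 is documentation address space). It shows why the second entry, the one excluding the proxy host, matters: without it the proxy's own outbound fetches to port 80 would be policy-routed straight back to itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_neq: Optional[int] = None  # "neq www": entry matches only when dport != 80

ANY = ipaddress.ip_network("0.0.0.0/0")
SQUID_HOST = ipaddress.ip_network("10.91.254.24/32")  # the proxy address from the thread

# The three entries of access-list 110, in the order the router evaluates them.
ACL_110 = [
    AclEntry("deny", ANY, ANY, dport_neq=80),   # deny   tcp any any neq www
    AclEntry("deny", SQUID_HOST, ANY),          # deny   tcp host 10.91.254.24 any
    AclEntry("permit", ANY, ANY),               # permit tcp any any
]

def entry_matches(entry: AclEntry, src: str, dst: str, dport: int) -> bool:
    if ipaddress.ip_address(src) not in entry.src:
        return False
    if ipaddress.ip_address(dst) not in entry.dst:
        return False
    if entry.dport_neq is not None and dport == entry.dport_neq:
        return False
    return True

def policy_routed(src: str, dst: str, dport: int, acl: List[AclEntry] = ACL_110) -> bool:
    """True when the ACL permits the flow, i.e. the route-map would set
    next-hop to the proxy. First matching entry wins; a Cisco ACL ends in an
    implicit deny, so an unmatched packet keeps its normal route."""
    for entry in acl:
        if entry_matches(entry, src, dst, dport):
            return entry.action == "permit"
    return False

if __name__ == "__main__":
    # Constructed sample flows: a client, the proxy itself, and a non-www port.
    for src, dst, port in [("10.91.254.10", "203.0.113.5", 80),
                           ("10.91.254.24", "203.0.113.5", 80),
                           ("10.91.254.10", "203.0.113.5", 443)]:
        route = "proxy" if policy_routed(src, dst, port) else "normal route"
        print(f"{src} -> {dst}:{port}  {route}")
```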
Received on Tue Jun 18 2002 - 13:33:26 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:43 MST