Re: [squid-users] transparent proxy

From: Jan Humme <jan.humme@dont-contact.us>
Date: Mon, 19 Aug 2002 20:46:12 +0200

On Monday 19 August 2002 14:53, PayalR wrote:
> Hi all,
> I want to use squid as a transparent proxy. So, I read a few docs
> including white paper of visolve and did accordingly. I use Mandrake Linux
> 8.2 with default kernel 2.4.18-6mdk.
>
> Here are the steps I followed.
> 1. I installed squid-2.4.STABLE1 using tar.gz with options
> ./configure --enable-linux-netfilter
> [ here I found that makefile created with ./configure
> --enable-linux-netfilter and just ./configure didn't have any difference ]
>
> 2. I edited the squid.conf properly to suit my requirements and started
> squid. It was working properly, a fact which I saw from access.log.

Just in case (so this is 100% clear to me): did you verify that squid was in
fact running properly, e.g. by configuring another PC in the network to use
this PC as a proxy server (non-transparent proxying)?

If so: the problem seems to be with netfilter.

> 3. Then,
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
>
> 4. My rules were correct which was verified by,
> #iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

Looks all perfectly OK to me.

> 5. Then I tried to browse without setting the cache in browser (links)
> settings. I could browse alright, but squid's logs were not getting filled.
> That meant squid was not being used.

So the first thing to figure out is:
=> is the problem with netfilter, or
=> is the problem with squid

Now assuming that you have verified that squid is running properly as a
non-transparent proxy server, add some logging rules to see if your rule is
being used, e.g.

iptables -t nat -I PREROUTING -j LOG --log-prefix "Before proxy redirect: "
iptables -t nat -A PREROUTING -j LOG --log-prefix "After proxy redirect: "

Try to connect to a web site and monitor your syslog (e.g. "tail -f
/var/log/messages") to see where the packets go.

Oh, yes: before doing all of this, type "cat /proc/sys/net/ipv4/ip_forward"
to check this kernel parameter; and remember that in many Linux flavors (eg.
RH7.x) it will be reset to 0 every time the system is rebooted or the network
is brought down!

JH.
Received on Mon Aug 19 2002 - 12:46:15 MDT
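The two LOG rules Jan suggests bracket the REDIRECT rule in the nat PREROUTING chain, so what the syslog lines tell you depends on a detail the message does not spell out: REDIRECT is a terminating target, so a port-80 SYN that was redirected shows up under the "Before proxy redirect:" prefix only, while one that also reaches "After proxy redirect:" slipped past the rule. The script below is an added example (not code from this thread, from squid or from netfilter) that reads such lines and turns them into a verdict. It assumes the kernel LOG target's usual "KEY=value" field layout (IN=, SRC=, DST=, PROTO=, SPT=, DPT=), the exact log prefixes used above, and that the nat table logs only the first packet of each connection; the sample log lines are constructed for the example.

```python
"""Diagnose a transparent-proxy REDIRECT from kernel LOG output.

Added example for the squid-users thread above; not code from the thread,
from squid or from netfilter.  Assumes the two LOG rules with the prefixes
"Before proxy redirect: " and "After proxy redirect: " sit before and after
the REDIRECT rule in the nat PREROUTING chain.
"""
import re

# The kernel LOG target writes space-separated KEY=value fields; flags such
# as "DF" or "SYN" carry no "=" and are ignored by this pattern.
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
_STAGE = re.compile(r"(Before|After) proxy redirect: (.*)")

# Constructed sample syslog lines (assumed layout of the ipt_LOG module).
SAMPLE_LOG = [
    "Aug 19 20:30:01 gw kernel: Before proxy redirect: IN=eth1 OUT= "
    "SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=80 SYN",
    "Aug 19 20:30:02 gw kernel: Before proxy redirect: IN=eth1 OUT= "
    "SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=33002 DPT=443 SYN",
    "Aug 19 20:30:02 gw kernel: After proxy redirect: IN=eth1 OUT= "
    "SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=33002 DPT=443 SYN",
    "Aug 19 20:30:04 gw kernel: Before proxy redirect: IN=eth0 OUT= "
    "SRC=192.168.1.11 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN",
    "Aug 19 20:30:04 gw kernel: After proxy redirect: IN=eth0 OUT= "
    "SRC=192.168.1.11 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN",
    "Aug 19 20:30:05 gw kernel: eth0: link up",
]


def parse_log_line(line):
    """Return (stage, fields) for one of our LOG lines, else None."""
    m = _STAGE.search(line)
    if not m:
        return None
    return m.group(1), dict(_FIELD.findall(m.group(2)))


def diagnose(lines):
    """Classify every new TCP/80 connection seen in nat PREROUTING.

    A connection keyed by (SRC, SPT, DST) that appears under "Before" but not
    under "After" was consumed by the REDIRECT rule.  One that appears under
    both fell through the rule untouched.
    """
    before, after, other = set(), set(), 0
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        stage, f = parsed
        if f.get("PROTO") != "TCP" or f.get("DPT") != "80":
            other += 1
            continue
        key = (f.get("SRC"), f.get("SPT"), f.get("DST"))
        (before if stage == "Before" else after).add(key)
    return {
        "port80_seen_in_prerouting": len(before),
        "redirected": sorted(before - after),
        "not_redirected": sorted(before & after),
        "after_without_before": sorted(after - before),
        "other_protocol_or_port": other,
    }


def verdict(report):
    """Point at the next thing to check, netfilter or squid."""
    if report["port80_seen_in_prerouting"] == 0:
        return ("no TCP/80 traffic reached nat PREROUTING: check ip_forward, "
                "the default route on the clients, and that they really pass "
                "through this box")
    if report["not_redirected"]:
        return ("TCP/80 traffic passed the REDIRECT rule untouched: check the "
                "rule's position and any -i/-s restrictions")
    return ("TCP/80 connections are being redirected: the problem is on the "
            "squid side (transparent-proxy options in squid.conf, access.log)")


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    for k, v in report.items():
        print(f"{k}: {v}")
    print(verdict(report))
```

Feed it the real lines with something like `grep 'proxy redirect' /var/log/messages | python3 diagnose.py` after replacing SAMPLE_LOG with `sys.stdin`; the sample run reports one connection redirected, one that slipped past (the SYN arriving on eth0 reached the "After" rule), and the verdict points back at the rule rather than at squid.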

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:44 MST