RE: [squid-users] Transparent proxy questions.

From: Chris Oxenreider <oxenreid@dont-contact.us>
Date: Sun, 13 Oct 2002 12:37:29 -0500 (CDT)

I have the squid server setup as a transparent cache. I have it on the
same path (via a switching hub). According to the squid FAQ
(http://www.squid-cache.org/Doc/FAQ/FAQ-17.html), Section 17.0.4 covers
getting the packets to the squid box via the packet path.

Since this is not the firewall, nor a router, it makes it a little
harder. Looking at it from a protocol perspective, I would like it to
essentially do the work of a layer 4 switch/bridge, forwarding packets
in either direction unmodified except for port 80 (or other web ports
like 8080), which get redirected to the squid proxy.

    NOTE: From what I have been reading a layer 4 switch is sounding
          more suitable, but not inexpensive.

It looks as though I can not get packets to the squid box without some
sort of switch or dual interface option.

Does anyone have a FAQ or outline or scripts to turn a dual interface
Linux box + squid + options into a transparent filtering device?

At first thought, I would need to set the default route from Router 1 to
eth0 and from eth0 to router 1. Then set the default route from eth1
(external interface) to the firewall, and vice versa. Configure squid
to send its queries only out the ip address of eth1. Then using
iptables configure Linux to pass all packets between eth0 and eth1 in
both directions. Then add an iptables element to REDIRECT all outbound
connections via port 80 to the eth0 port 3128. What I am a little weak
on is the routing table that would need to be configured on the Linux
box. Since I am unfamiliar with the iptables it could be that I don't
need to do that much complicated routing. I could take the IP address
of the firewall and put it on eth0 and the ip address of router1 and put
it on eth1 and do some sort of 'magic' with iptables to make the Linux
box seem invisible.

Someone must have done something like this before. Does anyone have any
advice or pointers to do this? This seems like something that would be a
candidate for inclusion in the FAQ.

On Sun, 13 Oct 2002 mailinglists@belfin.ch wrote:

> Why not take figure 2, make the linux box a normal ip forwarder and
> set a couple of static routes? Then you make a redirect iptables
> rule to squid that runs in transparent mode.
>
> If you really need bridging, here's what you're looking for:
> http://bridge.sourceforge.net/download.html
>
> I once used that with kernel 2.2. It is bidirectional.
>
> I just can't tell you whether squid runs on it and how to configure it. But
> I think yes.
>
> HTH
> Philipp

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Christopher G. Oxenreider | http://www.state.net/~oxenreid
oxenreid@state.net        | "You only get what you give"  -- New Radicals
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Received on Sun Oct 13 2002 - 11:37:30 MDT
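As an added example (not from this thread, and not Squid project code), here is a POSIX shell script that prints the static routes and iptables rules for the dual-interface setup described above: eth0 faces router 1, eth1 faces the firewall, squid listens on 3128, and the addresses are constructed placeholders. Squid itself still needs its transparent-mode settings from FAQ section 17.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Prints (does not
# run) the routing and iptables commands for a dual-interface box that sits
# between router 1 (eth0 side) and the firewall (eth1 side) and hands LAN web
# traffic to a local squid. All addresses below are constructed placeholders.
INT_IF=${INT_IF:-eth0}                 # towards router 1 / the LAN
EXT_IF=${EXT_IF:-eth1}                 # towards the firewall / Internet
ROUTER_IP=${ROUTER_IP:-192.168.1.1}    # router 1, on the eth0 link net
FW_IP=${FW_IP:-10.0.0.1}               # firewall, on the eth1 link net
LAN_NET=${LAN_NET:-192.168.10.0/24}    # networks behind router 1
SQUID_PORT=${SQUID_PORT:-3128}
WEB_PORTS=${WEB_PORTS:-"80 8080"}

# Static routes: LAN networks are reached via router 1, everything else via
# the firewall. No NAT is done, so the box stays invisible to both sides.
routing_cmds() {
    echo "ip route replace $LAN_NET via $ROUTER_IP dev $INT_IF"
    echo "ip route replace default via $FW_IP dev $EXT_IF"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Firewall rules: pass everything between the two interfaces unmodified, but
# intercept web connections arriving from the LAN side and REDIRECT them to
# squid on this host.
iptables_cmds() {
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -j ACCEPT"
    for p in $WEB_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport $p -j REDIRECT --to-ports $SQUID_PORT"
    done
    # Squid's own outbound fetches start on the box (OUTPUT chain), so the
    # PREROUTING rule above never loops them. Only the LAN side may reach the
    # proxy port directly; refuse it from the firewall side so the cache
    # cannot be used as an open proxy from outside.
    echo "iptables -A INPUT -i $INT_IF -p tcp --dport $SQUID_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $SQUID_PORT -j DROP"
}

transparent_setup() { routing_cmds; iptables_cmds; }

# Review with: transparent_setup    Apply for real (as root): transparent_setup | sh
```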