Re: [squid-users] transparent proxy on a firewall

From: Mahesh Kudva <maheshsk@dont-contact.us>
Date: Wed, 23 Oct 2002 03:11:02 -0000

Hi Liu Mei,
I also had a similar problem. You have got to the end of your search for what you
are looking for.
Just follow the following commands:
ipchains -A input -p tcp -d 192.168.2.0/24 www -j ACCEPT
ipchains -A input -p tcp -d 192.168.3.0/24 www -j ACCEPT
ipchains -A input -p tcp -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p tcp -d 0.0.0.0/0.0.0.0 www -j REDIRECT 8080

And also make sure that your http daemon is running.
Then watch your access.log in the logs directory of squid. That must satisfy
you the way it has satisfied me ....

All in PeacE

> Hi,
>
> There are many posts about transparent proxy in the
> mailing list. However I still could not find a
> solution to my problem. I am sorry to disturb you for
> the old common question.
>
> Originally, our private subnet was 192.168.1.0/24. We
> are using a cable modem to connect to the ISP's
> gateway which is 192.168.1.254. I think the ISP has done
> something on its side because we don't need to set up
> anything in our web browser.
>
> Now things become complex. We used redhat 7.2 to build
> our own firewall, which is sitting between the modem
> and our LAN. And for some reasons, we have to divide
> the lan into two subnets, which are 192.168.2.0/24 and
> 192.168.3.0/24.
> Thus the firewall machine has three network cards.
> Eth0 (1.253) connects to the modem, eth1(2.1) connects
> to the subnet 2.0/24, eth2(3.1) connects to the subnet
> 3.0/24. By using two ipchains rules
> -A forward -s 192.168.2.0/24 -i eth0 -j MASQ
> -A forward -s 192.168.3.0/24 -i eth0 -j MASQ
> ,the two subnets can access internet properly.
>
> Then we plan to setup a transparent proxy and caching
> server on the same firewall machine as well.
>
> After reading some menu, we followed the instructions
> to setup the squid (2.5 stable1).
>
> The options in squid.conf changed are:
>
> http_port 8080
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> Also two new ipchains rules have been added in front
> of the MASQ rules.
> -A input -s 192.168.2.0/24 -d 0/0 www -p tcp -i eth0
> -j REDIRECT 8080
> -A input -s 192.168.3.0/24 -d 0/0 www -p tcp -i eth0
> -j REDIRECT 8080
>
> However, it seems that no request will be sent to the
> proxy by running cachemgr.cgi.
>
> In terms of double checking, we moved http_access deny
> all in front of other http_access allow rules and
> restart the squid by running two commands
> /usr/local/squid/sbin/squid -k kill
> /usr/local/squid/sbin/squid.
>
> But the workstations in the subnets can still access
> the internet.
>
> I guess the problem may be due to the forward ipchains
> rules which MASQ the request from the two subnets to
> eth0 and thus go directly to the internet. Then I
> changed the previous REDIRECT rules to be one
>
> -A input -d 0/0 www -p tcp -i eth0 -j REDIRECT 8080
>
> but still no package can be sent to Squid.
>
> How can I fix the problem? If you need more
> information to help me to identify the problem, I will
> be very glad to do that.
>
> Many thanks.
>
> Liumei
>
Received on Tue Oct 22 2002 - 22:05:05 MDT
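As an added illustration (not code from the thread, from Squid or from ipchains), here is a small Python model of how the ipchains input chain is evaluated: rules are tried in order and the first one whose -s, -d, port, -p and -i criteria all match decides the packet's fate. It runs Liu Mei's last quoted rule (which carries -i eth0, while the two LAN subnets enter the firewall on eth1 and eth2 according to the description above) and Mahesh's four rules over constructed sample packets, and adds an assumed tightened variant with -s/-i restrictions, since a REDIRECT with no source or interface restriction also pulls in port-80 connections that reach the firewall from the modem side. The interface names follow the thread; the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration of first-match evaluation of the ipchains "input" chain.
# Not Squid's or ipchains' code; packets and the "tightened" rule set are constructed.


@dataclass
class Rule:
    target: str                          # ACCEPT, REDIRECT, ...
    src: str = "0.0.0.0/0"               # -s
    dst: str = "0.0.0.0/0"               # -d
    dport: Optional[int] = None          # destination port (www = 80); None matches any
    proto: Optional[str] = None          # -p
    iface: Optional[str] = None          # -i: interface the packet arrived on; None = any
    redirect_port: Optional[int] = None  # argument of -j REDIRECT

    def matches(self, pkt: dict) -> bool:
        return (
            ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src, strict=False)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst, strict=False)
            and (self.dport is None or pkt["dport"] == self.dport)
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.iface is None or pkt["iface"] == self.iface)
        )


def verdict(chain, pkt):
    """Target of the first matching rule, or "POLICY" when nothing matches.

    "POLICY" means the packet falls through to the chain's default policy (ACCEPT
    assumed here) and continues to the forward chain, where the MASQ rules send it
    straight out to the internet without ever reaching Squid.
    """
    for rule in chain:
        if rule.matches(pkt):
            return f"REDIRECT {rule.redirect_port}" if rule.target == "REDIRECT" else rule.target
    return "POLICY"


# Liu Mei's last attempt from the quoted mail: redirect only packets that arrived on eth0.
QUOTED = [Rule("REDIRECT", dport=80, proto="tcp", iface="eth0", redirect_port=8080)]

# Mahesh's reply: exempt local destinations, then redirect all remaining port-80 traffic.
REPLY = [
    Rule("ACCEPT", dst="192.168.2.0/24", dport=80, proto="tcp"),
    Rule("ACCEPT", dst="192.168.3.0/24", dport=80, proto="tcp"),
    Rule("ACCEPT", dst="127.0.0.1/32", dport=80, proto="tcp"),
    Rule("REDIRECT", dport=80, proto="tcp", redirect_port=8080),
]

# Assumed tightening (not from the thread): same exemptions, but redirect only traffic
# from each LAN subnet arriving on its own interface, so port-80 connections that reach
# the firewall from the modem side (eth0) are not pulled into the cache.
TIGHTENED = REPLY[:3] + [
    Rule("REDIRECT", src="192.168.2.0/24", dport=80, proto="tcp", iface="eth1", redirect_port=8080),
    Rule("REDIRECT", src="192.168.3.0/24", dport=80, proto="tcp", iface="eth2", redirect_port=8080),
]

# Constructed sample packets. Per the thread, eth0 faces the modem (firewall 192.168.1.253),
# eth1 serves 192.168.2.0/24 and eth2 serves 192.168.3.0/24.
LAN2_TO_WEB = {"src": "192.168.2.10", "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "iface": "eth1"}
LAN3_TO_WEB = {"src": "192.168.3.7", "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "iface": "eth2"}
LAN_TO_LAN = {"src": "192.168.2.10", "dst": "192.168.3.5", "dport": 80, "proto": "tcp", "iface": "eth1"}
WAN_TO_FW = {"src": "198.51.100.9", "dst": "192.168.1.253", "dport": 80, "proto": "tcp", "iface": "eth0"}
LAN_HTTPS = {"src": "192.168.2.10", "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "iface": "eth1"}


def compare(pkt):
    """Verdict of each rule set for one packet."""
    return {
        "quoted": verdict(QUOTED, pkt),
        "reply": verdict(REPLY, pkt),
        "tightened": verdict(TIGHTENED, pkt),
    }


if __name__ == "__main__":
    for name, pkt in [("LAN2->web", LAN2_TO_WEB), ("LAN3->web", LAN3_TO_WEB),
                      ("LAN->LAN", LAN_TO_LAN), ("modem side->fw", WAN_TO_FW),
                      ("LAN2->https", LAN_HTTPS)]:
        print(f"{name:15s} {compare(pkt)}")
```

Running it shows the symptom from the question: browser traffic from either subnet falls through the quoted rule (POLICY) because it never arrives on eth0, while Mahesh's rules redirect it to 8080. Traffic between the two subnets is left alone by the ACCEPT exemptions in both the reply and the tightened set, and only the tightened set leaves a port-80 connection arriving on eth0 untouched.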

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:48 MST