RE: [squid-users] Transparent Proxy, Bridged interfaces & SQUID

From: Siew Wing Loon <wlsiew@dont-contact.us>
Date: Fri, 28 Mar 2003 02:04:46 -0800 (PST)

Shane,

This command will redirect all traffic arriving on interface br0 with destination port 80 to your squid server.

Rgds,
Siew

--- "Blaser, Shane" <SBlaser@corp.untd.com> wrote:
> I have not,
>
> What does this command do???
>
> Thanks
>
> Shane
>
> -----Original Message-----
> From: Siew Wing Loon
> To: Steven Bourque; squid-users@squid-cache.org
> Sent: 3/27/2003 5:03 PM
> Subject: Re: [squid-users] Transparent Proxy, Bridged interfaces & SQUID
>
> Hi,
>
> Have you tried this:
>
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Rgds,
> Siew
>
> --- Steven Bourque <sbourque@packetworks.net> wrote:
> > Hello,
> >
> > I was hoping someone could help me:
> >
> > I have linux (debian) kernel 2.4.20 compiled with everything mentioned in the transparent proxy/squid HOWTO and iptables working properly:
> >
> > eth0 is connected to the LAN
> > eth1 is connected to the WAN
> >
> > both are set up as members of the bridge br0
> > br0 has an IP address of 10.10.6.231/24 (part of our local IPs for monitoring and configuration)
> >
> > the Bridging is working, however, it will not grab the port 80 traffic:
> >
> > I have added the following as stated in the howto:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> >
> > iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > (so I can SSH to the box)
> > iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > I have also tried the first iptable with -j DNAT --to 10.10.6.231:3128
> >
> > Neither table gets a hit when viewed with iptables -t nat -v -n -L or iptables -v -n -L
> >
> > Those are the only entries in the iptables; the SSH command does work.
> > Squid is configured with the entries as noted in the HOWTO, otherwise they are defaults.
> >
> > Squid is version 2.5.STABLE1
> >
> > iptables -L -n -v -t nat
> >
> > Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
> >
> > Chain POSTROUTING (policy ACCEPT)
> > ...
> > (empty)
> > Chain OUTPUT (policy ACCEPT)
> > ...
> > (empty)
> >
> > iptables -L -n -v
> > Chain DROP (policy ACCEPT 136 packets, 16195 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            10.10.6.231         tcp dpt:3128 state NEW,ESTABLISHED
> >    14  1651 ACCEPT     tcp  --  br0    *       0.0.0.0/0            10.10.6.231         tcp dpt:22 state NEW,ESTABLISHED
> > Chain FORWARD (policy ACCEPT)
> > ...
> > (empty)
> > Chain OUTPUT (policy ACCEPT)
> > ...
> > (empty)
> >
> > We do not want any firewalling on this box, hence the defaults are all ACCEPT except the actual connections to the box, which has two accepts (SQUID and SSH)
> >
> > With this setup, I am able to surf the web, but it is bypassing SQUID. Everything is continuing to be bridged.
> >
> > I spent a few days reading everything I can about this.
> >
> > I found the program divert (I have divert enabled in my kernel); does that have anything to do with it?
> >
> > I tried it with divert on eth0 enable tcp add dst 80; that just seemed to kill my browsing as well as not hitting squid or the filters, although in a tcpdump -ne -i eth0 tcp dst port 80 I do see the MAC address change from that of my next hop router to the MAC of the eth0 (which should then get redirected by the iptable, shouldn't it?)
> >
> > any help would be much appreciated! :)
> >
> > Thanks
> > --
> >
> > \Steven.
> >
> > /*                          | Steven R. Bourque, CCNA
> >  /"\                        | Network Engineer
> >  \ /  ASCII ribbon campaign | Packet Works Inc.
> >   X   against HTML email    | p:519.579.4507. f:519.579.8475.
> >  / \                        | http://www.packetworks.net
> >                             | PGP ID: 0x373AB23B
> > *\
> >
>
>

__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
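The thread's diagnostic is the packet counter on the REDIRECT rule: Steven's rule matched on eth0 and showed 0 hits, and Siew's fix is to match on br0 instead. The script below is an added example, not code from the thread or from Squid; it reads an `iptables -t nat -L PREROUTING -n -v` listing (the two sample listings are constructed to mirror Steven's posted counters) and reports whether the redirect rule is missing, bound to the wrong interface, or present but never hit.

```shell
#!/bin/sh
# Added example (not from the thread): decide from the output of
# `iptables -t nat -L PREROUTING -n -v` whether the REDIRECT-to-squid rule
# is bound to the bridge device and whether it is seeing packets.
# Both listings are constructed samples, the first mirroring Steven's post.

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'

# The same listing after the rule has been re-added on br0 (constructed counters).
SAMPLE_NAT_OK='Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  4120 REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'

# redirect_rule IFACE [PORT]: the PREROUTING rule recommended in the thread,
# matching on the bridge device (br0) rather than on a bridge port (eth0).
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1" "${2:-3128}"
}

# redirect_hits LISTING PORT: print "<in-iface> <pkts>" for each REDIRECT rule
# sending traffic to PORT. Columns: pkts bytes target prot opt in out ...
redirect_hits() {
    printf '%s\n' "$1" | awk -v port="$2" \
        '$3 == "REDIRECT" && $0 ~ ("redir ports " port "$") { print $6, $1 }'
}

# diagnose LISTING BRIDGE: prints "missing", "wrong-iface:<dev>", "no-hits" or "ok"
# (only the first matching REDIRECT rule is examined).
diagnose() {
    hits=$(redirect_hits "$1" 3128 | head -n 1)
    if [ -z "$hits" ]; then echo missing; return 0; fi
    iface=${hits%% *}
    pkts=${hits##* }
    if [ "$iface" != "$2" ]; then echo "wrong-iface:$iface"
    elif [ "$pkts" -eq 0 ]; then echo no-hits
    else echo ok
    fi
}

# On a live box (as root): diagnose "$(iptables -t nat -L PREROUTING -n -v)" br0
```

Checking the nat counters this way before and after re-adding the rule with `redirect_rule br0` separates "rule never matches" (wrong ingress interface) from "rule matches but Squid is not answering on 3128" (which the filter-table INPUT counters for dpt:3128 would show).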
Received on Fri Mar 28 2003 - 03:04:57 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:24 MST