Re: [squid-users] Transparency

From: Antony Stone <Antony@dont-contact.us>
Date: Mon, 17 Nov 2003 14:09:45 +0000

On Monday 17 November 2003 1:53 pm, trainier@kalsec.com wrote:

> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [root@kalproxy logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http
> redir ports 8000
> REDIRECT tcp -- anywhere anywhere tcp dpt:ftp
> redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination

If you're going to post netfilter rules, it's better to post either the
original rules which went into the table, or else the output of "iptables -t
nat -L -n -v". The -n makes everything numeric so we can see what addresses
are involved, and the -v shows more detail including the interfaces which the
rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box. i.e.:
> irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had a
> couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really
know about this sort of thing.

> First. I understand that squid proxies http traffic, only. Is this
> correct?

Yes. Squid will handle ftp requests over http, but only if the browser is
configured to use the proxy. In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table and
> the other internet stuff should work.
> ie: I shouldn't need to go into my client programs (putty, mIRC, etc) and
> tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go
directly through your firewall to the Internet, nothing to do with a Squid
proxy being around the place.

Also, the whole point about transparent mode is that even for http, the
client doesn't know there's a proxy - if it did, it wouldn't be transparent :)

Antony.

-- 
"I'm doing a (free) operating system (just a hobby, won't be big and 
professional like gnu) for 386(486) AT clones.
It is NOT portable , and it probably never will support anything other than 
AT-harddisks, as that's all I have :-(."
 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991
                                                     Please reply to the list;
                                                           please don't CC me.
Received on Mon Nov 17 2003 - 07:09:53 MST
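As an added example (not part of Antony's reply or the original question), the shell function below writes out the kind of netfilter ruleset this thread is about: HTTP arriving from the LAN is redirected into a local Squid on port 8000, while every other protocol is plain NAT and never touches the proxy. Interface names, the LAN subnet and the Squid port are assumed arguments; a second function checks that each REDIRECT rule is bound to an inbound interface.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for a
# Linux gateway that sends LAN HTTP through a local Squid transparently and
# lets every other protocol through as ordinary NAT (it is never proxied).
# Load it with: iptables-restore < rules.txt (and enable ip_forward).
# Arguments: LAN interface, WAN interface, LAN subnet, Squid port (assumed).
build_nat_ruleset() {
    lan_if=$1; wan_if=$2; lan_net=$3; squid_port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect only what arrives on the LAN side from LAN addresses; without
# -i/-s any host that can reach this box gets bounced into Squid.
# Port 80 only: Squid does not handle FTP in transparent mode.
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
# IRC, telnet, ssh, FTP, ... are plain NAT (active FTP additionally needs
# the ip_conntrack_ftp / nf_conntrack_ftp helper loaded).
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Check a ruleset: every REDIRECT rule must name an inbound interface (-i),
# otherwise the interception rule is also applied to traffic from the WAN.
# Returns 0 when all REDIRECT rules are scoped, 1 otherwise.
check_redirects_scoped() {
    printf '%s\n' "$1" | grep REDIRECT | grep -vq -- '-i ' && return 1
    return 0
}

# Print the ruleset for an assumed gateway (eth0 = LAN, eth1 = WAN).
build_nat_ruleset eth0 eth1 192.168.1.0/24 8000
```

Compare the generated PREROUTING rule with the `iptables -t nat -L -n -v` output Antony asks for: the interface column should not be `*`.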
