Re: [squid-users] Transparency

From: <trainier@dont-contact.us>
Date: Mon, 17 Nov 2003 09:50:46 -0500

Here is the output:

[root@kalproxy logs]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 49710 packets, 8766K bytes)
 pkts bytes target prot opt in out source destination
    1 52 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8000
    1 52 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 redir ports 21

Chain POSTROUTING (policy ACCEPT 103 packets, 6335 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 92 packets, 5707 bytes)
 pkts bytes target prot opt in out source destination

Thanx for your additional info, Antony.

Regards,

Tim Rainier

Antony Stone <Antony@Soft-Solutions.co.uk>
11/17/2003 09:09 AM

 
        To: squid-users@squid-cache.org
        cc:
        Subject: Re: [squid-users] Transparency

On Monday 17 November 2003 1:53 pm, trainier@kalsec.com wrote:

> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [root@kalproxy logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000
> REDIRECT tcp -- anywhere anywhere tcp dpt:ftp redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination

If you're going to post netfilter rules, it's better to post either the
original rules which went into the table, or else the output of
"iptables -t nat -L -n -v". The -n makes everything numeric so we can see
what addresses are involved, and the -v shows more detail including the
interfaces which the rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box. i.e.:
> irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had
> a couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really
know about this sort of thing.

> First. I understand that squid proxies http traffic, only. Is this
> correct?

Yes. Squid will handle ftp requests over http, but only if the browser is
configured to use the proxy. In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table
> and the other internet stuff should work.
> ie: I shouldn't need to go into my client programs (putty, mIRC, etc)
> and tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go
directly through your firewall to the Internet, nothing to do with a Squid
proxy being around the place.

Also, the whole point about transparent mode is that even for http, the
client doesn't know there's a proxy - if it did, it wouldn't be
transparent :)

Antony.

-- 
"I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.
It is NOT portable , and it probably never will support anything other
than AT-harddisks, as that's all I have :-(."
 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991

                                                Please reply to the list;
                                                      please don't CC me.
Received on Mon Nov 17 2003 - 07:50:50 MST
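
Added example (not part of the original thread): a small Python parser for the "iptables -t nat -L -n -v" listing posted above, showing what the nat PREROUTING chain does with a TCP packet for a given destination port and inbound interface. The function names are hypothetical, and source/destination address matching is left out on the assumption that every rule uses 0.0.0.0/0, as in the posted output.

```python
import re

# The listing posted above, with the wrapped rule lines rejoined.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 49710 packets, 8766K bytes)
 pkts bytes target prot opt in out source destination
    1 52 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8000
    1 52 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 redir ports 21

Chain POSTROUTING (policy ACCEPT 103 packets, 6335 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 92 packets, 5707 bytes)
 pkts bytes target prot opt in out source destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_nat_listing(text):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from -L -n -v output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        cols = line.split()
        # Skip blank lines and the column header; rule rows start with a packet count.
        if current is None or len(cols) < len(FIELDS) or not cols[0][0].isdigit():
            continue
        rule = dict(zip(FIELDS, cols))
        extra = " ".join(cols[len(FIELDS):])  # match and target options, e.g. "tcp dpt:80 ..."
        for key, pat in (("dpt", r"dpt:(\d+)"), ("redir", r"redir ports (\d+)")):
            hit = re.search(pat, extra)
            rule[key] = int(hit.group(1)) if hit else None
        current["rules"].append(rule)
    return chains

def prerouting_verdict(chains, iface, dport):
    """(target, redirect port) for a TCP packet arriving on iface for dport.
    Assumption: addresses are not compared (all posted rules use 0.0.0.0/0)."""
    chain = chains["PREROUTING"]
    for r in chain["rules"]:
        if r["prot"] == "tcp" and r["in"] in (iface, "*") and r["dpt"] in (dport, None):
            return (r["target"], r["redir"])
    return (chain["policy"], None)  # no rule matched: policy applies, packet is not redirected

if __name__ == "__main__":
    nat = parse_nat_listing(SAMPLE)
    print({p: prerouting_verdict(nat, "eth1", p) for p in (80, 21, 6667, 23)})
```

Ports other than 80 and 21 fall through to the chain policy in this table, so whether they reach the Internet is decided outside it, in parts of the configuration the thread does not show.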

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:21 MST