[squid-users] squid + iptables

From: Kevin Thackray <kthackray@dont-contact.us>
Date: Wed, 6 Apr 2005 09:55:37 +0200

Dear all,

I would like to set up a transparent web proxy with squid and iptables. I am using the squid package from linuxpackages (squid-2.5.STABLE9-i486-1maew), and I am going through some troubles!
I have followed a few howtos, and my squid is starting ok (squid -NCd1), but other machines on my isolated lan cannot access the web.
My network configuration is a bit more complex, and I have a few constraints that I have to follow:

Isolated Lan -----| Proxy Box |-------Lan------| Firewall |-------INTERNET

The firewall (linux/iptables) is doing regular nat and port forwarding. I cannot change this configuration.

My Proxy box (slackware10.1 / 2.6.11.6) has 2 IPs:
* Iso Lan : 192.168.2.1 (eth1)
* Lan : 192.168.0.80 (eth0)

I have a standard squid configuration with such ACLs:

*******
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
....
acl our_networks src 192.168.2.0/24
http_access allow our_networks
*****

and I have set up 1 rule for iptables:
iptables -t nat -A PREROUTING -i eth1 -p TCP --dport 80 -j REDIRECT --to-port 3128

*******
root@margaritas:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
*******

The configuration does not work as a transparent proxy, but, if I setup my web browser to connect via my proxy, it works! (at least I know my proxy works).
If anyone has any ideas, that would be great!

Regards,

Kevin.

Kevin Thackray
C&T Paradigm NV
BTW BE 0465.030.272 RPR Antwerpen
G. LeGrellelaan 10, B - 2020 Antwerpen
Tel +32(3)259 2266

mailto:kthackray@ctparadigm.be

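Added example, not code from the post above: a small POSIX sh check of the two things a squid 2.5 transparent setup like the one described depends on, the httpd_accel_* directives (squid 2.5's interception mode; the post's config excerpt does not show them) and agreement between http_port and the REDIRECT --to-port of the nat rule. The sample configs and the source-restricted rule are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a squid 2.5 squid.conf and the
# nat rule for transparent (intercepting) mode. Assumes squid 2.5.x, whose interception
# mode is configured with the httpd_accel_* directives; sample configs are constructed.

# squid 2.5 treats a REDIRECTed port-80 connection as a proxy request only with these set;
# with the PREROUTING rule alone it receives a bare "GET /path" it cannot route.
check_accel_directives() {
    _conf=$1 _rc=0
    for _pair in host=virtual port=80 with_proxy=on uses_host_header=on; do
        _name="httpd_accel_${_pair%%=*}" _want="${_pair#*=}"
        if ! grep -Eq "^[[:space:]]*${_name}[[:space:]]+${_want}([[:space:]]|#|$)" "$_conf"; then
            echo "squid.conf: missing '${_name} ${_want}'" >&2
            _rc=1
        fi
    done
    return $_rc
}

# squid's listening port (http_port, default 3128 in 2.5, optionally host:port) must
# equal the REDIRECT --to-port(s) value of the nat rule, or redirected packets go nowhere.
check_redirect_port() {
    _listen=$(sed -n 's/^[[:space:]]*http_port[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    _listen=${_listen##*:}
    _target=$(printf '%s\n' "$2" | sed -n 's/.*--to-ports\{0,1\}[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$_target" ] && [ "${_listen:-3128}" = "$_target" ]
}

# Constructed configs: one with only what the post shows, one with the accel directives.
POSTED_CONF=$(mktemp) FIXED_CONF=$(mktemp)
trap 'rm -f "$POSTED_CONF" "$FIXED_CONF"' EXIT
cat >"$POSTED_CONF" <<'EOF'
http_port 3128
acl our_networks src 192.168.2.0/24
http_access allow our_networks
EOF
{ printf 'httpd_accel_host virtual\nhttpd_accel_port 80\n'
  printf 'httpd_accel_with_proxy on\nhttpd_accel_uses_host_header on\n'
  cat "$POSTED_CONF"; } >"$FIXED_CONF"
# The post's rule plus a source restriction, so only the isolated LAN is intercepted.
RULE='iptables -t nat -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128'

for _c in "$POSTED_CONF" "$FIXED_CONF"; do
    if check_accel_directives "$_c" && check_redirect_port "$_c" "$RULE"; then
        echo "$_c: ready for transparent mode"
    else
        echo "$_c: NOT ready for transparent mode"
    fi
done
```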

Received on Wed Apr 06 2005 - 01:55:38 MDT
