Re: [squid-users] Transparent proxy issues...

From: Jon Newman <jnewman@dont-contact.us>
Date: Tue, 12 Apr 2005 09:53:56 -0500 (CDT)

> Is your squid running in 8080 port to get 80 requests?
> Check it with netstat -na | grep '8080'

Yes, this is the output of that command:
root@filter:~# netstat -na | grep '8080'
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 1 2654 216.90.3.137:8080 66.101.59.243:45942 CLOSING
tcp 1 11967 216.90.3.137:8080 66.101.59.243:45940 CLOSE_WAIT
tcp 1 2654 216.90.3.137:8080 66.101.59.243:45941 CLOSING
tcp 1 2654 216.90.3.137:8080 66.101.59.243:45944 CLOSING
tcp 0 0 216.90.3.137:8080 66.101.59.243:45945 TIME_WAIT

As you can see there is something bound to that port and listening on all
IP addresses on the box. Currently I have my PC pointed at port 8080
(manually set up), using DansGuardian as I type this email, so it
definitely is working. I do have ports 8080 and 3128 blocked from outside
access only to prevent users not on our network from using the cache and
filter.

> Is /proc/sys/net/ipv4/ip_forward file having an entry
> as 1 (or) Is sysctl net.ipv4.ip_forward equal to 1

root@filter:~# cat /proc/sys/net/ipv4/ip_forward
1

I currently have the PC I am on now routed through the transparent proxy.
When I manually configure my browser to use the proxy via port 8080,
everything is fine and I am able to browse the web. However, when I try to
connect straight through to the internet and have the iptables rule
route my destination-port-80 packets through port 8080, I get nothing.
DNS is still looked up successfully (as it should be, since I am not touching
those packets), but it just sits at 'waiting for reply from XXXXXX'.

Here is the iptables nat table setup:
root@filter:~# iptables-save -t nat
# Generated by iptables-save v1.2.10 on Tue Apr 12 09:38:04 2005
*nat
:PREROUTING ACCEPT [29252743:1621473381]
:POSTROUTING ACCEPT [29250710:1621356573]
:OUTPUT ACCEPT [188:13722]
-A PREROUTING -s 66.101.59.243 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Tue Apr 12 09:38:04 2005

Shouldn't I supply the destination IP address when redirecting to port
8080? In other words, doesn't the current setup redirect the client to
port 8080 on the ORIGINAL, INTERNET based server (which would be
incorrect)? If so, how would I do so with iptables?

Just an idea... thanks for any responses.

-- 
Jon Newman (jnewman@oplink.net)
Systems Administrator/Software Engineer
The Optimal Link (http://www.oplink.net)
Received on Tue Apr 12 2005 - 08:44:36 MDT
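An added example, not part of the original post and not code from Squid, DansGuardian or netfilter: the ruleset a practitioner would want for the redirect discussed above, plus a check that can be run against an iptables-save dump. Two facts about netfilter it relies on: REDIRECT rewrites the destination address to the gateway's own address on the interface the packet arrived on, so the client is handed to the local proxy rather than to port 8080 on the original web server; and the redirected packet then traverses the filter table's INPUT chain with destination port 8080, so any rule that closes 8080 to "outside" must not match it before an ACCEPT for the LAN does. The LAN interface (eth1), the LAN range (192.168.1.0/24) and the two sample dumps are assumptions constructed for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): generate a transparent-proxy
# REDIRECT ruleset for a proxy on port 8080 and sanity-check an iptables-save
# dump for the two things that must both hold for intercepted port-80
# traffic to reach the proxy.
# Assumptions (not stated in the thread): LAN interface eth1, LAN range
# 192.168.1.0/24. Override with environment variables if they differ.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-8080}"

# Print the rules rather than applying them, so they can be reviewed first
# or piped to sh on the gateway.
emit_rules() {
    cat <<EOF
# nat: intercept only LAN clients arriving on the LAN interface. REDIRECT
# rewrites the destination to this box's own address on $LAN_IF, so the
# client talks to the local proxy, not to port $PROXY_PORT on the web server.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# filter: the redirected packet then hits INPUT with dport $PROXY_PORT, so the
# LAN accept must come before the rule that closes the port to everyone else.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $PROXY_PORT -j DROP
EOF
}

# check_dump FILE: FILE is an iptables-save dump. Return 0 when it contains a
# PREROUTING REDIRECT of dport 80 to the proxy port and an INPUT ACCEPT for
# the proxy port that precedes any DROP/REJECT of it; otherwise print what
# is wrong and return 1.
check_dump() {
    dump="$1"
    status=0
    if ! grep -q -- "-A PREROUTING .*--dport 80 .*-j REDIRECT --to-ports $PROXY_PORT" "$dump"; then
        echo "missing: nat PREROUTING REDIRECT of dport 80 to $PROXY_PORT"
        status=1
    fi
    # Line numbers of the first ACCEPT and the first DROP/REJECT for the port in INPUT.
    acc=$(grep -n -- "-A INPUT .*--dport $PROXY_PORT .*-j ACCEPT" "$dump" | head -n 1 | cut -d: -f1)
    drp=$(grep -n -E -- "-A INPUT .*--dport $PROXY_PORT .*-j (DROP|REJECT)" "$dump" | head -n 1 | cut -d: -f1)
    if [ -z "$acc" ]; then
        echo "missing: filter INPUT ACCEPT for dport $PROXY_PORT (redirected packets never reach the proxy)"
        status=1
    elif [ -n "$drp" ] && [ "$drp" -lt "$acc" ]; then
        echo "order: INPUT drops dport $PROXY_PORT at line $drp before accepting it at line $acc"
        status=1
    fi
    return $status
}

# Constructed sample dumps (not the poster's real tables). The first has a
# nat table shaped like the one in the post plus a filter table that closes
# 8080 with no LAN exception; the second matches what emit_rules produces.
sample_as_posted() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 66.101.59.243 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
EOF
}

sample_fixed() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
EOF
}

# Print the generated rules, then run the check over both samples.
demo() {
    tmp=$(mktemp)
    emit_rules
    for s in sample_as_posted sample_fixed; do
        "$s" > "$tmp"
        if check_dump "$tmp"; then echo "$s: ok"; else echo "$s: needs attention"; fi
    done
    rm -f "$tmp"
}

demo
```

On a live gateway the check is run as `iptables-save > /tmp/rules && check_dump /tmp/rules` (the function only reads the dump; it never calls iptables itself). The rules are only half of an intercepting setup: the daemon listening on 8080 must also be configured to accept intercepted requests, since it receives a plain `GET /path` with no proxy-style absolute URL and has to reconstruct the origin from the Host header. For Squid 2.5 that is the `httpd_accel_host virtual`, `httpd_accel_port 80`, `httpd_accel_with_proxy on` and `httpd_accel_uses_host_header on` directives; from Squid 2.6 onward it is the `transparent` option on `http_port`. Without it the redirected connection is accepted but the request is not answered, which looks the same from the browser as a packet that never arrived.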

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT