Re: [squid-users] How to setup both Transparent Proxy and firewall on the same Machine.

From: Tek Bahadur Limbu <teklimbu@dont-contact.us>
Date: Tue, 12 Jun 2007 14:31:09 +0545

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 12 Jun 2007 13:22:40 +0530
"Indunil Jayasooriya" <indunil75@gmail.com> wrote:

> Hi ALL,
>
> I want to set up a transparent proxy on the box running an iptables firewall.
>
> With iptables, I have the rules given below.
>
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t nat
> iptables -F -t mangle
>
> #Enabling ip forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #enable syn cookies (prevent against the common 'syn flood attack')
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> #do source validation by reversed path
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> #Enable tracking mechanism
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP
> iptables -A OUTPUT -j DROP

Hi Indunil,

You can set the default policy of the above chains to DROP.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

>
> In addition to that, there are many rules; all work fine.
>

You can provide all your firewall rules to make your problem more clear and concise.

> In the squid.conf file, I have added the rules below:
>
> http_port 3128
> cache_mem 64 MB
> cache_dir ufs /var/spool/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

If you are using Squid-2.5, then Squid transproxy should work with the above options.

>
> And then I ran the command below.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128

This rule should work.

You can also try:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

But I think it produces the same effect.

I think you may need the rule below too.

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3128 -j ACCEPT

>
> But when I browse the Internet, requests do not get redirected to port 3128.
> So I cannot use Squid as a transparent proxy.

What is the exact error that you get when you try to browse the Internet using your web browser?

>
> Where have I gone wrong?
>
> I referred to the URL below.
> http://www.tldp.org/HOWTO/TransparentProxy.html#toc2
>
> Please help me.
>

Try using tcpdump to analyze where or which port the clients' web traffic is going to. I guess your Squid box is either a gateway or you have some sort of load balancer in front of squid.

> --
> Thank you
> Indunil Jayasooriya
>

- --

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFGbl1RVrOl+eVhOvYRApo4AJ0ZrhcPa5sYMc+k22HG4fIFSxaoQQCfcH1O
TGfXB05lj03J8xTJi+lmbt4=
=5iPF
-----END PGP SIGNATURE-----
Received on Tue Jun 12 2007 - 02:46:47 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT
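The thread gives the pieces separately: the flush and DROP policies, the ESTABLISHED,RELATED rules, the PREROUTING REDIRECT and the INPUT rule for port 3128. Below is an added example, not code from either poster, that puts them in one script in the order they must be applied, and adds the two rules the thread does not mention but that an OUTPUT policy of DROP makes necessary: Squid's own NEW connections to origin servers and its DNS lookups are not covered by the ESTABLISHED,RELATED rule, so without explicit OUTPUT rules the proxy accepts the redirected connection and then cannot fetch anything. The interface names eth0/eth1, the LAN_IF/WAN_IF/IPT variables and the MASQUERADE rule for non-HTTP traffic are assumptions; 192.168.0.0/24 and port 3128 follow the reply. IPT defaults to `echo iptables`, so the script prints the rules without touching the kernel; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): firewall and Squid
# transparent-proxy redirect set up together, with explicit rule order.
# Interface names, the client subnet and the dry-run IPT variable are
# assumptions; 192.168.0.0/24 and port 3128 follow the reply.
#
# By default IPT="echo iptables", so running the script only prints the rules.
# Run it as root with IPT=iptables to apply them.

LAN_IF="${LAN_IF:-eth0}"               # interface facing the clients (assumed)
WAN_IF="${WAN_IF:-eth1}"               # interface facing the Internet (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # client subnet
SQUID_PORT="${SQUID_PORT:-3128}"       # Squid's http_port
IPT="${IPT:-echo iptables}"            # dry-run by default

squid_firewall() {
    # Start clean: flush each chain, then make DROP its default policy as the
    # reply suggests, so anything the rules below do not permit is refused.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -F "$chain"
        $IPT -P "$chain" DROP
    done
    $IPT -F -t nat
    $IPT -F -t mangle

    # Loopback: Squid, local DNS lookups and the cache manager use it.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful core: let replies and related traffic (FTP data etc.) through.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Interception: rewrite LAN clients' port-80 connections to Squid before
    # routing.  Match the interface *and* the subnet so that a packet arriving
    # on the WAN side can never be steered into the proxy.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # After REDIRECT the connection is addressed to this host, so it traverses
    # INPUT, not FORWARD; without this rule the DROP policy silently eats it.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Squid's own NEW connections leave through OUTPUT.  The ESTABLISHED,RELATED
    # rule alone does not cover them, so with a DROP policy Squid could never
    # reach an origin server or resolve a name.  Open only what it needs.
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT

    # Clients still reach non-HTTP services directly: forward and NAT them.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

squid_firewall
```

To check whether interception is actually happening, as the reply's tcpdump suggestion aims at, `iptables -t nat -L PREROUTING -n -v` shows the packet counter on the REDIRECT rule (it stays at zero if the clients' traffic is not arriving on eth0 from 192.168.0.0/24), and `tcpdump -ni eth0 'tcp dst port 80'` shows whether port-80 SYNs reach the box at all. The multiport OUTPUT rule only covers ports 80 and 443; if Squid must fetch from other ports listed in its Safe_ports ACL, widen it accordingly. Note also that the four `httpd_accel_*` lines in the quoted squid.conf are Squid 2.5 syntax, as the reply says; Squid 2.6 and 3.0 replaced them with `http_port 3128 transparent`, and Squid 3.1 and later use `http_port 3128 intercept`.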