[squid-users] Squid Transparent Proxy not work

i have server running squid (transparent proxy) in
Ubuntu linux server (squid installed using apt-get)
this server have two interfaces, eth0 to internet &
eth1 to LAN

this is my squid.conf

## --- squid.conf -----
http_port 192.168.10.1:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_vary on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 8 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 51200 KB
minimum_object_size 0 KB
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 5000 18 256
access_log /var/log/squid/access.log squid
cache_log /dev/null
cache_store_log /dev/null
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
log_fqdn off
ftp_user admin@server
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

## Client IP Address
acl client01 src 192.168.10.11/32
acl client02 src 192.168.10.12/32

## Client MAC Address
acl client01-mac arp 00:16:17:BB:2B:AF
acl client02-mac arp 00:1A:4D:44:F5:2E

# user01
http_access allow client01 client01-mac
http_access deny client01 !client01-mac
# user02
http_access allow client02 client02-mac
http_access deny client02 !client02-mac

http_access allow localhost
http_access deny all
icp_access allow all
cache_mgr admin@server
cache_effective_user proxy
cache_effective_group proxy
visible_hostname Proxy.server
always_direct allow all
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
store_dir_select_algorithm round-robin
## ---- end of squid.conf ----

and this is my iptables for squid transparent

#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER1 -m mac
--mac-source $MAC_USER1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -s $USER1 -p tcp
--dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER1 -m mac
--mac-source $MAC_USER1 -j DROP

#### USER 2
$IPT -A PREROUTING -t nat -i $LAN -s $USER2 -m mac
--mac-source $MAC_USER2 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -s $USER2 -p tcp
--dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER2 -m mac
--mac-source $MAC_USER2 -j DROP

$IPT -A FORWARD -i $LAN -s $USER1 -m mac --mac-source
$MAC_USER1 -j ACCEPT
$IPT -A FORWARD -i $LAN -s ! $USER1 -m mac
--mac-source $MAC_USER1 -j DROP
$IPT -A FORWARD -i $LAN -s $USER2 -m mac --mac-source
$MAC_USER2 -j ACCEPT
$IPT -A FORWARD -i $LAN -s ! $USER2 -m mac
--mac-source $MAC_USER2 -j DROP

$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER1 -j
MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER2 -j
MASQUERADE

when i look into /var/log/squid/access.log, i can
found client access squid.
if client setting browser using proxy into
192.168.1.10, i can see client in
/var/log/squid/access.log

what wrong with my squid.conf or iptables rules?
why transparent proxy not working, & why client must
setting using proxy in their browser if the want using
proxy?

thanks in advanced

      ____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
Received on Fri Jan 25 2008 - 20:17:30 MST