Re: [squid-users] squid transparent proxy still not working

From: Amos Jeffries <squid3@dont-contact.us>
Date: Mon, 11 Feb 2008 00:01:38 +1300

Adrian Chadd wrote:
> Have you followed http://wiki.squid-cache.org/ConfigExamples/ and setup
> the forwarding, et al, correctly?
>
> Just so you know, I can build a proxy from a default debian install
> by following one of the examples there and transparent proxying "just"
> works.
>
>
>
> Adriank
>
> On Sat, Feb 09, 2008, kang ason wrote:
>> Dear All
>> I successfully installed squid 2.6 STABLE 18 in
>> debian 4.0 with
>> the command and options below
>> ./configure --prefix=/usr/local/squid
>> --enable-delay-pools --enable-poll
>> --disable-ident-lookup --enable-truncate
>> --enable-cache-digests --enable-linux-netfilter
>> --enable-async-io=16 --enable-removal-policies
>>
>> make all
>> make install
>>
>> This server has two interfaces, eth0 to internet &
>> eth1 to LAN
>> And this is my squid.conf
>>
>> http_port 8080 transparent
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 873 # rsync
>> acl Safe_ports port 901 # SWAT
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>> acl apache rep_header Server ^Apache
>>
>> ## client IP Address
>> acl vlan10 src 192.168.10.0/24
>> icp_access allow all
>> hierarchy_stoplist cgi-bin ?
>> cache_mem 64 MB
>> maximum_object_size_in_memory 4096 KB
>> memory_replacement_policy heap GDSF
>> cache_replacement_policy heap LFUDA
>> cache_dir ufs /usr/local/squid/var/cache 5000 18 256
>> minimum_object_size 0 KB
>> maximum_object_size 51200 KB
>> cache_swap_low 98
>> cache_swap_high 99
>> access_log /usr/local/squid/var/logs/access.log squid
>> cache_log /dev/null
>> cache_store_log /dev/null
>> emulate_httpd_log off
>> log_ip_on_direct on
>> mime_table /usr/local/squid/etc/mime.conf
>> log_mime_hdrs off
>> pid_filename /usr/local/squid/var/logs/squid.pid
>> log_fqdn off
>> client_netmask 255.255.255.0
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern (cgi-bin|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> http_access deny CONNECT !SSL_ports
>> http_access deny !Safe_ports
>> http_access allow localhost
>> http_access allow manager localhost
>> http_access allow purge localhost
>> http_access allow vlan10
>> http_access deny manager
>> http_access deny all
>> broken_vary_encoding allow apache
>> cache_vary on
>> cache_effective_user proxy
>> cache_mgr wifiproxy2008
>> ipcache_size 2048
>> ipcache_low 98
>> ipcache_high 99
>> fqdncache_size 2048
>> coredump_dir /usr/local/squid/var/cache
>> visible_hostname wifi2008
>> cache_effective_group proxy
>> always_direct allow all
>> store_dir_select_algorithm round-robin
>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>> ##---- end of squid.conf ----
>> Squid runs with no error.
>>
>> and these are my iptables rules for squid transparent
>> iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.10
>> -p tcp --dport 80 -j ACCEPT

Is that meant to be eth0 or eth1?

>> iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24
>> -p tcp --dport 80 -j REDIRECT --to-port 8080
>> iptables -t filter -A FORWARD -i eth1 -s 192.168.10/24
>> -p tcp --dport 80 -j REJECT
>>
>> What is wrong with my squid.conf or iptables rules?
>> Why is the transparent proxy not working, and why must
>> clients set the proxy in their browser if they want
>> to use the proxy?

Do you have any block on -t filter -L INPUT/OUTPUT that could block this
traffic?

>>
>> thanks
>>
>> regards
>> ason
>> Cah Kopeng
>> Lereng Utara Gunung Merbabu
>>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Sun Feb 10 2008 - 04:01:29 MST
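The two questions in this reply (which interface the exemption rule is bound to, and whether a filter-table rule blocks the redirected port) can be checked mechanically against an `iptables-save` dump. The script below is an added example, not code from the thread or from the Squid project. It assumes `iptables-save` style text as input; the sample dump is constructed from the rules quoted above, and the `INPUT ... -j DROP` line in it is hypothetical, included only to show what such a block looks like when present. The interface name, LAN network and Squid port are parameters, so the same check generalises to other transparent-proxy layouts.

```python
"""Lint an iptables-save dump for a Squid transparent-proxy setup.

Checks three things: a REDIRECT to the Squid port exists on the LAN
interface, no exemption (ACCEPT) rule for LAN addresses is bound to an
interface that never sees LAN traffic, and no filter INPUT rule drops the
redirected connections before Squid can accept them.
"""
import ipaddress

# Options whose value we keep; any other option (and its value) is skipped.
OPTS = {"-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst", "-p": "proto",
        "--dport": "dport", "-j": "target", "--to-port": "to_port",
        "--to-ports": "to_port"}

# Constructed sample in iptables-save format, mirroring the rules quoted in
# the thread. The INPUT DROP line is hypothetical (not from the thread).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.10.10/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.10.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j DROP
-A FORWARD -s 192.168.10.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_iptables_save(text):
    """Return a list of (table, chain, args) tuples, one per -A line."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = line.split()
            args, negated, i = {}, False, 2
            while i < len(toks):
                tok = toks[i]
                if tok == "!":                      # negated match follows
                    negated, i = True, i + 1
                elif tok in OPTS and i + 1 < len(toks):
                    args[("!" if negated else "") + OPTS[tok]] = toks[i + 1]
                    negated, i = False, i + 2
                else:
                    i += 1                          # unknown option or value
            rules.append((table, toks[1], args))
    return rules


def check_transparent_proxy(rules, lan_if, lan_net, squid_port):
    """Return a list of human-readable findings (empty means nothing found)."""
    lan, port, findings = ipaddress.ip_network(lan_net), str(squid_port), []
    nat_pre = [a for t, c, a in rules if t == "nat" and c == "PREROUTING"]

    # 1. A REDIRECT to the Squid port must sit on the LAN-facing interface.
    if not any(a.get("target") == "REDIRECT" and a.get("to_port") == port
               and a.get("in_if") == lan_if for a in nat_pre):
        findings.append(f"nat PREROUTING: no REDIRECT to port {port} on {lan_if}")

    # 2. An ACCEPT for a LAN address bound to another interface never matches.
    for a in nat_pre:
        src = a.get("src")
        if a.get("target") == "ACCEPT" and src and a.get("in_if") not in (None, lan_if):
            if ipaddress.ip_network(src, strict=False).subnet_of(lan):
                findings.append(f"nat PREROUTING: ACCEPT for {src} is bound to "
                                f"{a['in_if']}, but LAN traffic arrives on {lan_if}")

    # 3. A filter INPUT DROP/REJECT covering tcp/<squid_port> on the LAN
    #    interface discards the redirected connections before Squid sees them.
    for t, c, a in rules:
        if t == "filter" and c == "INPUT" and a.get("target") in ("DROP", "REJECT"):
            if (a.get("dport") in (None, port) and a.get("in_if") in (None, lan_if)
                    and a.get("proto") in (None, "tcp")):
                findings.append(f"filter INPUT: {a['target']} rule blocks tcp/{port} "
                                f"arriving on {a.get('in_if') or 'any interface'}")
    return findings


def lint_sample():
    """Run the check over the constructed sample with the thread's parameters."""
    return check_transparent_proxy(parse_iptables_save(SAMPLE_DUMP),
                                   "eth1", "192.168.10.0/24", 8080)


if __name__ == "__main__":
    for finding in lint_sample() or ["no findings"]:
        print("-", finding)
```

On a live box the input would be the output of `iptables-save`; feeding it to `parse_iptables_save` and calling `check_transparent_proxy` with the real LAN interface, network and `http_port` value reproduces the checks. The parser keeps only the options the checks need and ignores everything else, so match extensions it does not know about are skipped rather than misread.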