Re: [squid-users] squid transparent proxy

From: Wennie V. Lagmay <wlagmay@dont-contact.us>
Date: Thu, 24 Apr 2008 09:49:48 +0300 (AST)

Hi all,

I am reading the procedure for transparent proxy but I am hesitant to implement it because I am not sure what will be the impact to my system. Ok I am looking at 2 options,

option 1:
   iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
   iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
   iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

option 2:
    
    * iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
    * iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
    * ip rule add fwmark 3 table 2
    * ip route add default via squid-box dev eth1 table 2
    
  For squid box
    * iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

As I mentioned, I have separate boxes for firewall and squid. My firewall is a Fedora Core 4 and my squid-2.6-Stable19 is running on Fedora Core 8. My firewall has 2 interfaces: eth0=xxx.xxx.184.33/27, which connects to my local network, and eth1=xxx.xxx.184.18/28, which connects to the internet. The firewall also acts as the NAT server, which is actually the gateway of all traffic except 80/8080. The firewall and squid communicate via the internet connection, which is eth0 for the firewall.

In option 2 I am worried that if I implement the rule all traffic will be forwarded to squid. Also, I am not sure what lines #2 and #3 are. Another thing: how can I make sure the following requirements are already available on my system:

    * IP: advanced router
    * IP: policy routing
    * IP: use netfilter MARK value as routing key
    * IP: Netfilter Configuration -> Packet mangling
    * IP: Netfilter Configuration -> MARK target support
    and iproute2 tools.

Can you please help me decide which option is best for me and how I can do it smoothly? If you need more information about my setup or if you want to see any of my configuration, please let me know.

Thank you very much,

Wennie

----- Original Message -----
From: "Wennie V. Lagmay" <wlagmay@yanbulink.net>
To: wennielagmay@yahoo.com
Sent: Thursday, April 3, 2008 2:36:42 PM (GMT+0300) Asia/Kuwait
Subject: Fwd: [squid-users] squid transparent proxy

----- Forwarded Message -----
From: "Indunil Jayasooriya" <indunil75@gmail.com>
To: "Wennie V. Lagmay" <wlagmay@yanbulink.net>
Cc: "squid-users" <squid-users@squid-cache.org>
Sent: Thursday, April 3, 2008 12:58:27 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid transparent proxy

> You are right I am using port 8080. As I mentioned I have 2 machine the 1st machine is my Firewall/NAT server wherein the iptables configuration already stated that it should redirect port 80 to 8080

Oh, Squid is not running on this box. Then REDIRECT will not work.
What your firewall can do is MARK port 80 traffic and route it via the
squid box. That is known as Transparent Proxy to a Remote Box.

You need both the iptables and iproute2 packages.

Okay, below are the rules, you need to add.

On your firewall, please add the rules below:

    iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s ipaddressofsquid-box
    iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
    ip rule add fwmark 3 table 2
    ip route add default via ipaddressofsquid-box dev eth1 table 2

dev eth1 is connected to the squid box. Please change it accordingly.

On your squid box, please add the rule below:

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

This is where REDIRECT takes place.

In addition to that, you will have to make sure port 8080 is open on
this squid box, since squid is running on port 8080.

I think everything is open on the squid box.

Now, the clients' gateway is the IP of the firewall/NAT box. Also check
DNS on the clients.

Here are some other useful URLs:

http://www.mail-archive.com/squid-users@squid-cache.org/msg53662.html

http://tldp.org/HOWTO/TransparentProxy-6.html

Good luck

-- 
Thank you
Indunil Jayasooriya
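The question above asks how to verify that the kernel options needed for the mark-and-route setup are present. The following POSIX sh check is an added example, not code from the thread or from the Squid project; it greps a kernel `.config` (or `/boot/config-$(uname -r)`) for the symbols behind each listed option. Symbol names are assumptions: `CONFIG_IP_ROUTE_FWMARK` exists only on older 2.6 kernels (such as Fedora Core 4's) and later kernels fold it into `CONFIG_IP_MULTIPLE_TABLES`; the MARK target is `CONFIG_IP_NF_TARGET_MARK` on old kernels and `CONFIG_NETFILTER_XT_TARGET_MARK` on newer ones.

```shell
# Added example: map the kernel options listed in the question to config
# symbols and report which ones a given kernel config file is missing.
# Symbol names are assumptions (see lead-in); either name in a pair is enough.

# has_opt FILE SYMBOL... : succeed if any SYMBOL is built in (=y) or a module (=m)
has_opt() {
    file=$1; shift
    for sym in "$@"; do
        if grep -Eq "^${sym}=(y|m)$" "$file"; then
            return 0
        fi
    done
    return 1
}

# check_config FILE : print one line per requirement, return the number missing
check_config() {
    file=$1
    missing=0
    # "label|SYM1 SYM2": any one of the listed symbols satisfies the row
    for req in \
        "IP: advanced router|CONFIG_IP_ADVANCED_ROUTER" \
        "IP: policy routing|CONFIG_IP_MULTIPLE_TABLES" \
        "IP: netfilter MARK as routing key|CONFIG_IP_ROUTE_FWMARK CONFIG_IP_MULTIPLE_TABLES" \
        "Netfilter: packet mangling|CONFIG_IP_NF_MANGLE" \
        "Netfilter: MARK target|CONFIG_IP_NF_TARGET_MARK CONFIG_NETFILTER_XT_TARGET_MARK"
    do
        label=${req%%|*}
        syms=${req#*|}
        if has_opt "$file" $syms; then
            echo "ok      $label"
        else
            echo "MISSING $label (need one of: $syms)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# On the firewall box you would run, for example:
#   check_config /boot/config-$(uname -r)      # or: zcat /proc/config.gz > /tmp/cfg
#   command -v ip >/dev/null || echo "iproute2 'ip' tool is not installed"
```

A non-zero exit status from check_config is the count of missing rows, so it can gate a deployment script directly.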
Received on Thu Apr 24 2008 - 06:40:17 MDT
