Re: [squid-users] Building a Squid Cache Brouter

From: Amos Jeffries <>
Date: Fri, 14 Nov 2008 00:51:32 +1300

Dumpolid Exeplish wrote:
> Hello All,
> I am trying to build a transparent squid server on a Linux 2.6 kernel
> using the bridging code (br-nf)
> INTERNET_GW <====== BRIDGE/SQUID <======= Client Nat Router
> in this setup, the Client Nat router has the entire LAN behind it and
> the Client nat router will have its default gateway as the
> INTERNT_GW's IP address.
> The BRIDGE/SQUID box will have two Ethernet cards, one connecting to
> the "client Nat Router" and the other connected to the INTERNET_GW.
> The BRIDGE/SQUID box will have one IP address on which Squid will be
> listening of connections on.
> My aim is to transparently redirect http traffic passing from the
> "Client Nat Router" to the squid process configured on the router
> without altering the gateway of the Client NAt Router.
> Here are some of the ebtables/iptables that i have tried out but at
> this point... i am not sure of how proceed
> ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol
> tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
> ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol
> tcp --ip-dport 21 -j redirect --redirect-target ACCEPT
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i $BR_IN -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp –-dport 80 -j REDIRECT
> -–to-port $CACHE_PORT
> iptables -t nat -A PREROUTING -i br0 -p tcp –-dport 21 -j REDIRECT
> -–to-port $CACHE_PORT
> iptables -t nat -A PREROUTING -i $BR_IN -p tcp –dport 80 -j REDIRECT
> –to-ports $CACHE_PORT
> iptables -t nat -A PREROUTING -i $BR_IN -p tcp –dport 21 -j REDIRECT
> –to-ports $CACHE_PORT
> could anyone out there help me to explain how to progress? is this
> even possible at all?

One note before you start. Port 21 - Squid is an FTP client only, it
cannot accept FTP traffic.
For the port 80 traffic its usable on all 2.6+ Squid.

Pic your combo of interception and transport methods:
though it looks like you already need the iptables REDIRECT config.

My own experience with this exact box layout, you should not have to use
a bridge. A relay router is sufficient. Depends on your specs though.

If you do get this going as a bridge, would you mind submitting back the
ebtabels part and any variation in iptables config for the wiki please?
It sounds like that would be a useful one to add.

The core ideas are that:
  - the NAT _should_ happen on the squid box or loose client tracking
  - NAT _must_ exclude the squid outbound traffic or cause fatal traffic
  - routers should forward/tunnel traffic unaltered to the squid box for


Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid
Received on Thu Nov 13 2008 - 11:51:40 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 13 2008 - 12:00:03 MST