prophetmr wrote:
> i can save you the trouble of looking at the conf file everything is default
> except i set it to
>
> http_port 192.168.3.107:3128 transparent
>
> using 2.7 defaults,the reason i did that is im divorced and running squid
> transparent is so i dont have to set the browsers to proxy everytime i have
> the kids and reset it before they go to their mothers. It may be something
> in my router that is making everything show as 192.168.3.1 in the logs i
> have the firewall running this script on boot
>
> # nvram set rc_firewall="
> #!/bin/sh
> INTERNAL_NETWORK="192.168.3.1/24"
> ROUTER_IP="192.168.3.1"
> PROXY_SERVER="192.168.3.107"
> PROXY_PORT="3128"
> if [ -z $TRANSPARENT_PROXY ]; then
> /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK \
> -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
> /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp
> --dport 80 \
> -j DNAT --to $PROXY_SERVER:$PROXY_PORT
> /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p
> tcp -d \
> $PROXY_SERVER -j SNAT --to $ROUTER_IP
> /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d
> $PROXY_SERVER -i br0 \
> -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT
> export TRANSPARENT_PROXY="1"
> else
> echo /"This script has already run!"
> echo /"If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."
> fi
> "
> [Ctrl+D]
> # nvram commit
There you go. It's the way you are doing interception.
NAT is a destructive process, it drops the original source IPs from the
IP-layer information. Thats just the way NAT operates.
What you want to do instead is selectively route the port 80 traffic to
the squid box and do the intercept NAT there instead of on the router.
see
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
for an example of how to set that up at the router.
The linked REDIRECT page has rules for the Squid box setup.
Amos
>
> the way its set up now i have the kids connect via wireless to the router on
> the lan side and the wan side is the squid router which is connected to a
> repeater from my neighbors who let me split the bill with them since i cant
> get broadband.
>
>
>
>
>
> Amos Jeffries-2 wrote:
>> prophetmr wrote:
>>>
>>> currently its set to default client_netmask 255.255.255.255 if i change
>>> it
>>> to 255.255.255.0 will it pass the ips thru?
>> No, setting it to 255.255.255.0 will cause the last numeric of the IP to
>> not be logged. Thats why we thought it might be set.
>>
>> If you don't mind can you post your whole squid.conf (minus the comment
>> # lines) so we can get a look and check for unexpected things.
>>
>> Cheers
>> Amos
>>
>>>
>>> Chris Robertson-2 wrote:
>>>> prophetmr wrote:
>>>>> Im new to squid and i have the same problem im running squid
>>>>> transparently
>>>>> primarily to keep tabs on what my kids are up to on the internet and i
>>>>> have
>>>>> set the kids laptops to static ips but in the logs i only show the
>>>>> network
>>>>> ip not the users ip. Daily i run srg with a date range of the day and
>>>>> examine where the kids have been but without there ips it makes it
>>>>> kinda
>>>>> hard to figure out what kid did what. Is there any way to pass the ips
>>>>> of
>>>>> the users into the logs?
>>>>>
>>>> Have you set "client_netmask" in your squid.conf?
>>>>
>>>>> I checked and #emulate_httpd_log off is a default setting
>>>> Chris
>>>>
>>>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
>> Current Beta Squid 3.1.0.3
>>
>>
>
-- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12 Current Beta Squid 3.1.0.3Received on Sat Jan 24 2009 - 01:39:19 MST
This archive was generated by hypermail 2.2.0 : Sun Jan 25 2009 - 12:00:02 MST