[squid-users] Bridging/Tproxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 Jul 2009 18:07:54 +1200

johan firdianto wrote:
> You're right Jeffries,
>
> after compiling connection tracking NAT, it doesn't make sense.
> I mean, I can't see my browsing log in access.log,
> no error in cache.log.
> The iptables counter is incrementing. But I still can browse. When I dump
> the packet, no Squid header is appended to the response, so the response
> didn't come from Squid.
> How do I check that packets from iptables hit Squid?
> Or does a bridging environment need a different solution?

Looking for an answer for you I found an old tutorial that may still
have some relevance. The rest is long and non-relevant so I quote the
bridging portion:

"Bridge Setup

We configure our system as a network bridge, which means that it sits
between two physical devices on our network and relays the packets
between them. However, there's a twist: we intercept certain packets
(those destined for port 80) and shunt them to Squid for processing.

You'll need two ethernet cards in your machine to bridge between (one
"in" and one "out", as it were). You can use another card for a
management IP address, or you can actually assign an address to the
bridge itself and reach the machine just as you would a "real" interface.

In order to set up the bridge, we need to make a few tweaks to the
system. First, we need to install some software that's necessary for
setting up a bridge:

apt-get install bridge-utils

Next, edit /etc/network/interfaces. You should already have a stanza for
a statically configured interface (e.g., eth0). Keep the settings for
the stanza, but replace the interface name with br0. Also, add the line
bridge_ports ethXXX ethYYY to add them to the bridge. For example:

auto br0
iface br0 inet static
     bridge_ports eth0 eth1
     address 192.168.0.100
     netmask 255.255.255.0
     gateway 192.168.0.1

Additionally, if your setup is like ours you'll need to add some routing
to the box so it knows where to send packets. Our Squid box sits just
between our firewall/router and LAN. Thus, it needs to be told how to
route packets to the LAN and packets to the outside world. We do this by
specifying the firewall as the "gateway" in the interfaces file, and
adding a static route for our LAN. Thus, you would add the following
lines to /etc/network/interfaces in the br0 stanza:

     up route add -net 192.168.1.0/24 gw 192.168.1.1
     down route del -net 192.168.1.0/24 gw 192.168.1.1

We'll need to tell the kernel that we're going to forward packets, so
make sure the following are set in /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

Once you're all set, the easiest thing to do is reboot for the bridge
config to take effect. The other settings should now be working also.
cat /proc/sys/net/ipv4/ip_forward to confirm that the machine is in
forwarding mode.
"

iptables appeared to be set up as per normal on top of that.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
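As an added example (not from the thread or from the tutorial quoted above), a small POSIX shell lint for a bridge stanza of the kind shown: it checks that the bridge names two bridge_ports and that every "up route add" line has a matching "down route del" for the same network and gateway. The function names and the sample stanza contents are constructed for this example.

```shell
# Lint an /etc/network/interfaces bridge stanza: at least two bridge_ports,
# and each "up route add -net NET gw GW" paired with a "down route del" line
# naming the same NET and GW, so the route is cleanly removed on ifdown.

# Print the body of one "iface <name>" stanza from an interfaces file.
iface_stanza() {  # $1 = file, $2 = interface name
    awk -v want="$2" '
        /^[[:space:]]*iface[[:space:]]/ { inside = ($2 == want); next }
        /^[[:space:]]*(auto|allow-|mapping)/ { inside = 0 }
        inside { print }
    ' "$1"
}

# Return 0 if the stanza is consistent, 1 (with a short report) otherwise.
check_bridge_stanza() {  # $1 = file, $2 = bridge name, e.g. br0
    stanza=$(iface_stanza "$1" "$2")
    status=0
    ports=$(printf '%s\n' "$stanza" | awk '$1 == "bridge_ports" { print NF - 1 }')
    if [ "${ports:-0}" -lt 2 ]; then
        echo "$2: expected two bridge_ports, found ${ports:-0}"
        status=1
    fi
    # Reduce route lines to "NET GW" pairs and compare the sorted sets.
    ups=$(printf '%s\n' "$stanza" | awk '$1=="up" && $2=="route" && $3=="add" {print $5, $7}' | sort)
    downs=$(printf '%s\n' "$stanza" | awk '$1=="down" && $2=="route" && $3=="del" {print $5, $7}' | sort)
    if [ "$ups" != "$downs" ]; then
        echo "$2: up/down route lines disagree (up: $ups | down: $downs)"
        status=1
    fi
    return $status
}

# Constructed samples: GOOD mirrors the tutorial's stanza; BAD carries a
# typo in the down line, so the route would survive an ifdown.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
auto br0
iface br0 inet static
     bridge_ports eth0 eth1
     address 192.168.0.100
     netmask 255.255.255.0
     gateway 192.168.0.1
     up route add -net 192.168.1.0/24 gw 192.168.1.1
     down route del -net 192.168.1.0/24 gw 192.168.1.1
EOF
sed 's#del -net 192.168.1.0/24#del -net 192.168.1.1/24#' "$GOOD" > "$BAD"
check_bridge_stanza "$GOOD" br0 && echo "br0 stanza looks consistent"
check_bridge_stanza "$BAD" br0 || echo "fix the stanza before ifup"
```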
Received on Wed Jul 08 2009 - 06:08:02 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 08 2009 - 12:00:03 MDT