Re: [squid-users] howto forward to squid proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 12 Nov 2010 20:15:23 +1300

On 12/11/10 19:54, Arturas Kurlavicius wrote:
> Hello
> First I want to say sorry for my bad English :(
> Here is my situation.
>
> I work in a huge government network. My network uses a proxy to access
> the internet. Shame that the proxy is not transparent... so I must every
> time type the settings in every PC. That's annoying. So I want to change
> the situation.
>
> I made a bit of a stupid gateway PC (Debian), with a single network adapter.
> Messed a bit with iptables, and a simple gateway is working.
> Network config:
> [CODE]
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> allow-hotplug eth0
> #iface eth0 inet dhcp
> iface eth0 inet static
> address 10.0.8.226
> netmask 255.255.255.0
> gateway 10.0.8.1
> [/CODE]
> iptables Config:
> [CODE]
> ###Flush iptables configurations
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> ###Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ###Enable ip masquerading
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> [/CODE]
> And all seems to be working.. I can browse sites (with proxy settings).
>
> So now I want to make the proxy transparent with that gateway. So I'm
> trying to forward port 80 to the proxy.
> Config:
> [CODE]
> ###Flush iptables configurations
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> ###Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ###Enable ip masquerading
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> ###trying to forward port 80
> iptables -A FORWARD -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 212.59.6.119:80

Use an uncommon randomly picked --to-destination port here to avoid the
security problems introduced by NAT. It is only used between this
firewall and Squid, so can be firewalled in the "mangle" table to
prevent external machines sending traffic directly there.

> [/CODE]
>
> Well it seems forwarding is working... but when I try to get a page (for
> example www.inuxforums.org)... I get an error from the proxy
> [CODE]
> ERROR
> The requested URL could not be retrieved
> --------------------------------------------------------------------------------
> While trying to retrieve the URL: /
>
> The following error was encountered:
>
> •Invalid URL
> Some aspect of the requested URL is incorrect. Possible problems:
>
> •Missing or incorrect access protocol (should be `http://'' or similar)
> •Missing hostname
> •Illegal double-escape in the URL-Path
> •Illegal character in hostname; underscores are not allowed
> --------------------------------------------------------------------------------
> Generated Thu, 11 Nov 2010 11:02:48 GMT by duke.cust.lt (squid/3.0.STABLE25)
> [/CODE]
> But if I put the proxy setting in the browser (212.59.6.119:80) all works fine again.
>
> So I want advice on what I'm doing wrong..

You need to create an http_port for the NAT traffic to enter Squid. It
needs IP:port details identical to the firewall --to-destination. In 3.0
and older Squid it has the flag "transparent" that tells Squid how to
find and replace the missing hostname.

>
> P.S. Auto proxy settings are not possible. And I have a lot of
> notebooks.. so they need to change the setting every time.. and that's
> bad :(

Do you mean transparent configuration aka WPAD/PAC? That would really be
the best way. NAT interception adds some annoying security problems and
restrictions.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
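As an added example (not from this thread or from the Squid project), a small Python check that compares the firewall's --to-destination against the http_port lines in squid.conf and reports the mismatches Amos describes: no matching listener (the "Invalid URL" symptom), a listener without the interception flag, or a well-known port used for the NAT hop. The squid.conf fragments and the port 34971 are constructed for the example; "intercept" is the Squid 3.1+ name for the 3.0 "transparent" flag.

```python
import re

# Constructed inputs modelled on the thread (proxy IP from the post; conf fragments are hypothetical).
IPTABLES_RULE = ("iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT "
                 "--to-destination 212.59.6.119:80")
SQUID_CONF_BROKEN = "http_port 3128\n"                      # forward-proxy port only
SQUID_CONF_FIXED = "http_port 3128\nhttp_port 212.59.6.119:80 transparent\n"

# Ports Amos warns against: well-known proxy/HTTP ports are what outsiders probe.
COMMON_PORTS = {80, 3128, 8080}
# 'transparent' is the Squid 3.0 flag; Squid 3.1+ calls it 'intercept'.
INTERCEPT_FLAGS = {"transparent", "intercept"}


def parse_dnat_target(rule):
    """Return (ip, port) from the rule's --to-destination argument."""
    m = re.search(r"--to-destination\s+(\d+(?:\.\d+){3}):(\d+)", rule)
    if not m:
        raise ValueError("rule has no --to-destination IP:port")
    return m.group(1), int(m.group(2))


def parse_http_ports(conf):
    """Return [(ip_or_None, port, flags)] for each http_port directive."""
    listeners = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "http_port":
            ip, _, port = fields[1].rpartition(":")  # "3128" -> ("", "", "3128")
            listeners.append((ip or None, int(port), set(fields[2:])))
    return listeners


def check_intercept(rule, conf):
    """Return a list of problems; an empty list means the pair is consistent."""
    ip, port = parse_dnat_target(rule)
    problems = []
    hits = [l for l in parse_http_ports(conf) if l[1] == port and l[0] in (ip, None)]
    if not hits:
        problems.append(f"no http_port listening on {ip}:{port}: Squid answers "
                        "the DNATed request as a plain proxy request ('Invalid URL')")
    elif not any(flags & INTERCEPT_FLAGS for _, _, flags in hits):
        problems.append(f"http_port {ip}:{port} lacks the transparent/intercept "
                        "flag, so Squid cannot reconstruct the missing hostname")
    if port in COMMON_PORTS:
        problems.append(f"--to-destination port {port} is a well-known port; pick "
                        "an uncommon one and block outside access to it")
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", SQUID_CONF_BROKEN), ("fixed", SQUID_CONF_FIXED)):
        print(name, check_intercept(IPTABLES_RULE, conf) or "OK")
```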
Received on Fri Nov 12 2010 - 07:15:32 MST