Re: [squid-users] howto forward to squid proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 12 Nov 2010 22:09:48 +1300

On 12/11/10 20:36, Arturas Kurlavicius wrote:
> Thanks for the reply
>
> On Fri, Nov 12, 2010 at 9:15 AM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> On 12/11/10 19:54, Arturas Kurlavicius wrote:
>>>
>>> Hello
>>> First I want to say sorry for my bad English :(
>>> Here is my situation.
>>>
>>> I work in a huge government network. My network uses a proxy to access
>>> the internet. Shame that the proxy is not transparent... so I must type
>>> the settings into every PC every time. That's annoying. So I want to change
>>> the situation.
>>>
>>> I made a bit of a stupid gateway PC (Debian) with a single network adapter.
>>> Messed a bit with iptables, and the simple gateway is working.
>>> Network config:
>>> [CODE]
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> auto eth0
>>> allow-hotplug eth0
>>> #iface eth0 inet dhcp
>>> iface eth0 inet static
>>> address 10.0.8.226
>>> netmask 255.255.255.0
>>> gateway 10.0.8.1
>>> [/CODE]
>>> iptables Config:
>>> [CODE]
>>> ###Flush iptables configurations
>>> iptables -F
>>> iptables -X
>>> iptables -t nat -F
>>> iptables -t nat -X
>>> iptables -t mangle -F
>>> iptables -t mangle -X
>>> iptables -P INPUT ACCEPT
>>> iptables -P FORWARD ACCEPT
>>> iptables -P OUTPUT ACCEPT
>>>
>>> ###Enable IP forwarding
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> ###Enable ip masquerading
>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> [/CODE]
>>> And all seems to be working... I can browse sites (with proxy settings).
>>>
>>> So now I want to use that gateway to make the proxy transparent. So I'm
>>> trying to forward port 80 to the proxy.
>>> Config:
>>> [CODE]
>>> ###Flush iptables configurations
>>> iptables -F
>>> iptables -X
>>> iptables -t nat -F
>>> iptables -t nat -X
>>> iptables -t mangle -F
>>> iptables -t mangle -X
>>> iptables -P INPUT ACCEPT
>>> iptables -P FORWARD ACCEPT
>>> iptables -P OUTPUT ACCEPT
>>>
>>> ###Enable IP forwarding
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> ###Enable ip masquerading
>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>> ###trying to forward port 80
>>> iptables -A FORWARD -j ACCEPT
>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 212.59.6.119:80
>>
>> Use an uncommon randomly picked --to-destination port here to avoid the
>> security problems introduced by NAT. It is only used between this firewall
>> and Squid, so can be firewalled in the "mangle" table to prevent external
>> machines sending traffic directly there.
>>
>>> [/CODE]
>>>
>>> Well, it seems forwarding is working... but when I try to get a page (for example
>>> www.inuxforums.org)... I get an error from the proxy:
>>> [CODE]
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> --------------------------------------------------------------------------------
>>> While trying to retrieve the URL: /
>>>
>>> The following error was encountered:
>>>
>>> •Invalid URL
>>> Some aspect of the requested URL is incorrect. Possible problems:
>>>
>>> •Missing or incorrect access protocol (should be `http://'' or similar)
>>> •Missing hostname
>>> •Illegal double-escape in the URL-Path
>>> •Illegal character in hostname; underscores are not allowed
>>>
>>> --------------------------------------------------------------------------------
>>> Generated Thu, 11 Nov 2010 11:02:48 GMT by duke.cust.lt
>>> (squid/3.0.STABLE25)
>>> [/CODE]
>>> But if I put the proxy settings in the browser (212.59.6.119:80) it all works
>>> fine again.
>>>
>>> So I want advice on what I'm doing wrong.
>>
>> You need to create an http_port for the NAT traffic to enter Squid. It
>> needs IP:port details identical to the firewall --to-destination.
>> In 3.0 and older Squid it has the flag "transparent" that tells Squid how
>> to find and replace the missing hostname.
>>
>
> So... you are saying I need to change the Squid configuration... Well, that is not
> possible for me. I'm only a user.

Oh, okay, you said you assembled a gateway box. You can run your own
Squid on there as part of the gateway software. You have control over
that config and set up the NAT interception bits there.
It passes requests on to the network parent machine as proper HTTP.

Though if you are "only a user" be aware that the next step to getting
it working is to update the network routing structure to pass traffic
through the gateway box.

Try hard, very hard to talk with the administrator of the network you
work in about this netbook problem. They can help.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
Received on Fri Nov 12 2010 - 09:09:57 MST
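
The setup Amos describes (a Squid on the gateway box with a "transparent" http_port identical to the DNAT target, an uncommon port shielded in the mangle table, requests passed on to the parent proxy) could look like this. It is an added example, not configuration from the thread: port 3129 and the function names are assumptions, while the addresses are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. GW_IP, PARENT and the /24 come from the
# quoted configs; SQUID_PORT is an assumed stand-in for the "uncommon randomly
# picked" port, and the function names are made up for this example.
GW_IP=10.0.8.226
LAN=10.0.8.0/24
SQUID_PORT=3129
PARENT=212.59.6.119
PARENT_PORT=80

# squid.conf lines for the gateway's own Squid (3.0 syntax; 3.1 renamed the
# flag to "intercept"). The http_port must be identical to the DNAT target.
squid_conf() {
    cat <<EOF
http_port ${GW_IP}:${SQUID_PORT} transparent
# the next two lines must sit above the final "http_access deny all"
acl lan src ${LAN}
http_access allow lan
# hand every request to the network's existing proxy as ordinary proxy HTTP
cache_peer ${PARENT} parent ${PARENT_PORT} 0 no-query default
never_direct allow all
EOF
}

# Firewall commands, printed instead of executed so they can be reviewed.
# mangle PREROUTING is traversed before nat PREROUTING, so the DROP only hits
# packets addressed straight to the Squid port, not the DNATed port-80 traffic.
nat_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t mangle -A PREROUTING -p tcp --dport ${SQUID_PORT} -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination ${GW_IP}:${SQUID_PORT}
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# No argument: print both parts for review. "apply": run the firewall part (root).
case "${1:-}" in
    apply) nat_rules | sh -e ;;
    *)     squid_conf; echo; nat_rules ;;
esac
```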
