Re: [squid-users] transparent proxy in squid3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 03 Mar 2012 13:39:51 +1300

On 3/03/2012 12:51 p.m., pplive wrote:
> Dear all,
>
> I am trying to configure a transparent web proxy through squid 3. Here is
> the network topology:
>
> Users -> Switch -> Internet
>
> Users means a couple of PCs, all of them have public IPs, all of them
> are connected to a switch. One PC among them is designed to be a proxy
> machine. The switch is programmable, thus for the TCP packets with
> destination address 80, it can be re-directed to the proxy machine.
> For other packets, it will be forwarded further to the Internet. The
> programmable switch has been tested and works well.
>
> The proxy machine has squid3 installed, the listening port is 3128,
> and we have configured 'http_port 3128 transparent' in squid.conf. One
> problem is this machine has only one NIC (eth0), thus we cannot use
> the method proposed in
> http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
> (using a bridge)
>
> I have tried several iptables settings, such as
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to xx.yy.zz.ii:3128
>
> Neither of them works.

There are several other iptables rules involved, along with sysctl
requirements. See
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

The Squid 3.1 option is "intercept" for NAT interception proxy.
Transparent proxy is something else.

If you have any other problems after fixing all that, check the switch is
bypassing the redirect when the packets for port 80 come *out* of the
squid box.

Amos
Received on Sat Mar 03 2012 - 00:39:58 MST
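
An added example, not part of the thread or of the Squid project's code: a shell check for the pieces the reply names (the "intercept" port option, the additional iptables rules, the sysctl settings), run over constructed squid.conf, `iptables-save` and `sysctl` text. The exact rules and sysctl keys it expects, and the separate intercept port 3129, are assumptions modelled on the DNAT recipe of the linked wiki page.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Squid NAT-interception setup.
# Expected rules, sysctl keys and port 3129 are assumptions (see lead-in).
audit_intercept() {  # $1 squid.conf text, $2 iptables-save text, $3 sysctl text
    conf=$1 rules=$2 sysctls=$3
    # Reply: the Squid 3.1 option for NAT interception is "intercept".
    port=$(printf '%s\n' "$conf" |
        awk '$1=="http_port" && / intercept( |$)/ {n=split($2,a,":"); print a[n]; exit}')
    if [ -z "$port" ]; then
        echo "FAIL: no 'http_port <port> intercept' line in squid.conf"
        return 0
    fi
    # nat table: port-80 traffic must be steered to the intercept port.
    printf '%s\n' "$rules" | grep -E -- '-A PREROUTING .*--dport 80 .*-j (REDIRECT|DNAT)' |
        grep -Eq -- "(--to-ports $port|--to-destination [0-9.]+:$port)( |\$)" ||
        echo "FAIL: no nat PREROUTING rule sends port 80 to port $port"
    # Clients must not reach the intercept port directly (table name not checked).
    printf '%s\n' "$rules" | grep -Eq -- "-A PREROUTING .*--dport $port .*-j DROP" ||
        echo "FAIL: intercept port $port is reachable directly (no DROP rule)"
    # sysctl: forwarding on, reverse-path filtering off for the default profile.
    printf '%s\n' "$sysctls" | grep -Eq '^net\.ipv4\.ip_forward *= *1$' ||
        echo "FAIL: net.ipv4.ip_forward is not 1"
    printf '%s\n' "$sysctls" | grep -Eq '^net\.ipv4\.conf\.default\.rp_filter *= *0$' ||
        echo "FAIL: net.ipv4.conf.default.rp_filter is not 0"
    return 0
}

# Constructed samples; 192.0.2.10 is a documentation address standing in for the proxy.
BAD_CONF='http_port 3128 transparent'
GOOD_CONF='http_port 3128
http_port 3129 intercept'
BAD_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
GOOD_RULES='*nat
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129
-A POSTROUTING -j MASQUERADE
COMMIT
*mangle
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
COMMIT'
GOOD_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0'

# Corrected squid.conf, but only the single REDIRECT rule and no sysctl changes.
audit_intercept "$GOOD_CONF" "$BAD_RULES" ""
```

On a live box, feed it `"$(cat /etc/squid3/squid.conf)"`, `"$(iptables-save)"` and `"$(sysctl -a)"`; the squid.conf path is an assumption. The switch-side bypass for traffic leaving the Squid box, mentioned in the reply, is outside what this check can see.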