Re: [squid-users] transparent proxy in squid3

From: pplive <p2pnet10_at_googlemail.com>
Date: Sun, 4 Mar 2012 12:40:41 -0500

Dear Amos,

Thanks a lot! By looking at your URL, I have entered the following
commands on my squid3 machine (my HTTP service is at port 8080); the
squid3 proxy machine is at 10.0.3.1, the HTTP server (noder) is at
10.0.2.1, and the HTTP client (nodes) is at 10.0.1.1:

yeung_at_nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT
yeung_at_nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128
yeung_at_nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
yeung_at_nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

yeung_at_nodec1:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- nodec1-tblink-l9 anywhere tcp dpt:http-alt
DNAT tcp -- anywhere anywhere tcp dpt:http-alt to:10.0.3.1:3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

yeung_at_nodec1:~$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:3128

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

However, the proxy still has some problems when we start wget from the
HTTP client:
yeung_at_nodes:~$ wget 10.0.2.1:8080
--2012-03-04 09:31:39-- http://10.0.2.1:8080/
Connecting to 10.0.2.1:8080... ^C
yeung_at_nodes:~$

Looking at the tcpdump result on the squid3 machine (10.0.3.1), we see the
following messages:
09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0

It seems that there was some HTTP-alt traffic coming in from the
switch, but no HTTP traffic going out of the squid3 machine.

I am really sorry for continuing this problem.

Best regards!

On Fri, Mar 2, 2012 at 7:39 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 3/03/2012 12:51 p.m., pplive wrote:
>>
>> Dear all,
>>
>> I am trying to configure a transparent web proxy through squid 3; here is
>> the network topology:
>>
>> Users ->  Switch ->  Internet
>>
>> Users means a couple of PCs; all of them have public IPs, and all of them
>> are connected to a switch. One PC among them is designed to be a proxy
>> machine. The switch is programmable, thus the TCP packets with
>> destination address 80 can be redirected to the proxy machine.
>> Other packets will be forwarded further to the Internet. The
>> programmable switch has been tested and works well.
>>
>> The proxy machine has squid3 installed, the listening port is 3128,
>> and we have configured 'http_port 3128 transparent' in squid.conf. One
>> problem is that this machine has only one NIC (eth0), thus we cannot use
>> the method proposed in
>>
>> http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
>> (using a bridge)
>>
>> I have tried several iptables settings, such as:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to xx.yy.zz.ii:3128
>>
>> Neither of them works.
>
>
> There are several other iptables rules involved, along with sysctl
> requirements. See
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> The Squid 3.1 option is "intercept" for a NAT interception proxy. Transparent
> proxy is something else.
>
> If you have any other problems after fixing all that, check that the switch is
> bypassing the redirect when the packets for port 80 come *out* of the squid
> box.
>
> Amos
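The rule set pplive ran above, as an added example (not code from this thread or from the Squid project): it parameterises the rules for the thread's addresses (proxy box 10.0.3.1, intercept port 3128, redirected service port 8080) and adds two checks a practitioner would run before blaming the switch: whether IP forwarding is on, and whether the DNAT rule's packet counter is moving at all. The counter listing it parses is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project.
# Assumed values are the ones in the thread; override via the environment.
SQUID_IP="${SQUID_IP:-10.0.3.1}"      # the squid3 box
SQUID_PORT="${SQUID_PORT:-3128}"      # http_port ... intercept
WEB_PORT="${WEB_PORT:-8080}"          # port the switch redirects to the proxy

# Print the rule set instead of applying it, so it can be reviewed first
# (pipe the output into sh as root to apply).
intercept_rules() {
    # Squid's own upstream connections leave with source SQUID_IP; let them
    # bypass the redirect or they would be looped straight back into Squid.
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport %s -j ACCEPT\n' "$SQUID_IP" "$WEB_PORT"
    # Everything else arriving for the web port goes to Squid's intercept port.
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$WEB_PORT" "$SQUID_IP" "$SQUID_PORT"
    printf 'iptables -t nat -A POSTROUTING -j MASQUERADE\n'
    # Refuse direct client connections to the intercept port.  DNAT'd packets
    # are unaffected: mangle PREROUTING is evaluated before nat PREROUTING.
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j DROP\n' "$SQUID_PORT"
}

# Interception setups of this kind need net.ipv4.ip_forward = 1.  Succeeds
# when the sysctl (or the file given as $1, for testing) reads 1.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Packet counter of the DNAT rule, parsed from the output of
# `iptables -t nat -L PREROUTING -v -n` read on stdin.  If tcpdump shows SYNs
# for the web port but this stays at 0, the packets never reach the rule.
dnat_hits() {
    awk '$3 == "DNAT" { print $1; exit }'
}

# Constructed sample of the -v -n listing, so the check can run offline.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.0.3.1             0.0.0.0/0            tcp dpt:8080
    7   420 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.0.3.1:3128'
```

On a live box, `sudo iptables -t nat -L PREROUTING -v -n | dnat_hits` gives the real counter; a non-zero value with no reply in tcpdump points at Squid or forwarding rather than at the redirect rule.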
Received on Sun Mar 04 2012 - 17:40:49 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 05 2012 - 12:00:02 MST