topic Re: squid transparent proxy in Operating System - Linux

squid transparent proxy

Marco_113 — Thu, 16 Sep 2004 06:45:53 GMT

hi,
i've another problem with squid; this time with transparent.

My firewall and my squid server are both Linux rh 8.0.

On the firewall:

1) IPTABLES -t nat -A PREROUTING -i $ETH_LAN -p tcp --doprt 80 -j DNAT --to $IP_squid:3128 -s ! $IP_squid

On the squid

1) httpd_accel_host virtual
2) httpd_accel_port 80
3) httpd_accel_with_proxy on
4) httpd_accel_uses_host_header on

But from my client with default gateeway IP_firewall i'm unable to go in INTERNET on 80 port

Thanks in advance

Re: squid transparent proxy

Muthukumar_5 — Thu, 16 Sep 2004 06:55:15 GMT

Your problem is because of firewell setting of
1) IPTABLES -t nat -A PREROUTING -i $ETH_LAN -p tcp --doprt 80 -j DNAT --to $IP_squid:3128 -s ! $IP_squid

Gateway contains two ip-address as public one and private one. Try to check on gateway about the running of squid http_port informations as,

netstat -na | grep -w '3128'

And else try to use as,
1) IPTABLES -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -j DNAT --to-port 3128 -s ! $IP_squid

A good document writing about T-proxy over,
http://squid.visolve.com/squid/trans_caching.htm

Re: squid transparent proxy

Senthilmurugan — Thu, 16 Sep 2004 07:07:02 GMT

Hello

/sbin/iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -s -d ! $IP_squid -j REDIRECT --to-port 3128

Replace by your LAN
network number/netmaskvalue.

If you don't want to give the network number just give the following:

/sbin/iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -d ! $IP_squid -j REDIRECT --to-port 3128

Also Check the following things:

* Check Whether $ETH_LAN is your Local LAN's Ethernet port number and also check whether $IP_squid is your GATEWAY/SQUID's IPaddress.

* Check whether squid is listening to 3128 using netstat:

#netstat -nap |grep 3128

Regards,
Senthil Murugan

Re: squid transparent proxy

Marco_113 — Thu, 16 Sep 2004 08:56:24 GMT

my squid server a nd my firewall are different machines on the same lan

on squid, netstat:

tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN

my def gateway is firewall (ip of internal lan)

Re: squid transparent proxy

Senthilmurugan — Thu, 16 Sep 2004 09:47:57 GMT

Try the following in your gateway,

#iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp -s ! $IP_squid --dport 80 -d ! 172.16.1.194 -j DNAT --to $IP_squid:3128

Replace $ETH_LAN with the local network IP (eg: eth0) and $IP_squid with the Squid machines IP .

If the problem still exist

* Send the iptable entries in the firewall with the
#iptables -L -t nat -n

* Monitor the packets at the squid machine with the tcpdump command:

#tcpdump -n |grep

Send the above two outputs if the problem still exists.

Regards,
Senthil Murugan

Re: squid transparent proxy

Marco_113 — Thu, 16 Sep 2004 10:05:54 GMT

I think the problem is on squid server because:

1) Logging the traffic on firewall i see that the nat works;
i see the packet going from IP of my client redirect to IP_squid port 3128

2) On squid seever i don't see any access in /var/log/squid/access.log file

Re: squid transparent proxy

Marco_113 — Thu, 16 Sep 2004 11:57:07 GMT

This is the output of tcpdump | grep 192.168.10.54 on squidtcpdump -n | grep 192.168.10.54
tcpdump: listening on eth0
18:52:05.541536 192.168.10.32.ssh > 192.168.10.54.1567: P 2051682319:2051682363(44) ack 1373344404 win 6432 (DF) [tos 0x10]
18:52:05.541891 192.168.10.54.1567 > 192.168.10.32.ssh: . ack 44 win 16820 (DF)
18:52:07.118630 192.168.10.54.2370 > 62.211.64.100.http: S 4256518408:4256518408(0) win 16384 (DF)
18:52:07.118796 192.168.10.54.2370 > 192.168.10.32.squid: S 4256518408:4256518408(0) win 16384 (DF)
18:52:07.118844 192.168.10.32.squid > 192.168.10.54.2370: S 1211810983:1211810983(0) ack 4256518409 win 5840 > (DF)

192.168.10.54 is my client IP
192.168.10.32 is squid IP
192.168.10.1 is firewall IP (on lan)

the first two lines refers to my ssh connection to squid server

i think this output means that the nat on firewall is working, because my http request has been natted to squid server??

i

Re: squid transparent proxy

Marco_113 — Fri, 17 Sep 2004 05:05:54 GMT

Any suggestion,
please?
Marco

Re: squid transparent proxy

Matthew Ausmus — Fri, 17 Sep 2004 13:02:35 GMT

Have you verified that squid works properly? One way to test is to telnet into squid from the machine running squid.

telnet servername or ip 3128

Once in, type (case sensitive)

CONNECT www.aol.com HTTP/1.0

then hit enter twice. The response should be 'Connection Established'. If not, it will show you the error generated and it will give you a new direction to search. Use aol because it is virtually guaranteed to work. If it does establish then you know squid is functioning properly.

Re: squid transparent proxy

Marco_113 — Mon, 20 Sep 2004 02:29:05 GMT

Thanks,
but i've solved the problem;
On the firewall i add the rule:
$IPTABLES -t nat -A POSTROUTING -o $ETH_LAN -s $LAN-d $IP_squid -j SNAT --to $IP_firewall_int