squid transparent proxy

 
Marco_113
Frequent Advisor

squid transparent proxy

Hi,
I've got another problem with squid; this time with transparent proxying.

My firewall and my squid server are both Linux RH 8.0.

On the firewall:

1) IPTABLES -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -j DNAT --to $IP_squid:3128 -s ! $IP_squid

On the squid

1) httpd_accel_host virtual
2) httpd_accel_port 80
3) httpd_accel_with_proxy on
4) httpd_accel_uses_host_header on

But from my client, with default gateway IP_firewall, I'm unable to get out to the INTERNET on port 80.

Thanks in advance

9 replies
Muthukumar_5
Honored Contributor

Re: squid transparent proxy

Your problem is because of the firewall setting
1) IPTABLES -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -j DNAT --to $IP_squid:3128 -s ! $IP_squid

The gateway has two IP addresses, a public one and a private one. Check on the gateway whether squid is listening on its http_port with:

netstat -na | grep -w '3128'

Or else try:
1) IPTABLES -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128 -s ! $IP_squid

A good document writing about T-proxy over,
http://squid.visolve.com/squid/trans_caching.htm

Easy to suggest when you don't know about the problem!
Senthilmurugan
Frequent Advisor

Re: squid transparent proxy

Hello


/sbin/iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -s $LAN -d ! $IP_squid -j REDIRECT --to-ports 3128

Replace $LAN with your LAN network number/netmask value.

If you don't want to give the network number, just give the following:

/sbin/iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -d ! $IP_squid -j REDIRECT --to-ports 3128

Also Check the following things:

* Check whether $ETH_LAN is your local LAN's Ethernet interface and also check whether $IP_squid is your gateway/Squid's IP address.

* Check whether squid is listening to 3128 using netstat:

#netstat -nap |grep 3128

Regards,
Senthil Murugan
Marco_113
Frequent Advisor

Re: squid transparent proxy


My squid server and my firewall are different machines on the same LAN.


on squid, netstat:

tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN


my def gateway is firewall (ip of internal lan)
Senthilmurugan
Frequent Advisor

Re: squid transparent proxy

Try the following in your gateway,

#iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp -s ! $IP_squid --dport 80 -d ! 172.16.1.194 -j DNAT --to $IP_squid:3128

Replace $ETH_LAN with the local network interface (e.g. eth0) and $IP_squid with the Squid machine's IP.

If the problem still exist

* Send the iptable entries in the firewall with the
#iptables -L -t nat -n

* Monitor the packets at the squid machine with the tcpdump command:

#tcpdump -n |grep

Send the above two outputs if the problem still exists.

Regards,
Senthil Murugan

Marco_113
Frequent Advisor

Re: squid transparent proxy

I think the problem is on the squid server because:

1) Logging the traffic on the firewall I see that the NAT works;
I see the packet going from the IP of my client redirected to IP_squid port 3128

2) On the squid server I don't see any access in the /var/log/squid/access.log file

Marco_113
Frequent Advisor

Re: squid transparent proxy

This is the output of tcpdump -n | grep 192.168.10.54 on squid:
tcpdump: listening on eth0
18:52:05.541536 192.168.10.32.ssh > 192.168.10.54.1567: P 2051682319:2051682363(44) ack 1373344404 win 6432 (DF) [tos 0x10]
18:52:05.541891 192.168.10.54.1567 > 192.168.10.32.ssh: . ack 44 win 16820 (DF)
18:52:07.118630 192.168.10.54.2370 > 62.211.64.100.http: S 4256518408:4256518408(0) win 16384 (DF)
18:52:07.118796 192.168.10.54.2370 > 192.168.10.32.squid: S 4256518408:4256518408(0) win 16384 (DF)
18:52:07.118844 192.168.10.32.squid > 192.168.10.54.2370: S 1211810983:1211810983(0) ack 4256518409 win 5840 > (DF)


192.168.10.54 is my client IP
192.168.10.32 is squid IP
192.168.10.1 is firewall IP (on lan)

The first two lines refer to my ssh connection to the squid server.

I think this output means that the NAT on the firewall is working, because my http request has been NATed to the squid server??



Marco_113
Frequent Advisor

Re: squid transparent proxy

Any suggestion,
please?
Marco
Matthew Ausmus
Advisor

Re: squid transparent proxy

Have you verified that Squid works properly? One way to test is to telnet into Squid from the machine running Squid:

telnet <servername or IP> 3128

Once in, type (case sensitive)

CONNECT www.aol.com:443 HTTP/1.0

then hit Enter twice. The response should be 'Connection Established'. If not, it will show you the error generated, and that will give you a new direction to search. Use AOL because it is virtually guaranteed to work. If it does establish, then you know Squid is functioning properly.
"What the gods get away with, the cows dont."
Marco_113
Frequent Advisor

Re: squid transparent proxy

Thanks,
but I've solved the problem;
on the firewall I added the rule:
$IPTABLES -t nat -A POSTROUTING -o $ETH_LAN -s $LAN -d $IP_squid -j SNAT --to $IP_firewall_int
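Why that SNAT rule is the fix is visible in Marco's tcpdump above: the DNATed SYN arrives on Squid, but Squid's SYN-ACK goes straight back to 192.168.10.54 (same LAN, so the firewall never sees it) with source 192.168.10.32:3128, while the client is waiting for a SYN-ACK from 62.211.64.100:80 and discards it. Rewriting the source to the firewall's LAN address forces the reply back through the gateway, where conntrack undoes both translations. The model below is an added example, not code from the thread or from Squid/netfilter; the addresses are the ones Marco posted, and the Packet type, the Firewall class, the conntrack map and the "same LAN = direct delivery" routing shortcut are constructed simplifications of what iptables nat and conntrack actually do.

```python
from dataclasses import dataclass, replace

# Addresses from the thread (Marco's 192.168.10.x LAN and the web server in
# his tcpdump). Everything below them is a constructed model, not netfilter.
CLIENT = "192.168.10.54"
SQUID = "192.168.10.32"
FW_INT = "192.168.10.1"        # $IP_firewall_int in the final rule
WEB = "62.211.64.100"
LAN_PREFIX = "192.168.10."     # stands in for $LAN (network/netmask)
SQUID_PORT = 3128


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str                  # "SYN" or "SYN-ACK"


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """Toy version of the nat table on the gateway: the PREROUTING DNAT that
    Marco had from the start, the POSTROUTING SNAT he added to fix it, and a
    conntrack map so replies that pass back through the box are un-NATed."""

    def __init__(self, snat_fix: bool):
        self.snat_fix = snat_fix
        self.conntrack: dict[tuple, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Apply the nat rules to a packet the gateway routes out of $ETH_LAN."""
        orig = pkt
        # PREROUTING: -p tcp --dport 80 -s ! $IP_squid -j DNAT --to $IP_squid:3128
        # The "-s ! $IP_squid" match keeps Squid's own fetches out of the loop.
        if pkt.dport == 80 and pkt.src != SQUID:
            pkt = replace(pkt, dst=SQUID, dport=SQUID_PORT)
        # POSTROUTING (the fix): -o $ETH_LAN -s $LAN -d $IP_squid -j SNAT --to $IP_firewall_int
        if self.snat_fix and on_lan(pkt.src) and pkt.dst == SQUID:
            pkt = replace(pkt, src=FW_INT)
        if pkt != orig:
            # Key = the 4-tuple a reply to the translated packet will carry.
            self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def reverse(self, reply: Packet) -> Packet:
        """Undo the translation on a reply that reaches the gateway."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return reply
        return replace(reply, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def simulate(snat_fix: bool) -> tuple[str, Packet]:
    """Push the client's SYN through the gateway; return the handshake outcome
    and the SYN-ACK exactly as the client sees it."""
    fw = Firewall(snat_fix)
    syn = Packet(CLIENT, 2370, WEB, 80, "SYN")      # client -> 62.211.64.100:80 via default gw
    at_squid = fw.forward(syn)                      # what shows up on Squid's eth0
    # Squid answers whatever address the SYN appeared to come from.
    synack = Packet(at_squid.dst, at_squid.dport, at_squid.src, at_squid.sport, "SYN-ACK")
    if synack.dst == CLIENT:
        seen_by_client = synack                     # same LAN: direct, gateway never sees it
    else:
        seen_by_client = fw.reverse(synack)         # addressed to the gateway, which un-NATs it
    # The client only accepts a SYN-ACK that matches the socket it opened.
    expected = (WEB, 80, CLIENT, 2370)
    got = (seen_by_client.src, seen_by_client.sport, seen_by_client.dst, seen_by_client.dport)
    return ("ESTABLISHED" if got == expected else "RST", seen_by_client)


def squid_outbound_untouched() -> bool:
    """Squid's own fetch to the origin server must pass the DNAT rule unchanged."""
    fetch = Packet(SQUID, 40000, WEB, 80, "SYN")
    return Firewall(snat_fix=True).forward(fetch) == fetch


if __name__ == "__main__":
    for fix in (False, True):
        outcome, synack = simulate(fix)
        print(f"SNAT fix {'on ' if fix else 'off'}: client sees SYN-ACK from "
              f"{synack.src}:{synack.sport} -> {outcome}")
    print("Squid's own port-80 traffic left alone:", squid_outbound_untouched())
```

The price of the SNAT is that Squid now sees every request as coming from $IP_firewall_int, so src-based ACLs in squid.conf and the client column in access.log no longer show the real client; running Squid on the gateway itself with REDIRECT, as the earlier replies assumed, avoids that at the cost of putting the proxy on the firewall.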