First, make sure that Squid is set up for transparent operation: I would bet that it is not, given that you can access it by setting the proxy to 3128 manually:

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

Once that is set up, you may have another problem: if you are not getting responses to your requests, but the requests are making it to squid, try this:

You MAY be correctly DNATting your packets to the proxy, but the replies are not going through the gateway; they are being routed direct, since they are on the same private subnet. A solution to this is to use a matching SNAT rule like this:

    iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -s $INT_NET/24 -j DNAT --to ${SQUID_INT_ADDR}:3128
    iptables -t nat -A POSTROUTING -o $INT_IF -p tcp --dport 3128 -d $SQUID_INT_ADDR/24 -j SNAT --to $GATEWAY_EXT_ADDR

That way, the return packets will be forced to go through the gateway, and will be correctly routed. (You MIGHT be able to get away with using $GATEWAY_INT_ADDR in the second line, but I'm not sure... My not-too-different setup uses the external address for DNS reasons).

However, this is a horrible solution to a problem where there is a good one! Set up a standard auto proxy config file, and set up the appropriate WPAD environment. Here's a link to how:

http://www.squid-cache.org/Doc/FAQ/FAQ-5.html#ss5.10

You can even look here for really detailed examples:

http://naragw.sharp.co.jp/sps/

Just to be clear, this isn't just "the right way": your cache will perform MUCH BETTER using this setup than a simple transparent proxy! The reason is simple: in a transparent proxy, the client DOESN'T KNOW it's talking to a proxy! That means that it CANNOT adjust its caching policy to take that into effect! That means that your choice of refresh option (always, once, auto) can result in either stale pages or no caching on the client.

You can always leave the transparent proxy in place for those machines you don't control, or where users reset the default policy. However, you should log those and try to minimize them, as it is a real performance hit and will throw off your caching results.

Hope this helps,

Bill

> -----Original Message-----
> From: Mike [mailto:mikeeo@xxxxxxx]
> Sent: Monday, April 14, 2003 4:00 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: redirection with squid
>
> I have read the transparency How-To and it doesn't apply to
> my situation. I have a linux gateway that is also the default
> route for all workstations. I also have a linux box running
> squid that has 2 interfaces, one private and one internet
> routable. So far I haven't been able to redirect my clients
> to the squid box. Layout:
>
> inet----linuxgateway----(private IP)
>              |
>              |
>         squid<eth1>----(privateIP)
>
> the squid box has a routable internet IP for eth0 and a
> private IP for eth1
> (192.168.1.0); in fact both squid and linuxgateway have
> private 192.168.1.0 networks. I just need to redirect packets
> with destination port 80 to the squid box so it gets proxied
> out. If I change my browser proxy to squid:3128 it works fine.
> I'm thinking policy routing maybe?
>
> Thanks,
> Mike