Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel

[Peter Schobel <pschobel@xxxxxxxxxxxxx>]

ok, I removed the error line and the cat autoconf line from the 
config.h and got iptables 1.2.9 to compile against my kernel source and 
headers and reinstalled

if i turn on ip_forward and try to access external sites, i get 
forwarded through to the external page without problem

if i enable the iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-port 3128

my pages just time out when i try to access external sites

but if i try to access the proxyhost directly using http, it redirects 
me to the proxy site without problem

i get exactly the same results using this rule

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT 
--to-destination $LOCALHOST:3128

does anyone have any idea why traffic destined for external sites will 
not transparently redirect to squid for me?

does anyone have any idea as to what further steps I can take to 
troubleshoot this problem?

Thx in advance,

Peter Schobel

On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:

> On January 8, 2004 03:05 pm, Peter Schobel wrote:
> > ok, I downloaded the source ball for iptables 1.2.9, and compiled 
> > using
> >
> > make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
> >
> > i got an error from config.h telling me to use the glibc version so i
> > symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
> >
> > then i compiled successfully and installed using
> >
> > make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
> >
> > without incident
> >
> > i checked the timestamp on the iptables binary to make sure that it 
> > had
> > been overwritten
> >
> > I rmmod'd all the iptables modules and then reloaded my iptables rule
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> > --to-port 3128
>
> 	Ummm ... I don't understand where the error came from.... I'm using a 
> slackware based box with many upgrades
> 	(gcc glibc binutils and modutils....) my switch from 2.4.23 to 2.6.0 
> required a binutils and modutils
> 	upgrade FIRST -- I would hope that RPM dependencies are in place to 
> enforce this as it will likely
> 	apply to your situation ... when I rebuilt iptables source it went 
> painlessly --- no error from config.h.
>
> 	I *DONT* like the relink .. I've a feeling this will break some 
> inportant defines....
> 	
> 	what do you get for modprobe --version and ld -v ?
> 	I suspect your modutils is incorrect for 2.6.0
>
> > lsmod gives me
> >
> > Module                  Size  Used by
> > ipt_REDIRECT            2048  1
> > iptable_nat            20140  2 ipt_REDIRECT
> > ip_tables              15104  2 ipt_REDIRECT,iptable_nat
> > ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
> >
> > iptables -t nat -L gives me
> >
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > REDIRECT   tcp  --  anywhere             anywhere            tcp
> > dpt:http redir ports 3128
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > testing it reveals that it is still not working - did i do anything
> > wrong in the above steps? what further steps would you recommend to
> > troubleshoot this problem?
> >
> > Peter Schobel
> > ~
*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************