I haven't been following all of this, Peter, but it would seem you now need to add a rule to allow the packets to get through the FORWARD chain now that they have been successfully REDIRECTed. Try something like:

$IPT -t filter -A FORWARD -i eth0 -p tcp --dport 3128 -j ACCEPT

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Schobel
Sent: Friday, January 09, 2004 6:09 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel

OK, I removed the error line and the cat autoconf line from the config.h and got iptables 1.2.9 to compile against my kernel source and headers, and reinstalled.

If I turn on ip_forward and try to access external sites, I get forwarded through to the external page without problem.

If I enable the iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

my pages just time out when I try to access external sites, but if I try to access the proxyhost directly using http, it redirects me to the proxy site without problem.

I get exactly the same results using this rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $LOCALHOST:3128

Does anyone have any idea why traffic destined for external sites will not transparently redirect to squid for me? Does anyone have any idea as to what further steps I can take to troubleshoot this problem?

Thx in advance,

Peter Schobel

On Thursday, January 8, 2004, at 09:33 PM, Alistair Tonner wrote:

> On January 8, 2004 03:05 pm, Peter Schobel wrote:
>> OK, I downloaded the source ball for iptables 1.2.9, and compiled
>> using
>>
>> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> I got an error from config.h telling me to use the glibc version, so I
>> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
>>
>> then I compiled successfully and installed using
>>
>> make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> without incident.
>>
>> I checked the timestamp on the iptables binary to make sure that it
>> had been overwritten.
>>
>> I rmmod'd all the iptables modules and then reloaded my iptables rule
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>
> Ummm ... I don't understand where the error came from.... I'm using a
> Slackware-based box with many upgrades (gcc, glibc, binutils and
> modutils....). My switch from 2.4.23 to 2.6.0 required a binutils and
> modutils upgrade FIRST -- I would hope that RPM dependencies are in
> place to enforce this, as it will likely apply to your situation ...
> when I rebuilt the iptables source it went painlessly --- no error
> from config.h.
>
> I *DON'T* like the relink .. I've a feeling this will break some
> important defines....
>
> What do you get for modprobe --version and ld -v ?
> I suspect your modutils is incorrect for 2.6.0.
>
>> lsmod gives me
>>
>> Module                  Size  Used by
>> ipt_REDIRECT            2048  1
>> iptable_nat            20140  2 ipt_REDIRECT
>> ip_tables              15104  2 ipt_REDIRECT,iptable_nat
>> ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
>>
>> iptables -t nat -L gives me
>>
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source     destination
>> REDIRECT   tcp  --  anywhere   anywhere     tcp dpt:http redir ports 3128
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source     destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source     destination
>>
>> Testing it reveals that it is still not working - did I do anything
>> wrong in the above steps? What further steps would you recommend to
>> troubleshoot this problem?
>>
>> Peter Schobel
>> ~
>
>

*****************************
Peter Schobel
Network Administrator
Porchlight.ca Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************
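As an added example (not code from anyone in the thread above): a complete ruleset for the setup being discussed, with Squid running on the firewall box itself. The interface names eth0 (LAN) and eth1 (WAN), the port 3128, and the DRY_RUN switch are my assumptions. One point worth having in front of you while troubleshooting: REDIRECT rewrites the destination to an address of the box itself, so the redirected connection is delivered locally and is filtered by INPUT, while FORWARD only sees traffic that is still being routed. The script therefore opens port 3128 in INPUT and keeps FORWARD for the non-HTTP traffic; show_counters is the troubleshooting step, since the per-rule packet counters tell you which chain the traffic actually reaches.

```shell
#!/bin/sh
# Added example: transparent Squid proxy with iptables (2.4/2.6-era syntax).
# Assumptions (not from the thread): LAN clients on eth0, upstream on eth1,
# Squid listening on port 3128 on this same host.  DRY_RUN=1 prints the
# iptables commands instead of executing them, so the ruleset can be reviewed
# without root and without touching a live kernel.

IPT=${IPT:-iptables}

# ipt: run the given iptables command, or echo it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# transparent_proxy_rules LAN_IF WAN_IF PROXY_PORT
# Appends the six rules needed; run after sysctl -w net.ipv4.ip_forward=1.
transparent_proxy_rules() {
    lan=$1; wan=$2; port=$3

    # nat/PREROUTING: intercept LAN clients' port-80 connections and hand
    # them to Squid on this host.  After REDIRECT the packet is addressed to
    # a local interface, so it goes to INPUT, not FORWARD.
    ipt -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 -j REDIRECT --to-ports "$port"

    # filter/INPUT: the redirected connections must be allowed in to the
    # proxy port, and replies to Squid's own upstream fetches allowed back.
    ipt -t filter -A INPUT -i "$lan" -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -t filter -A INPUT -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # filter/FORWARD + nat/POSTROUTING: everything that is NOT redirected
    # (non-HTTP traffic) is still routed, so it needs FORWARD rules and
    # masquerading for the LAN's private addresses.
    ipt -t filter -A FORWARD -i "$lan" -o "$wan" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# show_counters: where did the packets go?  A rising pkts count on the
# REDIRECT rule with a zero count on the INPUT dpt:3128 rule means the
# redirect works and the filter table is what drops the connection; a zero
# count on REDIRECT itself means the traffic never reached PREROUTING on
# that interface (wrong -i, or the client is not routing through this box).
show_counters() {
    ipt -t nat -L PREROUTING -v -n
    ipt -t filter -L INPUT -v -n
    ipt -t filter -L FORWARD -v -n
}

# Preview the ruleset without touching the kernel:
#   DRY_RUN=1 sh -c '. ./transparent-proxy.sh; transparent_proxy_rules eth0 eth1 3128'
# Apply for real (as root), then watch the counters while a client browses:
#   . ./transparent-proxy.sh; transparent_proxy_rules eth0 eth1 3128; show_counters
```

When the proxy is a different host (the DNAT variant in the thread), the packets are routed rather than delivered locally, so the accept rule belongs in FORWARD instead of INPUT, and the proxy host's own outbound port-80 traffic must be excluded from the PREROUTING match or it loops back into the proxy.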