Hi, I'm trying to set up a Squid transparent proxy. Here is my hardware situation:

(1) Internet <-> (2) ADSL/NAT/gateway/router <-> (3) Linux server <-> (4) 40 computers

ad (2): This is a small Cisco device. Works fine. No ports are forwarded from (1) to (3).

ad (3): A Dell server, running Gentoo. Provides several services to the inside network (the LAN), e.g. an Apache webserver. Netfilter/iptables forwards traffic between eth0 and eth1 like this:

    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.254

(192.168.1.254 is the address of the "outside" eth0 NIC, connected to (2))

ad (4): All computers are connected with switches.

All this works fine. It's quite transparent of course; nobody notices the server unless they actually surf to its webserver.

I now want to set up a proxy on the server, partly to help with caching, but mostly to make it possible to log all www traffic. This proxy must be transparent, i.e. nobody will have to change anything on their computers.

Some questions:

1) Is this possible at all? For normal web traffic I believe so, but what about https, chat programs, ssl, ssh and I-don't-know-what? If such things are difficult to get to work or will cause my users (neighbours actually...) to have to change settings, it's not good. So, will I be able to log (and maybe cache) www traffic without the users having any problems at all?

2) How will my routing rule in iptables look? The best guide I've found is http://squid.visolve.com/squid/trans_caching.htm but all in all it seems to me that Squid documentation isn't very detailed.

Anyway, that guide gives a number of iptables rules that I must use:

    iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A POSTROUTING -p TCP -s 0/0 --dport 21 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -d 0/0 --dport 20 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP --dport 22 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP --dport 23 -j MASQUERADE

I'm very happy with my current rule -- it's only one line and it works! I'm not an expert in these matters, but it seems to me that the above rules will only permit traffic on a few ports between eth0 and eth1. Is that right, and what do I do about it? Or am I confusing internal traffic on eth1 with eth0<->eth1 traffic?

3) At the moment I'm running a DNS caching program on the server: dnsmasq. It seems to be working just fine, though without any visible improvements -- our ISP's DNS is pretty fast I guess. Will Squid use that DNS cache, or will it provide its own?

Well, that's all I can think of for now.

//Niels
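As an added example (not part of Niels' post or the visolve guide), here is how the interception rule from question 2 can be combined with the existing SNAT rule so that only port-80 traffic arriving from the LAN side is handed to Squid; the server's LAN address and the LAN subnet are assumed placeholders, and the script prints the rules instead of applying them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: iptables rules for transparent HTTP interception on a box
# with eth0 = WAN side (192.168.1.254, from the post) and eth1 = LAN side.
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=192.168.1.254
LAN_IP=10.0.0.1        # assumed: the server's own address on eth1
LAN_NET=10.0.0.0/24    # assumed: the LAN behind eth1
SQUID_PORT=3128        # Squid's http_port, as in the guide

# Print each rule for review (or testing) unless APPLY=1; needs root to apply.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    # The rule that already works: everything leaving via eth0 gets the
    # outside address. Rules in the nat table only rewrite addresses; they
    # never block traffic, so the guide's extra MASQUERADE lines add nothing
    # here and any filtering would live in the filter table's FORWARD chain.
    rule -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"

    # Requests for the server's own Apache stay direct (ACCEPT in nat means
    # "stop NAT processing for this connection"), so they are not proxied.
    rule -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$LAN_IP" --dport 80 -j ACCEPT

    # Intercept only plain HTTP (port 80) coming in on the LAN interface and
    # hand it to Squid on this box. Nothing else is touched: HTTPS (443),
    # ssh, chat and the rest keep passing through the SNAT rule unproxied,
    # which is why only port-80 traffic will show up in Squid's access log.
    rule -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-port "$SQUID_PORT"
}

# Sanity checks on the generated set, handy before running with APPLY=1.
redirect_count()      { build_rules | grep -c -- "-j REDIRECT"; }
redirect_is_lan_only() { build_rules | grep -- "-j REDIRECT" | grep -q -- "-i $LAN_IF"; }

build_rules
```

Squid resolves names itself using the servers in /etc/resolv.conf, so pointing that file at 127.0.0.1 lets it use the local dnsmasq cache.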