Search squid archive

Re: How to setup both Transpaent Proxy and firewall on the same Machine.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 12 Jun 2007 13:22:40 +0530
"Indunil Jayasooriya" <indunil75@xxxxxxxxx> wrote:

> Hi ALL,
> 
> I want to setup Transpaent Proxy on the box running iptables Firewall.
> 
> With iptables,  I have given below rules.
> 
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t nat
> iptables -F -t mangle
> 
> #Enabling ip forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> #enable syn cookies (prevent against the common 'syn flood attack')
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> 
> #do source validation by reversed path
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> #Enable tracking mechanism
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> iptables -A INPUT DROP
> iptables -A FORWARD DROP
> iptables -A OUTPUT DROP

Hi Indunil,


You can make the above rules default policy to DROP.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


> 
> in addition to that, There are many rules , ALL work fine.
> 

You can provide all your firewall rules to make your problem more clear and concise. 

> in squid.conf file, I have added below rules,
> 
> http_port 3128
> cache_mem 64 MB
> cache_dir ufs /var/spool/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> 
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

If you are using Squid-2.5, then Squid transproxy should work with the above options.

> 
> And, Then, I did below command.
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128

This rule should work. 

You can also try:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

But I think it produces the same effect.


I think you may need the rule below too. 

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3128 -j ACCEPT


> 
> But, When I browse Internet , request will not get ridirected to 3128
> port. So I can not use squid as a Transpaent Proxy.

What is the exact error that you get when you try to browse the Internet using your web browser?

> 
> Where have I gone wrong?
> 
> I reffered to below URL.
> http://www.tldp.org/HOWTO/TransparentProxy.html#toc2
> 
> Pls help me.
> 

Try using tcpdump to analyze where or which port the clients' web traffic is going to. I guess your Squid box is either a gateway or you have some sort of load balancer in front of squid.

> -- 
> Thank you
> Indunil Jayasooriya
> 


- -- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFGbl1RVrOl+eVhOvYRApo4AJ0ZrhcPa5sYMc+k22HG4fIFSxaoQQCfcH1O
TGfXB05lj03J8xTJi+lmbt4=
=5iPF
-----END PGP SIGNATURE-----

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux