On Tue, 12 Jun 2007 13:22:40 +0530 "Indunil Jayasooriya" <indunil75@xxxxxxxxx> wrote:

> Hi ALL,
>
> I want to set up a Transparent Proxy on the box running the iptables Firewall.
>
> With iptables, I have given the rules below.
>
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t nat
> iptables -F -t mangle
>
> #Enabling ip forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #enable syn cookies (prevent against the common 'syn flood attack')
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> #do source validation by reversed path
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> #Enable tracking mechanism
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP
> iptables -A OUTPUT -j DROP

Hi Indunil,

You can make the above rules default policy to DROP.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

>
> In addition to that, there are many rules; ALL work fine.
>

You can provide all your firewall rules to make your problem more clear and concise.

> In the squid.conf file, I have added the rules below.
>
> http_port 3128
> cache_mem 64 MB
> cache_dir ufs /var/spool/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

If you are using Squid-2.5, then Squid transproxy should work with the above options.

>
> And then I ran the command below.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This rule should work.

You can also try:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

But I think it produces the same effect.

I think you may need the rule below too.

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3128 -j ACCEPT

>
> But when I browse the Internet, the request does not get redirected to port 3128.
> So I cannot use squid as a Transparent Proxy.

What is the exact error that you get when you try to browse the Internet using your web browser?

>
> Where have I gone wrong?
>
> I referred to the URL below.
> http://www.tldp.org/HOWTO/TransparentProxy.html#toc2
>
> Pls help me.
>

Try using tcpdump to analyze where or which port the clients' web traffic is going to.

I guess your Squid box is either a gateway or you have some sort of load balancer in front of squid.

> --
> Thank you
> Indunil Jayasooriya
>

-- 
With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
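The rule set the reply arrives at, written out as one script (an added example, not the poster's firewall script or anything from the Squid project). It assumes the LAN sits on eth0 as 192.168.0.0/24 and squid listens on 3128 on the same box; setting IPTABLES to a shell function that prints its arguments gives a dry run, which is how the ordering below can be checked without touching a live firewall.

```shell
#!/bin/sh
# Transparent-proxy rules for the setup in the thread (constructed example).
# Assumptions: LAN interface eth0, LAN 192.168.0.0/24, squid on 3128 locally.
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

flush_rules() {
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F
    done
}

# Default-deny via -P rather than trailing "-A <chain> DROP" lines: a packet
# that matches no rule is dropped by the chain policy itself.
set_policies() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
}

apply_rules() {
    flush_rules
    set_policies
    for c in INPUT FORWARD OUTPUT; do
        $IPTABLES -A "$c" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # squid itself must be able to resolve names and fetch upstream (assumed
    # minimum; widen only for services the box actually needs).
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # nat/PREROUTING rewrites the destination port before filter/INPUT sees
    # the packet, so the redirected connection arrives at INPUT as dport 3128.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Without this accept the INPUT policy silently drops the redirected SYN,
    # which looks exactly like "requests never reach 3128".
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT
}

# Packet/byte counters on the REDIRECT rule should climb while a LAN client
# browses; if they stay at zero the traffic is not arriving on LAN_IF at all.
show_redirect_counters() {
    $IPTABLES -t nat -L PREROUTING -n -v
}
```

Run `IPTABLES=echo sh thisscript.sh` style dry runs first; then `show_redirect_counters` together with the tcpdump check suggested in the reply tells you whether the redirect is being hit or the packets never reach the box.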