I have been searching the squid-users archive; there are some posts similar to my needs, but none of them worked for me. I don't know if someone has already suggested this... It would be nice if the squid developers spent a little time writing complete documentation on how to implement squid transparently in a network. Then anyone who needs it or runs into this problem could just be "redirected" to that documentation.

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
> To: squid cache <squid-users@xxxxxxxxxxxxxxx>
> Cc: Chris Zhang <abnamro.chris@xxxxxxxxx>
> Sent: Thursday, January 10, 2008 6:40:14 AM
> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Hay ho Chris,
> Thanks for replying.
>
> First of all, I have referred to that link, but in another discussion forum I found someone out there saying that...
> "The traffic is being caught by the first rule, since the connection probably isn't coming from the squid box. Before that rule, you need to put in an ACCEPT for http packets aimed at the firewall box:
>     iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
>         --dport 80 -j ACCEPT" ...something like that...
> I have tried many times, and I still can't solve this problem.
>
> Is it about compile options? What command do I have to issue to find out which configure options squid was compiled with the first time???
>
> Can we re-compile squid? If so, what should I do?
>
> Thanks in advance
> Rachmat Hidayat Al Anshar
>
>
> ----- Original Message ----
> > From: Chris Zhang
> > To: Rachmat Hidayat Al Anshar
> > Cc: linux@xxxxxxxxxxxxxxx
> > Sent: Wednesday, January 9, 2008 7:11:46 PM
> > Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> >
> > Hi Rachmat,
> >
> > Maybe you want to try it again without this line
> >
> >     'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >
> > Also I think you will have to change the squid.conf file (see
> > http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >
> > Chris
> >
> > Rachmat Hidayat Al Anshar wrote:
> > > Hi all...
> > >
> > > I am doing research on deploying a transparent single-homed host proxy server on my virtual network. My squid box is not the same box where the firewall is applied. I have no idea how to set up the iptables rules running on the firewall so that I can redirect all clients' web requests to my proxy box, and make it the only host on the network that may request web services through the firewall to the Internet...???
> > >
> > >   INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> > >                                   ^
> > >                                   |
> > >                                   v
> > >                                squid web
> > >                                 proxies
> > >
> > > I tried using the following firewall script...
> > >
> > >   #!/bin/sh
> > >   # Firewall Script
> > >   ###############################################################
> > >   ### interfaces
> > >   EXT_DEV=eth0
> > >   INT_DEV=eth1
> > >   INT_NET=10.1.1.0/24
> > >
> > >   ### Loading firewall modules
> > >   modprobe ip_conntrack
> > >   modprobe ip_conntrack_ftp
> > >
> > >   ###############################################################
> > >   ### Enable Packet Forwarding
> > >   echo 1 > /proc/sys/net/ipv4/ip_forward
> > >
> > >   ### Remove all previous rules, and delete any user defined chains
> > >   iptables -F
> > >   iptables -X
> > >   iptables -t nat -F
> > >   iptables -t nat -X
> > >
> > >   ### Set the default policies to drop
> > >   iptables -P INPUT DROP
> > >   iptables -P OUTPUT DROP
> > >   iptables -P FORWARD DROP
> > >
> > >   ### Loopback device OK
> > >   iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > >   iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > >
> > >   ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> > >   iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> > >   iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> > >   iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> > >
> > >   ### Allow all Internal traffic to Server
> > >   iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > >   iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > >
> > >   ### OUTBOUND Rule: Allow ALL packets out the external device
> > >   iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> > >   iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> > >
> > >   ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> > >   iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >   iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > >   ### Squid Transparent Proxy
> > >   iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> > >   iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> > >
> > >   iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> > >   iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> > >
> > > and the result is:
> > > - the client's web browser ignores the squid proxy; the http service passes directly through the firewall
> > >
> > > All responses will be greatly appreciated.
> > >
> > >
> > > Thanks in advance (^^,)
> > > Rachmat Hidayat Al Anshar
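The following is an added example, not code from this thread or from the Squid project: a small Python walk of the two "### Squid Transparent Proxy" nat PREROUTING rules from the posted script over constructed packets, to show which rule a client's web request actually hits. The addresses (firewall 10.1.1.1 standing in for iptables-box, proxy 10.1.1.2 for squid-box, a client 10.1.1.50, an external web server 198.51.100.10) are assumptions chosen to fit the INT_NET=10.1.1.0/24 in the script. One thing the walk makes visible: the script declares INT_DEV=eth1, but its Squid rules match `-i eth0`, so a client packet arriving on eth1 matches neither rule and leaves the chain with its destination untouched, which is exactly the "passes straight through the firewall" symptom; the same packet with the rules bound to eth1 is rewritten to the proxy's port 3128, while the proxy's own outbound requests are excluded by the `-s ! squid-box` match so they are not looped back into squid.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses standing in for the placeholders in the posted script
# (assumptions for this example, not values from the thread).
IPTABLES_BOX = "10.1.1.1"      # firewall's internal address ("iptables-box")
SQUID_BOX = "10.1.1.2"         # the separate Squid host ("squid-box")
LOCAL_NETWORK = "10.1.1.0/24"  # INT_NET in the script
CLIENT = "10.1.1.50"           # an intranet client
WEB_SERVER = "198.51.100.10"   # some site on the Internet


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    """One 'iptables -t nat -A PREROUTING ...' rule, reduced to the matches the script uses."""
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s (address or CIDR)
    src_negate: bool = False         # '-s ! host'
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    target: str = "ACCEPT"           # -j
    to: Optional[str] = None         # --to for DNAT

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None:
            in_src = ip_address(pkt.src) in ip_network(self.src, strict=False)
            if in_src == self.src_negate:   # plain match needs True, negated match needs False
                return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def squid_rules(in_iface: str) -> List[Rule]:
    """The two Squid PREROUTING rules from the posted script, with the interface
    made a parameter so the eth0 binding can be compared with eth1 (INT_DEV)."""
    return [
        # iptables -t nat -A PREROUTING -i <if> -d iptables-box -p tcp --dport 80 -j ACCEPT
        Rule(in_iface=in_iface, dst=IPTABLES_BOX, proto="tcp", dport=80, target="ACCEPT"),
        # iptables -t nat -A PREROUTING -i <if> -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
        Rule(in_iface=in_iface, src=SQUID_BOX, src_negate=True, proto="tcp", dport=80,
             target="DNAT", to=f"{SQUID_BOX}:3128"),
    ]


def walk_prerouting(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation of a nat PREROUTING chain.
    Returns (verdict, destination the packet is routed toward afterwards).
    The nat chain policy is ACCEPT, so an unmatched packet keeps its original destination."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "DNAT":
                return "DNAT", rule.to
            return rule.target, f"{pkt.dst}:{pkt.dport}"
    return "POLICY_ACCEPT", f"{pkt.dst}:{pkt.dport}"


if __name__ == "__main__":
    client_req = Packet("eth1", CLIENT, WEB_SERVER, 80)      # client request arriving on INT_DEV=eth1
    squid_req = Packet("eth1", SQUID_BOX, WEB_SERVER, 80)    # the proxy fetching on the client's behalf
    to_firewall = Packet("eth1", CLIENT, IPTABLES_BOX, 80)   # a client talking to the firewall itself
    for iface in ("eth0", "eth1"):
        print(f"rules bound to -i {iface}:")
        for name, pkt in (("client", client_req), ("squid", squid_req), ("to firewall", to_firewall)):
            print(f"  {name:12s} -> {walk_prerouting(squid_rules(iface), pkt)}")
```

Run it as-is and compare the two interface bindings: with the rules on eth0 every packet reports POLICY_ACCEPT, with them on eth1 the client request reports DNAT to 10.1.1.2:3128, the proxy's own request is left alone, and a request to the firewall's own port 80 is accepted by the first rule before the DNAT can touch it. The POSTROUTING SNAT and the FORWARD rule from the script are not modelled; the point here is only which PREROUTING rule fires.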