Bridging/Tproxy

johan firdianto wrote:
You're right, Jeffries.

After compiling connection tracking NAT, it doesn't make sense.
I mean, I can't see my browsing log in access.log,
no error in cache.log.
The iptables counter is incrementing, but I can still browse. When I dump
the packets, no Squid header is appended to the response, so the response
didn't come from Squid.
How do I check that packets from iptables hit Squid?
Or does a bridging environment need a different solution?


Looking for an answer for you, I found an old tutorial that may still have some relevance. The rest is long and not relevant, so I quote the bridging portion:

"Bridge Setup

We configure our system as a network bridge, which means that it sits between two physical devices on our network and relays the packets between them. However, there's a twist: we intercept certain packets (those destined for port 80) and shunt them to Squid for processing.

You'll need two ethernet cards in your machine to bridge between (one "in" and one "out", as it were). You can use another card for a management IP address, or you can actually assign an address to the bridge itself and reach the machine just as you would a "real" interface.

In order to set up the bridge, we need to make a few tweaks to the system. First, we need to install some software that's necessary for setting up a bridge:

apt-get install bridge-utils

Next, edit /etc/network/interfaces. You should already have a stanza for a statically configured interface (e.g., eth0). Keep the settings for the stanza, but replace the interface name with br0. Also, add the line bridge_ports ethXXX ethYYY to add them to the bridge. For example:

auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    address 192.168.0.100
    netmask 255.255.255.0
    gateway 192.168.0.1

Additionally, if your setup is like ours you'll need to add some routing to the box so it knows where to send packets. Our Squid box sits just between our firewall/router and LAN. Thus, it needs to be told how to route packets to the LAN and packets to the outside world. We do this by specifying the firewall as the "gateway" in the interfaces file, and adding a static route for our LAN. Thus, you would add the following lines to /etc/network/interfaces in the br0 stanza:

    up route add -net 192.168.1.0/24 gw 192.168.1.1
    down route del -net 192.168.1.0/24 gw 192.168.1.1

We'll need to tell the kernel that we're going to forward packets, so make sure the following are set in /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

Once you're all set, the easiest thing to do is reboot for the bridge config to take effect. The other settings should now be working also. cat /proc/sys/net/ipv4/ip_forward to confirm that the machine is in forwarding mode.
"

iptables appeared to be set up as per normal on top of that.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
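The original question was how to tell whether the packets the iptables counters are counting actually reach Squid. The script below is an added example, not code from this thread or from the Squid project; it bundles three checks an administrator can run: whether a captured HTTP response carries the Via and X-Cache headers that Squid adds to responses it proxies (their absence means the reply bypassed the proxy, which matches the symptom described above), whether the REDIRECT or TPROXY rule's packet counter in `iptables -t nat -L PREROUTING -v -n -x` output is non-zero, and whether the kernel forwarding flag is set. The sample response headers, iptables output and ip_forward value are constructed inline so the script runs offline; on a real box you would point the functions at a tcpdump/curl capture, the live iptables output and /proc/sys/net/ipv4/ip_forward instead. The file names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing list post): quick checks to decide
# whether intercepted port-80 traffic really passes through Squid.
# All sample inputs below are constructed; paths are assumptions.

# 1. Does a captured HTTP response carry headers Squid adds?
#    Squid inserts "Via:" (naming itself) and "X-Cache:" into responses it
#    proxies. $1: file holding the raw response headers.
squid_touched_response() {
    if grep -qi '^Via:.*squid' "$1" || grep -qi '^X-Cache:' "$1"; then
        return 0
    fi
    return 1
}

# 2. How many packets has the interception rule matched?
#    $1: file holding `iptables -t nat -L PREROUTING -v -n -x` output
#    $2: target to look for (REDIRECT or TPROXY)
#    Prints the summed pkts column for rules with that target (0 if none).
intercept_rule_pkts() {
    awk -v tgt="$2" '$3 == tgt { sum += $1 } END { print sum + 0 }' "$1"
}

# 3. Is kernel forwarding on? $1: file standing in for
#    /proc/sys/net/ipv4/ip_forward (constructed copy in the demo).
forwarding_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# --- constructed sample inputs (assumed temp dir) ---
tmp=${TMPDIR:-/tmp}/bridgecheck.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# A response that went through Squid (constructed).
cat > "$tmp/resp_via_squid.txt" <<'EOF'
HTTP/1.1 200 OK
Date: Thu, 07 May 2009 10:00:00 GMT
Content-Type: text/html
X-Cache: MISS from proxy.example
Via: 1.0 proxy.example (squid/3.0.STABLE16)
EOF

# A response that bypassed the proxy entirely (constructed).
cat > "$tmp/resp_direct.txt" <<'EOF'
HTTP/1.1 200 OK
Date: Thu, 07 May 2009 10:00:00 GMT
Content-Type: text/html
EOF

# Constructed nat PREROUTING listing with one REDIRECT rule that has
# matched 142 packets.
cat > "$tmp/nat.txt" <<'EOF'
Chain PREROUTING (policy ACCEPT 1000 packets, 60000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     142     8520 REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
EOF

printf '1\n' > "$tmp/ip_forward"

# Run the checks against the samples and print a short report.
report() {
    for f in resp_via_squid resp_direct; do
        if squid_touched_response "$tmp/$f.txt"; then
            echo "$f: proxied by Squid (Via/X-Cache present)"
        else
            echo "$f: no Squid headers, response bypassed the proxy"
        fi
    done
    echo "REDIRECT rule packets: $(intercept_rule_pkts "$tmp/nat.txt" REDIRECT)"
    echo "TPROXY rule packets:   $(intercept_rule_pkts "$tmp/nat.txt" TPROXY)"
    if forwarding_enabled "$tmp/ip_forward"; then
        echo "ip_forward=1"
    else
        echo "ip_forward=0"
    fi
}
report
```

If the rule counter is climbing but responses show no Via or X-Cache header, the redirected packets are being matched by the rule yet the reply is not coming back through Squid, which is exactly the situation described in the question: the next things to compare are the port the REDIRECT rule sends traffic to and the port Squid is listening on in access.log and cache.log.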
