On Wed, 14 Oct 2009 17:19:27 -0400, Andrew Schmid <andrew.schmid@xxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> Here is quick info on my environment -
> I have a CentOS 5.3 box server as firewall/gateway/router.
> It has two interfaces
> eth0 - public internet IP
> eth1 - internal network IP (10.9.32.1)
>
> The server hands out DHCP to all clients, and the server is the gateway.
>
> I have installed squid proxy, and configured it to allow the local subnet,
> and added transparent option.
>
> I added this to my iptables
> # http proxy redirect
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.32.1:3128
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> The transparent caching now appears to work. However I came across this
> article which says this: "WARNING: This method of interception is not
> recommended. There are other methods such as Proxy.PAC and http_proxy
> environment variable which are as effective and less intrusive when multiple
> clients are involved."
> http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
>
> So I am trying to find the better way to do this. This is what I have come
> up with so far but does not seem to be working:
> -A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> Is this correct? Does anyone have better suggestions on how to do this?

You seem to have misinterpreted the statement I made in the wiki.

The rules as demonstrated in the config are needed for NAT interception to work. The warning is about the whole approach of using iptables/firewall/NAT interception as the problem. Not the particular rules.

It then mentions a few other 'transparent' methods (proxy PAC/WPAD and the unix http_proxy environment variable) which are automatic and invisible to the users, but do not have the same limits NAT does.

WPAD/PAC is also covered in some detail in the wiki under SquidFaq/ConfiguringBrowsers, is slightly more complicated to set up but once going it's much better to use than NAT since it allows browsers and other software to pass HTTPS, FTP properly through the proxy and do authentication if needed/wanted.

FWIW: updating the example to be a bit clearer.

Amos
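The PAC alternative Amos points to, written out as an added example (this is not code from the thread or from the Squid project). It is a Proxy Auto-Config script for the network in the question: Squid on the gateway at 10.9.32.1:3128, with the internal subnet assumed to be 10.9.32.0/24 (the thread only gives the gateway address, so the mask is an assumption). Browsers supply the PAC helper functions `isPlainHostName`, `isInNet` and `shExpMatch` themselves; the versions below are stand-ins so the script runs offline under Node, and a deployed `.pac` file would omit them.

```javascript
// Added example PAC script for the environment described in the thread.
// The helper functions are stand-ins for the browser-provided PAC API.

function isPlainHostName(host) {
  // Unqualified name such as "intranet" (no dots).
  return host.indexOf(".") === -1;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  // Dotted-quad IPv4 literal -> unsigned 32-bit integer, or null if malformed.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const parts = ip.split(".").map(Number);
  if (parts.some((p) => p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isInNet(host, net, mask) {
  // Real browsers resolve `host` via DNS first; this stand-in only accepts
  // IPv4 literals (assumption made so the script works offline).
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// --- the PAC logic itself ---
const SQUID = "PROXY 10.9.32.1:3128";          // gateway/Squid from the thread
const LOCAL_NET = "10.9.32.0";                  // assumed internal subnet
const LOCAL_MASK = "255.255.255.0";

function FindProxyForURL(url, host) {
  // Unqualified hostnames, the local subnet and loopback are reached directly.
  if (isPlainHostName(host)) return "DIRECT";
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  if (isInNet(host, LOCAL_NET, LOCAL_MASK)) return "DIRECT";

  // http, https and ftp all go through Squid. Port-80 NAT interception only
  // ever saw plain HTTP; here the browser tunnels HTTPS (CONNECT) and FTP too.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") ||
      shExpMatch(url, "ftp:*")) {
    return SQUID;
  }
  return "DIRECT";
}
```

The proxy line deliberately has no `; DIRECT` fallback: with one, a browser that cannot reach Squid silently goes out unproxied, which defeats the proxy as a policy or logging point. The script is served to clients either by an explicit PAC URL or via WPAD discovery, as the SquidFaq/ConfiguringBrowsers page Amos mentions describes.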