On Tue, 17 Aug 2010 13:14:25 -0500, >p3dRø< <ip2trama@xxxxxxxxx> wrote:
> Hi Amos,
>
> I have my proxy as another host in the network (with only one ethernet
> card = eth0). The communication flow is:
>
> Internet <--> Router ADSL <--> Firewall <--> Squid <--> PCs
>
> What I mean with transparent is that all the hosts go to proxy without
> authentication and without blocking anything yet. They don't know that
> there is any proxy.

With only one NIC on the proxy this gets close to some tricky packet
routing issues. If you can use a second NIC, physically separating the
DMZ (Squid->ADSL linkage) from the internal PCs would be a great help in
avoiding problems.
(Ironically I have a long 3-day callout ahead to fix exactly these issues
for a client who decided to re-wire their net-cafe themselves).

For NAT interception (http_port ... intercept) to work properly the Squid
box must be the one doing NAT. Otherwise there are no box-internal NAT
tables for Squid to retrieve the clients' real destinations from.

In these setups I recommend setting up the Squid box as a full router +
firewall and the access device (ADSL here) as a pure modem/bridge, pushing
everything complex over to the Squid box.

Due to vulnerabilities with direct access to an interception port, 3.1 and
later will now prohibit the two modes from sharing a port. If the NAT
lookups fail (see above) it's considered a direct-access connection and
may be blocked.

The fix for you is to do NAT on the Squid box.
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

That seems to be the main problem in a nutshell. There are a few minor
issues and details to make things run more smoothly. I cover them below...
>
> I reconfigured my config file and I have this now:
>
> http_port 3128 intercept
> cache_mem 100 MB
> cache_dir ufs /var/spool/squid 150 16 256
> acl red_local src 192.168.1.0/24
> acl localhost src 127.0.0.1/32

With 3.1 Squid is IPv6-enabled. You may want to update these to include
your LAN IPv6 ranges. Those are ::1 for localhost and fe80::/7 for the
private equivalent to 192.168.*

Though having said that, the NAT will not work on IPv6 traffic.
NP: you can instead v6-enable your LAN PCs' traffic to Squid by using WPAD
to silently configure them for a proxy hostname with AAAA records
available. :)

> acl all src all

"all" is pre-defined in all Squid-3.x. Remove it to quieten the startup
warnings.

> http_access allow localhost
> http_access allow red_local
> acl SSL_ports port 443
> acl SSL_ports port 7779
> acl Safe_ports port 8080
> acl Safe_ports port 80
> acl Safe_ports port 7779
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Ah, so all the stuff about Safe_ports and SSL_ports was a red herring.
They are never used anyway. To actually work these two config lines are
supposed to be above your LAN access permissions:
  http_access allow localhost
  http_access allow red_local

Amos
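The http_access ordering point above, as an added example that is not part of the thread: a small Python model of Squid's first-match http_access evaluation, run over the ACLs from the posted config in both the posted order and the recommended order (port checks above the LAN allow rules). The config fragments are constructed from the thread's config, and the request dicts are constructed inputs.

```python
import ipaddress

# Constructed squid.conf fragments, modelled on the config posted in the thread.
ACLS = """
acl red_local src 192.168.1.0/24
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 7779
acl Safe_ports port 80 8080 7779
acl CONNECT method CONNECT
"""
PORT_CHECKS = "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n"
LAN_ALLOW = "http_access allow localhost\nhttp_access allow red_local\n"
POSTED_ORDER = ACLS + LAN_ALLOW + PORT_CHECKS  # as posted: LAN allowed first
FIXED_ORDER = ACLS + PORT_CHECKS + LAN_ALLOW   # as recommended: port checks first

def parse(conf):
    """acls: name -> (type, set of values); rules: ordered (action, terms)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], set()))[1].update(parts[3:])
        elif parts and parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules

def acl_matches(acls, name, req):
    """Does the named ACL match the request (src, port, method)?"""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported acl type: {kind}")

def http_access(conf, req):
    """Squid's first-match evaluation: the first http_access line whose terms
    all match decides. If no line matches, the documented default is the
    opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Run over a LAN client issuing CONNECT to port 25, the posted order answers "allow" because "allow red_local" matches first, while the recommended order answers "deny" from "deny !Safe_ports". The no-match default also flips with the ordering: ending on a deny line makes unmatched requests (an off-LAN source, say) allowed by default, ending on an allow line makes them denied.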