On 12/11/10 19:54, Arturas Kurlavicius wrote:
Hello. First I want to say sorry for my bad English :( Here is my situation. I work in a huge government network. My network uses a proxy to access the internet. Shame that the proxy is not transparent... so every time I must type the settings into every PC. That's annoying. So I want to change the situation. I made a somewhat stupid gateway PC (Debian) with a single network adapter, messed a bit with iptables, and a simple gateway is working.

Network config:
[CODE]
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
#iface eth0 inet dhcp
iface eth0 inet static
    address 10.0.8.226
    netmask 255.255.255.0
    gateway 10.0.8.1
[/CODE]

iptables config:
[CODE]
### Flush iptables configurations
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

### Enable IP forwarding
# (note the space: "echo 1> file" redirects stdout and writes nothing useful)
echo 1 > /proc/sys/net/ipv4/ip_forward

### Enable IP masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[/CODE]

And all seems to be working... I can browse sites (with proxy settings). So now I want to make the proxy transparent with that gateway. So I'm trying to forward port 80 to the proxy.

Config:
[CODE]
### Flush iptables configurations
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

### Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### Enable IP masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

### trying to forward port 80
iptables -A FORWARD -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 212.59.6.119:80
[/CODE]

Use an uncommon, randomly picked --to-destination port here to avoid the security problems introduced by NAT. It is only used between this firewall and Squid, so it can be firewalled in the "mangle" table to prevent external machines from sending traffic directly there.

Well, it seems forwarding is working... but when I try to get a page (for example www.inuxforums.org)... I get this error from the proxy:
[CODE]
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: /

The following error was encountered:

  * Invalid URL

Some aspect of the requested URL is incorrect. Possible problems:

  * Missing or incorrect access protocol (should be `http://'' or similar)
  * Missing hostname
  * Illegal double-escape in the URL-Path
  * Illegal character in hostname; underscores are not allowed
--------------------------------------------------------------------------------
Generated Thu, 11 Nov 2010 11:02:48 GMT by duke.cust.lt (squid/3.0.STABLE25)
[/CODE]
But if I put the proxy settings in the browser (212.59.6.119:80), everything works fine again. So I want advice on what I'm doing wrong..
You need to create an http_port for the NAT traffic to enter Squid. It needs IP:port details identical to the firewall --to-destination. In 3.0 and older Squid it has the flag "transparent", which tells Squid how to find and replace the missing hostname.
P.S. Auto proxy settings are not possible. And I have a lot of notebooks... so they need to change settings every time... and that's bad :(
Do you mean transparent configuration, aka WPAD/PAC? That would really be the best way. NAT interception adds some annoying security problems and restrictions.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
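As an added worked example (not code from this thread or from the Squid project), here is how the two halves of the setup Amos describes fit together: the Debian gateway DNATs LAN port-80 traffic to an uncommon port on the Squid host, the Squid host only accepts that port from the gateway, and squid.conf opens an http_port with exactly that IP:port and the 3.0 "transparent" flag. Assumptions: the LAN is 10.0.8.0/24 (taken from the posted netmask), the interception port 31287 is an arbitrary pick, and the proxy sees the gateway as 10.0.8.226 (if another NAT sits between them, put the address the proxy actually sees in GW_IP). Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: transparent interception split across the gateway and the
# Squid host from the thread. Addresses and the port are illustrative.
# IPT=echo turns this into a dry run that prints the iptables commands.
IPT="${IPT:-iptables}"

GW_IP="10.0.8.226"        # gateway address (from the post)
LAN_NET="10.0.8.0/24"     # clients behind the gateway (assumed from the netmask)
PROXY_IP="212.59.6.119"   # Squid host (from the post)
INTERCEPT_PORT="${INTERCEPT_PORT:-31287}"   # assumed uncommon port; pick your own

# Refuse the mistake in the thread: DNAT to :80 lands on the regular proxy
# port, which expects proxy-style absolute URLs, hence "Invalid URL".
# Also refuse other well-known proxy ports and anything outside 1024-65535.
check_intercept_port() {
    case "$1" in
        80|8080|3128) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Gateway side. Traffic already aimed at the proxy (browsers with explicit
# proxy settings) is left alone so it is not translated a second time; only
# LAN clients' port-80 traffic is redirected; masquerading stays as before.
gateway_rules() {
    check_intercept_port "$INTERCEPT_PORT" || return 1
    $IPT -t nat -A PREROUTING -s "$LAN_NET" -d "$PROXY_IP" -j RETURN
    $IPT -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$INTERCEPT_PORT"
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Squid-host side. The interception port is reachable from the gateway only;
# everything else keeps using the normal proxy port 80.
proxy_firewall_rules() {
    $IPT -A INPUT -p tcp --dport "$INTERCEPT_PORT" -s "$GW_IP" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

# squid.conf fragment for Squid 3.0 (the version in the posted error page).
# The IP:port must match the DNAT target exactly. Squid 3.1 and later spell
# the flag "intercept" instead of "transparent".
squid_conf_fragment() {
    printf 'http_port %s:80\n' "$PROXY_IP"
    printf 'http_port %s:%s transparent\n' "$PROXY_IP" "$INTERCEPT_PORT"
}

# Usage on the gateway:   sh intercept.sh gateway
# Usage on the Squid box: sh intercept.sh proxy   (then paste the squid.conf lines)
case "${1:-}" in
    gateway) gateway_rules ;;
    proxy)   proxy_firewall_rules && squid_conf_fragment ;;
esac
```

Because the DNAT happens on a different box than Squid, Squid cannot recover the original destination address from the kernel; with the "transparent" port it rebuilds the URL from the client's Host header, which is why the port flag, and not just the DNAT rule, is required.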