Thanks for the reply

On Fri, Nov 12, 2010 at 9:15 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 12/11/10 19:54, Arturas Kurlavicius wrote:
>>
>> Hello
>> First I want to say sorry for my bad English :(
>> Here is my situation
>>
>> I work in a huge government network. My network uses a proxy to access
>> the internet. It's a shame that the proxy is not transparent... so I must
>> type the settings into every PC every time. That's annoying. So I want to
>> change the situation.
>>
>> I made a somewhat stupid gateway PC (Debian) with a single network adapter.
>> I messed a bit with iptables, and a simple gateway is working.
>> Network config:
>> [CODE]
>> auto lo
>> iface lo inet loopback
>>
>> # The primary network interface
>> auto eth0
>> allow-hotplug eth0
>> #iface eth0 inet dhcp
>> iface eth0 inet static
>> address 10.0.8.226
>> netmask 255.255.255.0
>> gateway 10.0.8.1
>> [/CODE]
>> iptables config:
>> [CODE]
>> ###Flush iptables configurations
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> iptables -P INPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> iptables -P OUTPUT ACCEPT
>>
>> ###Enable IP forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> ###Enable ip masquerading
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> [/CODE]
>> And all seems to be working.. I can browse sites (with proxy settings).
>>
>> So now I want to make the proxy transparent with that gateway. So I'm
>> trying to forward port 80 to the proxy.
>> Config:
>> [CODE]
>> ###Flush iptables configurations
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> iptables -P INPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> iptables -P OUTPUT ACCEPT
>>
>> ###Enable IP forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> ###Enable ip masquerading
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> ### trying to forward port 80
>> iptables -A FORWARD -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 212.59.6.119:80
>
> Use an uncommon randomly picked --to-destination port here to avoid the
> security problems introduced by NAT. It is only used between this firewall
> and Squid, so can be firewalled in the "mangle" table to prevent external
> machines sending traffic directly there.
>
>> [/CODE]
>>
>> Well, it seems forwarding is working... but when I try to get a page (for
>> example www.inuxforums.org)... I get an error from the proxy
>> [CODE]
>> ERROR
>> The requested URL could not be retrieved
>>
>> --------------------------------------------------------------------------------
>> While trying to retrieve the URL: /
>>
>> The following error was encountered:
>>
>> * Invalid URL
>> Some aspect of the requested URL is incorrect. Possible problems:
>>
>> * Missing or incorrect access protocol (should be `http://'' or similar)
>> * Missing hostname
>> * Illegal double-escape in the URL-Path
>> * Illegal character in hostname; underscores are not allowed
>>
>> --------------------------------------------------------------------------------
>> Generated Thu, 11 Nov 2010 11:02:48 GMT by duke.cust.lt
>> (squid/3.0.STABLE25)
>> [/CODE]
>> But if I put the proxy setting in the browser (212.59.6.119:80) all works
>> fine again.
>>
>> So I want advice on what I'm doing wrong..
>
> You need to create an http_port for the NAT traffic to enter Squid. It
> needs IP:port details identical to the firewall --to-destination.
> In 3.0 and older Squid it has the flag "transparent" that tells Squid how
> to find and replace the missing hostname.
>

So... you are saying I need to change the Squid configuration... Well, that
is not possible for me. I'm only a user. Is there another way to make the
proxy transparent if I can't change the Squid config? Only WPAD/PAC?

>>
>> P.S. Auto proxy settings are not possible. And I have a lot of
>> notebooks.. so they need to change settings every time.. and that's bad
>> :(
>
> Do you mean transparent configuration aka WPAD/PAC? That would really be the
> best way. NAT interception adds some annoying security problems and
> restrictions.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>
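
A sketch of the WPAD/PAC route recommended above, added here as an example and not written by anyone in the thread. It uses the proxy address and LAN addressing quoted in the thread; sending notebooks DIRECT when they are off the 10.0.8.0/24 network is an assumption, as are the helper names `ipv4ToInt`, `inNet` and `chooseProxy`.

```javascript
// Added example PAC file; values from the thread: proxy 212.59.6.119:80,
// client LAN 10.0.8.0/24 (address 10.0.8.226, netmask 255.255.255.0).
var PROXY = "PROXY 212.59.6.119:80";
var LAN_NET = "10.0.8.0";
var LAN_MASK = "255.255.255.0";

// Dotted-quad IPv4 text -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipv4ToInt(text) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip is an IPv4 literal inside net/mask. No DNS lookups are made.
function inNet(ip, net, mask) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(net), k = ipv4ToInt(mask);
  if (a === null || b === null || k === null) return false;
  return ((a & k) >>> 0) === ((b & k) >>> 0);
}

// Pure decision function (hypothetical helper) so it can be tested outside a browser.
function chooseProxy(host, clientIp) {
  // Assumption: a notebook outside the office LAN should not use the proxy.
  if (!inNet(clientIp, LAN_NET, LAN_MASK)) return "DIRECT";
  // Unqualified local names and LAN addresses bypass the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (inNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down, requests fail
  // instead of silently going around it.
  return PROXY;
}

// Entry point the browser calls; myIpAddress() is a PAC built-in.
// On multi-homed machines it may return a loopback or VPN address.
function FindProxyForURL(url, host) {
  return chooseProxy(host, myIpAddress());
}
```

Because the browser sends a full proxy-style request when configured this way, Squid receives the hostname and the "Invalid URL" error from the NAT attempt does not occur, with no change to the Squid configuration.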