Re: transparent proxy in squid3

On 3/03/2012 12:51 p.m., pplive wrote:
Dear all,

I am trying to configure a transparent web proxy through squid 3. Here is
the network topology:

Users ->  Switch ->  Internet

Users means a couple of PCs, all of them have public IP, all of them
are connected to a switch. One PC among them is designed to be a proxy
machine. The switch is programmable, thus for the TCP packets with
destination address 80, it can be re-directed to the proxy machine.
For other packets, it will be forwarded further to the Internet. The
programmable switch has been tested and works well.

The proxy machine has installed squid3, the listening port is 3128,
and we have configured 'http_port 3128 transparent' in squid.conf. One
problem is this machine has only one NIC (eth0), thus we can not use
the method proposed in
http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
(using a bridge)

I have tried several iptables settings, such as

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to xx.yy.zz.ii:3128

Neither of them works.

There are several other iptables rules involved, along with sysctl requirements. See http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

The Squid 3.1 option is "intercept" for NAT interception proxy. Transparent proxy is something else.

If you have any other problems after fixing all that, check the switch is bypassing the redirect when the packets for port 80 come *out* of the squid box.

Amos
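
A read-only preflight for two points raised in this thread, the http_port flag (`intercept` rather than `transparent`) and the port-80 NAT rule, as an added example that is not from the thread or the Squid project. The function names and sample inputs are constructed here, and the rule text is assumed to be in iptables-save output format; the sysctl settings and the switch bypass mentioned in the reply are not covered.

```shell
#!/bin/sh
# Added example: offline preflight for a Squid NAT-interception setup.
# Inputs are text (squid.conf, iptables-save output); nothing is changed.

# Print how squid.conf declares the port: intercept, transparent,
# plain (no flag) or missing (no active http_port line for it).
squid_port_mode() {  # $1 = squid.conf text, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "http_port" && ($2 == port || $2 ~ (":" port "$")) {
            found = "plain"
            for (i = 3; i <= NF; i++)
                if ($i == "intercept" || $i == "transparent") found = $i
        }
        END { print (found == "" ? "missing" : found) }'
}

# Succeed if the nat table PREROUTING chain sends tcp/80 to the port,
# by REDIRECT or DNAT, as written in iptables-save format.
has_port80_redirect() {  # $1 = iptables-save text, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A PREROUTING / && /--dport 80 / &&
        /-j (REDIRECT --to-ports?|DNAT --to-destination) / {
            if ($NF == port || $NF ~ (":" port "$")) ok = 1
        }
        END { exit !ok }'
}

preflight() {  # $1 = squid.conf text, $2 = iptables-save text, $3 = port
    mode=$(squid_port_mode "$1" "$3")
    case $mode in
        intercept)   echo "OK   http_port $3 uses intercept" ;;
        transparent) echo "FIX  http_port $3 uses transparent, not intercept" ;;
        *)           echo "FIX  http_port $3 is $mode" ;;
    esac
    if has_port80_redirect "$2" "$3"; then
        echo "OK   nat PREROUTING sends tcp/80 to port $3"
    else
        echo "FIX  no nat PREROUTING rule sends tcp/80 to port $3"
    fi
}

# Constructed sample input mirroring the setup described in the thread.
SAMPLE_SQUID_CONF='http_port 3128 transparent'
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
preflight "$SAMPLE_SQUID_CONF" "$SAMPLE_RULES" 3128
```

On a live box the two inputs would come from the squid.conf file and from `iptables-save` run as root.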

