Re: transparent proxy in squid3

Dear Amos,

Thanks a lot! By looking at your URL, I have entered the following
commands on my squid3 machine (my HTTP service is at port 8080); the
squid3 proxy machine is at 10.0.3.1, the HTTP server (noder) is at
10.0.2.1, and the HTTP client (nodes) is at 10.0.1.1:

yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT
yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128
yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

yeung@nodec1:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  nodec1-tblink-l9     anywhere            tcp dpt:http-alt
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http-alt to:10.0.3.1:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

yeung@nodec1:~$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

However, the proxy still has some problems: when we start wget from the
HTTP client
yeung@nodes:~$ wget 10.0.2.1:8080
--2012-03-04 09:31:39--  http://10.0.2.1:8080/
Connecting to 10.0.2.1:8080... ^C
yeung@nodes:~$

We looked at the tcpdump output on the squid3 machine (10.0.3.1) and saw the
following:
09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0

It seems that there was some HTTP-alt traffic coming in from the
switch, but no HTTP traffic going out of the squid3 machine.

I am really sorry for continuing this problem.

Best regards!

On Fri, Mar 2, 2012 at 7:39 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 3/03/2012 12:51 p.m., pplive wrote:
>>
>> Dear all,
>>
>> I am trying to configure a transparent web proxy through squid 3; here is
>> the network topology:
>>
>> Users ->  Switch ->  Internet
>>
>> Users means a couple of PCs; all of them have public IPs, and all of them
>> are connected to a switch. One PC among them is designated to be the proxy
>> machine. The switch is programmable, so TCP packets with
>> destination port 80 can be redirected to the proxy machine.
>> Other packets are forwarded on to the Internet. The
>> programmable switch has been tested and works well.
>>
>> The proxy machine has squid3 installed, the listening port is 3128,
>> and we have configured 'http_port 3128 transparent' in squid.conf. One
>> problem is that this machine has only one NIC (eth0), so we cannot use
>> the method proposed in
>>
>> http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
>> (using a bridge)
>>
>> I have tried several iptables settings, such as
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to xx.yy.zz.ii:3128
>>
>> Neither of them works.
>
>
> There are several other iptables rules involved, along with sysctl
> requirements. See
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> the Squid 3.1 option is "intercept" for NAT interception proxy. Transparent
> proxy is something else.
>
> If you have any other problems after fixing all that check the switch is
> bypassing the redirect when the packets for port 80 come *out* of the squid
> box.
>
> Amos
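The rule set discussed in this thread, written up as an added example (not code from either poster or from the Squid project): a small POSIX shell script that emits the netfilter and sysctl commands for a single-NIC Squid NAT-intercept box in the order they must be applied, with a dry-run default so it can be reviewed before being applied as root. The defaults are the addresses and ports from the thread (proxy 10.0.3.1, service port 8080, Squid on 3128, eth0); the variable names, the DRY_RUN switch and the helper functions are this example's own. The ip_forward line is the sysctl this example assumes Amos is referring to.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the commands for a
# single-NIC Squid NAT-intercept box. Defaults are the thread's values;
# the variable names and DRY_RUN switch are this example's own.

PROXY_IP="${PROXY_IP:-10.0.3.1}"       # the Squid box
SERVICE_PORT="${SERVICE_PORT:-8080}"   # port the switch redirects to the proxy
SQUID_PORT="${SQUID_PORT:-3128}"       # the 'http_port ... intercept' port
IFACE="${IFACE:-eth0}"

# Emit one command per line, in the order they must be applied.
intercept_rules() {
    # Assumed sysctl requirement: without forwarding, packets that are not
    # for the box itself are silently dropped instead of routed onward.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Connections the proxy box itself opens toward the service port must
    # bypass the redirect, or Squid's outbound connections re-enter Squid.
    echo "iptables -t nat -A PREROUTING -s $PROXY_IP -p tcp --dport $SERVICE_PORT -j ACCEPT"
    # Everything else bound for the service port is handed to Squid.
    echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $SERVICE_PORT -j DNAT --to-destination $PROXY_IP:$SQUID_PORT"
    # Replies from the origin server must come back through this box.
    echo "iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE"
    # Refuse clients that talk to the intercept port directly. The mangle
    # table is consulted before nat, so DNAT'd packets are unaffected.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $SQUID_PORT -j DROP"
}

# Line number of the first emitted command matching the pattern in $1.
rule_index() {
    intercept_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Check that the bypass rule is inserted before the DNAT rule; iptables
# matches first-rule-wins, so the reverse order would redirect the proxy's
# own traffic.
rules_ordered() {
    [ "$(rule_index '-j ACCEPT')" -lt "$(rule_index '-j DNAT')" ]
}

# Print the commands (default), or run them as root when DRY_RUN=0.
apply_rules() {
    intercept_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

apply_rules
```

Run it as-is to review the commands, or `DRY_RUN=0 sh intercept.sh` as root to apply them. The source-address ACCEPT rule only helps for packets that the switch sends back to the proxy; as Amos says, the more robust fix is to have the switch exempt the proxy's own outbound port-8080 traffic from the redirect, otherwise every connection Squid opens toward the origin server is bounced back at the box that sent it.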