Re: [squid-users] Transparent Proxy & IPTables

From: Squid Support (Henrik Nordstrom) <hno@dont-contact.us>
Date: Wed, 15 May 2002 15:52:59 +0200

You should be running the NAT on the Squid box. If you DNAT outside the Squid
box then Squid has no way of telling what the real destination address was on
HTTP/1.0 requests without a Host header.

To have the firewall route any WWW traffic to the Squid box you can use
nfmark based "Advanced Routing", combined with my CONNMARK extension to
iptables (in iptables patch-o-matic) to ensure that any "RELATED" packets are
also routed there (fixes MTU discovery etc).

Regards
Henrik

Tiago Fioreze wrote:
> Hi everybody !!!
>
> I have one problem with my project and I would like some help.
>
> I'm implementing transparent proxy in my network. I'm using
> SQUID and IPtables for this.
>
> The scenario:
> |----------| eth1 |----------|eth0              |------------|
> | Internet |------| Firewall |--------|---------| My Network |
> |----------|      |----------|        |         |------------|
>                                       |
>                                   |-------|
>                                   | SQUID |
>                                   |-------|
>
> The idea (project):
>
> The users in my network must access http through squid instead of
> directly.
>
> The rules:
>
> --> SQUID:
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_single_host off
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> --> IPTables:
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
>     --dport 80 -j DNAT --to squid-box:8080
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 \
>     -p tcp --dport 8080 -j ACCEPT
>
>
> The problem:
>
> The iptables changes the destination (from anywhere:80 to
> squid-box:8080), but the SQUID didn't receive any packets on port 8080.
>
> P.S.: If I add, between the rules of the IPTables, the rule below:
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box \
>     -j SNAT --to iptables-box
>
> the transparent proxy works very well, but my squid only receives
> connections from the firewall (because of the rule above). So, I don't have
> control (by squid) of what my users are accessing on the internet.
>
> Can somebody help me ?
>
> Thanks in advance,
>
> Tiago Fioreze
>
> ********************************************
> * Network Administrator                    *
> *                                          *
> * Núcleo de Ciência da Computação          *
> * Universidade Federal de Santa Maria      *
> * Santa Maria - Rio Grande do Sul - Brasil *
> ********************************************

-- 
Basic free Squid support provided thanks to MARA Systems AB
Your source of advanced reverse proxy solutions or customized
Squid solutions. http://www.marasystems.com/products/
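Henrik's two recommendations (do the NAT on the Squid box, and have the firewall steer port-80 traffic to the Squid box with nfmark policy routing plus CONNMARK so RELATED packets follow the same path), written out as an added example; this is not code from the original thread. Addresses, interface names, the mark value and the routing-table number are placeholders I chose, not values from the posts. CONNMARK was a patch-o-matic extension when this was written but has long been part of mainline iptables, so the `--restore-mark`/`--save-mark` targets used here are stock. By default the script only prints the commands for each box (DRY_RUN=1); DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not from the thread: Henrik's "route WWW traffic to the Squid
# box" design. The values below are placeholders, not addresses from the posts.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # Tiago's "local-network"
SQUID_IP="${SQUID_IP:-192.168.1.10}"   # Tiago's "squid-box"
LAN_IF="${LAN_IF:-eth0}"               # inside interface on both boxes
SQUID_PORT="${SQUID_PORT:-8080}"
WWW_MARK=1                             # nfmark for HTTP flows (assumed value)
WWW_TABLE=100                          # policy-routing table (assumed value)

# DRY_RUN=1 (default) prints each command instead of executing it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# --- FIREWALL box: no DNAT here, only marking and policy routing ---
firewall_rules() {
  # Copy the connection mark onto every packet first. Packets of a flow that
  # is already marked, including ICMP errors conntrack classifies as RELATED
  # to it (fragmentation-needed for PMTU discovery), inherit the mark without
  # being matched again.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
  # Squid's own outbound connections must keep using the normal default route.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SQUID_IP" -j RETURN
  # Still-unmarked HTTP packets from LAN clients get the WWW mark ...
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
      -p tcp --dport 80 -m mark --mark 0 -j MARK --set-mark "$WWW_MARK"
  # ... and the mark is stored on the conntrack entry for the rest of the flow.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark "$WWW_MARK" \
      -j CONNMARK --save-mark
  # Marked packets are routed via the Squid box instead of the default gateway.
  run ip rule add fwmark "$WWW_MARK" table "$WWW_TABLE"
  run ip route add default via "$SQUID_IP" table "$WWW_TABLE"
  # The packet enters and leaves on the same interface (hairpin): allow it, and
  # stop the kernel from sending ICMP redirects that would bypass the marking.
  run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" \
      -p tcp --dport 80 -j ACCEPT
  run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
}

# --- SQUID box: the NAT happens here, so the original destination stays in
# this box's conntrack table and Squid can recover it even for HTTP/1.0
# requests that carry no Host header ---
squid_box_rules() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$SQUID_IP" \
      -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

echo "# firewall"; firewall_rules
echo "# squid box"; squid_box_rules
```

On the Squid side, Tiago's httpd_accel lines are the Squid 2.x way of enabling interception; with the REDIRECT on the Squid box itself, Squid reads the pre-NAT destination back from the kernel, which is exactly what is lost when the DNAT is done on the firewall. Newer Squid releases replace the httpd_accel directives with `http_port 8080 intercept`. Note also that replies from Squid to the clients go straight across the LAN and never pass the firewall, so the firewall sees only one direction of those flows and must permit them explicitly, as the FORWARD rule above does.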
Received on Wed May 15 2002 - 07:53:10 MDT
