problem in configuring squid transparent proxy on FC3
Miles Brennan
miles at brennan.id.au
Tue Jul 11 12:26:36 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ankush Grover wrote:
> hey friends,
>
> I am trying to configure Squid Transparent Proxy on FC3. I am testing
> the scenario on 2 machines. The FC3 machine has got 2 LAN cards
>
> eth0: 192.168.1.125/24
> eth1: 192.168.2.126/24
>
> The other machine has only one LAN card
>
> eth0: 192.168.2.88/24
>
> I added these lines for transparent proxy in squid.conf
> http_port 3128 (by default)
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I have also added these lines to squid.conf
>
> acl mynetwork src 192.168.1.125
> acl mynetwork1 src 192.168.2.0
> http_access allow mynetwork
> http_access allow mynetwork1
>
> Configured iptables to redirect the request to the proxy from the
> domain 192.168.2.0 to port 3128
>
> iptables -t nat -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp --dport
> 80 -j REDIRECT --to-port 3128
>
> But when I gave the below command to list the iptables rules there were
> no rules added to the iptables
>
> iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> I saved and restarted iptables many times, even flushed the iptables a few
> times and again added the NAT rule, but every time iptables -L shows
> empty rules.
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>
> lsmod command output
> Module Size Used by
> ipt_REDIRECT 2113 20
> iptable_nat 23037 2 ipt_REDIRECT
> ip_conntrack 40565 1 iptable_nat
> iptable_filter 2753 0
> ip_tables 16705 3 ipt_REDIRECT,iptable_nat,iptable_filter
>
>
> I am able to ping from 192.168.1.125 to 192.168.2.88. There is one
> more problem: I am not able to ssh onto the other server (FC3) from the
> squid server.
>
> ssh -l tester 192.168.1.122
> Received disconnect from 192.168.1.122: 2: Too many authentication
> failures for tester
>
> As this is the testing scenario, only 2 machines are in the domain
> 192.168.2.0 (one machine running Windows XP and the other is FC3 with 2
> LAN cards, and I am using these machines for testing squid transparent
> proxy); all other machines in the network are in the domain
> 192.168.1.0, so I should be able to ssh onto the machine 192.168.1.122,
> as the LAN card eth0 on the FC3 machine (192.168.1.125) is connected to
> the network 192.168.1.0.
>
> Please guide me on what I am doing wrong?
>
> Thanks & Regards
>
> Ankush Grover
>
Ankush,
That rule is in the NAT table; you can see it with:
iptables -t nat -nvL
or, to see both the filter and nat tables together:
iptables -nvL ; iptables -t nat -nvL
I also think you need a subnet declaration for your squid ACLs, because
you are using "src"; see your conf file for a fuller description of proper
declarations.
vi /etc/squid/squid.conf
acl INTERNAL-NETWORK src 192.168.2.0/24
http_access allow INTERNAL-NETWORK
You should only need the two lines above (they work together). This will
allow all traffic from the 192.168.2.0/24 network to access the proxy cache.
If you want to access the proxy from the 192.168.1.0/24 network, then
you will need to make changes at your gateway (192.168.1.1) to redirect
them back to the FC3 box. Your Win98 box will work properly because it
is passing traffic _through_ the FC3 from the 192.168.2.0/24 network.
Remember, your transparent proxy is a redirection of HTTP requests (port
80) to your proxy cache (port 3128). Squid then handles the request
transparently; the client doesn't realise the change in network packet
flow. To test this properly, you can either disable packet forwarding on
the FC3 box, or set your iptables forward policy to drop everything.
iptables -P FORWARD DROP
This way ALL packets must be redirected with your iptables rule and
passed through squid to get out the .2.0 network.
HTH.
Regards,
Miles Brennan
- --
Linux Home Server HOWTO
http://www.brennan.id.au/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
iD8DBQFEs5j8cSPa0xQu/fARAqHZAJ4hBzU8Skv+SK84RJcwZ6akE4cYWACglgox
r4JQbFofhGyzZeM7A4fmxt4=
=ghpA
-----END PGP SIGNATURE-----
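As an added example (not part of Miles's reply or Ankush's message), the following POSIX shell script checks the three things the reply turns on: whether the REDIRECT rule actually sits in the nat table, which plain `iptables -L` never lists; what the FORWARD chain policy is; and whether any `acl ... src` line in squid.conf lacks a netmask, so that Squid reads it as a single host rather than a network. The iptables listings and the squid.conf fragment are constructed samples built from the values in the thread (the packet counters are made up), and the function names are my own. On a live box you would feed the functions `"$(iptables -t nat -nvL)"`, `"$(iptables -nvL)"` and `"$(cat /etc/squid/squid.conf)"` instead of the samples.

```shell
#!/bin/sh
# Added example, not code from the original thread. Runs offline against
# constructed sample output; function names and counters are assumptions.

# Constructed sample: `iptables -t nat -nvL` once the thread's REDIRECT rule
# is loaded. Counters are invented.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1200 REDIRECT   tcp  --  eth1   *       192.168.2.0/24       0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: `iptables -nvL` (filter table) on the same box. The NAT
# rule is absent here, which is exactly what confused the original poster.
SAMPLE_FILTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed squid.conf fragment reproducing the original poster's ACLs.
SAMPLE_SQUID_CONF='acl mynetwork src 192.168.1.125
acl mynetwork1 src 192.168.2.0
http_access allow mynetwork
http_access allow mynetwork1'

# has_redirect LISTING IN_IFACE SRC_NET
# Succeeds (exit 0) when LISTING contains a PREROUTING REDIRECT rule for
# tcp/80 from SRC_NET arriving on IN_IFACE that redirects to port 3128.
has_redirect() {
    printf '%s\n' "$1" | awk -v iface="$2" -v src="$3" '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $3 == "REDIRECT" && $4 == "tcp" &&
        $6 == iface && $8 == src && $11 == "dpt:80" && /redir ports 3128/ { found = 1 }
        END { exit !found }'
}

# forward_policy LISTING
# Prints the FORWARD chain policy (ACCEPT or DROP) from a filter-table listing,
# whether or not the listing was produced with -v.
forward_policy() {
    printf '%s\n' "$1" | awk '/^Chain FORWARD \(policy / { sub(/\)$/, "", $4); print $4 }'
}

# src_acls_missing_mask CONF
# Prints the name of every "acl NAME src ADDR" entry whose address carries no
# /mask. Squid treats such an address as one host, so "src 192.168.2.0" does
# not match the 192.168.2.0/24 network the poster intended.
src_acls_missing_mask() {
    printf '%s\n' "$1" | awk '$1 == "acl" && $3 == "src" {
        for (i = 4; i <= NF; i++) if ($i !~ /\//) print $2 }'
}

# Demonstration on the constructed samples.
if has_redirect "$SAMPLE_NAT" eth1 192.168.2.0/24; then
    echo "nat table: REDIRECT rule for eth1/192.168.2.0/24 -> 3128 present"
else
    echo "nat table: REDIRECT rule missing"
fi
if has_redirect "$SAMPLE_FILTER" eth1 192.168.2.0/24; then
    echo "filter table: REDIRECT rule present (unexpected)"
else
    echo "filter table: no REDIRECT rule here, as expected; use -t nat"
fi
echo "FORWARD policy: $(forward_policy "$SAMPLE_FILTER") (DROP forces all HTTP through squid)"
echo "src ACLs without a netmask: $(src_acls_missing_mask "$SAMPLE_SQUID_CONF" | tr '\n' ' ')"
```

The checks are deliberately strict about the chain: a REDIRECT in the nat OUTPUT chain would affect only locally generated traffic, not packets arriving on eth1, so only PREROUTING counts. With the FORWARD policy at ACCEPT, a missing or mistyped REDIRECT rule fails silently because clients still reach the web directly; with it at DROP, as the reply suggests, the breakage is immediate and easy to spot.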