transparent proxy w Linux and 3Com Netbuilder

From: Enric <[email protected]>
Date: Fri, 13 Mar 1998 12:40:21 +0100 (MET)

Hello,

I have read the thread about "Transparent proxy with Linux 2.0.29 and
CISCO IOS 11.1", and in particular the message from Brian
[mailto:signal@shreve.net].

We have the same configuration as Brian:

squid 1.1.20 on a Linux (RH 5.0) box with a 2.0.33 kernel and a router
from 3Com (NetBuilder II) (not CISCO as Brian).
The Linux kernel is configured the same way Brian says.
Also, the same lines for ipfwadm and the same squid.conf parameters.

We have some subnets defined (I don't know if Brian also) and the _problem
is here_ (I think).

The following scheme shows some of our subnets:

              Subnet: 150.128.120.0 / 24
  /--------------------------------------------------\
    +-------+                    +------------+
    | pipa  |--------------------| NetBuilder |-----> To Internet
    +-------+                    +------------+
 150.128.120.11                         |
                                        |
             +--------------------------+
             |                |
         +-------+        +-------+
         | Squid |        | Conto |
         +-------+        +-------+
      150.128.98.17    150.128.98.13
  \--------------------------------------------------/
              Subnet: 150.128.98.0 / 24

- The NetBuilder permits outgoing 150.128.98.17/32 traffic and redirects the
  www traffic from the 150.128.120.0 and 150.128.98.0 subnets to the Squid box
  (150.128.98.17).

- The IP Firewall installed on the Linux box redirects the www traffic to
  its local port 3128 (the Squid software is listening on this port).

The results are:

- From the 150.128.98.0 / 24 subnet all works fine (the browsers with
  direct connections and the squid software).

- From the 150.128.120.0 / 24 subnet it does not. The Opera (3.0 demo version)
  browser seems to work fine. Netscape (4.04) and IE (4.0) do not. The data
  seems to reach the squid box (sometimes) but does not return to the client
  browsers. And sometimes no data seems to arrive at squid.
  The error Netscape gives is: A network error occurred while Netscape was
  receiving data. Network error: connection reset by peer. And in the squid
  access.log file the lines appear showing the connection is done
  (TCP_MISS, GET and DIRECT). When I click on the OK button on the previous
  error message, the browser seems to continue receiving data but finally
  the connection finishes and the data is not totally retrieved.
  If I then click the reload button, in the access log appears
  TCP_CLIENT_REFRESH, GET and DIRECT and it seems to get some chunks of data.
  When I try again later, I only receive the error message and no data is
  received.

  This is a rare behaviour. I can say it does not work at all.

In short:

from the clients on the same subnet as the squid box it works OK, and
from any other subnet it does not.

Please, can someone help me?
Thank you.

-----Original Message----
From: Brian [mailto:signal@shreve.net]
Sent: Wednesday, March 11, 1998 8:16 AM
To: Chuck Pitre
Cc: Squid Users
Subject: Re: transparent proxy with LINUX 2.0.29 and CISCO IOS 11.1

Here is how I have Transparent proxying working for me, in an environment
where my router is a Cisco 2501 running IOS 11.1, and Squid machine is
running Linux 2.0.33.

Many thanks to the following individuals and the squid-users list for
helping me get redirection and transparent proxying working on my
Cisco/Linux box.

Lincoln Dale
Riccardo Vratogna
Mark White
Henrik Nordstrom

First, here is what I added to my Cisco, which is running IOS 11.1. In
IOS 11.1 the route-map command is "process switched" as opposed to the
faster "fast-switched" route-map which is found in IOS 11.2 and later.
You may wish to be running IOS 11.2. I am running 11.1, and have had no
problems with my current load of about 150 simultaneous connections to
squid:

!
interface Ethernet0
description To Office Ethernet
ip address 208.206.76.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
ip policy route-map proxy-redir
!
access-list 110 deny tcp host 208.206.76.44 any eq www
access-list 110 permit tcp any any eq www
route-map proxy-redir permit 10
match ip address 110
set ip next-hop 208.206.76.44

So basically from above you can see I added the "route-map" declaration,
and an access-list, and then turned the route-map on under int e0 "ip
policy route-map proxy-redir"

ok, so the Cisco is taken care of at this point. The host above:
208.206.76.44, is the ip number of my squid host.

My squid box runs Linux, so I had to do the following on it:

my kernel (2.0.33) config looks like this:

#
# Networking options
#
CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_SYN_COOKIES=y
# CONFIG_RST_COOKIES is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y

You will need Firewalling and Transparent Proxy turned on at a minimum.

Then some ipfwadm stuff:

# Accept all on loopback
ipfwadm -I -a accept -W lo
# Accept my own IP, to prevent loops (repeat for each interface/alias)
ipfwadm -I -a accept -P tcp -D 208.206.76.44 80
# Send all traffic destined to port 80 to Squid on port 3128
ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128

it accepts packets on port 80 (redirected from the Cisco), and redirects
them to 3128 which is the port my squid process is sitting on. I put all
this in /etc/rc.d/rc.local

and the squid is configured as:

http_port 80
icp_port 3130
httpd_accel virtual 80
httpd_accel_with_proxy on

I am using v1.1.20 of the squid with the patch at:

http://hem.passagen.se/hno/squid/squid-1.1.20.host_and_virtual.patch

installed. You will want to install this patch if using a setup similar
to mine.

This works great. Many thanks again to all of those listed above in
helping me.

Brian

/-------------------------- signal@shreve.net -----------------------------\
| Brian Feeny | USR TC Hubs | ShreveNet Inc. (318)222-2638 |
| Network Administrator | Perl, Linux | Web hosting, online stores, |
| ShreveNet Inc. | USR Pilot | Dial-Up 14.4-56k, ISDN & LANs |
| 89 CRX DX w/MPFI, lots of |-=*:Quake:*=-| http://www.shreve.net/ |
| mods/Homepage coming soon |LordSignal/SN| Quake server: 208.206.76.47 |
\-------------------------- 318-222-2638 x109 -----------------------------/

Enric Navarro Sanchis. Systems Analyst. http://nti.uji.es/~navarro
                | Do Not Buy Ivory   |
                | Ivory Belongs Only | (And Walrus Also)
                | To Elephants       |
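To make the two rule sets Brian quotes easier to reason about, here is an added Python example (not code from this thread, from Squid or from either router vendor) that parses those exact Cisco access-list/route-map lines and ipfwadm lines and walks sample packets through them: the router's first-match access-list and route-map first, then the Squid host's ipfwadm input chain. It only handles the address forms and flags that actually appear in the message, assumes the input chain's default policy was left at accept, and uses the constructed address 198.51.100.10 to stand in for a remote web server.

```python
import ipaddress
from dataclasses import dataclass
# Constructed input: the Cisco and ipfwadm lines exactly as quoted in Brian's message above.
CISCO_CONFIG = """\
access-list 110 deny tcp host 208.206.76.44 any eq www
access-list 110 permit tcp any any eq www
route-map proxy-redir permit 10
match ip address 110
set ip next-hop 208.206.76.44
"""
IPFWADM_RULES = """\
ipfwadm -I -a accept -W lo
ipfwadm -I -a accept -P tcp -D 208.206.76.44 80
ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128
"""
SQUID_IP = "208.206.76.44"
WORD_FLAGS = {"-a": "action", "-W": "iface", "-P": "proto"}  # ipfwadm flags taking one plain argument

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "eth0"  # interface the Squid host receives it on

def parse_cisco_addr(t, i):
    """Consume one ACL address spec at t[i] ('any' or 'host A'); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    raise ValueError(f"address form not handled by this example: {t[i]}")

def parse_cisco(text):
    """Return ({acl number: [(action, proto, src, dst, port)]}, {route-map name: {acl, next_hop}})."""
    acls, route_maps, current = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if t[0] == "access-list":
            src, i = parse_cisco_addr(t, 4)
            dst, i = parse_cisco_addr(t, i)
            port = (80 if t[i + 1] == "www" else int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "route-map":
            current = route_maps.setdefault(t[1], {})
        elif t[:3] == ["match", "ip", "address"]:
            current["acl"] = t[3]
        elif t[:3] == ["set", "ip", "next-hop"]:
            current["next_hop"] = t[3]
    return acls, route_maps

def acl_permits(entries, pkt):
    """Cisco ACL semantics: the first matching entry decides; implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, port in entries:
        if proto == pkt.proto and s in src and d in dst and port in (None, pkt.dport):
            return action == "permit"
    return False

def parse_ipfwadm(text):
    """Parse the ipfwadm flags used in the message into one rule dict per line (input chain only)."""
    rules = []
    for line in text.splitlines():
        t, i = line.split()[2:], 0  # drop 'ipfwadm -I'; -I selects the input chain, the only one modelled
        r = dict(action=None, iface=None, proto=None, dst=None, dport=None, redirect=None)
        while i < len(t):
            flag = t[i]
            if flag in WORD_FLAGS:
                r[WORD_FLAGS[flag]], i = t[i + 1], i + 2
            elif flag == "-r":  # redirect to a local port: the transparent-proxy hook
                r["redirect"], i = int(t[i + 1]), i + 2
            elif flag == "-D":  # destination address, optionally followed by a port
                addr = "0.0.0.0/0" if t[i + 1] == "0/0" else t[i + 1]
                r["dst"], i = ipaddress.ip_network(addr, strict=False), i + 2
                if i < len(t) and t[i].isdigit():
                    r["dport"], i = int(t[i]), i + 1
            else:
                raise ValueError(f"ipfwadm flag not handled by this example: {flag}")
        rules.append(r)
    return rules

def input_chain(rules, pkt):
    """First matching input rule decides; '-r' gives the local port the packet is redirected to."""
    d = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r["iface"] in (None, pkt.iface) and r["proto"] in (None, pkt.proto)
                and (r["dst"] is None or d in r["dst"]) and r["dport"] in (None, pkt.dport)):
            return r["action"], r["redirect"]
    return "accept", None  # assumption: the default input policy was left at accept

def trace(pkt):
    """Follow one packet through the router's policy route, then the Squid host's input chain."""
    acls, route_maps = parse_cisco(CISCO_CONFIG)
    rm = route_maps["proxy-redir"]
    next_hop = rm["next_hop"] if acl_permits(acls[rm["acl"]], pkt) else None
    if next_hop != SQUID_IP:  # not policy-routed to the Squid host, so its ipfwadm chain never sees it
        return {"next_hop": next_hop, "local_port": None}
    action, redirect = input_chain(parse_ipfwadm(IPFWADM_RULES), pkt)
    return {"next_hop": next_hop, "local_port": redirect if action == "accept" else None}
```

Tracing `Packet("208.206.76.10", "198.51.100.10", 80)` gives next-hop 208.206.76.44 and local port 3128, which is the intended path for an office client. Tracing the same request with the Squid host itself as the source gives no next-hop at all: the `deny` entry in access-list 110 is what stops Squid's own fetches from being bounced back to Squid, the loop Brian's ipfwadm comment also guards against on the host side. A client that talks to 208.206.76.44 port 80 directly is policy-routed to the same host but hits the second ipfwadm rule, which accepts without a redirect, so Squid's own `http_port 80` answers it.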
Received on Fri Mar 13 1998 - 03:56:41 MST