Re: AW: [squid-users] transparent proxy

From: Jan Humme <[email protected]>
Date: Tue, 20 Aug 2002 16:40:53 +0200

On Tuesday 20 August 2002 15:25, PayalR wrote:
> Now, my
> #iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `Before proxy redirect: '
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
> LOG all -- anywhere anywhere LOG level warning prefix `After proxy redirect: '
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> This is done as suggested by Jan. No messages appear in /var/log/messages.

???

At least messages "Before proxy redirect:" MUST show up in your syslog; the
fact that they don't seems to indicate that your entire netfilter is not
being used?!

....unless you are syslogging to another file or machine of course; check
this first.

Also remember that the NAT table is only traversed once, for NEW connections;
so stop your browser, restart it, connect to some web page, and check the
syslog file.

What is the output for "lsmod"? Are the netfilter modules loaded?

> #cat /proc/sys/net/ipv4/ip_forward
> 1
>
> Now my problem is that when I remove proxy from browser and try to browse
> it tries to lookup page and eventually gives up by saying "host not found".
> But when I enter proxy settings in browser and browse the same site it just
> says it has sent the request but no site is displayed.

So with NON-transparent proxy configuration (browser configured to use proxy
at 3128) your system is not working either! That seems to point to a squid
configuration problem. With or without iptables/netfilter, the proxy MUST
work if you connect to it directly (NON-transparently).

> Another user mentioned that I do POSTROUTING rules, but I don't know what
> he meant. So, I haven't used them. The only rules I used are given above.

POSTROUTING has nothing to do with it; it is only used for SNATting and
Masquerading. However, I seem to remember that you mentioned you are using a
dial-up connection, possibly with dynamic IP-address; I suppose that accounts
for your masquerading rule.

> Now tell me what must be the problem?

You may have more than one problem:
1) your syslog seems to indicate that netfilter is NOT used at all
2) your proxy does not seem to work even in NON-transparent (normal) mode
3) if you do have dynamic IP on dial-up, you may need a masquerading rule

Suggestions to move forward:

=> (before anything else) verify that your system is in fact logging to
/var/log/messages on this host, and not somewhere else (check
/etc/syslog.conf).

=> try again to connect with a browser (make sure you close it first and
restart it to make sure you have a NEW and fresh connection) to port 80 and
check the output of your syslogger; you MUST see at least the first logging
rule output.

=> check "lsmod" for netfilter/iptables modules; find out why you don't get
any logging data; can you post the output of "lsmod"?

=> get the squid proxy to work FIRST. That is: configure a browser to use
this proxy on port 3128 and don't bother with transparency and redirecting
until you can serve the web via the proxy. You may want to do this with all
iptables/netfilter rules flushed, so your netfilter cannot interfere.

=> Once your squid proxy is working fine, then continue with the transparent
redirection part.

JH.
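The checklist from the reply above, written up as a script (added here; it is not from the thread or from the squid project). Each check reads the output of the named command on stdin and exits 0 or 1, so it runs without root against the constructed sample output embedded below and, with the commented lines at the bottom, against the live host; the module names, sample sizes and addresses are assumptions.

```shell
#!/bin/sh
# Each check reads one command's output on stdin and exits 0 (ok) / 1 (problem).

# Check 1: nat PREROUTING must carry a REDIRECT of tcp port 80 ("http" when
# listed without -n) to the squid port.  Input: iptables -t nat -L -n
has_redirect_rule() {
    awk -v p="${1:-3128}" '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $1 == "REDIRECT" && /dpt:(80|http)( |$)/ && $0 ~ ("redir ports " p "$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Check 2: the LOG rule placed before the REDIRECT must show up in syslog; if
# it never does, netfilter is not seeing the traffic at all.  Input: syslog lines
saw_log_prefix() {
    grep -q 'Before proxy redirect: '
}

# Check 3: the nat table and the REDIRECT target must be loaded (2.4-era module
# names as in the thread; newer kernels call the target xt_REDIRECT).  Input: lsmod
has_nat_modules() {
    awk '$1 == "iptable_nat" { n = 1 } ($1 == "ipt_REDIRECT" || $1 == "xt_REDIRECT") { r = 1 } END { exit ((n && r) ? 0 : 1) }'
}

# Constructed sample output from a host where the redirect does work.
SAMPLE_NAT=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Before proxy redirect: "
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
EOF
)
SAMPLE_SYSLOG='Aug 20 15:20:01 gw kernel: Before proxy redirect: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=80 SYN'
SAMPLE_LSMOD=$(cat <<'EOF'
Module                  Size  Used by
ipt_LOG                 3680   2 (autoclean)
ipt_REDIRECT             976   1 (autoclean)
iptable_nat            16340   2 [ipt_REDIRECT]
EOF
)

# Dry run against the samples (all three pass):
printf '%s\n' "$SAMPLE_NAT"    | has_redirect_rule 3128 && echo "nat: REDIRECT 80->3128 present"
printf '%s\n' "$SAMPLE_SYSLOG" | saw_log_prefix         && echo "syslog: LOG rule is firing"
printf '%s\n' "$SAMPLE_LSMOD"  | has_nat_modules        && echo "lsmod: nat modules loaded"

# Live run (as root); the last line is the "get squid working first" test:
#   iptables -t nat -L -n | has_redirect_rule 3128 || echo "no REDIRECT 80->3128 in PREROUTING"
#   lsmod | has_nat_modules || echo "iptable_nat / ipt_REDIRECT not loaded"
#   grep -q 'Before proxy redirect: ' /var/log/messages || echo "LOG never fired; check /etc/syslog.conf"
#   [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "ip_forward is 0"
#   curl -s -x http://127.0.0.1:3128 -o /dev/null http://www.example.com/ && echo "squid serves pages directly"
```

If the dry run passes but the live LOG check fails, the traffic is not reaching netfilter (or syslog is written elsewhere), which is exactly the first point in the reply above.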
Received on Tue Aug 20 2002 - 08:40:52 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:45 MST