RE: [squid-users] Transparent proxy questions.

From: <[email protected]>
Date: Sun, 13 Oct 2002 10:54:21 +0200

Hi Chris,

Why not take figure 2, make the Linux box a normal IP forwarder and set a
couple of static routes?
Then you make a redirect iptables rule to Squid, which runs in transparent
mode.

If you really need bridging, here's what you're looking for:
http://bridge.sourceforge.net/download.html

I once used that with kernel 2.2. It is bidirectional.

I just can't tell you whether squid runs on it and how to configure it. But
I think yes.

HTH
Philipp

> -----Original Message-----
> From: Chris Oxenreider [mailto:oxenreid@state.net]
> Sent: Sunday, October 13, 2002 3:27 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Transparent proxy questions.
>
>
>
> Hi,
>
> I am trying to figure out how to do transparent proxying. I have managed
> to get all of the Squid/SquidGuard/Apache items working.
>
> |--------| |---------|
> | Net1 |\ Router1 |---------| Router2 |--->???
> |--------| \ |-----| | |---------|
> \---| | |-| |---------|
> |--------| | | | | |NON Linux|
> | Net2 |------| |--|X|--|Fire Wall|
> |--------| | | | | | |
> /---| | |-| |---------|
> |--------| / |-----| | | |---------|
> | Net3 |/ . |---------| Router3 |------->
> |--------| | |---------| Internet
> . |--------|
> |-.-| Proxy |
> |--------|
>
> Figure 1
>
> I have managed to get everything working on my Proxy box, and it works
> fine in my test network if I set my client hosts to use the Proxy host as
> the gateway device (not quite transparent).
>
> What I would like to do is to protect web traffic for networks 1, 2, and
> 3 only. All other protocols should be untouched, by placing the Proxy
> host as seen in figure 1. From here I get a little confused.
>
> In my mind, to make the transparent proxy functional I need to tell web
> packets to go to the Proxy. But how?
>
> 1) Router based policy redirects (output extended-access-lists?).
> (This is monstrously hard on the router cpu, and very slow.)
>
> 2) Use a layer 4 switch to forward all port 80 packets to the proxy.
>
> 3) Have the firewall only accept port 80 packets from the proxy and
> somehow use promiscuous mode on the proxy to listen only for port
> 80 connections, grab them and forward them.
>
> 4) Set Router1 to have a default route of the IP address of the
> Proxy and set the Proxy to have a default route of the firewall,
> with a secondary route marked as very expensive of the firewall
> itself so that if the Proxy goes down eventually packets will get out.
>
> 5) Insert a second network card in the proxy and turn it into a
> bridge as seen in Figure 2 and set up the firewall rules accordingly.
> Though I have not seen anything on the list so far that looks like a
> 'how-to' for this.
>
> |--------| |---------|
> | Net1 |\ Router1 |---------| Router2 |--->???
> |--------| \ |-----| | |---------|
> \---| | |---------|
> |--------| | | |NON Linux|
> | Net2 |------| |--- --|Fire Wall|
> |--------| | | | | | |
> /---| | | | |---------|
> |--------| / |-----| | | | |---------|
> | Net3 |/ | | |---------| Router3 |------->
> |--------| | | |---------| Internet
> eth1 | | eth0
> |--------|
> | Proxy |
> |--------|
>
> Figure 2
>
> From my observation, the use of a layer 4 switch seems to be the most
> flexible and fault tolerant, though not the least expensive.
>
> I would like to see a 'how-to' on the bridge technique, but that needs
> to be sure that it's bi-directional and that an IP address for a host on
> network 1 retains its unique IP address on the other side of the proxy
> for protocols other than port 80.
>
> The intriguing one is the use of 'default route' in number 4. Almost
> like a layer 4 switch, but not quite as expensive.
>
> Am I barking up the wrong tree? Is this the complicated part? Am I
> making it more complicated than it needs to be? Comments? Suggestions?
>
>
> my /etc/rc.d/fw.local script looks like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
> --to-port 3128
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
>
>
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Christopher G. Oxenreider | http://www.state.net/~oxenreid
> oxenreid@state.net | "You only get what you give" -- New Radicals
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
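As an added example (not code from either mail), here is how Philipp's suggestion can be written up: the figure 2 box acting as a plain IP router, with the REDIRECT rule narrowed to port 80 from networks 1 to 3 only, and Squid's interception port closed toward the firewall side. Interface names (eth1 inside, eth0 outside) and the three network ranges are assumptions; a DRY_RUN switch prints the rules instead of applying them so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Figure 2 run as a plain IP router
# (Philipp's suggestion): eth1 faces Router1 and Net1-3, eth0 faces the
# firewall. Interface names and network ranges are assumed; adjust them.
INSIDE_IF=eth1
OUTSIDE_IF=eth0
SQUID_PORT=3128
CLIENT_NETS="10.1.0.0/24 10.2.0.0/24 10.3.0.0/24"   # constructed Net1..Net3

# With DRY_RUN=1 the rule is printed instead of applied, so the script can be
# reviewed (or tested) without root and without touching netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}
set_sysctl() {   # $1 = key under /proc/sys/net/ipv4, $2 = value
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "net.ipv4.$1 = $2"
    else echo "$2" > "/proc/sys/net/ipv4/$1"; fi
}

transparent_proxy_rules() {
    # Only port-80 traffic that enters from Net1-3 is handed to Squid; all
    # other protocols and all other sources are simply forwarded.
    for net in $CLIENT_NETS; do
        ipt -t nat -A PREROUTING -i "$INSIDE_IF" -s "$net" -p tcp --dport 80 \
            -j REDIRECT --to-port "$SQUID_PORT"
    done
    # Squid must be reachable only from the inside; an interception port open
    # toward the firewall/Internet side would turn the box into an open proxy.
    ipt -A INPUT -i "$INSIDE_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$OUTSIDE_IF" -p tcp --dport "$SQUID_PORT" -j DROP
}

router_sysctls() {
    set_sysctl ip_forward 1                 # the box routes, it does not bridge
    set_sysctl conf/all/rp_filter 1         # drop packets whose source is on the wrong side
    set_sysctl conf/all/accept_redirects 0
    set_sysctl conf/all/accept_source_route 0
    set_sysctl conf/all/log_martians 1
    set_sysctl tcp_syncookies 1
}

# `sh fw.sh apply` applies everything (as root); `DRY_RUN=1 sh fw.sh apply`
# only prints what would be done.
if [ "${1:-}" = apply ]; then
    router_sysctls
    transparent_proxy_rules
fi
```

REDIRECT in PREROUTING only sees packets that actually traverse the box, so this works for figure 2 (or for option 4, where Router1 defaults to the Proxy) but not for the stub placement in figure 1, which is exactly why the original question arises.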
Received on Sun Oct 13 2002 - 02:54:26 MDT
