RE: [squid-users] Transparent proxy questions.

From: <[email protected]>
Date: Sun, 13 Oct 2002 23:19:37 +0200

Hello

again, ask here. There they cover bridging.
http://bridge.sourceforge.net/download.html

Somewhere there you will find a brigding mailinglist.

> I have the squid server setup as a transparent cache. I have
> it on the
> same path (via a switching hub). According to the squid FAQ
> (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) Section 17.0.4 says
> that getting the packets to the squid box via the packet path.
>
> Since this is not the firewall, nor a router it makes it a little
> harder. Looking at it from a protocol perspective I would like it
> essentially do the work of a layer 4 switch/bridge.

a bridge is a layer 2 device.

> in either direction unmodified except for port 80 (or other web ports
> like 8080) which get redirected to the squid proxy.
>
> NOTE: From what I have been reading a layer 4 switch is sounding
> more suitable, but not inexpensive.
>
> It looks as though I can not get packets to the squid box
> with out some
> sort of switch or dual interface option.
>
> Does anyone have a FAQ or outline or scripts to turn a dual interface
> Linux box + squid + options in to a transparent filtering device?
>
> At first though, I would need to set the default route from
> Router 1 to
> eth0 and from eth0 to router 1. Then set the default route from eth1
> (external interface) to the firewall, and vice versa. Configure squid
> to send it's queries only out the ip address of eth1. Then using
> iptables configure Linux to pass all packets between eth0 and eth1 in
> both directions. Then add an iptables element to REDIRECT
> all outbound
> connections via port 80 to the eth0 port 3128. What I am a
> little weak
> on is the routing table

you don't need that if you're going to make this box a bridge.

> that would need to be configured on the Linux
> box. Since I am unfamiliar with the iptables

Uhh....in that case you do not make yourself a favor with what you have in
mind. Neither with bridging nor with routing. probably you have to recompile
the kernel if you're going to make it a bridge. I may be wrong. As I said,
it's been a while since I last did it (1 1/2 years).

> it could be that I don't
> need to do that much complicated routing.

routing in this case is not complicated.

see here:

lan---router A----squid box----router B----inet router--->
    eth0 eth1 eth0 eth1 eth0 eth1 eth0 eth1

1. default gw lan: eth0 router A
here the entry in the routing table looks like this:
destination: 0.0.0.0
gw: router A, eth0 (ip addresss)
2. default gw router a: eth0 squid box
routing table entry very much the same as above
3. default gw squid box: eth0 router B
same here
4. default gw router B: eth0 inet router
same here
5. default gw inet router: ethX 1st ISP router
same here
and so on.

Now you can replace eth0 and eth1 with the corresponding IP addresses.
Eureka!
You CAN route from the same subnet into the same subnet if you decide to
make the squid box part of the subnet router A eth1 and router B eth0 are
in. You can also make it smaller subnets by dividing the subnets into
smaller pieces.

Once you've routed to the squid box the iptables looks like this:

iptables -t nat -A PREROUTING -i $laneth -p 6 --dport 80 -j REDIRECT
--to-port [SquidPort]

That's all.

Now you only have to make squid run in trans mode.
If you configure that take an exeptionally good look at this section in
squid.conf:
HTTPD-ACCELERATOR OPTIONS
Don't forget: Squid doesn't support ftp in trans mode. This is a job for
iptables if you intend this box to make a filter.

> I could take the IP address
> of the firewall and put it on eth0 and the ip address of
> router1 and put
> it on eth1 and do some sort of 'magic' with iptables to make the Linux
> box seem invisible.

You don't do bridging with iptables. Go see
http://bridge.sourceforge.net/download.html
 
> Someone must have done something like this before. Does

I'm sure there is somebody. See link.

> anyone have any
> advice or pointers to do this?

See link.

> This seems like something
> that would be
> candidate for inclusion in the FAQ.

I'm no big number on this list to decide that, but I don't think so. It's
quite special what you ask for (bridging). But very interesting I must
admit.
 

Philipp
Received on Sun Oct 13 2002 - 15:19:42 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:40 MST