[squid-users] transparent proxy on a firewall

From: Liu Mei <[email protected]>
Date: Tue, 22 Oct 2002 01:43:51 -0700 (PDT)

Hi,

There are many posts about transparent proxy in the
mailing list. However I still could not find a
solution to my problem. I am sorry to disturb you for
the old common question.

Originally, our private subnet was 192.168.1.0/24. We
are using a cable modem to connect to the ISP's
gateway, which is 192.168.1.254. I think the ISP has done
something on its side because we don't need to set up
anything in our web browsers.

Now things have become more complex. We used Red Hat 7.2 to build
our own firewall, which is sitting between the modem
and our LAN. And for some reasons, we have to divide
the LAN into two subnets, which are 192.168.2.0/24 and
192.168.3.0/24.
Thus the firewall machine has three network cards.
eth0 (1.253) connects to the modem, eth1 (2.1) connects
to the subnet 2.0/24, and eth2 (3.1) connects to the subnet
3.0/24. By using two ipchains rules
  -A forward -s 192.168.2.0/24 -i eth0 -j MASQ
  -A forward -s 192.168.3.0/24 -i eth0 -j MASQ
, the two subnets can access the internet properly.

Then we plan to setup a transparent proxy and caching
server on the same firewall machine as well.

After reading some manuals, we followed the instructions
to set up Squid (2.5 STABLE1).

The options in squid.conf changed are:

http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Also, two new ipchains rules have been added in front
of the MASQ rules.
  -A input -s 192.168.2.0/24 -d 0/0 www -p tcp -i eth0 -j REDIRECT 8080
  -A input -s 192.168.3.0/24 -d 0/0 www -p tcp -i eth0 -j REDIRECT 8080

However, running cachemgr.cgi shows that it seems no
requests are being sent to the proxy.

To double-check, we moved "http_access deny all" in
front of the other http_access allow rules and
restarted Squid by running two commands:
  /usr/local/squid/sbin/squid -k kill
  /usr/local/squid/sbin/squid

But the workstations in the subnets can still access
the internet.

I guess the problem may be due to the forward ipchains
rules, which MASQ the requests from the two subnets out
of eth0 so they go directly to the internet. Then I
changed the previous REDIRECT rules to a single one

  -A input -d 0/0 www -p tcp -i eth0 -j REDIRECT 8080

but still no packets are sent to Squid.

How can I fix the problem? If you need more
information to help me to identify the problem, I will
be very glad to do that.

Many thanks.

Liumei
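An added example (not from the poster or the Squid project) that walks constructed packets through a small model of the ipchains rules quoted above. It assumes standard ipchains semantics: in the input chain "-i" names the interface a packet arrives on, while in the forward chain it names the interface the packet will leave on. The "FIXED" rule set, which names the LAN interfaces instead of eth0, is an assumption added for comparison and is not part of the original post.

```python
import ipaddress

def rule(chain, src="0/0", dport=None, iface=None, target=None):
    """One ipchains rule: -A <chain> -s <src> [dport] [-i iface] -j target."""
    net = ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src)
    return {"chain": chain, "src": net, "dport": dport, "iface": iface, "target": target}

def first_match(rules, chain, pkt):
    """Target of the first rule in `chain` that matches pkt, or None."""
    # ipchains compares -i against the arriving interface in the input
    # chain and against the outgoing interface in the forward chain.
    iface = pkt["in_iface"] if chain == "input" else pkt["out_iface"]
    for r in rules:
        if r["chain"] != chain:
            continue
        if ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        return r["target"]
    return None

# The rules exactly as posted: REDIRECT in input, MASQ in forward.
POSTED = [
    rule("input", "192.168.2.0/24", 80, "eth0", "REDIRECT 8080"),
    rule("input", "192.168.3.0/24", 80, "eth0", "REDIRECT 8080"),
    rule("forward", "192.168.2.0/24", None, "eth0", "MASQ"),
    rule("forward", "192.168.3.0/24", None, "eth0", "MASQ"),
]
# Assumed variant: REDIRECT keyed on the LAN interfaces the requests arrive on.
FIXED = [
    rule("input", "192.168.2.0/24", 80, "eth1", "REDIRECT 8080"),
    rule("input", "192.168.3.0/24", 80, "eth2", "REDIRECT 8080"),
] + POSTED[2:]

def trace(rules, pkt):
    """Walk a LAN packet through the input chain, then the forward chain."""
    hit = first_match(rules, "input", pkt)
    if hit and hit.startswith("REDIRECT"):
        return hit  # delivered locally to Squid; never reaches forward
    return first_match(rules, "forward", pkt) or "unmatched"

# Constructed packets: a subnet-2 workstation fetching a web page, and an HTTPS request.
WEB = {"src": "192.168.2.10", "dport": 80, "in_iface": "eth1", "out_iface": "eth0"}
TLS = {"src": "192.168.3.20", "dport": 443, "in_iface": "eth2", "out_iface": "eth0"}

if __name__ == "__main__":
    print(trace(POSTED, WEB), trace(FIXED, WEB), trace(FIXED, TLS))
```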

Received on Tue Oct 22 2002 - 02:43:53 MDT
