Re: [squid-users] traparent cache +bridge

From: Sandro Littke <[email protected]>
Date: 15 Mar 2003 16:51:15 +0100

You don't need an iptables bridge for transparent proxies. If you like
to have one for another reason, assign an IP to your external interface,
otherwise squid can't talk to the outside. Then just use these rules:

# vars
MY_NET="192.168.1.0/24"
MY_DNS="1.2.3.4"
SQUID_IP="127.0.0.1"
INT_IF="eth1"
EXT_IF="eth0"

# policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# dnat to squid
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -s ! $SQUID_IP -d ! $MY_NET -j DNAT --to-destination $SQUID_IP:3128

# access to squid from intranet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# access for squid to internet
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p udp --dport 53 -d $MY_DNS -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp --dport 53 -d $MY_DNS -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT

Don't forget to set up squid for transparent services, otherwise you only
get an error message.

Best regards, Sandro Littke.

On Sat, 2003-03-15 at 15:18, hare ram wrote:
> Hi all
>
> I have set up the transparent bridge
> and would like to have a transparent cache,
>
> but I was not able to divert traffic using iptables.
> Could someone guide me why?
>
>
> my setup
>
> PC----eth1(Bridge)eth0---Router--internet
>
>
>
> thanks
> hare
>
>

-- 
---------
CIT Jena - IT Consulting 
tel +49 3641 363700
fax +49 3641 363701
mobil +49 172 5214549
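An added example, not part of the thread: a small audit that parses iptables-save output and checks for the rules Sandro lists (DROP policies, the port-80 DNAT to squid, client access to 3128, squid's own outbound port 80). The interface names, network and squid address are assumptions taken from the post's variables, and the dump below is constructed; a missing DNAT rule is reported as the "traffic not diverted" symptom from the original question.

```python
# Constructed iptables-save dump matching the post's ruleset (values are
# assumptions: eth1 inside, eth0 outside, squid on 127.0.0.1:3128).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 ! -s 127.0.0.1 ! -d 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Parse iptables-save text into policies[table][chain] and rules[(table, chain)]."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:].strip()
        elif line.startswith(":"):          # chain line carrying the default policy
            chain, policy = line[1:].split()[:2]
            policies.setdefault(table, {})[chain] = policy
        elif line.startswith("-A "):        # appended rule; keep its options as text
            _, chain, *opts = line.split()
            rules.setdefault((table, chain), []).append(" ".join(opts))
    return policies, rules

def has_rule(rules, table, chain, *needles):
    """True if some rule in table/chain contains every needle as a substring."""
    return any(all(n in r for n in needles) for r in rules.get((table, chain), []))

def audit(text, int_if="eth1", squid="127.0.0.1:3128"):
    """Return findings; an empty list means the dump matches the post's rules."""
    pol, rules = parse_save(text)
    out = [f"filter {c} policy is {pol.get('filter', {}).get(c)}, not DROP"
           for c in ("INPUT", "OUTPUT", "FORWARD")
           if pol.get("filter", {}).get(c) != "DROP"]
    if not has_rule(rules, "nat", "PREROUTING", f"-i {int_if}", "--dport 80",
                    f"-j DNAT --to-destination {squid}"):
        out.append("no DNAT of port 80 to squid: web traffic is not diverted")
    if not has_rule(rules, "filter", "INPUT", f"-i {int_if}", "--dport 3128", "-j ACCEPT"):
        out.append("clients on the inside interface cannot reach squid on 3128")
    if not has_rule(rules, "filter", "OUTPUT", "--dport 80", "-j ACCEPT"):
        out.append("squid itself cannot open port 80 connections to the internet")
    return out
```

Run it on a real box with `audit(open("/path/to/iptables-save-output").read())` after dumping the live rules with iptables-save.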
Received on Sat Mar 15 2003 - 08:52:31 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:04 MST