Re: [squid-users] Transparent Proxy, Bridged interfaces & SQUID

From: Siew Wing Loon <[email protected]>
Date: Thu, 27 Mar 2003 17:03:31 -0800 (PST)

Hi,

Have you tried this:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Rgds,
Siew

--- Steven Bourque <sbourque@packetworks.net> wrote:
> Hello,
>
> I was hoping someone could help me:
>
> I have linux (debian) kernel 2.4.20 compiled with everything mentioned
> in the transparent proxy/squid HOWTO and iptables working properly:
>
> eth0 is connected to the LAN
> eth1 is connected to the WAN
>
> both are setup as a member of the bridge br0
> br0 has an IP address of 10.10.6.231/24 (part of our local IP's for
> monitoring and configuration)
>
> the Bridging is working, however, it will not grab the port 80 traffic:
>
> I have added the following as stated in the howto:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> (so I can SSH to the box)
> iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> I have also tried the first iptable with -j DNAT --to 10.10.6.231:3128
>
> Neither table gets a hit when viewed with iptables -t nat -v -n -L or
> iptables -v -n -L
>
> Those are the only entries in the iptables, the SSH command does work.
> Squid is configured with the entries as noted in the HOWTO, otherwise
> they are defaults.
>
> Squid is version 2.5.STABLE1
>
> iptables -L -n -v -t nat
>
> Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> ...
> (empty)
> Chain OUTPUT (policy ACCEPT)
> ...
> (empty)
>
> iptables -L -n -v
> Chain DROP (policy ACCEPT 136 packets, 16195 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            10.10.6.231          tcp dpt:3128 state NEW,ESTABLISHED
>    14  1651 ACCEPT     tcp  --  br0    *       0.0.0.0/0            10.10.6.231          tcp dpt:22 state NEW,ESTABLISHED
> Chain FORWARD (policy ACCEPT)
> ...
> (empty)
> Chain OUTPUT (policy ACCEPT)
> ...
> (empty)
>
> We do not want any firewalling on this box, hence the defaults are all
> ACCEPT except the actual connections to the box, which has two accepts
> (SQUID and SSH)
>
> With this setup, I am able to surf the web, but it is bypassing SQUID.
> Everything is continuing to be bridged.
>
> I spent a few days reading everything I can about this.
>
> I found the program divert (I have divert enabled in my kernel) does
> that have anything to do with it?
>
> I tried it with divert on eth0 enable tcp add dst 80, that just seemed
> to kill my browsing as well as not hitting squid or the filters,
> although in a tcpdump -ne -i eth0 tcp dst port 80, I do see the MAC
> address change from that of my next hop router to the MAC of the eth0
> (which should then get redirected by the iptable, shouldn't it?)
>
> any help would be much appreciated! :)
>
> Thanks
> --
>
> \Steven.
>
> Steven R. Bourque, CCNA
> Network Engineer, Packet Works Inc.
> p:519.579.4507. f:519.579.8475.
> http://www.packetworks.net
> PGP ID: 0x373AB23B
> (ASCII ribbon campaign against HTML email)
>
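An added example, not part of this thread, in the shell the rules are typed into: it builds the redirect from the reply (matching the bridge device br0 rather than the member port) and reads back the nat counter that sat at 0 in the original post. It assumes br0, eth0 as the LAN-side port and Squid on 3128 from the thread, a bridge-nf kernel so netfilter sees bridged frames, and that the physdev match is available; the sample counter output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: br0 is the bridge, eth0 the
# LAN-side member, Squid listens on 3128, the kernel carries bridge-nf and
# the physdev match. Nothing is applied unless APPLY=1.

BRIDGE=${BRIDGE:-br0}
LAN_IF=${LAN_IF:-eth0}
SQUID_PORT=${SQUID_PORT:-3128}

# The redirect rule as a string, so it can be reviewed before it is applied.
# Matching on the bridge device is the point of the reply; --physdev-in keeps
# the rule to frames that entered on the LAN port, so traffic arriving from
# the WAN side is not pushed into Squid.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -m physdev --physdev-in %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$BRIDGE" "$LAN_IF" "$SQUID_PORT"
}

# Read "iptables -t nat -L PREROUTING -v -n -x" output on stdin and print the
# packet counter of the first REDIRECT rule (columns: pkts bytes target ...),
# or "none" if no REDIRECT rule is present.
redirect_hits() {
    awk '$3 == "REDIRECT" { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# Bridged frames only reach the iptables nat table when bridge-nf is on (1).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

if [ "${APPLY:-0}" = 1 ]; then
    bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged port 80 traffic will bypass the nat table" >&2
    eval "$(redirect_rule)"
    echo "REDIRECT hits: $(iptables -t nat -L PREROUTING -v -n -x | redirect_hits)"
fi
```

Run with APPLY=1 as root to install the rule; without it the script only defines the helpers, so the rule text can be checked first with `redirect_rule`.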

Received on Thu Mar 27 2003 - 18:03:36 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:23 MST