Re: [squid-users] Transparent Proxy, Bridged interfaces & SQUID

From: Henrik Nordstrom <[email protected]>
Date: Fri, 28 Mar 2003 11:01:51 +0100

REDIRECT is a shorthand for DNAT to the box itself.

If DNAT does not work, REDIRECT won't work either..

The main benefit of REDIRECT is that the IP address does not need to be
specified.

Regards
Henrik

"Blaser, Shane" wrote:
>
> I have not,
>
> What does this command do ???
>
> Thanks
>
> Shane
>
> -----Original Message-----
> From: Siew Wing Loon
> To: Steven Bourque; squid-users@squid-cache.org
> Sent: 3/27/2003 5:03 PM
> Subject: Re: [squid-users] Transparent Proxy, Bridged interfaces & SQUID
>
> Hi,
>
> Have you tried this:
>
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80
> -j REDIRECT --to-port 3128
>
> Rgds,
> Siew
>
> --- Steven Bourque <sbourque@packetworks.net> wrote:
> > Hello,
> >
> > I was hoping someone could help me:
> >
> > I have linux (debian) kernel 2.4.20 compiled with everything mentioned
> > in the transparent proxy/squid HOWTO and iptables working properly:
> >
> > eth0 is connected to the LAN
> > eth1 is connected to the WAN
> >
> > both are set up as a member of the bridge br0
> > br0 has an IP address of 10.10.6.231/24 (part of our local IP's for
> > monitoring and configuration)
> >
> > the Bridging is working, however, it will not grab the port 80 traffic:
> >
> > I have added the following as stated in the howto:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> >
> > iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > (so I can SSH to the box)
> > iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > I have also tried the first iptable with -j DNAT --to 10.10.6.231:3128
> >
> > Neither table gets a hit when viewed with iptable -t nat -v -n -L or
> > iptable -v -n -L
> >
> > Those are the only entries in the iptables, the SSH command does work.
> > Squid is configured with the entries as noted in the HOWTO, otherwise
> > they are defaults.
> >
> > Squid is version 2.5.STABLE1
> >
> > iptables -L -n -v -t nat
> >
> > Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
> >  pkts bytes target     prot opt in     out     source      destination
> >     0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0   0.0.0.0/0   tcp dpt:80 redir ports 3128
> >
> > Chain POSTROUTING (policy ACCEPT)
> > ...
> > (empty)
> > Chain OUTPUT (policy ACCEPT)
> > ...
> > (empty)
> >
> > iptables -L -n -v
> > Chain DROP (policy ACCEPT 136 packets, 16195 bytes)
> >  pkts bytes target     prot opt in     out     source      destination
> >     0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0   10.10.6.231 tcp dpt:3128 state NEW,ESTABLISHED
> >    14  1651 ACCEPT     tcp  --  br0    *       0.0.0.0/0   10.10.6.231 tcp dpt:22 state NEW,ESTABLISHED
> > Chain FORWARD (policy ACCEPT)
> > ...
> > (empty)
> > Chain OUTPUT (policy ACCEPT)
> > ...
> > (empty)
> >
> > We do not want any firewalling on this box, hence the defaults are all
> > ACCEPT except the actual connections to the box, which has two accepts
> > (SQUID and SSH)
> >
> > With this setup, I am able to surf the web, but it is bypassing SQUID.
> > Everything is continuing to be bridged.
> >
> > I spent a few days reading everything I can about this.
> >
> > I found the program divert (I have divert enabled in my kernel); does
> > that have anything to do with it?
> >
> > I tried it with divert on eth0 enable tcp add dst 80, that just seemed
> > to kill my browsing as well as not hitting squid or the filters,
> > although in a tcpdump -ne -i eth0 tcp dst port 80, I do see the MAC
> > address change from that of my next hop router to the MAC of the eth0
> > (which should then get redirected by the iptable, shouldn't it?)
> >
> > any help would be much appreciated! :)
> >
> > Thanks
> > --
> >
> > \Steven.
> >
> > /*                           | Steven R. Bourque, CCNA
> > /"\                          | Network Engineer
> > \ /  ASCII ribbon campaign   | Packet Works Inc.
> >  X   against HTML email      | p:519.579.4507. f:519.579.8475.
> > / \                          | http://www.packetworks.net
> >                              | PGP ID: 0x373AB23B
> > *\
> >
>
Received on Fri Mar 28 2003 - 03:12:14 MST
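The thread's diagnostic is the packet counter in `iptables -L -n -v`: a rule that never matches stays at 0 pkts, as Steven's REDIRECT rule does. As an added check, not part of the thread, the script below reads that listing and reports every rule whose counter is still zero; the sample listing is constructed to mirror the counters quoted above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample in `iptables -L -n -v` layout, modelled on the counters
# quoted in the thread (not real output from any box).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0   0.0.0.0/0   tcp dpt:80 redir ports 3128
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0   0.0.0.0/0   tcp dpt:80 to:10.10.6.231:3128

Chain INPUT (policy ACCEPT 136 packets, 16195 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 ACCEPT     tcp  --  br0    *       10.10.6.0/24 10.10.6.231 tcp dpt:3128 state NEW,ESTABLISHED
   14  1651 ACCEPT     tcp  --  br0    *       10.10.6.0/24 10.10.6.231 tcp dpt:22 state NEW,ESTABLISHED'

# zero_hit_rules: read an `iptables -L -n -v` listing on stdin and print one
# line "CHAIN TARGET in=IFACE MATCH..." for every rule whose pkts counter is 0.
# Column order in the -v listing: pkts bytes target prot opt in out source destination [matches...]
zero_hit_rules() {
    awk '
        /^Chain /          { chain = $2; next }   # remember the current chain
        /^ *pkts +bytes/   { next }               # skip the column header
        NF == 0            { next }               # skip blank separators
        $1 == 0 {                                 # first column is the packet counter
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra (extra == "" ? "" : " ") $i
            printf "%s %s in=%s %s\n", chain, $3, $6, extra
        }'
}

# count_zero_hit_rules: number of rules in the sample that never matched a packet.
count_zero_hit_rules() {
    printf '%s\n' "$SAMPLE_LISTING" | zero_hit_rules | wc -l | tr -d ' '
}

# Stand-alone run: list the rules that never matched, the symptom from the thread.
printf '%s\n' "$SAMPLE_LISTING" | zero_hit_rules
```

Pipe a live listing into `zero_hit_rules` instead of the sample to see which rules the traffic is actually bypassing.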

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:24 MST