Tugger the SLUGger! - SLUG Mailing List Archives

RE: [SLUG] ipchains & ipmasqadm


Hi,

I used transparent proxy on many setups with great success.

Here's what I do:

IPchains:
/sbin/ipchains -A input -p tcp -s $LOCALNET -d $ANYWHERE 80 -j REDIRECT 8080

Squid Setup:
Make sure the following is set in your /etc/squid/squid.conf. All these
exist in the standard RH6.0 - 6.2 setup. So change them to this:
            http_port 8080
            httpd_accel_host virtual
            httpd_accel_port 80
            httpd_accel_with_proxy  on
            httpd_accel_uses_host_header on


See also:
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

Restart Squid and off you go. That's all I ever have to do.

Bernhard Lüder
ICQ 26070583


> -----Original Message-----
> From: slug-admin@xxxxxxxxxxx
> [mailto:slug-admin@xxxxxxxxxxx]On Behalf Of
> Howard Lowndes
> Sent: Monday, September 04, 2000 7:59 PM
> To: Mail List - SLUG; Mail List - CLUG
> Subject: [SLUG] ipchains & ipmasqadm
>
>
> Let me start with an ASCII drawing, I find it helps to visualise my
> problem better.  It's nothing unusual.
>
>                   Private
>                   Network
>                192.168.x.0/24
>                      |
>                      |
>                    eth0
>             /------------------\
>             |   192.168.x.1    |
>             |                  |
>             |                  |
>             |   Linux 2.2.16   |
>             |      Squid       |
>             |                  |
>             |                  |
>             |   139.130.a.b    |
>             \------------------/
>                    ppp0
>                      |
>                      |
>               ===============
>              /  139.130.a.z  \
>             /                 \
>            /       TBBI        \
>
> The Linux box has several ipchains filters on it to restrict various
> incoming TCP connections and incoming UDP packets, some are accepted and
> others are denied or rejected.  Basically the internal net is free to
> initiate outgoing connections.  Everything works as it should, forwarding
> works OK as does masquerading.
>
> The masquerading rule is like:
> ipchains -A forward -i ppp0 -s 192.168.x.0/24 -j MASQ -b
>
> The kernel has all of the relevant configs set:
> CONFIG_IP_MASQUERADE=y
> CONFIG_IP_MASQUERADE_ICMP=y
> CONFIG_IP_MASQUERADE_MOD=y
> CONFIG_IP_MASQUERADE_IPAUTOFW=m
> CONFIG_IP_MASQUERADE_IPPORTFW=m
> CONFIG_IP_MASQUERADE_MFW=m
> CONFIG_IP_TRANSPARENT_PROXY=y
>
> and /proc/sys/net/ipv4/ip_forward is set to 1
>
> So far, no problems.
>
> Now, what I want to do is to set up squid on the box to listen on port
> 3128.  That is done and it runs fine when the browsers on the private
> network set the proxy in their configurations.
>
> My problem is that I don't want to trust the users to configure their
> browsers, so I want to do transparent proxying with any requests from the
> private network to external port 80 at least, being redirected to the
> squid proxy.
>
> I tried the following:
> ipchains -A input -i eth0 -p tcp --dport 80 -j REDIRECT 3128
> but that didn't seem to work.
>
> I then opted to try the packet marking in ipchains and do marked
> redirection using ipmasqadm, thus:
> ipchains -A input -i eth0 -p tcp --dport 80 -m 1
> ipmasqadm mfw -A -m 1 -r 139.130.a.b 3128
> but this just seems to be ignored and the packet gets output thru ppp0
> after it has been masqueraded just as it had been before.
>
> Can anyone please advise me what is the correct combination here, should I
> leave the original masquerading rule in, or should I modify it to exclude
> those packets being handled by my other rules?
>
> --
> Howard.
> ______________________________________________________
> LANNet Computing Associates <http://www.lannet.com.au>
>
>
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://slug.org.au/lists/listinfo/slug
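A pre-flight check for the transparent-proxy setup described in the reply above, added here as an example; it is not code from either poster. It assumes a POSIX sh, that `$ANYWHERE` in the reply's rule expands to `0.0.0.0/0`, and that `squid.conf` uses the one-directive-per-line form shown in the reply. The script does two things a careful admin wants before restarting squid: it builds the `REDIRECT` rule as text so it can be reviewed (or diffed against `ipchains -L input -n`) rather than applied blind, and it confirms that all five squid directives from the reply are present with the expected values, since the redirect on its own is not enough unless squid is listening on that port in accelerator mode.

```shell
#!/bin/sh
# Added example, not from the SLUG posts. Paths, variable names and the
# 0.0.0.0/0 value for ANYWHERE are assumptions.

# Build the ipchains REDIRECT rule for one local network and one squid
# port. Echoes the command instead of running it so the rule can be
# reviewed first; pipe it to sh once it looks right.
build_redirect_rule() {
    localnet="$1"      # e.g. 192.168.1.0/24 (the private network)
    squid_port="$2"    # the port given to http_port in squid.conf
    echo "/sbin/ipchains -A input -p tcp -s $localnet -d 0.0.0.0/0 80 -j REDIRECT $squid_port"
}

# Verify that squid.conf carries the five directives needed for the
# accelerator-style transparent setup. Returns 0 when every directive is
# present with the expected value, 1 otherwise, naming each problem on
# stdout. Comment lines are ignored; the first uncommented occurrence of
# a directive is the one checked.
check_squid_conf() {
    conf="$1"
    port="$2"
    status=0
    # directive|expected value, one pair per word
    for pair in \
        "http_port|$port" \
        "httpd_accel_host|virtual" \
        "httpd_accel_port|80" \
        "httpd_accel_with_proxy|on" \
        "httpd_accel_uses_host_header|on"
    do
        key=${pair%%|*}
        want=${pair#*|}
        got=$(grep -v '^[[:space:]]*#' "$conf" \
              | awk -v k="$key" '$1==k {print $2}' | head -n 1)
        if [ -z "$got" ]; then
            echo "missing: $key (want $want)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "wrong: $key is $got (want $want)"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: sh thisscript.sh 192.168.1.0/24 8080 /etc/squid/squid.conf
# Prints the rule, then checks the config; exits non-zero if the config
# is not ready for transparent proxying.
if [ $# -ge 3 ]; then
    build_redirect_rule "$1" "$2"
    check_squid_conf "$3" "$2"
fi
```

Running the check before `squid -k reconfigure` (or a restart) catches the common case where the REDIRECT rule is in place but squid still listens only on its default port or lacks the `httpd_accel_*` lines, which is exactly the situation where redirected connections fail even though the firewall rule is counting packets.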