Re: problem in configuring squid transparent proxy on FC3


 





Ankush Grover wrote:
> hey friends,
> 
> I am trying to configure Squid Transparent Proxy on FC3. I am testing
> the scenario on 2 machines. The FC3 machine has got 2 LAN cards
> 
> eth0:   192.168.1.125/24
> eth1:   192.168.2.126/24
> 
> The other machine has only one LAN card
> 
> eth0:  192.168.2.88/24
> 
> I added these lines for transparent proxy in squid.conf
> http_port 3128  (by default)
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> 
> I have also added these lines to squid.conf
> 
> acl mynetwork src 192.168.1.125
> acl mynetwork1 src 192.168.2.0
> http_access allow mynetwork
> http_access allow mynetwork1
> 
> Configured iptables to redirect the request to the proxy from the
> domain 192.168.2.0 to port 3128
> 
> iptables -t nat -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp --dport
> 80 -j REDIRECT --to-port 3128
> 
> But when I gave the below command to list the iptables rules there were
> no rules added to the iptables
> 
> iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> I saved and restarted iptables many times, even flushed iptables a few
> times and added the NAT rule again, but every time iptables -L shows
> empty rules.
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
> 
> lsmod command output
> Module                  Size  Used by
> ipt_REDIRECT            2113  20
> iptable_nat            23037  2 ipt_REDIRECT
> ip_conntrack           40565  1 iptable_nat
> iptable_filter          2753  0
> ip_tables              16705  3 ipt_REDIRECT,iptable_nat,iptable_filter
> 
> 
> I am able to ping from 192.168.1.125 to 192.168.2.88. There is one
> more problem: I am not able to ssh onto another server (FC3) from the
> squid server.
> 
> ssh -l tester 192.168.1.122
> Received disconnect from 192.168.1.122: 2: Too many authentication
> failures for tester
> 
> As this is the testing scenario, only 2 machines are in the domain
> 192.168.2.0 (one machine running Windows XP and the other FC3 with 2
> LAN cards; I am using these machines for testing the squid transparent
> proxy). All other machines in the network are in the domain
> 192.168.1.0, so I should be able to ssh onto the machine 192.168.1.122
> as the LAN card eth0 on the FC3 machine (192.168.1.125) is connected to
> the network 192.168.1.0.
> 
> Please guide me on what I am doing wrong?
> 
> Thanks & Regards
> 
> Ankush Grover
> 
Ankush,

That rule is in the NAT table; you can see it with:

	iptables -t nat -nvL

or, to see both filter and nat tables together:

	iptables -nvL ; iptables -t nat -nvL

I also think you need a subnet declaration for your squid ACLs, because
you are using "src" - see your conf file for a fuller description of proper
declarations.

vi /etc/squid/squid.conf

	acl INTERNAL-NETWORK src 192.168.2.0/24
	http_access allow INTERNAL-NETWORK
	
You should only need the two lines above (they work together). This will
allow all traffic from the 192.168.2.0/24 network to access the proxy cache.

If you want to access the proxy from the 192.168.1.0/24 network, then
you will need to make changes at your gateway (192.168.1.1) to redirect
them back to the FC3 box. Your Win98 box will work properly because it
is passing traffic _through_ the FC3 from the 192.168.2.0/24 network.

Remember, your transparent proxy is a redirection of HTTP requests (port
80) to your proxy cache (port 3128). Squid then handles the request
transparently; the client doesn't realise the change in network packet
flow. To test this properly, you can either disable packet forwarding on
the FC3 box, or set your iptables forward policy to drop everything.

	iptables -P FORWARD DROP

This way ALL packets must be redirected with your iptables rule and
passed through squid to get out the .2.0 network.

HTH.

Regards,
Miles Brennan

--

Linux Home Server HOWTO
http://www.brennan.id.au/


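The subnet point in the reply above, as an added example that is not code from the thread or from Squid itself: a small POSIX shell lint that reads squid.conf-style `acl NAME src ...` lines and flags entries given a bare network address, which Squid treats as a single host (an implicit /32) rather than a subnet. The sample config is constructed to mirror the posted snippets; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: lint Squid "acl NAME src ..." lines.
# A bare address with no mask is a single host (an implicit /32), so a line
# like "acl mynetwork1 src 192.168.2.0" matches only the host 192.168.2.0
# and never the client 192.168.2.88. The config below is constructed to
# mirror the posted snippets; it is not a file from the poster's machine.

SAMPLE_CONF='
http_port 3128
acl mynetwork src 192.168.1.125
acl mynetwork1 src 192.168.2.0
acl INTERNAL-NETWORK src 192.168.2.0/24
acl localnet src 192.168.3.0/255.255.255.0
http_access allow mynetwork
http_access allow mynetwork1
http_access allow INTERNAL-NETWORK
'

# Print one line per src ACL entry: NAME ADDRESS/PREFIX VERDICT.
# Dotted netmasks are converted to a prefix length so both forms compare.
lint_src_acls() {
    printf '%s\n' "$1" | awk '
        $1 == "acl" && $3 == "src" {
            for (i = 4; i <= NF; i++) {
                addr = $i; prefix = 32
                if (index(addr, "/") > 0) {
                    split(addr, p, "/"); addr = p[1]; mask = p[2]
                    if (mask ~ /^[0-9]+$/) {
                        prefix = mask + 0
                    } else {
                        # dotted mask: count the set bits of each octet
                        n = split(mask, o, "."); prefix = 0
                        for (j = 1; j <= n; j++) {
                            v = o[j] + 0
                            while (v > 0) { prefix += v % 2; v = int(v / 2) }
                        }
                    }
                }
                # a /32 entry whose last octet is 0 is almost always a
                # network address that lost its mask
                verdict = (prefix == 32 && addr ~ /\.0$/) ? "WARN: no mask, matches one host only" : "ok"
                print $2, addr "/" prefix, verdict
            }
        }'
}

# Number of suspicious entries; anything above 0 means the ACLs need a mask.
count_bare_network_acls() {
    lint_src_acls "$1" | grep -c 'WARN' || true
}

lint_src_acls "$SAMPLE_CONF"
```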
