[squid-users] Transparent Proxy, Bridged interfaces & SQUID

From: Steven Bourque <sbourque@dont-contact.us>
Date: Mon, 24 Mar 2003 16:57:36 -0500

Hello,

I was hoping someone could help me:

I have linux (debian) kernel 2.4.20 compiled with everything mentioned
in the transparent proxy/squid HOWTO and iptables working properly:

eth0 is connected to the LAN
eth1 is connected to the WAN

both are set up as a member of the bridge br0
br0 has an IP address of 10.10.6.231/24 (part of our local IPs for
monitoring and configuration)

the Bridging is working, however, it will not grab the port 80 traffic:

I have added the following as stated in the howto:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

(so I can SSH to the box)
iptables -A INPUT -i br0 -p tcp -d 10.10.6.231 -s 10.10.6.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

I have also tried the first iptables rule with -j DNAT --to 10.10.6.231:3128

Neither rule gets a hit when viewed with iptables -t nat -v -n -L or
iptables -v -n -L

Those are the only entries in the iptables, the SSH command does work.
Squid is configured with the entries as noted in the HOWTO, otherwise
they are defaults.

Squid is version 2.5.STABLE1

iptables -L -n -v -t nat

Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
      tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
...
(empty)
Chain OUTPUT (policy ACCPEPT)
...
(empty)

iptables -L -n -v
Chain DROP (policy ACCEPT 136 packets, 16195 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- br0 * 0.0.0.0/0 10.10.6.231
      tcp dpt:3128 state NEW,ESTABLISHED
14 1651 ACCEPT tcp -- br0 * 0.0.0.0/0 10.10.6.231
      tcp dpt:22 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
...
(empty)
Chain OUTPUT (policy ACCEPT)
...
(empty)

We do not want any firewalling on this box, hence the defaults are all
ACCEPT except the actual connections to the box, which have two accepts
(SQUID and SSH)

With this setup, I am able to surf the web, but it is bypassing SQUID.
Everything is continuing to be bridged.

I spent a few days reading everything I can about this.

I found the program divert (I have divert enabled in my kernel); does
that have anything to do with it?

I tried it with divert on eth0 enable tcp add dst 80,
that just seemed to kill my browsing as well as not hitting squid or the
filters, although in a tcpdump -ne -i eth0 tcp dst port 80, I do see the
MAC address change from that of my next hop router to the MAC of
eth0 (which should then get redirected by the iptables rule, shouldn't it?)

any help would be much appreciated! :)

Thanks

-- 
\Steven.
/*
                                       | Steven R. Bourque, CCNA
         /"\                           | Network Engineer
         \ /  ASCII ribbon campaign    | Packet Works Inc.
          X   against HTML email       | p:519.579.4507. f:519.579.8475.
         / \                           | http://www.packetworks.net
                                       | PGP ID: 0x373AB23B
*\
Received on Mon Mar 24 2003 - 14:58:03 MST
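Added note and example (not part of the original thread): frames that a Linux bridge forwards between its member ports only pass through iptables when the bridge-netfilter ("bridge-nf") code is present and enabled; on 2.6 and later kernels that is the sysctl net.bridge.bridge-nf-call-iptables (readable at /proc/sys/net/bridge/bridge-nf-call-iptables), and on 2.4 kernels it was a separate patch. Without it, a nat PREROUTING REDIRECT rule on a bridge member port never sees the bridged HTTP traffic, which matches the zero packet counter in the listing above. The POSIX shell script below is my own diagnostic, not code from the poster or from the Squid project: it reads the bridge-nf state from a file (the /proc path by default) and pulls the packet counter of the REDIRECT rule for a given port out of `iptables -t nat -L -n -v` output, using a constructed copy of the poster's listing as sample input.

```shell
#!/bin/sh
# Diagnostic for "transparent proxy on a bridge bypasses Squid".
# Two checks: is bridge-nf enabled, and is the REDIRECT rule counting packets?

# Constructed sample: the nat PREROUTING listing from the post, with the
# wrapped rule line joined onto one line as iptables actually prints it.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 31 packets, 5420 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128'

# bridge_nf_state [file]: prints "enabled", "disabled" or "missing".
# "missing" means the kernel has no bridge-nf support at all (no /proc entry),
# so bridged frames never reach iptables regardless of the rules.
bridge_nf_state() {
  f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
  if [ ! -r "$f" ]; then
    echo "missing"
    return 0
  fi
  case "$(cat "$f")" in
    1) echo "enabled" ;;
    *) echo "disabled" ;;
  esac
}

# redirect_hits LISTING PORT: prints the pkts counter of the first REDIRECT
# rule whose target port is PORT, or nothing if no such rule exists.
redirect_hits() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $3 == "REDIRECT" && $0 ~ ("redir ports " port "$") { print $1; exit }'
}

# diagnose LISTING PORT [file]: prints one line summarising the situation.
# Returns 0 when redirection is working, 1 when something needs fixing.
diagnose() {
  state=$(bridge_nf_state "$3")
  hits=$(redirect_hits "$1" "$2")
  if [ -z "$hits" ]; then
    echo "no REDIRECT rule to port $2 found in nat PREROUTING"
    return 1
  fi
  if [ "$hits" -eq 0 ] && [ "$state" != "enabled" ]; then
    echo "REDIRECT rule has 0 hits and bridge-nf is $state: bridged HTTP never reaches iptables"
    return 1
  fi
  if [ "$hits" -eq 0 ]; then
    echo "REDIRECT rule has 0 hits although bridge-nf is enabled: check -i interface and client traffic"
    return 1
  fi
  echo "REDIRECT rule has $hits hits, bridge-nf is $state: redirection is active"
  return 0
}

# Stand-alone use: read the live nat table if iptables is available,
# otherwise fall back to the constructed sample.
if [ "${1:-}" = "--live" ] && command -v iptables >/dev/null 2>&1; then
  diagnose "$(iptables -t nat -L -n -v)" 3128 || true
elif [ "${1:-}" = "--sample" ]; then
  diagnose "$SAMPLE_NAT" 3128 /nonexistent/bridge-nf-call-iptables || true
fi
```

Run it as `sh diag.sh --sample` to see the verdict for the listing in the post (zero hits, bridge-nf missing), or `sh diag.sh --live` as root on the bridge box itself. Confirming the counter moves after enabling bridge-nf is the quickest way to tell whether the problem is the rule or the bridge path.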
