[squid-users] Problem with transparent proxy on bridge machine

On Fri, 11 Mar 2005, Henrik Nordstrom wrote:

> > We'd like to configure Squid (or something else) to
> > control access by certain user-agents (IE) to certain URLs (the
> > Internet...). Ideally this would work as a transparent proxy.
> > Is this possible in Squid?
>
> Yes.
> See the browser and dstdomain acls, and Squid FAQ 10 Access Controls.

Thanks, Henrik. I've also been looking at Perl HTTP::Proxy and made a
thing to redirect IE users to an internal page, but whatever
works ...

Now the next problem...

We are running a transparent bridge on an RH7.3 machine with Linux 2.4.21
using brctl. It works fine. Squid works fine in normal mode through the
admin address of the bridge. But I can't get transparency to work.

I started with the iptables recipe in
http://www.tldp.org/HOWTO/TransparentProxy.html
but the TCP replies get lost - if Squid is not running, I get "connection
refused", but if it is running, the browser (telnet for testing) hangs
and I see a TCP reset on the target host apparently coming from the
client. If I test the redirect recipe with netcat (nc -u -l -p 9000)
I can intercept outbound UDP packets OK.

I realized that this recipe is designed for a router with 2 ip addresses
not a bridge, and found a recipe on http://freshmeat.net/articles/view/1433/
which is pretty much what we have with brctl.

However, adding the ebtables rule did not make any difference.

I tried

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 9000 \
  -j REDIRECT --to-port 3128
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
  --ip-destination-port 9000 -j redirect --redirect-target ACCEPT

Am I missing something, like a magic entry in /proc ?
Or will it only work in a 2.6 kernel ?
(ebtables build OK, and lists the rule back)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security@triumf.ca