Re: [squid-users] Problem with Transparent Proxy using Squid and IPTables on ...

From: <BrianC8876@dont-contact.us>
Date: Wed, 7 Jan 2004 14:18:17 EST

One of the really fun things about LINUX is you get to start from scratch
every 2 years when they re-write it :-/

In a message dated 01/07/2004 1:39:57 PM Eastern Standard Time,
pschobel@porchlight.ca writes:

> I have a server that was running a transparent redirection proxy - I
> was using the 2.4.20 kernel on this system and I recently upgraded to
> the 2.6.0.107 kernel package for redhat 9.
>
> Ever since i did the kernel upgrade the proxy does not work correctly.
>
> As far as I know, the kernel is configured properly
>
> lsmod shows these iptables modules
>
> Module          Size  Used by
> ipt_REDIRECT    2048  0
> iptable_nat    20140  1 ipt_REDIRECT
> ip_conntrack   28464  2 ipt_REDIRECT,iptable_nat
> iptable_filter  2688  0
> ip_tables      15104  3 ipt_REDIRECT,iptable_nat,iptable_filter
>
> my INPUT, FORWARD and OUTPUT policies are all set to accept
>
> iptables -L
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> I am using this iptables rule
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> my nat table looks like this
>
> iptables -t nat --list
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> ip forwarding is enabled
>
> cat /proc/sys/net/ipv4/ip_forward
> 1
>
> squid is running on 3128 - the squid config looks like this
>
> acl all src 0/0
>
> visible_hostname proxyhost.porchlight.ca
>
> http_port 3128
>
> no_cache deny all
>
> redirect_program /usr/local/bin/redirector.pl
> redirect_children 5
> redirect_rewrites_host_header on
> redirector_access allow all
>
> http_access allow all
> http_reply_access allow all
>
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> This configuration has not changed since before the kernel upgrade,
> except that there were a couple of rules preventing proxy access to the
> outside world, which I removed in order to make things as simple as
> possible for debugging purposes.
>
> I can see by running snort that the packets destined for the remote
> host are arriving on the interface.
>
Received on Wed Jan 07 2004 - 12:18:28 MST
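The quoted mail lists the REDIRECT rule with plain `iptables -t nat --list`, which shows no counters, so it cannot tell whether the rule is ever hit. The script below is an added example, not code from either poster: it parses the `-n -v` form of the PREROUTING listing (sample output constructed here to match the mail's rule) together with the `ip_forward` value, and reports whether the kernel side of the transparent proxy is actually passing traffic before Squid is blamed. Port numbers, the `SAMPLE_*` listings and the `check_redirect` wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `iptables -t nat -L PREROUTING -n -v`
# whether the port-80 REDIRECT rule is matching packets, and from ip_forward whether the
# box will pass the clients' non-redirected traffic.

# Constructed sample: the mail's rule as `-n -v` prints it once traffic has hit it.
SAMPLE_NAT_MATCHING='Chain PREROUTING (policy ACCEPT 812 packets, 61K bytes)
 pkts bytes target     prot opt in     out     source               destination
  143  8580 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Constructed sample: same rule, zero counters. The rule is loaded but nothing matched it,
# which points at the -i interface or client routing rather than at Squid.
SAMPLE_NAT_IDLE='Chain PREROUTING (policy ACCEPT 812 packets, 61K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# redirect_hits LISTING DPORT TOPORT
# Prints the pkts counter of the REDIRECT rule for "tcp dpt:DPORT ... redir ports TOPORT",
# or "none" when no such rule is present in the listing.
redirect_hits() {
    printf '%s\n' "$1" | awk -v dport="$2" -v toport="$3" '
        $3 == "REDIRECT" && $4 == "tcp" {
            has_dpt = 0; has_redir = 0
            for (i = 1; i <= NF; i++) {
                if ($i == ("dpt:" dport)) has_dpt = 1
                if ($i == "ports" && $(i + 1) == toport) has_redir = 1
            }
            if (has_dpt && has_redir) { print $1; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# check_redirect LISTING IP_FORWARD
# Prints one diagnostic line; returns 0 only when the rule exists, has matched traffic,
# and forwarding is enabled.
check_redirect() {
    hits=$(redirect_hits "$1" 80 3128)
    if [ "$hits" = none ]; then
        echo "FAIL: no REDIRECT rule for tcp dpt:80 -> 3128 in nat/PREROUTING; is ipt_REDIRECT loaded and the rule added?"
        return 1
    fi
    if [ "$hits" -eq 0 ]; then
        echo "FAIL: REDIRECT rule loaded but 0 packets matched; check the -i interface name and that clients route via this box"
        return 1
    fi
    # REDIRECTed packets are delivered locally and reach Squid even with forwarding off,
    # but everything else the clients send through this gateway is dropped.
    if [ "$2" != "1" ]; then
        echo "FAIL: $hits packets redirected, but ip_forward is $2; non-HTTP client traffic will not be forwarded"
        return 1
    fi
    echo "OK: $hits packets redirected to 3128 and forwarding on; look at Squid next (access.log, cache.log)"
    return 0
}

# Live use on the proxy box (needs root for the nat table listing):
#   check_redirect "$(iptables -t nat -L PREROUTING -n -v)" "$(cat /proc/sys/net/ipv4/ip_forward)"
```

One caveat a practitioner will want alongside this: the REDIRECT rule only decides what happens to port-80 traffic arriving on eth0, while the quoted Squid config has `http_port 3128` with `http_access allow all`, so any host that can reach port 3128 on the proxy directly gets an open proxy regardless of the nat rule. Pair the redirect with a Squid `acl` for the client subnet (`acl localnet src ...`, `http_access allow localnet`, `http_access deny all`) or a filter rule limiting who may connect to 3128.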
