- 12-09-2010 #1 Just Joined!
- Join Date
- Dec 2010
- Posts
- 16
configure squid in transparent mode
Hi
I am trying to configure squid in transparent mode. I am using squid 3.
I configured squid.conf file as follows:
""grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
acl lan src 192.168.0.0/24
http_reply_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.0.1:4880 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname up.local.unitedprotech.com
icp_port 3130
always_direct allow all
coredump_dir /var/spool/squid""
In iptables I gave port forwarding as follows:
""iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:4880
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4880""
eth0 = Internet
eth1 = Internal computers.
When I access from another system it's not working. I tried changing proxy settings in Firefox, and it worked. But in transparent mode it's not working.
Are there any problems with the above config and forward rules?
Thanks and Regards
Suresh
- 12-10-2010 #2 Just Joined!
- Join Date
- Dec 2010
- Posts
- 3
hey
Hey....
I have not checked your config but in theory if you can access your internet through the squid if you configure your browser then the settings of the squid should be fine.
The problem should be in the iptables. Personally I don't like to manage iptables directly. There are so many other options to manage iptables. My favorite is shorewall. I would recommend using shorewall and doing the forwarding in shorewall. It's very easy to configure.
From,
EliteCommander
- 12-10-2010 #3 Just Joined!
- Join Date
- Dec 2010
- Posts
- 16
Hi
Thanks. I installed shorewall. When I start the shorewall service my internet drops.
Can you help me? And also tell me how to redirect a port in shorewall.
Thanks and Regards
Suresh
- 12-10-2010 #4 Just Joined!
- Join Date
- Dec 2010
- Posts
- 3
Hey
Hey,
It seems you have two network cards which is important when setting up your shorewall config.
I found a good howto that deals with iptables:
https://help.ubuntu.com/community/IptablesHowTo
If you stick to iptables then that's fine; if not then you should flush the rules and then save iptables. I found two useful links:
http://shorewall.net/shorewall_quickstart_guide.htm
http://debianhelp.co.uk/shorewall.htm
Sorry but I am not allowed to post urls yet
From
EliteCommander
- 12-22-2010 #5 Just Joined!
- Join Date
- Dec 2010
- Location
- VietNam
- Posts
- 11
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl abc src "ip/subnet"
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl src "ip/subnet"
acl Web dstdomain adminpv.abc.vn
acl deny_URL url_regex test.bcd.vn/editor
acl ManagementLAN src "ip/subnet"
acl Access_Websites url_regex -i "domain"
acl capnhat_TDKT url_regex tdkt2.abc.vn
acl edit_samiweb url_regex "abc.vn/editor"
http_access allow ManagementLAN
http_access deny deny_URL
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny UBND_LAN edit_samiweb
http_access allow Access_Websites
http_access deny all
Do check and configure "ip/subnet" and "domain"; with this "squid.conf", it works OK for me.
- 12-22-2010 #6 Just Joined!
- Join Date
- Dec 2010
- Posts
- 16
Hi
I tried changing that.
""acl localnet src 192.168.0.0/24
acl Web dstdomain domain.com""
Regards
Suresh
- 12-22-2010 #7 Just Joined!
- Join Date
- Dec 2010
- Location
- VietNam
- Posts
- 11
"acl Web dstdomain domain.com" is not important.
Can you send me the error message that you get?
- 12-22-2010 #8 Just Joined!
- Join Date
- Dec 2010
- Posts
- 16
When I restart squid I am getting this warning. Manually it's working after changing in the browser. I need to make it transparent.
""Stopping squid: ................ [ OK ]
2010/12/22 06:42:20| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2010/12/22 06:42:20| Starting Authentication on port 0.0.0.0:4115
2010/12/22 06:42:20| Disabling Authentication on port 0.0.0.0:4115 (interception enabled)
2010/12/22 06:42:20| Initializing https proxy context
Starting squid: . Ok""
Thanks
Suresh
- 12-22-2010 #9 Just Joined!
- Join Date
- Dec 2010
- Posts
- 16
If this didn't work I need to go for open proxy by changing in the browser.
If I change in the browser, my users' email is not working in Outlook.
We use pop3 and smtp on 110 and 25. I get an error like "cannot connect to pop3".
Thanks
Suresh
- 12-22-2010 #10 Just Joined!
- Join Date
- Dec 2010
- Location
- VietNam
- Posts
- 11
Outlook error,
and is your webmail OK?
If both have errors, you must check "iptables".
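
A consistency check for the advice in the replies to look at iptables, added here as an example and not posted by anyone in the thread: it confirms that a nat PREROUTING rule for TCP port 80 on the LAN interface targets the same port as Squid's `transparent` `http_port` (the flag is named `intercept` from Squid 3.1). The function name `check_intercept` and the sample files are constructed from lines quoted in the posts; the 4115 variant assumes the port shown in the startup log of post #8.

```shell
# check_intercept SQUID_CONF RULES_FILE LAN_IF   (added example, hypothetical helper)
# Returns 0 when a PREROUTING rule for TCP/80 on LAN_IF targets the port of an
# http_port line flagged transparent/intercept, 1 when none does, 2 when
# squid.conf has no interception port at all.
check_intercept() {
    conf=$1 rules=$2 lan=$3
    port=$(awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++)
            if ($i == "transparent" || $i == "intercept") {
                n = split($2, a, ":"); print a[n]; exit
            }
    }' "$conf")
    if [ -z "$port" ]; then echo "no interception http_port in $conf"; return 2; fi
    awk -v lan="$lan" -v port="$port" '
    /-A PREROUTING/ && /--dport 80( |$)/ {
        ifc = ""; tp = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") ifc = $(i + 1)
            if ($i == "--to-ports") tp = $(i + 1)
            if ($i == "--to-destination") { n = split($(i + 1), a, ":"); tp = a[n] }
        }
        if (ifc == lan && tp == port) { ok = 1; next }
        printf "no match: in-if=%s to-port=%s (need %s -> %s)\n", ifc, tp, lan, port
    }
    END { exit (ok ? 0 : 1) }' "$rules"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample files built from lines quoted in the thread.
printf '%s\n' 'http_port 192.168.0.1:4880 transparent' > "$tmp/squid.conf"
printf '%s\n' \
  'iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:4880' \
  'iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4880' > "$tmp/rules"
# Constructed variant: Squid listening on the port seen in the startup log.
printf '%s\n' 'http_port 4115 transparent' > "$tmp/squid4115.conf"
for c in squid.conf squid4115.conf; do
    if check_intercept "$tmp/$c" "$tmp/rules" eth1; then echo "$c: LAN rule matches"
    else echo "$c: no LAN rule points at the interception port"; fi
done
```

A rule on the Internet-facing interface (eth0 in the first post) is reported as "no match" because it never sees traffic from the internal clients on eth1.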


