  1. #1
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17

    Is this possible? Transparent Squid question


    Ok - got a sportsman bet here.
    My linux/networking skills r kinda too low for this although I'm gonna try to set this up if possible.

    So, I know you can and there's lots of tutorials out there for transparent proxying with a squid if the squid is on the same box that is acting as the gateway.

    What I want to do is have the squid transparently proxy on the same subnet as the end user's machines but not on the gateway.

    So HTTP packets go

    From client machine to gateway -
    gateway forwards all port 80 traffic to squid box
    which then forwards out of the gateway to a cache_peer on port 8080

    Traffic comes back in to the gateway which would first go to the squid box then back to the gateway and out to the client machine.

    So in a nutshell, is it possible to change the standard squid transparent set-up and have the squid NOT on the gateway machine???

    yes/no???

    thanks guys

  2. #2
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17
    any thoughts on this?

  3. #3
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    682
    strictly speaking I would expect you to be able to do this. It might be a bit kludgy but I would try a DNAT instead of a redirect.

    The transparent proxy howto gives this command as the magic:

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    changing that a little (untested because I don't have the bits handy)

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <squid host>
    iptables -A FORWARD -i eth0 -p tcp --dport 80 -d <squid host> -j ACCEPT
    Of course, you will need a rule to permit the squid host access to the internet before this one or you will get an endless loop.

    This is a bit of a misuse of DNAT so I'm not sure it's the best solution. Aside from that you could hack up something with ssh port forwarding, but it depends on your situation.

    Let us know how you get on,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  5. #4
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17
    Thanks for the advice. I would have been all-over the place trying REDIRECT without it!
    Gotta be honest, I've never set-up even the one host transparent solution and I'm having a bit of a mare trying to get my fedora run as a gateway but I should have more time over the next week to give it a go.

    Quote Originally Posted by kakariko81280
    strictly speaking I would expect you to be able to do this. It might be a bit kludgy but I would try a DNAT instead of a redirect.

    The transparent proxy howto gives this command as the magic:

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    changing that a little (untested because I don't have the bits handy)

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <squid host>
    iptables -A FORWARD -i eth0 -p tcp --dport 80 -d <squid host> -j ACCEPT
    Of course, you will need a rule to permit the squid host access to the internet before this one or you will get an endless loop.

    This is a bit of a misuse of DNAT so I'm not sure it's the best solution. Aside from that you could hack up something with ssh port forwarding, but it depends on your situation.

    Let us know how you get on,

    Chris...

  6. #5
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    682
    Having given this more thought I reckon there is a better way that doesn't require messing with DNAT or port forwarding.

    Can you set up your clients so for them the squid machine is the gateway? Then set up a normal transparent proxy and set the squid host to be the only one that knows about the proper gateway.

    Bonus points are available if you can configure the gateway device to only accept traffic from the squid host; something that shouldn't be too hard if you can use IPtables on the gateway.

    Traffic then goes client -> Squid host -> gateway -> Internet.

    It seems like a better solution to me.

    Let us know what you do,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  7. #6
    Just Joined!
    Join Date
    Mar 2007
    Posts
    17
    Quote Originally Posted by kakariko81280
    Having given this more thought I reckon there is a better way that doesn't require messing with DNAT or port forwarding.

    Can you set up your clients so for them the squid machine is the gateway? Then set up a normal transparent proxy and set the squid host to be the only one that knows about the proper gateway.

    Bonus points are available if you can configure the gateway device to only accept traffic from the squid host; something that shouldn't be too hard if you can use IPtables on the gateway.

    Traffic then goes client -> Squid host -> gateway -> Internet.

    It seems like a better solution to me.

    Let us know what you do,

    Chris...

    For me to win this bet though the squid machine has to NOT be on the default gateway the users go to. It's kinda crazy thing I got stuck here and it may be impossible but we should find out next week.

    The plan is

    client--80>gateway--3128>squidbox--8080>gateway--8080>external cache peer.

    I'm only setting this up on VMs in a lab so I'll be in complete control, hope to have an update on Tuesday for you.
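An added worked example, not code from anyone in this thread: a script that prints the gateway-side iptables rules for the DNAT design from Chris's reply, with the loop exemption ordered first, plus the Squid-side fragment for the plan in the last post (intercept on 3128, upstream cache_peer on 8080). The interface name, the 192.168.1.10 Squid address and the cache-peer.example host are assumptions; it goes beyond the thread by adding the masquerade rule a separate-host setup needs so that replies return via the gateway.

```shell
#!/bin/sh
# Added example, not from the thread: print the gateway-side rules for the
# "DNAT to a separate Squid host" design.  Interface and addresses are
# arguments; the values used at the bottom are constructed samples.
# Usage: gen_gateway_rules <lan_if> <squid_host> <squid_port>
gen_gateway_rules() {
    lan_if=$1; squid=$2; port=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Hairpin forwarding: stop the gateway advising clients to reach Squid directly.
sysctl -w net.ipv4.conf.$lan_if.send_redirects=0
# 1. Exempt the Squid host first: ACCEPT in the nat table means "do not NAT",
#    so Squid's own outbound web traffic is not bounced back to it (the loop
#    warned about in the thread).
iptables -t nat -A PREROUTING -i $lan_if -s $squid -p tcp --dport 80 -j ACCEPT
# 2. Everyone else's port-80 traffic goes to Squid's intercept port.
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j DNAT --to-destination $squid:$port
# 3. Squid sits on the client subnet and would answer clients directly; the
#    client, expecting a reply from the web server's address, would reset it.
#    Masquerading the redirected flow forces replies back through the gateway
#    (cost: Squid logs the gateway, not the client, as the source).
iptables -t nat -A POSTROUTING -o $lan_if -p tcp -d $squid --dport $port -j MASQUERADE
# 4. Permit the hairpinned flow.
iptables -A FORWARD -i $lan_if -o $lan_if -p tcp -d $squid --dport $port -j ACCEPT
EOF
}

# Squid-side fragment for the plan in the last post: intercept on the given
# port and send everything to an upstream cache_peer (Squid 2.6 "transparent"
# keyword; 3.1 and later call it "intercept").  Peer name is a placeholder.
# Usage: gen_squid_conf <squid_port> <peer_host> <peer_port>
gen_squid_conf() {
    cat <<EOF
http_port $1 transparent
cache_peer $2 parent $3 0 no-query default
never_direct allow all
EOF
}

gen_gateway_rules eth0 192.168.1.10 3128
gen_squid_conf 3128 cache-peer.example 8080
```

Run it and review the printed rules before applying them on the gateway; the exemption rule must stay above the DNAT rule or the Squid host's own traffic loops.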
