- 03-03-2007 #1 Just Joined!
- Join Date: Mar 2007
- Posts: 17
Is this possible? Transparent Squid question
Ok - got a sportsman bet here.
My Linux/networking skills are kinda too low for this although I'm gonna try to set this up if possible.
So, I know you can and there's lots of tutorials out there for transparent proxying with a squid if the squid is on the same box that is acting as the gateway.
What I want to do is have the squid transparently proxy on the same subnet as the end user's machines but not on the gateway.
So HTTP packets go
From client machine to gateway -
gateway forwards all port 80 traffic to squid box
which then forwards out of the gateway to a cache_peer on port 8080
Traffic comes back in to the gateway which would first go to the squid box then back to the gateway and out to the client machine.
So in a nutshell, is it possible to change the standard squid transparent set-up and have the squid NOT on the gateway machine???
yes/no???
thanks guys
- 03-06-2007 #2 Just Joined!
- Join Date: Mar 2007
- Posts: 17
any thoughts on this?
- 03-06-2007 #3 Linux Enthusiast
- Join Date: Apr 2004
- Location: UK
- Posts: 658
Strictly speaking I would expect you to be able to do this. It might be a bit kludgy but I would try a DNAT instead of a redirect.
The transparent proxy howto gives this command as the magic:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
changing that a little (untested because I don't have the bits handy)
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <squid host>
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d <squid host> -j ACCEPT
Of course, you will need a rule to permit the squid host access to the internet before this one or you will get an endless loop.
This is a bit of a misuse of DNAT so I'm not sure it's the best solution. Aside from that you could hack up something with ssh port forwarding, but it depends on your situation.
Let us know how you get on,
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 03-07-2007 #4 Just Joined!
- Join Date: Mar 2007
- Posts: 17
Thanks for the advice. I would have been all-over the place trying REDIRECT without it!
Gotta be honest, I've never set up even the one-host transparent solution and I'm having a bit of a mare trying to get my Fedora running as a gateway, but I should have more time over the next week to give it a go.
- 03-09-2007 #5 Linux Enthusiast
- Join Date: Apr 2004
- Location: UK
- Posts: 658
Having given this more thought I reckon there is a better way that doesn't require messing with DNAT or port forwarding.
Can you set up your clients so for them the squid machine is the gateway? Then set up a normal transparent proxy and set the squid host to be the only one that knows about the proper gateway.
Bonus points are available if you can configure the gateway device to only accept traffic from the squid host; something that shouldn't be too hard if you can use IPtables on the gateway.
Traffic then goes client -> Squid host -> gateway -> Internet.
It seems like a better solution to me.
Let us know what you do,
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
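The two layouts Chris sketches in #3 (gateway DNATs port 80 to a squid box sitting on the client subnet) and #5 (squid box becomes the clients' default gateway and does the ordinary single-host transparent setup, with the real gateway accepting only the squid box) written out as complete iptables rule sets. This is an added example, not code from the thread or from the Squid project; the interface names (eth0/eth1), the subnet 192.168.1.0/24, the squid box address 192.168.1.2 and the wrapper functions are constructed assumptions. The script prints the commands by default and only runs them when APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the two layouts Chris
# describes (#3: gateway DNATs port 80 to a squid box on the client subnet;
# #5: squid box is the clients' gateway) as explicit rule sets. Addresses and
# interface names are constructed assumptions; rules are printed, not applied,
# unless APPLY=1 (which needs root).

LAN_IF="${LAN_IF:-eth0}"                 # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth1}"                 # assumed upstream interface (gateway)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed client subnet
SQUID_HOST="${SQUID_HOST:-192.168.1.2}"  # constructed squid box, same subnet as clients
SQUID_PORT="${SQUID_PORT:-3128}"

# Print each command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Layout A (#3): rules on the gateway.
gateway_dnat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    # Exempt the squid box's own connections first: in the nat table ACCEPT
    # means "no NAT", so its fetches are not DNATed back to itself (the loop
    # Chris warns about).
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$SQUID_HOST" -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_HOST:$SQUID_PORT"
    # Hairpin: the DNATed packet goes back out the LAN interface. Masquerade it,
    # or the squid box answers the client directly from its own address and the
    # client, which never connected to that address, resets the connection.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$SQUID_HOST" \
        -p tcp --dport "$SQUID_PORT" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SQUID_HOST" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # The squid box is the only LAN host allowed out (covers the 8080 cache_peer).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SQUID_HOST" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Layout B (#5): rules on the squid box, which clients use as default gateway.
squid_host_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Do not send ICMP redirects, or clients learn the real gateway and bypass us.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Everything else is routed on to the real gateway; masquerade it so the
    # gateway only ever sees the squid box's address.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" ! -d "$LAN_NET" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Layout B: rules on the real gateway, the "bonus points" filter.
gateway_filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -s "$SQUID_HOST" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    gateway-dnat)   gateway_dnat_rules ;;
    squid-host)     squid_host_rules ;;
    gateway-filter) gateway_filter_rules ;;
    *) echo "usage: $0 gateway-dnat|squid-host|gateway-filter" >&2 ;;
esac
```

Run it as `sh rules.sh gateway-dnat` to see the layout A rules, `APPLY=1 sh rules.sh squid-host` on the squid box to apply layout B. In both layouts Squid must listen in interception mode (`http_port 3128 transparent` in the 2.6-era config; later releases renamed the option to `intercept`). The design difference matters for layout A: Squid normally recovers the original destination from the NAT table of the host it runs on, so when the DNAT happens on the gateway instead, the squid box has no record of where the client was really going and has only the HTTP Host: header to work from, and because of the masquerade it sees every client as the gateway's address. Layout B keeps NAT and Squid on the same box and avoids both problems, which is why it is the cleaner of the two.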
- 03-09-2007 #6 Just Joined!
- Join Date: Mar 2007
- Posts: 17
For me to win this bet though the squid machine has to NOT be on the default gateway the users go to. It's a kinda crazy thing I got stuck on here and it may be impossible but we should find out next week.
The plan is
client--80>gateway--3128>squidbox--8080>gateway--8080>external cache peer.
I'm only setting this up on VMs in a lab so I'll be in complete control, hope to have an update on Tuesday for you.