Re: problem in configuring squid transparent proxy on FC3



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Ankush Grover wrote:
hey friends,

I am trying to configure Squid Transparent Proxy on FC3. I am testing
the scenario on 2 machines. The FC3 machine has got 2 LAN cards

eth0: 192.168.1.125/24
eth1: 192.168.2.126/24

Another machine is having only one LAN Card

eth0: 192.168.2.88/24

I added these lines for transparent proxy in squid.conf
http_port 3128 (by default)
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I have also added these lines to squid.conf

acl mynetwork src 192.168.1.125
acl mynetwork1 src 192.168.2.0
http_access allow mynetwork
http_access allow mynetwork1

Configured iptables to redirect the request to the proxy from the
domain 192.168.2.0 to port 3128

iptables -t nat -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

But when I gave the below command to list the iptables rules, there were
no rules added to the iptables

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I saved and restarted iptables many times, even flushed the iptables a few
times and again added the NAT rule, but every time iptables -L shows
empty rules.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

lsmod command output
Module Size Used by
ipt_REDIRECT 2113 20
iptable_nat 23037 2 ipt_REDIRECT
ip_conntrack 40565 1 iptable_nat
iptable_filter 2753 0
ip_tables 16705 3 ipt_REDIRECT,iptable_nat,iptable_filter


I am able to ping from 192.168.1.125 to 192.168.2.88. There is one
more problem: I am not able to ssh onto another server (FC3) from the
squid server.

ssh -l tester 192.168.1.122
Received disconnect from 192.168.1.122: 2: Too many authentication failures for tester

As this is a testing scenario, only 2 machines are in the domain
192.168.2.0 (one machine running Windows XP and the other FC3 with 2
LAN cards; I am using these machines for testing the squid transparent
proxy). All other machines in the network are in the domain
192.168.1.0, so I should be able to ssh onto the machine 192.168.1.122,
as the LAN card eth0 on the FC3 machine (192.168.1.125) is connected to
the network 192.168.1.0.

Please guide me on what I am doing wrong?

Thanks & Regards

Ankush Grover

Ankush,

That rule is in the NAT table; you can see it with:

iptables -t nat -nvL

or, to see both filter and nat tables together:

iptables -nvL ; iptables -t nat -nvL

I also think you need a subnet declaration for your squid ACLs, because
you are using "src" - see your conf file for more description on proper
declarations.

vi /etc/squid/squid.conf

acl INTERNAL-NETWORK src 192.168.2.0/24
http_access allow INTERNAL-NETWORK

You should only need the two lines above (they work together). This will
allow all traffic from the 192.168.2.0/24 network to access the proxy cache.

If you want to access the proxy from the 192.168.1.0/24 network, then
you will need to make changes at your gateway (192.168.1.1) to redirect
them back to the FC3 box. Your Win98 box will work properly because it
is passing traffic _through_ the FC3 from the 192.168.2.0/24 network.

Remember, your transparent proxy is a redirection of HTTP requests (port
80) to your proxy cache (port 3128). Squid then handles the request
transparently, the client doesn't realise the change in network packet
flow. To test this properly, you can either disable packet forwarding on
the FC3 box, or set your iptables forward policy to drop everything.

iptables -P FORWARD DROP

This way ALL packets must be redirected with your iptables rule and
passed through squid to get out the .2.0 network.

HTH.

Regards,
Miles Brennan

- --

Linux Home Server HOWTO
http://www.brennan.id.au/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEs5j8cSPa0xQu/fARAqHZAJ4hBzU8Skv+SK84RJcwZ6akE4cYWACglgox
r4JQbFofhGyzZeM7A4fmxt4=
=ghpA
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
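Putting the reply's advice together, as an added example that is not part of either post: a small sh script that loads the rules Miles describes (the REDIRECT in the nat table, plus FORWARD DROP so nothing bypasses the proxy during the test), checks for the rule in the output of `iptables -t nat -nvL` rather than `iptables -L`, and prints the matching squid ACL fragment. Assumptions not stated in the thread: the interface, subnet and port defaults below; a filter rule that accepts port 3128 only from the client LAN and drops it elsewhere; and a closing `http_access deny all`. The last two are added so the box cannot be used as an open proxy from the 192.168.1.0/24 side. It dry-runs by default; set APPLY=1 and run as root to actually load the rules.

```shell
#!/bin/sh
# Added example (not from the original posts). Transparent squid proxy
# firewall rules for a box with the client LAN on eth1 and squid on 3128.
# Assumed defaults; override via the environment.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the iptables invocation instead of executing it (dry-run mode).
dry_run() {
    printf 'iptables %s\n' "$*"
}

# build_rules CMD -- CMD is "iptables" to apply, or "dry_run" to print.
build_rules() {
    ipt="$1"
    # The REDIRECT lives in the nat table; "iptables -L" lists only the
    # filter table, which is why the original poster saw nothing.
    "$ipt" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # After REDIRECT the packet reaches INPUT with dport 3128. Accept it only
    # from the client LAN; reaching 3128 from any other interface is dropped
    # so the box is not an open proxy for the 192.168.1.0/24 side (assumption).
    "$ipt" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    "$ipt" -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
    # For the test, forward nothing: port-80 traffic from the LAN can only
    # leave through the REDIRECT and squid, never around it.
    "$ipt" -P FORWARD DROP
}

# has_redirect PORT -- read "iptables -t nat -nvL" output on stdin and
# succeed if a REDIRECT of dport 80 to PORT is listed.
has_redirect() {
    grep -q "REDIRECT.*dpt:80.*redir ports $1"
}

# Squid ACL fragment per the reply, plus a final deny so anything not
# explicitly allowed is refused (Squid 2.5-era syntax, as in the thread).
squid_acl_fragment() {
    cat <<EOF
acl INTERNAL-NETWORK src $LAN_NET
http_access allow INTERNAL-NETWORK
http_access deny all
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    build_rules iptables
    iptables -t nat -nvL | has_redirect "$SQUID_PORT" \
        || echo "REDIRECT rule not found in nat/PREROUTING" >&2
else
    build_rules dry_run
    squid_acl_fragment
fi
```

After loading, `iptables -t nat -nvL | has_redirect 3128 && echo ok` is the check to run instead of `iptables -L`; the listing shows the rule as `REDIRECT ... tcp dpt:80 redir ports 3128`. With FORWARD set to DROP, clients on the .2.0 network lose everything except what squid proxies (DNS included), which is the point of the test but not a configuration to leave in place.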


