#1 2013-01-17 19:34:37

sacarde
Member
Registered: 2006-07-14
Posts: 389

squid in transparent-proxy

Hi,
I would like to use squid in transparent-proxy mode. I followed:

https://wiki.archlinux.org/index.php/Sq … _web_proxy

but it doesn't seem to work...

I have:

- configured and started squid
- added an iptables rule (http://digilander.libero.it/sacarde/np/iptables.rules)
- but when I use a browser or ftp in the CLI, I don't see anything in /var/log/squid/access.log


Can you help me? Am I wrong?



sacarde

Offline

#2 2013-01-17 22:19:33

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: squid in transparent-proxy

If you set the proxy manually in your browser, does that work? If that works, then it's a problem with your redirecting, if it doesn't, then there's something wrong with squid. Knowing that will help narrow down where to look obviously.

Offline

#3 2013-01-18 07:59:55

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

Setting the proxy manually in the browser, or setting the "http_proxy" and "ftp_proxy" variables, works.

Is the squid wiki page up to date?

Offline

#4 2013-01-19 07:10:13

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: squid in transparent-proxy

Well if that works, then it must be the redirection that's not working.

I don't know if the squid wiki page is up to date, but squid doesn't change very often, and iptables changes even less so it shouldn't be too bad.

What is the output of `iptables -t nat -nvL`?

Offline

#5 2013-01-19 07:48:20

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

this:

Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 redir ports 3129

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 973 packets, 59991 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 973 packets, 59991 bytes)
pkts bytes target     prot opt in     out     source               destination

Offline

#6 2013-01-19 08:09:59

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

But, for example, I am in doubt: in squid.conf, do I have to set:

http_port 3129 intercept

or

http_port 3129 transparent


and then... only this?

Offline

#7 2013-01-20 07:27:15

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: squid in transparent-proxy

(Please use [ code ] tags to post things like this, makes them easier to read)

Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 redir ports 3129

None of these rules are being hit (the first column is 0) so that's why it is not working. The machine running squid is the one that the client computer(s) use as their gateway/router?

Offline

#8 2013-01-20 08:04:57

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

I followed this guide:

http://wiki.squid-cache.org/ConfigExamp … xLocalhost

and now it works!!

I see these rules:

iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 147 packets, 9354 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner GID match 15
    5   280 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3127

Chain POSTROUTING (policy ACCEPT 157 packets, 9914 bytes)
 pkts bytes target     prot opt in     out     source               destination

But it works only for www traffic on port 80.

If I would like to add ftp, what rules do I have to add?

Last edited by sacarde (2013-01-20 08:09:23)

Offline

#9 2013-01-20 21:58:41

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: squid in transparent-proxy

iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127

....

Chain OUTPUT (policy ACCEPT 147 packets, 9354 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner GID match 15
    5   280 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3127

OUTPUT is only for the local machine; you didn't mention that you were trying to transparent local web browsing.

sacarde wrote:

But it works only for www traffic on port 80.

If I would like to add ftp, what rules do I have to add?

You can't transparently proxy FTP. The FTP protocol does not have an equivalent to the HTTP "Host" header which is what is required to be able to transparently proxy.

Offline
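
The check fukawi2 applies in posts #7 and #9 (read the `pkts` column, and note which chain the matching rule sits in), as an added example that is not part of the thread. The function names are hypothetical and the embedded sample is the listing from post #8; counters are compared against a literal `0`, so abbreviated values such as `12K` still count as hits.

```shell
#!/bin/sh
# Constructed sample: the `iptables -t nat -nvL` listing posted in #8 of this thread.
sample_nat_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 147 packets, 9354 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner GID match 15
    5   280 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3127

Chain POSTROUTING (policy ACCEPT 157 packets, 9914 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Print "<chain> <pkts> <target> <match...>" for every rule in a listing on stdin.
rule_hits() {
    awk '
        $1 == "Chain"           { chain = $2; next }   # chain header line
        $1 == "pkts" || NF == 0 { next }               # column header or blank line
        {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i  # fields after destination
            print chain, $1, $3 extra
        }'
}

# Rules whose packet counter is exactly 0: no traffic has traversed them.
zero_hit_rules() { rule_hits | awk '$2 == "0"'; }

# Chains in which a redirecting rule (REDIRECT or DNAT) has actually matched.
chains_redirecting() {
    rule_hits | awk '($3 == "REDIRECT" || $3 == "DNAT") && $2 != "0" { print $1 }' | sort -u
}

sample_nat_listing | zero_hit_rules
sample_nat_listing | chains_redirecting
```

On a live gateway, pipe `iptables -t nat -nvL` into the same functions; a redirect that only ever matches in OUTPUT is intercepting the proxy host's own traffic, not traffic forwarded from clients.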

#10 2013-01-21 07:52:46

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

Then I can transparently proxy only http (port 80) traffic?

or using another proxy?



fukawi2 thanks a lot

Last edited by sacarde (2013-01-21 08:06:17)

Offline

#11 2013-01-21 11:00:07

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

If I understand...

- squid proxy ---> manages protocols http/https/ftp
- squid transparent proxy ---> manages only http

Is that true?

Offline

#12 2013-01-21 22:18:52

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: squid in transparent-proxy

Correct; technically you can transparently proxy HTTPS as well, but it causes problems since the browser is not expecting a proxy, but the S(ecure) part of HTTPS does what it is designed to do and detects that the connection is being interfered with.

Offline

#13 2013-01-22 08:36:17

sacarde
Member
Registered: 2006-07-14
Posts: 389

Re: squid in transparent-proxy

thank you


I will try: tinyproxy, tsock...(dante)...

Last edited by sacarde (2013-01-22 09:11:40)

Offline
