[squid-users] Transparent Proxy

John Sayce jsayce at asdlighting.com
Thu Sep 8 08:12:48 UTC 2016


For testing purposes I've reduced it to the following:

http_port 3128 intercept
#dns_v4_first on
dns_nameservers 10.8.2.3 194.168.4.100 10.8.2.2 8.8.8.8
acl wifi src 10.8.14.0/24
acl all src all
http_access allow all
maximum_object_size 1 GB
minimum_object_size 0 KB
maximum_object_size_in_memory 4 MB
cache_mem 1700 MB
cache_dir aufs /var/cache/squid 40000 32 512
coredump_dir /var/cache/squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_effective_user asd
cache_effective_group asd
cache_mgr jsayce at asdlighting.com
forwarded_for off

The version is 3.5.12

Okay.  Sorry, to clarify with a specific example.  Let's say I'm contacting http://1.1.1.1/ then the ack packet starts off with the client with ip address 10.8.14.9 in subnet 10.8.14.9/24 with default gateway 10.8.14.1.  It's routed through my core switch to my firewall with ip 10.8.1.1.  My firewall recognises that the packet has a destination port 80 and is in subnet 10.8.14.0/24 and changes the destination address to be that of my proxy server 10.8.2.11.  So now the ack packet has source 10.8.14.9 and destination 10.8.2.11.  How does iptables know to reply to my client 10.8.14.9 with source address 1.1.1.1?  Does iptables know to read the header?

Thanks


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Antony Stone
Sent: 07 September 2016 10:27
To: 'squid-users at lists.squid-cache.org'
Subject: Re: [squid-users] Transparent Proxy

On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:

> I believe so.  The specific command I used was:
> 
> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> (For some reason my adapter is ens33, I have no idea why it's not eth0. 
> Squid is set to run on 3128.)

That looks okay, then.

> It's fair to say I have almost no experience with iptables.  Is it 
> iptables that should be doing the address translation?

Yes - the rule above tells the machine to take any packet addressed to port 80 on any address and send it instead to the local machine (REDIRECT changes the destination address to 127.0.0.1, even though that's not obvious) and port 3128.

> when the packet is sent back to the client?

Correct.  IPtables' address translation rules are automatically symmetrical - when a packet gets translated in one direction, a record is kept that it was done, and then the reply packet is automatically reverse-translated when it comes back in the other direction.

This is true no matter whether packets are going *through* the IPtables machine (ie: it's acting as a router), or whether they're being processed *on* the IPtables machine (as in this case).

I think we need to know more about your squid setup.

Please tell us which version of squid you are using, and post here your squid.conf file without comments or blank lines.


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
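The reverse translation Antony describes, and John's question about where the 1.1.1.1 source address on the reply comes from, can both be read straight out of the kernel's connection-tracking table (`conntrack -L` from conntrack-tools, or /proc/net/nf_conntrack). The Python below is an added example and not part of the thread: it parses /proc/net/nf_conntrack-style entries into their original and reply tuples, reports which rewrite the table applies, reverse-translates a reply packet the way conntrack does, and shows what an intercepting proxy on that host recovers as the original destination through getsockopt(SO_ORIGINAL_DST). The three sample entries are constructed, not captured from anyone's machine; they use the thread's addresses (client 10.8.14.9, proxy 10.8.2.11, firewall 10.8.1.1) and assume a client source port of 51234 and that REDIRECT on the proxy lands on the proxy's own address 10.8.2.11.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoints:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    state: str
    original: Endpoints  # the first packet as conntrack saw it, before any NAT
    reply: Endpoints     # how a reply must look to match this entry, after NAT


# Constructed sample (not captured from any real host): one client request
# from 10.8.14.9 to http://1.1.1.1/, with an assumed client port of 51234.
#   line 1: table on proxy 10.8.2.11 when the client packet still carries
#           dst 1.1.1.1 and the posted REDIRECT rule moves it to local port 3128
#   line 2: table on proxy 10.8.2.11 when the firewall already rewrote the
#           destination to 10.8.2.11 before the packet arrived
#   line 3: table on firewall 10.8.1.1, which DNATs 1.1.1.1:80 to 10.8.2.11:80
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.8.14.9 dst=1.1.1.1 sport=51234 dport=80 src=10.8.2.11 dst=10.8.14.9 sport=3128 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.8.14.9 dst=10.8.2.11 sport=51234 dport=80 src=10.8.2.11 dst=10.8.14.9 sport=3128 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.8.14.9 dst=1.1.1.1 sport=51234 dport=80 src=10.8.2.11 dst=10.8.14.9 sport=80 dport=51234 [ASSURED] mark=0 use=1
"""

_FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Parse one /proc/net/nf_conntrack line into its original and reply tuples."""
    fields = line.split()
    proto = fields[2]
    # TCP entries carry a state word before the tuples; UDP entries do not.
    state = fields[5] if "=" not in fields[5] else ""
    pairs = _FIELD.findall(line)
    if len(pairs) != 8:
        raise ValueError("expected an original and a reply tuple: %r" % line)

    def build(kv):
        d = dict(kv)
        return Endpoints(d["src"], d["dst"], int(d["sport"]), int(d["dport"]))

    return ConntrackEntry(proto, state, build(pairs[:4]), build(pairs[4:]))


def nat_applied(entry):
    """Which rewrites this host applies on the forward path and undoes on replies."""
    kinds = set()
    if (entry.reply.src, entry.reply.sport) != (entry.original.dst, entry.original.dport):
        kinds.add("DNAT")  # destination rewritten: DNAT or REDIRECT
    if (entry.reply.dst, entry.reply.dport) != (entry.original.src, entry.original.sport):
        kinds.add("SNAT")  # source rewritten: SNAT or MASQUERADE
    return kinds


def original_destination(entry):
    """What an intercepting proxy on this host gets from getsockopt(SO_ORIGINAL_DST):
    the destination of the original tuple, i.e. before this host's own NAT."""
    return entry.original.dst, entry.original.dport


def untranslate_reply(entry, packet):
    """Reverse-translate a reply packet (src, dst, sport, dport) as emitted by the
    proxy or server into what the client will see, or None if it does not match
    this entry's reply tuple.  This is the automatic symmetry of iptables NAT."""
    r = entry.reply
    if packet != (r.src, r.dst, r.sport, r.dport):
        return None
    o = entry.original
    return (o.dst, o.src, o.dport, o.sport)


def describe(entry):
    """One-line summary of an entry, used by the stand-alone run below."""
    od_ip, od_port = original_destination(entry)
    r = entry.reply
    reply = (r.src, r.dst, r.sport, r.dport)
    back = untranslate_reply(entry, reply)
    nat = ",".join(sorted(nat_applied(entry))) or "none"
    return ("%s %s: original dst here %s:%d; NAT=%s; reply %s:%d->%s:%d "
            "leaves as %s:%d->%s:%d" % (entry.proto, entry.state, od_ip, od_port, nat,
                                        reply[0], reply[2], reply[1], reply[3],
                                        back[0], back[2], back[1], back[3]))


if __name__ == "__main__":
    for line in SAMPLE_CONNTRACK.splitlines():
        print(describe(parse_entry(line)))
```

The second sample entry is the situation John's message describes: once the firewall at 10.8.1.1 has rewritten the destination to 10.8.2.11, the packet that reaches the proxy host is addressed to 10.8.2.11:80, so that host's own conntrack entry records 10.8.2.11:80 as the original destination and SO_ORIGINAL_DST there can no longer return 1.1.1.1. Only the firewall's entry (the third line) still holds the mapping back to 1.1.1.1:80, and the firewall undoes it only on reply packets that actually pass back through the firewall's conntrack table; a reply that takes a different route to the client is never reverse-translated.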
