[squid-users] Transparent proxy with squid and Dansguardian

2014-10-01 Thread Darren B.


Hi,

I am trying to set up a router that allows a group of devices on a 
network to access the internet via Dansguardian and squid.


I am setting it up as a transparent proxy and locking down the ports 
with IPtables.


I am using IPtables to redirect connections on port 80 from the client 
and remap them to 8080 for dansguardian, dans is then set up to talk to 
squid on 127.0.0.1:3128


The iptables rules are:

iptables -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080

iptables -A POSTROUTING -j MASQUERADE

if I set the rule above to REDIRECT to 3128, the cache works as 
expected. If I set it above, I can see traffic in DG and in the cache 
log of squid but the target IF address is stripped out and I seem to be 
getting a forwarding loop.


I am not sure what is going on but it seems that Dansguardian is 
rewriting the target address and getting squid to loop back on itself.


All the various versions are current to ubuntu 14.04 although the 
dansguardian is a little old in this distro.


Any pointers would be greatly appreciated.


Darren B.




Currently the processes running and listening are

root@dnsmasq:~# netstat -ntlp | grep LISTEN
tcp        0      0 0.0.0.0:53      0.0.0.0:*       LISTEN      1068/dnsmasq
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN      1022/sshd
tcp        0      0 0.0.0.0:3128    0.0.0.0:*       LISTEN      1610/squid3
tcp        0      0 0.0.0.0:8080    0.0.0.0:*       LISTEN      4202/dansguardian
tcp        0      0 0.0.0.0:1       0.0.0.0:*       LISTEN      1149/perl
tcp6       0      0 :::53           :::*            LISTEN      1068/dnsmasq
tcp6       0      0 :::22           :::*            LISTEN      1022/sshd
tcp6       0      0 :::3129         :::*            LISTEN      1610/squid3


Squid config is currently this

acl localnet1 src 172.25.101.0/24   # RFC1918 possible internal network
acl localnet2 src 172.25.102.0/24   # RFC1918 possible internal network
acl localnet3 src 172.25.103.0/24   # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow localhost
http_access allow localnet1
http_access allow localnet2
http_access allow localnet3

http_access deny !Safe_ports

always_direct allow all

http_access deny CONNECT !SSL_ports

cache_effective_user proxy
cache_effective_group proxy

# http_access deny manager

http_port 3128 intercept
http_port 3129

debug_options All,2 78,5

cache_dir ufs /mnt/ksn/squid/cache 100 16 256

coredump_dir /var/spool/squid3

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320

#Performance Tuning Options
hosts_file /etc/hosts
dns_nameservers 127.0.0.1
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
#cache_mem 200MB
logfile_rotate 10
memory_pools off
maximum_object_size 50 MB
maximum_object_size_in_memory 50 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off







___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Transparent Proxy by squid 2.6 stable 14 in ubuntu 7.10 not working

2008-02-01 Thread kang ason

--- kang ason [EMAIL PROTECTED] wrote:

 Date: Fri, 1 Feb 2008 07:00:27 -0800 (PST)
 From: kang ason [EMAIL PROTECTED]
 Subject: Transparent Proxy by squid 2.6 stable 14 in
 ubuntu 7.10 not working
 To: squid-users@squid-cache.org
 
 Dear all,
 
 I have a server running squid (transparent proxy) on
 Linux (squid installed using Synaptic Package Manager
 on Ubuntu 7.10 with squid 2.6 Stable 14).
 
 This server has two interfaces: eth0 to the internet and
 eth1 to the LAN.
 And this is my squid.conf:
 
 http_port 192.168.10.10:8080 transparent
 hierarchy_stoplist cgi-bin ?
 acl QUERY urlpath_regex cgi-bin \?
 cache deny QUERY
 cache_vary on
 acl apache rep_header Server ^Apache
 broken_vary_encoding allow apache
 cache_mem 128 MB
 cache_swap_low 98
 cache_swap_high 99
 maximum_object_size 51200 KB
 minimum_object_size 0 KB
 ipcache_size 2048
 ipcache_low 98
 ipcache_high 99
 fqdncache_size 2048
 cache_replacement_policy heap LFUDA
 memory_replacement_policy heap GDSF
 cache_dir ufs /var/spool/squid 5000 18 256
 access_log /var/log/squid/access.log squid
 cache_log /dev/null
 cache_store_log /dev/null
 emulate_httpd_log off
 log_ip_on_direct on
 mime_table /usr/share/squid/mime.conf
 log_mime_hdrs off
 pid_filename /var/run/squid.pid
 log_fqdn off
 ftp_user [EMAIL PROTECTED]
 ftp_list_width 32
 ftp_passive on
 ftp_sanitycheck on
 hosts_file /etc/hosts
 refresh_pattern ^ftp:  1440   20%   10080
 refresh_pattern ^gopher:   1440   0%   1440
 refresh_pattern .  0   20%   4320
 acl all src 0.0.0.0/0.0.0.0
 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443 # https
 acl SSL_ports port 563 # snews
 acl SSL_ports port 873 # rsync
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl Safe_ports port 631 # cups
 acl Safe_ports port 873 # rsync
 acl Safe_ports port 901 # SWAT
 acl purge method PURGE
 acl CONNECT method CONNECT
 
 ## Client IP Address
 acl VLAN10 src 192.168.10.0/255.255.255.0
 http_access deny CONNECT !SSL_ports
 http_access deny !Safe_ports
 http_access deny purge
 http_access allow purge localhost
 http_access deny manager
 http_access allow VLAN10
 http_access allow manager localhost
 http_access allow localhost
 http_access deny all
 icp_access allow all
 cache_mgr [EMAIL PROTECTED]
 cache_effective_user proxy
 cache_effective_group proxy
 visible_hostname Proxy.server
 always_direct allow all
 coredump_dir /var/spool/squid
 extension_methods REPORT MERGE MKACTIVITY CHECKOUT
 store_dir_select_algorithm round-robin
 ##  end of squid.conf
 
 and this is my iptables for squid transparent
 iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
 iptables -A PREROUTING -t nat -i eth1 -p tcp -s 192.168.10.0/24 -j ACCEPT
 iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10/24 -j MASQUERADE
 
 when i look into /var/log/squid/access.log, i can
 found client access squid.
 if client setting browser using proxy into
 192.168.10.10 with port 8080, i can see client in
 /var/log/squid/access.log
 
 What is wrong with my squid.conf or iptables rules?
 Why is the transparent proxy not working, and why must clients
 set the proxy in their browser if they want to use the
 proxy?
 
 thanks.
 
 
 
 regards
 ason
 Cah Kopeng
 Lereng Utara Gunung Merbabu




Re: [squid-users] Transparent Proxy by squid 2.6 stable 14 in ubuntu 7.10 not working

2008-02-01 Thread Amos Jeffries

Let's just go over all these settings.

kang ason wrote:

--- kang ason [EMAIL PROTECTED] wrote:


Date: Fri, 1 Feb 2008 07:00:27 -0800 (PST)
From: kang ason [EMAIL PROTECTED]
Subject: Transparent Proxy by squid 2.6 stable 14 in
ubuntu 7.10 not working
To: squid-users@squid-cache.org

Dear all

i have server running squid (transparent proxy) in 
linux (squid installed using synaptic Package

Manager
on ubuntu 7.10 with squid 2.6 Stable 14)

this server have two interfaces, eth0 to internet 
eth1 to LAN
And this is my squid.conf

http_port 192.168.10.10:8080 transparent


Fine. BUT, is 192.168.10.10 an IP assigned to eth1 ??
As a test you can drop the IP here and FW inbound traffic to 
192.168.10.10:8080



hierarchy_stoplist cgi-bin ?



acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY


You can kill these two and replace them with the refresh_patterns below.


cache_vary on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 128 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 51200 KB
minimum_object_size 0 KB
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 5000 18 256
access_log /var/log/squid/access.log squid
cache_log /dev/null


Better to have a cache_log and see what's going wrong with squid when 
something does.



cache_store_log /dev/null


Better to use cache_store_log none and prevent all the attempted 
writes to /dev/null



emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
log_fqdn off
ftp_user [EMAIL PROTECTED]
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
refresh_pattern ^ftp:  1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440


Useful to add:
  refresh_pattern (cgi-bin|\?) 0 0% 0


refresh_pattern .  0   20%   4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255


I know it's the default config line, but better to use CIDR or no mask 
here (default is /32).




acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https



acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync


It's useful to make sure _ALL_ of the SSL_Ports are also in Safe_Ports.


acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

## Client IP Address
acl VLAN10 src 192.168.10.0/255.255.255.0


Better to use CIDR 192.168.10.0/24


http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny purge
http_access allow purge localhost


Ahhh... that will never match. The line above ALWAYS denies purge.
Kill it or switch the config lines.


http_access deny manager
http_access allow VLAN10
http_access allow manager localhost


again, that will never match for the global 'deny manager' above.


http_access allow localhost
http_access deny all



icp_access allow all
cache_mgr [EMAIL PROTECTED]
cache_effective_user proxy
cache_effective_group proxy
visible_hostname Proxy.server
always_direct allow all
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
store_dir_select_algorithm round-robin
##  end of squid.conf

and this is my iptables for squid transparent
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080


Well, unless you have other IPA assigned to eth1, using IP here is 
pretty redundant.



iptables -A PREROUTING -t nat -i eth1 -p tcp -s 192.168.10.0/24 -j ACCEPT


So what is NAT meant to be doing with this traffic? ACCEPT allows 
without changes.
It seems to me that port-80 traffic is being redirected to squid, and 
the rest is let out into the internet with RFC1918 private addresses 
(depending on -t filter -A FORWARD bridging rules).



iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10/24 -j MASQUERADE



Try this:
iptables -t nat -A PREROUTING -s 192.168.10.10 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

iptables -t filter -A FORWARD -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REJECT





when i look into /var/log/squid/access.log, i can
found client access squid.
if client setting browser using proxy into
192.168.10.10 with port 8080, i can see client in
/var/log/squid/access.log

what wrong with my squid.conf or iptables rules?
why transparent proxy not working,  why client must
setting using proxy in their 
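
The two "will never match" remarks in the reply above follow from http_access being checked top-down, with the first line whose ACLs all match deciding the request. An added example (not code from the thread or from the Squid project) that finds such unreachable lines; the function names and the subset test are this example's own, and it assumes an ACL named "all" matches every request, as in the posted config.

```python
"""Find http_access lines that can never decide a request.

Squid checks http_access lines top-down and stops at the first line whose
ACLs all match. A later line is unreachable when an earlier line's ACL list
is a subset of its own: whatever matches the later line matches the earlier.
"""

# Constructed sample: the http_access block quoted in the message above.
POSTED = """\
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow VLAN10
http_access allow manager localhost
http_access allow localhost
http_access deny all
"""

# The same block with the two pairs switched, as the reply suggests.
SWITCHED = """\
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow purge localhost
http_access deny purge
http_access allow manager localhost
http_access deny manager
http_access allow VLAN10
http_access allow localhost
http_access deny all
"""


def parse_http_access(conf_text):
    """Return [(line_no, action, frozenset_of_acl_terms)] for http_access lines."""
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action = parts[1].lower()
        if action not in ("allow", "deny"):
            continue
        # "!name" stays a distinct term (the negation of ACL "name").
        # Assumption: "all" matches everything, so it adds no condition.
        terms = frozenset(t for t in parts[2:] if t != "all")
        rules.append((line_no, action, terms))
    return rules


def find_shadowed(rules):
    """Return [(shadowed_line, shadowing_line, kind)]; kind is 'conflict' when
    the two actions differ and 'redundant' when they are the same."""
    findings = []
    for idx, (line_no, action, terms) in enumerate(rules):
        for prev_no, prev_action, prev_terms in rules[:idx]:
            if prev_terms <= terms:              # earlier line always matches first
                kind = "conflict" if prev_action != action else "redundant"
                findings.append((line_no, prev_no, kind))
                break                            # the first such line decides
    return findings


def check(conf_text):
    """Parse a squid.conf fragment and report its unreachable http_access lines."""
    return find_shadowed(parse_http_access(conf_text))


if __name__ == "__main__":
    for shadowed, by, kind in check(POSTED):
        print(f"line {shadowed} never matches: shadowed by line {by} ({kind})")
```

The subset test is purely syntactic: it does not look inside ACL definitions, so two differently named ACLs that cover the same clients are not compared.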

Re: [squid-users] transparent proxy with squid

2005-10-05 Thread Sushil Deore


hello,

Thanks for your reply.

This rule exist in my setup and from logs I can see the 443 traffic
directed to the local squid port and then I am routing it to the main
squid box. The strange thing is that I am not seeing any return path of
the 443 request I am sending.

My setup is

[Transparent squid box] -- [squid box] -- [squid-cache box] -- -
{external world}

If I send the 443 request using my squid box then that works perfectly
fine and I get all my 443 requests. With this in mind, theoretically
443 traffic from the transparent squid box should work with the
PREROUTING rule which you have mentioned, but it's not working in my case.

It would be a great help to me if you could suggest a way out of it.

Thanks in advance.


With Regards,

-- Sushil.



On Tue, 4 Oct 2005 [EMAIL PROTECTED] wrote:

 I would assume you'd need to do something similar to:

 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

 Tim Rainier
 Information Services, Kalsec, INC
 [EMAIL PROTECTED]



 Sushil Deore [EMAIL PROTECTED]
 10/04/2005 01:06 PM

 To
 Henrik Nordstrom [EMAIL PROTECTED]
 cc
 squid-users@squid-cache.org
 Subject
 [squid-users] transparent proxy with squid







 Dear Henrik,

 I configured a transparent proxy with squid by referring
 http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3

 Though Daniel has strictly mentioned not to ask him about HTTPS with
 transparent proxy, I still do have certain doubts in my mind which I'll
 try to explain here.

 I am setting up a wireless network for which I'll be using transparent
 proxy with squid. My transparent proxy is working fine and
 serving all port 80 traffic. I also need to serve https request and at
 this stage I am stuck.

 With a separate squid box as a proxy server I am serving the HTTPS
 request.

 Kindly let me know or suggest me how do I serve the HTTPS request using
 the transparent proxy or do I need to setup any additional setup to serve
 HTTPS traffic?

 Thanks in advance.

 With Regards,

 -- Sushil.








Re: [squid-users] transparent proxy with squid

2005-10-05 Thread Matus UHLAR - fantomas
On 04.10 22:36, Sushil Deore wrote:
 I configured a transparent proxy with squid by referring
 http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3
 
 Though Daniel has strictly mentioned not to ask him about HTTPS with
 transparent proxy, I still do have certain doubts in my mind which I'll
 try to explain here.
 
 I am setting up a wireless network for which I'll be using transparent
 proxy with squid. My transparent proxy is working fine and
 serving all port 80 traffic. I also need to serve https request and at
 this stage I am stuck.
 
 With a separate squid box as a proxy server I am serving the HTTPS
 request.
 
 Kindly let me know or suggest me how do I serve the HTTPS request using
 the transparent proxy or do I need to setup any additional setup to serve
 HTTPS traffic?

Useless and impossible with squid. Use NAT.

http://www.shorewall.net/Shorewall_Squid_Usage.html#id2459723
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3
http://lists.debian.org/debian-isp/2001/07/msg00315.html


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


[squid-users] transparent proxy with squid

2005-10-04 Thread Sushil Deore

Dear Henrik,

I configured a transparent proxy with squid by referring
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3

Though Daniel has strictly mentioned not to ask him about HTTPS with
transparent proxy, I still do have certain doubts in my mind which I'll
try to explain here.

I am setting up a wireless network for which I'll be using transparent
proxy with squid. My transparent proxy is working fine and
serving all port 80 traffic. I also need to serve https request and at
this stage I am stuck.

With a separate squid box as a proxy server I am serving the HTTPS
request.

Kindly let me know or suggest me how do I serve the HTTPS request using
the transparent proxy or do I need to setup any additional setup to serve
HTTPS traffic?

Thanks in advance.

With Regards,

-- Sushil.



Re: [squid-users] transparent proxy with squid

2005-10-04 Thread trainier
I would assume you'd need to do something similar to:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

Tim Rainier
Information Services, Kalsec, INC
[EMAIL PROTECTED]



Sushil Deore [EMAIL PROTECTED] 
10/04/2005 01:06 PM

To
Henrik Nordstrom [EMAIL PROTECTED]
cc
squid-users@squid-cache.org
Subject
[squid-users] transparent proxy with squid







Dear Henrik,

I configured a transparent proxy with squid by referring
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3

Though Daniel has strictly mentioned not to ask him about HTTPS with
transparent proxy, I still do have certain doubts in my mind which I'll
try to explain here.

I am setting up a wireless network for which I'll be using transparent
proxy with squid. My transparent proxy is working fine and
serving all port 80 traffic. I also need to serve https request and at
this stage I am stuck.

With a separate squid box as a proxy server I am serving the HTTPS
request.

Kindly let me know or suggest me how do I serve the HTTPS request using
the transparent proxy or do I need to setup any additional setup to serve
HTTPS traffic?

Thanks in advance.

With Regards,

-- Sushil.





Re: [squid-users] Transparent Proxy with Squid and Host: header

2005-09-24 Thread Henrik Nordstrom
Don't reply to others' questions when making a new question. Doing so will 
sort your question into the same thread.


On Wed, 31 Aug 2005, Enrico Demarin wrote:


Is there any way to fall back on the original IP destination of the request
if the Host: header
cannot be resolved ?


Not today, but patches implementing this are welcome.

Regards
Henrik


[squid-users] Transparent Proxy with Squid and Host: header

2005-08-31 Thread Enrico Demarin
Hi everyone,

I have a question: I have set up squid in transparent mode, but I ran into
the following case:

the client has a hosts file, where it defines for example host19 as
follows

38.25.63.10 host19

then he attempts a connection using either IE or Firefox:

http://host19

The result is that squid gives an error, saying host19 couldn't be found.
The client resolves host19 using the hosts lookup table, but sends a
Host: host19 header within the request, and squid attempts the connection
to that address, which it can't resolve.

Is there any way to fall back on the original IP destination of the request
if the Host: header cannot be resolved?

thanks in advance
Enrico




[squid-users] Transparent Proxy using squid and wccp

2005-07-08 Thread Kola Ibikunle

Hello,

I have attempted to conduct a transparent proxy using squid and a cisco 
router according to information in the article 
http://www.linux-mag.com/content/view/1957/2303.


It seems to me that the packets are getting redirected by the router but 
squid isn't forwarding. Please look through and advise.


Squid runs on Fedora Core 3 and was installed via rpm. The router runs IOS 12.2.

I succeeded in getting the squid box registered with router

Router#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.18
        Protocol Version:                    1.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            3660
        Redirect access-list:                150
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0


but I am unable to browse

tcpdump on the linux box running FC 3 shows

unreachable admin prohibited


while the debug screenshot is
Router#
*Mar  1 03:17:39.183: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 0335
*Mar  1 03:17:39.183: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 0336
*Mar  1 03:17:46.491: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23
*Mar  1 03:17:49.195: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 0336
*Mar  1 03:17:49.195: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 0337
*Mar  1 03:17:49.443: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23




Below is my router config

Router#sh conf
Using 1198 out of 155640 bytes
!
version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable secret 5 $1$.nU6$zrTYq3u9FqrEs1z3VR6yO/
enable password 12345
!
ip subnet-zero
ip wccp version 1
ip wccp web-cache redirect-list 150
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.18 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 111.222.111.110 255.255.255.128
ip wccp web-cache redirect out
ip nat outside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip nat pool ovrld 111.222.111.110 111.222.111.110 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip http server
!
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 150 permit tcp 192.168.1.0 0.0.0.255 any
access-list 150 deny   tcp any any
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line 33 62
flush-at-activation
line aux 0
line vty 0 4
password 1234
login
!
end



RE: [squid-users] Transparent Proxy using squid and wccp

2005-07-08 Thread Nilesh P

Squid won't work with rpm.
You have to install squid from source with the --enable-linux-netfilter
feature.

-----Original Message-----
From:   Kola Ibikunle [mailto:[EMAIL PROTECTED] 
Sent:   Saturday, July 09, 2005 2:38 AM
To: squid-users@squid-cache.org
Subject:[squid-users] Transparent Proxy using squid and wccp

Hello,

I have attempted to conduct a transparent proxy using squid and a cisco 
router according to information in the article 
http://www.linux-mag.com/content/view/1957/2303.

It seems to me that the packets are getting redirected by the router but 
squid isn't forwarding. Please look through and advise.

Squid runs on Fedora Core 3 and was installed via rpm. The router runs IOS 12.2.

I succeeded in getting the squid box registered with router

Router#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.18
        Protocol Version:                    1.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            3660
        Redirect access-list:                150
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0


but I am unable to browse

tcpdump on the linux box running FC 3 shows

unreachable admin prohibited


while the debug screenshot is
Router#
*Mar  1 03:17:39.183: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 0335
*Mar  1 03:17:39.183: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 0336
*Mar  1 03:17:46.491: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23
*Mar  1 03:17:49.195: WCCP-PKT: Received valid Here_I_Am packet from 192.168.1.23 w/rcvd_id 0336
*Mar  1 03:17:49.195: WCCP-PKT: Sending I_See_You packet to 192.168.1.23 w/ rcvd_id 0337
*Mar  1 03:17:49.443: ICMP: dst (192.168.1.18) prohibited unreachable rcv from 192.168.1.23



Below is my router config

Router#sh conf
Using 1198 out of 155640 bytes
!
version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
enable secret 5 $1$.nU6$zrTYq3u9FqrEs1z3VR6yO/
enable password 12345
!
ip subnet-zero
ip wccp version 1
ip wccp web-cache redirect-list 150
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.18 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 111.222.111.110 255.255.255.128
ip wccp web-cache redirect out
ip nat outside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip nat pool ovrld 111.222.111.110 111.222.111.110 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip http server
!
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 150 permit tcp 192.168.1.0 0.0.0.255 any
access-list 150 deny   tcp any any
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line 33 62
flush-at-activation
line aux 0
line vty 0 4
password 1234
login
!
end





[squid-users] Transparent Proxy in Squid with Websense

2005-04-05 Thread Gary Chan
I have the firewall which can help to forward the web traffic to the web proxy 
server. I used Squid as the proxy server and all traffic can pass to firewall 
then to Squid. However, when I used Websense  with Squid, I got the following 
symptom:
 
1. In transparent proxy, that is no setting in client IE browser:
Client - Firewall - Squid - Websense - Web Server
I found error and I cannot access the Internet browser
 
2. With the same configuration setting in squid.conf with IE configured:
Client - Squid - Websense - Web Server
The client can access the web server.
 
3. Without Websense in Transparent Proxy (ie. No setting in client IE)
Client - Firewall - Squid
I can also access the Internet.
 
My question is why I cannot integrate Firewall, Squid & Websense together in 
Transparent Proxy setting.
 
Thanks!!!
 
 


Re: [squid-users] Transparent Proxy Using SQUID CACHE

2005-03-27 Thread data grey
Hi there,
 Yes Elsen, you are right, I am having problems with https sites too ...


On Sat, 26 Mar 2005 23:44:15 +0100, Elsen Marc [EMAIL PROTECTED] wrote:
 
 
Hi there
 
I am having a little problem. I have run a squid cache
with IPTABLES. Everything is working fine: it gets transparent
requests and serves web pages perfectly, but the problem is that it's not
working as transparent for MSN/YAHOO messengers. I have to put an
HTTP proxy on MSN to connect. Can anyone help me how to throw
that traffic out too transparently?
 
   
 http://www.squid-cache.org/mail-archive/squid-users/200503/0853.html
 
 
M.
 



[squid-users] Transparent Proxy Using SQUID CACHE

2005-03-26 Thread data grey
Hi there 
I am having a little problem. I have run a squid cache
with IPTABLES. Everything is working fine: it gets transparent
requests and serves web pages perfectly, but the problem is that it's not
working as transparent for MSN/YAHOO messengers. I have to put an
HTTP proxy on MSN to connect. Can anyone help me how to throw
that traffic out too transparently?


Regards
Data Grey


RE: [squid-users] Transparent Proxy Using SQUID CACHE

2005-03-26 Thread Elsen Marc
 

 


Hi there

 

I am having a little problem. I have run a squid cache
with IPTABLES. Everything is working fine: it gets transparent
requests and serves web pages perfectly, but the problem is that it's not
working as transparent for MSN/YAHOO messengers. I have to put an
HTTP proxy on MSN to connect. Can anyone help me how to throw
that traffic out too transparently?



   
http://www.squid-cache.org/mail-archive/squid-users/200503/0853.html

 

M.