Topic: Problem with Squid as transparent proxy
RazaMetaL
« on: June 08, 2004, 12:57:12 AM »

Hello,

I've this network topology:



All the Linux servers can view Internet sites through the transparent proxy/gateway, but the LAN PCs cannot. The Linux servers are running with 2 NICs and have Squid configured to be a proxy server for the LAN machines.

What can be wrong? Maybe I need an additional configuration?



Code:
# egrep -v "^$|^#" /etc/squid/squid.conf
http_port 8080
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
maximum_object_size 8192 KB
cache_dir ufs /var/spool/squid 6144 64 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl manta src 200.96.221.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manta
http_access deny all
http_reply_access allow all
icp_access allow all
miss_access allow all
cache_mgr proxy@proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
error_directory /etc/squid/errores
coredump_dir /var/spool/squid

My transparent proxy/firewall has the following lines in the firewall script:
Code:
# TRANSPARENT PROXY
/sbin/iptables -A INPUT -i eth1 -p tcp -d 200.96.221.0/24 --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

Code:
# tail -f /var/log/cache.log
2004/06/05 14:55:56| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...
2004/06/05 14:55:56| Process ID 7453
2004/06/05 14:55:56| With 1024 file descriptors available
2004/06/05 14:55:56| DNS Socket created at 0.0.0.0, port 35065, FD 4
2004/06/05 14:55:56| Adding nameserver 200.96.221.2 from /etc/resolv.conf
2004/06/05 14:55:56| User-Agent logging is disabled.
2004/06/05 14:55:56| Referer logging is disabled.
2004/06/05 14:55:56| Unlinkd pipe opened on FD 9
2004/06/05 14:55:56| Swap maxSize 6291456 KB, estimated 483958 objects
2004/06/05 14:55:56| Target number of buckets: 24197
2004/06/05 14:55:56| Using 32768 Store buckets
2004/06/05 14:55:56| Max Mem  size: 16384 KB
2004/06/05 14:55:56| Max Swap size: 6291456 KB
2004/06/05 14:55:56| Store logging disabled
2004/06/05 14:55:56| Rebuilding storage in /var/spool/squid (CLEAN)
2004/06/05 14:55:56| Using Least Load store dir selection
2004/06/05 14:55:56| Set Current Directory to /var/spool/squid
2004/06/05 14:55:56| Loaded Icons.
2004/06/05 14:55:56| Accepting HTTP connections at 0.0.0.0, port 8080, FD 10.
2004/06/05 14:55:56| Accepting HTTP connections at 0.0.0.0, port 3128, FD 11.
2004/06/05 14:55:56| Accepting ICP messages at 0.0.0.0, port 3130, FD 12.
2004/06/05 14:55:56| WCCP Disabled.
2004/06/05 14:55:56| Ready to serve requests.
2004/06/05 14:55:57| Done reading /var/spool/squid swaplog (1198 entries)
2004/06/05 14:55:57| Finished rebuilding storage from disk.
2004/06/05 14:55:57|      1198 Entries scanned
2004/06/05 14:55:57|         0 Invalid entries.
2004/06/05 14:55:57|         0 With invalid flags.
2004/06/05 14:55:57|      1198 Objects loaded.
2004/06/05 14:55:57|         0 Objects expired.
2004/06/05 14:55:57|         0 Objects cancelled.
2004/06/05 14:55:57|         0 Duplicate URLs purged.
2004/06/05 14:55:57|         0 Swapfile clashes avoided.
2004/06/05 14:55:57|   Took 0.9 seconds (1292.7 objects/sec).
2004/06/05 14:55:57| Beginning Validation Procedure
2004/06/05 14:55:57|   Completed Validation Procedure
2004/06/05 14:55:57|   Validated 1198 Entries
2004/06/05 14:55:57|   store_swap_size = 17144k
2004/06/05 14:55:57| storeLateRelease: released 0 objects


Regards,
Logged
Ricky
« Reply #1 on: June 08, 2004, 01:42:02 AM »

There is no problem..
As you are running transparent proxy on your main server... but I don't think you are running transparent proxy on your individual LAN servers. So make sure that, to access the Internet on the LAN, you have your browser configured to use your Linux1 server or Linux2 resp. as proxy server. In case you are also running transparent on the individual LAN servers, then make sure that the gateway is set as the IP of the server of that LAN.
Lastly.. you can use cache peer to have cache only on the main server.

BTW.. your diagram is good.
Logged
RazaMetaL
« Reply #2 on: June 08, 2004, 01:48:32 AM »

Thank you for the response.

All the Linux servers have Squid configured to be proxy for the LAN machines. When I start the iptables REDIRECT line, the computers of the LANs can't view web sites, but I can see in the access.log of the transparent proxy activity and requests from the Linux server of each LAN.

If I leave it with no REDIRECT, all can view web sites.


The graphic was made with M$ Visio running on Fedora Core 2 with CrossOver Office  :lol:
Logged
Ricky
« Reply #3 on: June 08, 2004, 02:12:41 AM »

The redirection line you have given in your first post is for your server connected directly to the Internet.. can I have the redirection script for your local Linux servers?
Logged
RazaMetaL
« Reply #4 on: June 08, 2004, 02:23:23 AM »

Yes.. this redirection is for the transparent proxy server. All the Linux servers for each LAN have redirection from 80 to 8080 with iptables; the servers have Squid listening on port 8080 as well, but not in transparent mode, so I have to set the proxy configuration for each station.

Maybe I need to accept the forward on the Linux servers for port 8080? My default policies on the Linux servers for INPUT, OUTPUT and FORWARD are set to DROP.
Logged
Ricky
« Reply #5 on: June 08, 2004, 04:21:39 AM »

You mean you have blocked everything.. maybe you try to allow port 8080!
Logged
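Why "allow port 8080" matters, as an added example that is not part of any post in this thread: a small Python model of how a packet passes nat/PREROUTING and then filter/INPUT, fed with the two rules from the first post. It assumes the INPUT policy is DROP on the host doing the REDIRECT (the thread states DROP policies only for the LAN Linux servers); `LOCAL_IP`, `ALLOW_8080` and the sample packet are constructed for illustration.

```python
import ipaddress
import shlex

# The two rules quoted in the first post.
PAGE_RULES = [
    "/sbin/iptables -A INPUT -i eth1 -p tcp -d 200.96.221.0/24 --dport 80 -j ACCEPT",
    "/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080",
]
# Candidate extra rule (added here, not from the thread).
ALLOW_8080 = "/sbin/iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT"
LOCAL_IP = "200.96.221.1"  # assumed eth1 address of the proxy host (constructed)
OPTS = {"-t": "table", "-A": "chain", "-i": "iface", "-p": "proto",
        "-d": "dst", "--dport": "dport", "-j": "target", "--to-port": "to_port"}

def parse(line):
    """Turn one iptables command into a dict; only the options in OPTS are modelled."""
    tok = shlex.split(line)[1:]
    rule = {"table": "filter"}
    for flag, value in zip(tok[0::2], tok[1::2]):
        rule[OPTS[flag]] = value
    return rule

def matches(rule, pkt):
    """True if every match option present in the rule agrees with the packet."""
    for key in ("iface", "proto"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:  # single ports only
        return False
    if "dst" in rule:
        net = ipaddress.ip_network(rule["dst"], strict=False)
        return ipaddress.ip_address(pkt["dst"]) in net
    return True

def verdict(lines, pkt, input_policy="DROP"):
    """Walk nat/PREROUTING, then filter/INPUT; return (verdict, dport seen there)."""
    rules, pkt = [parse(l) for l in lines], dict(pkt)
    for r in rules:
        if (r["table"], r["chain"], r["target"]) == ("nat", "PREROUTING", "REDIRECT") \
                and matches(r, pkt):
            # REDIRECT rewrites the destination to this host and to the new port.
            pkt["dst"], pkt["dport"] = LOCAL_IP, int(r["to_port"])
            break
    if pkt["dst"] != LOCAL_IP:
        return "FORWARD", pkt["dport"]  # not for this host; FORWARD chain not modelled
    for r in rules:
        if (r["table"], r["chain"]) == ("filter", "INPUT") and matches(r, pkt):
            return r["target"], pkt["dport"]
    return input_policy, pkt["dport"]

# Constructed packet: a LAN client requesting a page from an outside web server.
CLIENT_HTTP = {"iface": "eth1", "proto": "tcp", "dst": "203.0.113.80", "dport": 80}
```

Accepting 8080 on INPUT also lets hosts on that interface connect to the proxy port directly, so keep the rule scoped with `-i` (and a source match if the interface is shared) and rely on Squid's `http_access` ACLs for the rest.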