Hi,
I'm trying to set up a Squid transparent proxy. Here is my hardware
situation:
(1) Internet <-> (2) ADSL/NAT/gateway/router <-> (3) Linux server <-> (4) 40
computers
ad (2): This is a small Cisco device. Works fine. No ports are forwarded
from
(1) to (3).
ad (3): A Dell server, running Gentoo. Provides several services to the
inside
network (the LAN), e.g. an Apache webserver. Netfilter/IPtables forwards
traffic between eth0 and eth1 like this:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.254
(192.168.1.254 is the adress of the "outside" eth0 NIC, connected to (2))
ad (4): All computers are connected with switches.
All this works fine. It's quite transparent of course, nobody notices the
server, unless they actually surf to its webserver.
I now want to set up a proxy on the server, partly to help with caching, but
mostly to make it possible to log all www traffic. This proxy must be
transparent, ie. nobody will have to change anything on their computers.
Some questions:
1) Is this possible at all?
For normal web traffic I believe so, but what about https, chat programs,
ssl,
ssh and I-don't-know-what? If such things are difficult to get to work or
will cause my users (neighbours actually...) to have to change setting, it's
not good. So, will I be able to log (and maybe cache) www traffic without
the
users having any problems at all?
2) How will my routing rule in iptables look?
The best guide I've found is
http://squid.visolve.com/squid/trans_caching.htm
but all in all it seems to me that Squid documentation isn't very detailed.
Anyway, that guide gives a number of iptables rules that I must use:
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p TCP -s 0/0 --dport 21 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP -d 0/0 --dport 20 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 23 -j MASQUERADE
I'm very happy with my current rule -- it's only one line and it works! I'm
not an expert in these matters, but it seems to me that the above rules will
only permit traffic on a few ports between eth0 and eth1. Is that right and
what do I do about it? Or am I confusing internal traffic on eth1 with
eth0<->eth1 traffic?
3) At the moment I'm running a DNS caching program on the server: dnsmasq.
It
seems to be working just fine, though without any visible improvements --
our
ISP's DNS is pretty fast I guess.
Will Squid use that DNS cache, or will it provide its own?
Well, that's all I can think of for now.
//Niels
Received on Fri Apr 01 2005 - 12:52:38 MST
This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT