Re: Re[2]: [squid-users] Non-transparent port works, transparent doesn't

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 19 Oct 2011 13:54:59 +1300

 On Tue, 18 Oct 2011 23:23:44 +0400, zozo zozo wrote:
>> > Does it mean that now intercepting squid can only work on the
>> > gateway machine?
>>
>> No. It means that routers like yours need to be configured for policy
>> routing (aka "packet forwarding") instead of NAT port mapping (aka "port
>> forwarding").
>>
>> This config was written particularly for the *WRT use case (but applies
>> to any Linux router):
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>
> Can you please make it even more clear:
> Squid 3.2 can be used on a separate machine and be transparent only
> if it's directly connected to the routing machine, right?

 Okay, to be clear:

  "transparent" is a confusing word. By itself it means several
 different and non-overlapping things. Other words are always needed to
 clarify *what* is transparent.

  Interception proxy is purely and simply the idea of getting packets
 into Squid when they should have been delivered elsewhere. NAT is _one_
 form of interception.

  Routing is how packets move around. In this case we are concerned with
 getting some port 80 packets to arrive on the Squid box. Nothing more.

  Interception and routing are unrelated operations. What I am talking
 about is using one (routing) to feed the other (interception) with
 packets. So the overall system is called "transparent interception
 proxy" or some such.

> Because routing tables can only send packets to gateways directly
> connected to them?

 BUT the machine receiving can itself be a router gatewaying the packets
 to another. You can chain as many routers as you like, it just adds a
 lot of complexity to be managed.

> I.e. I can't put my transparent proxy to internet, I need it to be in
> same IP space as my network interface?

 You can put it anywhere you like. There are only two requirements:

  1) NAT happens on the same OS.
     So Squid can have direct access to the NAT data to undo the
     destination IP erasure.

  2) Squid needs access to the same DNS as the clients.
     To verify the packet's destination IP matches the HTTP requested
     domain.

>
> Could I do it in 3.1?

 Yes, these requirements are only strictly enforced in 3.2+, but
 following them improves reliability and security on all Squid.

 Amos
Received on Wed Oct 19 2011 - 00:55:04 MDT
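An added example of the split described in this message, not taken from the thread or the linked wiki page: the Linux router uses policy routing (mark plus a routing table) to hand port-80 packets to the Squid host unchanged, and the NAT step (REDIRECT) runs only on the Squid host itself, satisfying requirement 1. Addresses, interface name, mark and table numbers are assumptions; with RUN left at its default the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example for the setup discussed in the thread; not taken from the
# squid wiki page or the mailing-list messages. Addresses, interface name,
# mark and table numbers below are assumptions for illustration.
SQUID_IP=${SQUID_IP:-192.168.1.2}     # assumed Squid host on the LAN
SQUID_PORT=${SQUID_PORT:-3129}        # assumed "http_port 3129 intercept"
LAN_IF=${LAN_IF:-br-lan}              # assumed LAN interface on both boxes
FWMARK=${FWMARK:-2}                   # arbitrary packet mark
RT_TABLE=${RT_TABLE:-2}               # arbitrary routing table number
RUN=${RUN:-echo}                      # default: print commands; RUN= applies them

# On the Linux router: policy routing, not port forwarding. Packets keep
# their original destination IP and are simply handed to the Squid host.
router_policy_route() {
    # Skip the proxy's own outbound web traffic, or it would be routed back
    # to itself in a loop.
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SQUID_IP" \
        -p tcp --dport 80 -j RETURN
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    # Marked packets use a table whose default route is the Squid host.
    $RUN ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    $RUN ip route add default via "$SQUID_IP" table "$RT_TABLE"
}

# On the Squid host: NAT happens here, on the same OS as Squid, so Squid can
# look up the original destination that REDIRECT overwrites (requirement 1).
squid_host_intercept() {
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" \
        -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

router_policy_route
squid_host_intercept
```

Requirement 2 (same DNS view as the clients) is not something iptables can provide; the Squid host simply has to use the same resolvers the LAN clients do.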
