Solved

Smart Switching squid cache

Posted on 2003-03-17
Last Modified: 2010-03-18
Is it possible to use iptables to implement a smart switching transparent cache as described at http://squid.visolve.com/white_papers/trans_caching.htm?

I have 2 machines, 192.168.1.1 and 192.168.1.2, the squid cache is on 192.168.1.2, while the 1.1 rig is the one actually connected to the internet.  How do I either do the smart switching, or just have 1.1 forward all HTTP requests to 1.2?
0
Question by:Naito
41 Comments
 

Expert Comment

by:suguinha
ID: 8160916
You only have to setup iptables on the DEFAULT GATEWAY of your clients to forward http requests to the squid machine. The squid machine itself must have free access so you won't create a network loop.
If the squid server is not a router on your network, you don't have to worry about forwarding. Just enable transparent when compiling it.
0
 
LVL 1

Author Comment

by:Naito
ID: 8163560
sorry, wasn't too clear on that question

right now all HTTP queries by default go to 192.168.1.1, which doesn't have Squid.  I want to either make it so that 192.168.1.1 knows to automatically forward all HTTP requests to the Squid server on 192.168.1.2 when it's available, or if that's not possible, to just always forward all HTTP requests to it.  Right now all my client machines have to manually set the proxy server setting in their browsers; I want to get rid of having to do that.

thanks for the reply though.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8168925
ok.
this is what you have to add in your linux box:
(assuming your requests come from eth0)

# note the space after "!": iptables of this era reads "!" as its own token
iptables -I PREROUTING -t nat -i eth0 -p tcp -d ! 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.2:3128

of course, your squid must be configured to look into the header of the request, as all the requests will be going to itself instead of the internet. in squid.conf, be sure you have:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


add the rule to your firewall/nat script, add these lines to squid.conf, and restart squid.

now try :)
0
 
LVL 1

Author Comment

by:Naito
ID: 8169313
nope =(
can't connect to any site with that rule added in. Requests are coming from ETH1 so I changed the interface accordingly, but it still doesn't work...if I delete it everything works again.  Squid is already accepting connections to port 3128, Access.log shows proper activity when browsers are set to proxy to it, but if I remove the proxy setting in the browser and add that rule, browser says "website not responding".
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8169561
try the rule with this version:

iptables -I PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128

0
 
LVL 1

Author Comment

by:Naito
ID: 8169969
still no go.... same result...

does this help? my current IPTables setup:

# Generated by iptables-save v1.2.5 on Wed Mar 19 21:48:27 2003
*mangle
:PREROUTING ACCEPT [78887:15618351]
:INPUT ACCEPT [1895:339546]
:FORWARD ACCEPT [76821:15238049]
:OUTPUT ACCEPT [1090:147181]
:POSTROUTING ACCEPT [77796:15360207]
COMMIT
# Completed on Wed Mar 19 21:48:27 2003
# Generated by iptables-save v1.2.5 on Wed Mar 19 21:48:27 2003
*nat
:PREROUTING ACCEPT [1734:338469]
:POSTROUTING ACCEPT [84:4151]
:OUTPUT ACCEPT [133:4751]
-A PREROUTING -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 1026 -j DNAT --to-destination 192.168.1.0:20002
-A PREROUTING -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
-A PREROUTING -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -d aaa.bbb.ccc.ddd -p udp -m udp --dport 1026 -j DNAT --to-destination 192.168.1.0:20002
-A PREROUTING -s 192.168.1.0/255.255.255.0 -d 64.152.64.69 -j DROP
-A PREROUTING -s 192.168.1.0/255.255.255.0 -d 199.95.206.210 -j DROP
-A PREROUTING -s 192.168.1.0/255.255.255.0 -d 69.0.155.52 -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0 -p tcp -m tcp --dport 1026 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.2 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0 -p udp -m udp --dport 1026 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 19 21:48:27 2003
# Generated by iptables-save v1.2.5 on Wed Mar 19 21:48:27 2003
*filter
:INPUT DROP [1:440]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:drop-lan - [0:0]
:drop-reserved - [0:0]
:drop-trojan - [0:0]
:flag-lan - [0:0]
:testing - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 1.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 23.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 31.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 96.0.0.0/224.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 128.0.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 128.9.64.26 -i eth0 -j drop-reserved
-A INPUT -s 128.66.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 191.255.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 197.0.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 201.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 223.255.255.0/255.255.255.0 -i eth0 -j drop-reserved
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 248.0.0.0/248.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p tcp -m tcp --dport 1875 -j ACCEPT
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -p udp -m udp --dport 1024:65535 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -o eth0 -p tcp -m tcp --dport 111 -j drop-lan
-A FORWARD -o eth0 -p udp -m udp --dport 111 -j drop-lan
-A FORWARD -o eth0 -p tcp -m tcp --dport 137:139 -j drop-lan
-A FORWARD -o eth0 -p udp -m udp --dport 137:139 -j drop-lan
-A FORWARD -o eth0 -p tcp -m tcp --dport 635 -j drop-lan
-A FORWARD -o eth0 -p udp -m udp --dport 635 -j drop-lan
-A FORWARD -i ! eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A FORWARD -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p icmp -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p tcp -m tcp --sport 1875 -j ACCEPT
-A OUTPUT -o ! eth0 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p udp -m udp --sport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A drop-lan -j LOG --log-prefix "Drop - LAN only: "
-A drop-lan -j REJECT --reject-with icmp-port-unreachable
-A drop-reserved -j LOG --log-prefix "Drop - reserved network: "
-A drop-reserved -j DROP
-A drop-trojan -j LOG --log-prefix "Drop - trojan-flooder: "
-A drop-trojan -j DROP
-A flag-lan -j LOG --log-prefix "Flag: "
-A flag-lan -j ACCEPT
-A testing -j LOG --log-prefix "testing: "
-A testing -j ACCEPT
COMMIT
# Completed on Wed Mar 19 21:48:27 2003
0
 
LVL 1

Author Comment

by:Naito
ID: 8170036
is it THIS line possibly causing problems?

-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1
0
 
LVL 1

Author Comment

by:Naito
ID: 8170173
n/m, ignore that last comment
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8170458
mmhh...
please try with a simple firewall and then troubleshoot your current firewall. this is a sample:

#Activate IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="`which iptables`"
outside=eth0
inside=eth1

# Start clean: flush every table, then delete user chains
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Avoid Floodings (created after the flush; a later -F would empty it again)
$ipt -N FLOOD
$ipt -A FLOOD -m limit --limit 2/s --limit-burst 5 -j RETURN
$ipt -A FLOOD -j DROP

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i $inside -j ACCEPT
# OUTPUT has no input interface, so match on the outgoing one
$ipt -A OUTPUT -o $inside -j ACCEPT
$ipt -A FORWARD -i $inside -j ACCEPT

# replies: to this host, from this host, and forwarded back to the LAN
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# let the gateway itself open connections to the outside (DNS, updates)
$ipt -A OUTPUT -o $outside -m state --state NEW -j ACCEPT
#Accept at least traffic to ssh into this host.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
#now the nat thing.
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE

$ipt -A INPUT -j FLOOD
$ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

#Now the redirections (DNAT only exists in the nat table, so -t nat is required):
$ipt -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.2:80
$ipt -t nat -A PREROUTING -p udp -i eth0 --dport 1026 -j DNAT --to-destination 192.168.1.2:20002
$ipt -t nat -A PREROUTING -p tcp -i eth1 -d aaa.bbb.ccc.ddd --dport 80 -j DNAT --to-destination 192.168.1.2:80
$ipt -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.1.2:3128



and test it. it's very simple and can be used as a test bed, and later as something to build upon.
0
 
LVL 1

Author Comment

by:Naito
ID: 8170761
idea:
iptables -I PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128

this rule that you suggested, it should work, all machines asking for HTTP on eth1 will get redirected to 192.168.1.2:3128....BUT, 192.168.1.2 itself is also on eth1, so when the squid cache gets the request and tries to get the updated page, it loops back on itself and is unable to connect?  how to exclude 192.168.1.2 from that rule then?

going to try that simple firewall you gave me, thank you very much! getting a major crash course in iptables today hehe
0
 
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 300 total points
ID: 8170994
you are right! I didn't understand that.

ok, maybe the rule will look better like this:

iptables -I PREROUTING -t nat -i eth1 -s ! 192.168.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128

0
 
LVL 1

Author Comment

by:Naito
ID: 8171361
ok, getting there I think! now it might be just my Squid setup:

it STILL doesn't send stuff to the cache, but when I changed the port it was being forwarded to to 80, my Apache page came up instead, and it's always coming up no matter what web page I type in the URL.  

httpd_accel_uses_host_header on

doesn't seem to be working....?
0
 

Expert Comment

by:suguinha
ID: 8171388
I still don't understand what you intend.
If the problem is just that your proxy isn't always on, you could set up a proxy auto-setup script on the gateway. Browsers support auto-proxy setup by accessing a script provided by the user (actually a JavaScript).

You could write a program to see if the proxy is up or down. If it's up, then put the script there. If it's not, then replace the script with one that tells the browser not to use proxies. This avoids the need to change the client's setup when the proxy goes up or down.

If this is reasonable, I could write one for you upon your request.
0
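The proxy auto-config approach suggested above, as an added example that is not part of the thread: a generator for the PAC file the gateway would serve, switched between an "up" and a "down" version by whatever probe decides Squid's state. Squid's address and port are the thread's; the served path and URL, the LAN pattern and the probe hookup are assumptions of this example.

```python
"""
PAC-file generator for client-side proxy switching. Added example, not code
from the thread. Assumes Squid at 192.168.1.2:3128 and that the gateway
serves the file from a web server (path and URL are this example's choice,
e.g. /var/www/proxy.pac as http://192.168.1.1/proxy.pac); how Squid's state
is probed is left to the caller.
"""
from pathlib import Path
from typing import Optional

SQUID = "192.168.1.2:3128"


def build_pac(proxy_up: bool) -> str:
    """Return the JavaScript the browser evaluates for every request.
    'PROXY ...; DIRECT' already makes browsers fall back to a direct
    connection when the proxy refuses, so the 'down' file only matters
    for making that fallback immediate instead of a per-request retry."""
    route = f'"PROXY {SQUID}; DIRECT"' if proxy_up else '"DIRECT"'
    return f"""function FindProxyForURL(url, host) {{
    // Local names and LAN addresses never go through the cache.
    if (isPlainHostName(host) || shExpMatch(host, "192.168.1.*"))
        return "DIRECT";
    // Only plain HTTP is worth caching; leave https and the rest direct.
    if (url.substring(0, 5) != "http:")
        return "DIRECT";
    return {route};
}}
"""


def pac_update(current: Optional[str], proxy_up: bool) -> Optional[str]:
    """Decide whether the served file must change. Returns the new contents,
    or None when the file already says the right thing, so a poller can
    leave the mtime alone and browsers keep their cached copy."""
    wanted = build_pac(proxy_up)
    return None if current == wanted else wanted


def refresh_pac(path: Path, proxy_up: bool) -> bool:
    """Apply pac_update to the file on disk; True when it was rewritten."""
    current = path.read_text() if path.exists() else None
    new = pac_update(current, proxy_up)
    if new is None:
        return False
    path.write_text(new)
    return True
```

Point browsers at the PAC URL explicitly rather than relying on WPAD auto-discovery: a spoofed wpad host on the LAN can hand every browser an attacker's proxy, which is exactly the position a transparent cache occupies.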
 
LVL 1

Author Comment

by:Naito
ID: 8171398
well we're working on getting the gateway to forward the HTTP requests to the squid proxy server automatically without any client setup whatsoever first.  I figure once we get that working, I could write a script that'd test if the squid proxy is up and add or delete that routing rule accordingly, thus implementing a form of smart-switching.  Haven't been able to do that just yet.  Thanks for the offer though!
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8171429
sorry for my question, but...

which apache is answering you? 192.168.1.1 or 192.168.1.2 ???

is squid up and running?
(ps -efa | grep squid on the 192.168.1.2 server)
0
 
LVL 1

Author Comment

by:Naito
ID: 8171464
192.168.1.2's apache....192.168.1.1 isn't running anything...

Squid is up and running, it still responds when I set proxy servers in clients to it.

[root@Polaris etc]# ps -efa | grep squid
root       816     1  0 15:40 ?        00:00:00 squid
squid      829   816  1 15:40 ?        00:06:07 (squid)
squid      844   829  0 15:40 ?        00:00:00 (unlinkd)
root      1891  1811  0 23:00 pts/0    00:00:00 grep squid

(FYI Polaris is 192.168.1.2, Aldebaran is 192.168.1.1)
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8171475
mmhh... please post the output of iptables -L -v --table nat
this being run in 192.168.1.1

I need to figure out what is really happening there
0
 
LVL 1

Author Comment

by:Naito
ID: 8171511
[root@Aldebaran root]# iptables -L -v --table nat
Chain PREROUTING (policy ACCEPT 2529 packets, 264K bytes)
 pkts bytes target     prot opt in     out     source               destination
  145  6960 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
    1    60 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:ftp to:192.168.1.2:21
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns2.pictronics.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       CORPWEBvip10.doubleclick.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns1.netshelter.net

Chain POSTROUTING (policy ACCEPT 187 packets, 9235 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   432 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:http to:192.168.1.1
    0     0 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:ftp to:192.168.1.1
 1664 80959 MASQUERADE  all  --  any    eth0    anywhere             anywhere  

Chain OUTPUT (policy ACCEPT 279 packets, 9381 bytes)
 pkts bytes target     prot opt in     out     source               destination
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8171543
here is the problem:

 145  6960 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
   

if you see, it's redirected to port 80, and not port 3128.

this rule should be changed:
$ipt -t nat -A PREROUTING -p tcp -i eth0 -s ! 192.168.1.2 --dport 80 -j DNAT --to-destination 192.168.1.2:3128

oh, please change my test firewall script to:
#Now the redirections:
$ipt -t nat -A PREROUTING -p tcp -i eth0 -s ! 192.168.1.2 --dport 80 -j DNAT --to-destination 192.168.1.2:3128
$ipt -t nat -A PREROUTING -p udp -i eth0 --dport 1026 -j DNAT --to-destination 192.168.1.2:20002
$ipt -t nat -A PREROUTING -p tcp -i eth1 -d aaa.bbb.ccc.ddd --dport 80 -j DNAT --to-destination 192.168.1.2:80
$ipt -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.1.2:3128


restart the script and it will clear the iptables and start again. now you will have the rules right.

:)
0
 
LVL 1

Author Comment

by:Naito
ID: 8171623
145  6960 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
   1    60 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:ftp to:192.168.1.2:21

I believe those two are there because I have incoming HTTP and FTP requests from the internet forwarded to Polaris, as the HTTP server and FTP server are running on that. So I don't think it's those....?

I tried the firewall script you gave me, but that completely kills all routing from Aldebaran, even with the changes. Can't even access SSH...

P.S. I REALLY appreciate all the time both of you are putting into this problem, if I had more points to give away I would.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8171795
This is the problem:
145  6960 DNAT       tcp  --  any    any    
the first "any" is the "from" interface. this SHOULD be eth0


in my last script I mixed things up and put eth0 as local. sorry. :/

so lets start talking about rules and not about scripts:

# Redirect outside connections to the real web server
iptables -I PREROUTING -t nat -i eth0 -d aaa.bbb.ccc.ddd -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80

# Redirect internal connections to the real web server (is it necessary?)
iptables -I PREROUTING -t nat -i eth1 -d aaa.bbb.ccc.ddd -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80

# Redirect internal users to the squid cache
#   (but not the squid computer itself!)
iptables -I PREROUTING -t nat -i eth1 -s ! 192.168.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128


please config your firewall with this rules and test
0
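The rule set above plus the "smart switching" part the question asked for, as an added example that is neither the thread's code nor ViSolve's: a poller on the gateway that probes Squid and inserts or deletes the redirect accordingly. Addresses and port are the thread's; the LAN interface (eth1), the probe URL, the poll interval and a modern iptables (1.4 or later, which writes the negation as `! -s`; the 2003-era syntax is `-s !`) are assumptions. It adds one rule the thread never states: a POSTROUTING SNAT for the redirected connections. Squid and the clients share one segment here, so without it Squid's SYN-ACK goes straight back to the client, which never opened a connection to 192.168.1.2:3128 and resets it. That matches "the DNAT counter moves but Squid's access.log stays empty", and the ClarkConnect SNAT rule for `--dport 80` cannot cover it because POSTROUTING sees the already-rewritten port 3128. The thread never confirms its root cause, so treat this as the standard explanation, not a verified one.

```python
"""
Smart switching for the transparent Squid redirect, run as root on the
gateway (192.168.1.1). Added example, not code from the thread.
Assumptions: LAN interface eth1, iptables 1.4+ ("! -s" negation), a probe
URL of www.example.com, and that the POSTROUTING SNAT is the wanted fix for
one-armed DNAT (Squid on the same segment as the clients).
"""
import socket
import subprocess
import time
from typing import Callable, List, NamedTuple, Optional, Sequence, Tuple

GATEWAY_LAN_IP = "192.168.1.1"
LAN_IF = "eth1"
LAN_NET = "192.168.1.0/24"
SQUID_IP, SQUID_PORT = "192.168.1.2", 3128
PROBE_HOST = "www.example.com"   # any site; only the proxy's reply matters

Runner = Callable[[Sequence[str]], int]   # runs iptables with args, returns rc


class NatRule(NamedTuple):
    chain: str
    match: List[str]


def redirect_rules() -> List[NatRule]:
    """The two nat rules that make up the redirect."""
    return [
        # LAN web traffic to Squid, but never traffic *from* Squid, otherwise
        # Squid's own fetches loop back into itself.
        NatRule("PREROUTING", ["-i", LAN_IF, "!", "-s", SQUID_IP, "-p", "tcp",
                               "--dport", "80", "-j", "DNAT",
                               "--to-destination", f"{SQUID_IP}:{SQUID_PORT}"]),
        # Replies must come back through the box that rewrote the packet.
        NatRule("POSTROUTING", ["-s", LAN_NET, "-d", SQUID_IP, "-p", "tcp",
                                "--dport", str(SQUID_PORT), "-j", "SNAT",
                                "--to-source", GATEWAY_LAN_IP]),
    ]


def run_iptables(args: Sequence[str]) -> int:
    return subprocess.run(["iptables", *args], stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


class InMemoryRuleTable:
    """Dry-run backend with iptables -C/-I/-D semantics, so the switching
    logic can be exercised without root or a Squid box."""
    def __init__(self) -> None:
        self.rules: set = set()

    def __call__(self, args: Sequence[str]) -> int:
        op, key = args[2], (args[3], tuple(args[4:]))   # skip "-t nat"
        if op == "-C":
            return 0 if key in self.rules else 1
        if op == "-I":
            self.rules.add(key)
            return 0
        if op == "-D":
            self.rules.discard(key)
            return 0
        return 2


def set_redirect(enabled: bool, run: Runner = run_iptables) -> List[str]:
    """Converge the nat table on the wanted state. -C makes it idempotent
    (no duplicate rules on repeated 'up', no error on repeated 'down');
    -I rather than -A puts the redirect ahead of older rules that would
    otherwise take the packets first."""
    actions = []
    for chain, match in redirect_rules():
        present = run(["-t", "nat", "-C", chain, *match]) == 0
        if enabled and not present:
            run(["-t", "nat", "-I", chain, *match])
            actions.append(f"I {chain}")
        elif not enabled and present:
            run(["-t", "nat", "-D", chain, *match])
            actions.append(f"D {chain}")
    return actions


def parse_http_status(head: bytes) -> Optional[int]:
    """Status code from the first bytes of a proxy reply, or None when it is
    not HTTP at all (wrong daemon on the port, or a hung Squid)."""
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        return None
    return int(parts[1])


def squid_alive(host: str = SQUID_IP, port: int = SQUID_PORT, timeout: float = 3.0) -> bool:
    """A real proxy request, not a bare TCP connect: a Squid that accepts
    connections but never answers must count as down."""
    req = (f"GET http://{PROBE_HOST}/ HTTP/1.0\r\nHost: {PROBE_HOST}\r\n"
           "Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req)
            head = sock.recv(64)
    except OSError:
        return False
    return parse_http_status(head) is not None


def reconcile(probe: Callable[[], bool] = squid_alive,
              run: Runner = run_iptables) -> Tuple[bool, List[str]]:
    """One switching pass: probe, then converge. Returns the probe result
    and the actions taken, so a caller logs only real changes."""
    alive = probe()
    return alive, set_redirect(alive, run)


if __name__ == "__main__":
    while True:                        # poll loop; a cron job would do as well
        alive, actions = reconcile()
        if actions:
            print(f"squid {'up' if alive else 'down'}: {' '.join(actions)}")
        time.sleep(10)
```

When Squid is down the rules are removed and clients go direct through the NAT, which is the fail-open behaviour the question asks for; if the cache is also an enforcement point (filtering ACLs), fail-open is the wrong policy and the "down" branch should block port 80 instead.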
 
LVL 1

Author Comment

by:Naito
ID: 8171936
same result

I have a feeling it's forwarding properly now, but for some reason Squid on 1.2 isn't responding to requests from Aldebaran (1.1).
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8172010
please post again the results of iptables -L -v --table nat
0
 
LVL 1

Author Comment

by:Naito
ID: 8172129
[root@Aldebaran root]# iptables -L -v --table nat
Chain PREROUTING (policy ACCEPT 1988 packets, 177K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
    2    96 DNAT       tcp  --  eth1   any    !Polaris.chanhome.ca  anywhere           tcp dpt:http to:192.168.1.2:3128
   13   640 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
    0     0 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:ftp to:192.168.1.2:21
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns2.pictronics.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       CORPWEBvip10.doubleclick.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns1.netshelter.net

Chain POSTROUTING (policy ACCEPT 22 packets, 1127 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    96 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:http to:192.168.1.1
    0     0 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:ftp to:192.168.1.1
 1619 87998 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 167 packets, 5509 bytes)
 pkts bytes target     prot opt in     out     source               destination
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8174721
It's working now...
what's wrong?

oh, I see.. the third rule should not exist. it's taking all the packets!

please delete that rule which sends all the traffic going to your external address (but without specifying that the interface should be eth0) to 192.168.1.2:80

by the way... ftp will not work properly. it's a problem in any firewall software, as it uses port 21 and port 20, and then several other ports :/
0
 
LVL 1

Author Comment

by:Naito
ID: 8181355
current progress:
when I add that rule
setting clients to no proxy causes no websites to load
setting clients to proxy to 192.168.1.2:3128 will load websites properly through Squid cache

oi...
0
 
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8186818
you need to check the logs from squid now

they should be in /usr/local/squid/logs if you installed from scratch.

if it came with your distro, then maybe they are in /etc/squid somewhere.

this is now a problem with squid.
0
 
LVL 1

Author Comment

by:Naito
ID: 8187336
2003/03/23 14:39:50| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2003/03/23 14:39:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.

access logs show nothing when trying to open webpages, unless clients manually directed to proxy
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8192770
mmhh...
when you do an iptables -L -v --table nat
it shows how many packets are going from one interface to the other, per rule.

if your rule which forwards the packets has a 0 (zero) then some other rule is taking them first, and those never come to the squid program.

what I can see is that you have several rules, kind of... not very organized. maybe we can work some more on those rules, to get what you want working right.

would you mind posting what you want your firewall setup to do?
0
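The diagnostic above (a zero counter on the redirect rule means an earlier rule is taking the packets), turned into an added example that is not part of the thread: a small lint over the output of `iptables -t nat -L PREROUTING -v -n`. It reports port-80 DNAT rules bound to no input interface (the "any" problem pointed out earlier), redirect rules that do not exclude the Squid host as source (the loop), and a redirect rule with zero hits together with the earlier rules whose match covers it. The embedded listing is constructed to mirror the tables posted in this thread; 203.0.113.10 stands in for the masked public address, and the overlap test is a conservative approximation (it ignores state, mark and other matches).

```python
"""
Lint for a gateway's nat PREROUTING chain. Added example, not from the
thread. Run it as:
    iptables -t nat -L PREROUTING -v -n | python3 natlint.py
With nothing on stdin it lints the constructed SAMPLE_LISTING below
(203.0.113.10 is a placeholder for the gateway's public address).
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

SQUID_IP, SQUID_PORT = "192.168.1.2", 3128
ANY = "0.0.0.0/0"

# Constructed sample in `-v -n` format: a catch-all port-80 DNAT ahead of the
# Squid redirect, the redirect without the source exclusion, plus the ftp
# forward that is irrelevant to the cache.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 2529 packets, 264K bytes)
 pkts bytes target     prot opt in     out     source               destination
  145  6960 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.2:80
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.2:3128
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:21 to:192.168.1.2:21
"""


@dataclass
class Rule:
    index: int
    pkts: int
    target: str
    proto: str
    in_if: str
    src: str
    dst: str
    dport: Optional[int]
    to: Optional[str]


_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def _count(text: str) -> int:
    """iptables -v abbreviates counters ('264K'); turn them back into ints."""
    if text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


def parse_listing(text: str) -> List[Rule]:
    """Columns of -v -n output: pkts bytes target prot opt in out src dst [extra]."""
    rules: List[Rule] = []
    for line in text.splitlines():
        cols = line.split()
        # Rule lines start with a counter; the chain and header lines do not.
        if len(cols) < 9 or not re.fullmatch(r"\d+[KMG]?", cols[0]):
            continue
        extra = " ".join(cols[9:])
        dport = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append(Rule(len(rules) + 1, _count(cols[0]), cols[2], cols[3],
                          cols[5], cols[7], cols[8],
                          int(dport.group(1)) if dport else None,
                          to.group(1) if to else None))
    return rules


def _covers(earlier: Rule, later: Rule) -> bool:
    """Could traffic meant for `later` match `earlier` first? A field the
    earlier rule leaves unconstrained covers anything the later one asks."""
    return (earlier.proto in ("all", later.proto)
            and earlier.in_if in ("*", later.in_if)
            and earlier.src in (ANY, later.src)
            and earlier.dst in (ANY, later.dst)
            and earlier.dport in (None, later.dport))


def lint(rules: List[Rule]) -> List[str]:
    findings = []
    for rule in rules:
        if rule.target != "DNAT" or rule.dport != 80:
            continue
        redirect = rule.to == f"{SQUID_IP}:{SQUID_PORT}"
        if rule.in_if == "*":
            findings.append(f"rule {rule.index}: port-80 DNAT with no input interface; "
                            "it catches traffic from every side of the gateway")
        if redirect and rule.src != f"!{SQUID_IP}":
            findings.append(f"rule {rule.index}: redirect to Squid does not exclude "
                            f"{SQUID_IP} as source; Squid's own fetches will loop back")
        if redirect and rule.pkts == 0:
            shadows = [e for e in rules[: rule.index - 1] if _covers(e, rule)]
            for e in shadows:
                findings.append(f"rule {rule.index}: 0 packets; shadowed by rule "
                                f"{e.index} ({e.pkts} packets)")
            if not shadows:
                findings.append(f"rule {rule.index}: 0 packets and no earlier rule covers it; "
                                f"check that port-80 traffic really arrives on {rule.in_if}")
    return findings


if __name__ == "__main__":
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for finding in lint(parse_listing(text)) or ["no findings"]:
        print(finding)
```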
 
LVL 1

Author Comment

by:Naito
ID: 8192881
this is after 2 requests with no proxy set on clients:
Chain PREROUTING (policy ACCEPT 423 packets, 51446 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       tcp  --  eth1   any    !Polaris.chanhome.ca  anywhere           tcp dpt:http to:192.168.1.2:3128

before the request there are no packets...so it seems that rule is catching it and forwarding correctly....but squid doesn't respond, and doesn't even see the request according to the logs...

The firewall is probably messy because it was made by ClarkConnect, I didn't put that together....at this point I just want it to:
do NAT properly so clients can share internet access
forward HTTP requests from the internet to the server running on 192.168.1.2
forward HTTP requests from the intranet to the squid cache running on 192.168.1.2
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8192989
your squid settings are right? is it answering to internal requests?

please remember to check this is in your squid.conf:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


if you have not restarted squid, issue a
squid -k reconfigure
in your 192.168.1.2
0
 
LVL 1

Author Comment

by:Naito
ID: 8193153
Squid answers fine when I set my clients to proxy to it manually....
all the above httpd_accel settings are set, squid has been restarted numerous times

mysterious eh?
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8193287
and the ACLs???
please post them

there *must* be some answer from squid. please see in the logs, or with a
tail /var/log/syslog
tail /var/log/messages

or maybe you will need to issue a:

squid -k shutdown

and then re-run it with
squid -N to see all the messages in the screen
0
 
LVL 1

Author Comment

by:Naito
ID: 8197267
Squid's access.log shows normal activity when my clients are set to manually proxy to squid as I've said, but without the manual setting, it stays completely blank.
--------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0
http_access allow our_networks
http_access deny all
0
 

Expert Comment

by:CleanupPing
ID: 9077646
Naito:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Author Comment

by:Naito
ID: 9169225
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 9169250
pretty good! but please post here what the root cause was, at least, I want to know what it was!

Regards
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 9169259
ok. I have read the document... will see what we are missing in the posts
0
