Smart Switching squid cache

Is it possible to use iptables to implement a smart switching transparent cache as described at http://squid.visolve.com/white_papers/trans_caching.htm?

I have 2 machines, 192.168.1.1 and 192.168.1.2, the squid cache is on 192.168.1.2, while the 1.1 rig is the one actually connected to the internet.  How do I either do the smart switching, or just have 1.1 forward all HTTP requests to 1.2?
Asked by Naito

suguinha commented:
You only have to setup iptables on the DEFAULT GATEWAY of your clients to forward http requests to the squid machine. The squid machine itself must have free access so you won't create a network loop.
If the squid server is not a router on your network, you don't have to worry about forwarding. Just enable transparent when compiling it.

Naito (Author) commented:
sorry, wasn't too clear on that question

right now all HTTP queries by default go to 192.168.1.1, which doesn't have Squid.  I want to either make it so that 192.168.1.1 knows to automatically forward all HTTP requests to the Squid server on 192.168.1.2 when it's available, or if that's not possible, to just always forward all HTTP requests to it.  Right now all my client machines have to manually set the proxy server setting in their browsers; I want to get rid of having to do that.

thanks for the reply tho.

Gabriel Orozco (Solution Architect) commented:
ok.
this what you have to add in your linux box:
(assuming your requests come from eth0)

iptables -I PREROUTING -t nat -i eth0 -p tcp -d ! 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.2:3128

of course, your squid must be configured to look into the header of the request, as all the requests will be going to it instead of the internet. in squid.conf, be sure you have:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


add the rule to your firewall/nat script, add these lines to squid.conf, and restart squid.

now try :)

Naito (Author) commented:
nope =(
can't connect to any site with that rule added in. Requests are coming from ETH1 so I changed the interface accordingly, but it still doesn't work...if I delete it everything works again.  Squid is already accepting connections to port 3128, Access.log shows proper activity when browsers are set to proxy to it, but if I remove the proxy setting in the browser and add that rule, browser says "website not responding".

Gabriel Orozco (Solution Architect) commented:
try the rule with this version:

iptables -I PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128


Naito (Author) commented:
still no go.... same result...

does this help? my current IPTables setup:

# Generated by iptables-save v1.2.5 on Wed Mar 19 21:48:27 2003
*mangle
:PREROUTING ACCEPT [78887:15618351]
:INPUT ACCEPT [1895:339546]
:FORWARD ACCEPT [76821:15238049]
:OUTPUT ACCEPT [1090:147181]
:POSTROUTING ACCEPT [77796:15360207]
COMMIT
# Completed on Wed Mar 19 21:48:27 2003
# Generated by iptables-save v1.2.5 on Wed Mar 19 21:48:27 2003
*nat
:PREROUTING ACCEPT [1734:338469]
:POSTROUTING ACCEPT [84:4151]
:OUTPUT ACCEPT [133:4751]
-A PREROUTING -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 1026 -j DNAT --to-destination 192.168.1.0:20002
-A PREROUTING -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
-A PREROUTING -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -d aaa.bbb.ccc.ddd -p udp -m udp --dport 1026 -j DNAT --to-destination 192.168.1.0:20002
-A PREROUTING -s 192.168.1.0/255.255.255.0 -d 64.152.64.69 -j DROP
-A PREROUTING -s 192.168.1.0/255.255.255.0 -d 199.95.206.210 -j DROP
-A PREROUTING -s 192.168.1.0/255.255.255.0 -d 69.0.155.52 -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0 -p tcp -m tcp --dport 1026 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.2 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0 -p udp -m udp --dport 1026 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 19 21:48:27 2003
# Generated by iptables-save v1.2.5 on Wed Mar 19 21:48:27 2003
*filter
:INPUT DROP [1:440]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:drop-lan - [0:0]
:drop-reserved - [0:0]
:drop-trojan - [0:0]
:flag-lan - [0:0]
:testing - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 1.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 23.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 31.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 96.0.0.0/224.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 128.0.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 128.9.64.26 -i eth0 -j drop-reserved
-A INPUT -s 128.66.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 191.255.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 197.0.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 201.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 223.255.255.0/255.255.255.0 -i eth0 -j drop-reserved
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 248.0.0.0/248.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -i eth0 -p tcp -m tcp --dport 1875 -j ACCEPT
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -p udp -m udp --dport 1024:65535 -j ACCEPT
-A INPUT -d aaa.bbb.ccc.ddd -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -o eth0 -p tcp -m tcp --dport 111 -j drop-lan
-A FORWARD -o eth0 -p udp -m udp --dport 111 -j drop-lan
-A FORWARD -o eth0 -p tcp -m tcp --dport 137:139 -j drop-lan
-A FORWARD -o eth0 -p udp -m udp --dport 137:139 -j drop-lan
-A FORWARD -o eth0 -p tcp -m tcp --dport 635 -j drop-lan
-A FORWARD -o eth0 -p udp -m udp --dport 635 -j drop-lan
-A FORWARD -i ! eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A FORWARD -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p icmp -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p tcp -m tcp --sport 1875 -j ACCEPT
-A OUTPUT -o ! eth0 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
-A OUTPUT -s aaa.bbb.ccc.ddd -o eth0 -p udp -m udp --sport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A drop-lan -j LOG --log-prefix "Drop - LAN only: "
-A drop-lan -j REJECT --reject-with icmp-port-unreachable
-A drop-reserved -j LOG --log-prefix "Drop - reserved network: "
-A drop-reserved -j DROP
-A drop-trojan -j LOG --log-prefix "Drop - trojan-flooder: "
-A drop-trojan -j DROP
-A flag-lan -j LOG --log-prefix "Flag: "
-A flag-lan -j ACCEPT
-A testing -j LOG --log-prefix "testing: "
-A testing -j ACCEPT
COMMIT
# Completed on Wed Mar 19 21:48:27 2003

Naito (Author) commented:
is it THIS line possibly causing problems?

-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1

Naito (Author) commented:
n/m, ignore that last comment

Gabriel Orozco (Solution Architect) commented:
mmhh...
please try with a simple firewall and then troubleshoot your current firewall. this is a sample:

#Activate IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="`which iptables`"
outside=eth0
inside=eth1

# Start clean: flush all tables, delete user chains, default to DROP
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Avoid Floodings (chain created after the flush, so it keeps its rules)
$ipt -N FLOOD
$ipt -A FLOOD -m limit --limit 2/s --limit-burst 5 -j RETURN
$ipt -A FLOOD -j DROP

# Loopback and the inside network are trusted (OUTPUT matches -o, not -i)
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i $inside -j ACCEPT
$ipt -A OUTPUT -o $inside -j ACCEPT
$ipt -A FORWARD -i $inside -j ACCEPT

# Replies to connections already opened by this host or by the LAN
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept at least traffic to ssh into this host.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
#now the nat thing.
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE

$ipt -A INPUT -j FLOOD
$ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

#Now the redirections (DNAT lives in the nat table, so -t nat is required):
$ipt -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.2:80
$ipt -t nat -A PREROUTING -p udp -i eth0 --dport 1026 -j DNAT --to-destination 192.168.1.2:20002
$ipt -t nat -A PREROUTING -p tcp -i eth1 -d aaa.bbb.ccc.ddd --dport 80 -j DNAT --to-destination 192.168.1.2:80
$ipt -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.1.2:3128



and test it. it's very simple and can be used as a test bed, and later as something to build upon.

Naito (Author) commented:
idea:
iptables -I PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128

this rule that you suggested, it should work, all machines asking for HTTP on eth1 will get redirected to 192.168.1.2:3128....BUT, 192.168.1.2 itself is also on eth1, so when the squid cache gets the request and tries to get the updated page, it loops back on itself and is unable to connect?  how to exclude 192.168.1.2 from that rule then?

going to try that simple firewall you gave me, thank you very much! getting a major crash course in iptables today hehe
 
Gabriel Orozco (Solution Architect) commented:
you are right! I didn't understand that.

ok, maybe the rule will look better like this:

iptables -I PREROUTING -t nat -i eth1 -s ! 192.168.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128


Naito (Author) commented:
ok, getting there I think! now it might be just my Squid setup:

it STILL doesn't send stuff to the cache, but when I changed the port it was being forwarded to to 80, my Apache page came up instead, and it's always coming up no matter what web page I type in the URL.  

httpd_accel_uses_host_header on

doesn't seem to be working....?

suguinha commented:
I still don't understand what you intend.
If the problem is just that your proxy isn't always on, you could set up a proxy auto-setup script on the gateway. Note that browsers support automatic proxy setup by accessing a script provided by the user (actually a JavaScript file).

You could write a program to see if the proxy is up or down. If it's up, then put the script there. If it's not, then replace the script with one that tells the browser not to use proxies. This avoids the necessity of changing the client's setup when the proxy goes up or down.

If this is reasonable, I could write one for you upon your request.

Naito (Author) commented:
well we're working on getting gateway to forward the HTTP requests to the squid proxy server automatically without any client setup whatsoever first.  I figure once we get that working, I could write a script that'd test if the squid proxy is up and add or delete that routing rule accordingly, thus implementing a form of smart-switching.  Haven't been able to do that just yet.  Thanks for the offer tho!

Gabriel Orozco (Solution Architect) commented:
sorry for my question, but...

which apache is answering you? 192.168.1.1 or 192.168.1.2 ???

is squid up and running?
(ps -efa | grep squid in 192.168.1.2 server)

Naito (Author) commented:
192.168.1.2's apache....192.168.1.1 isn't running anything...

Squid is up and running, it still responds when I set proxy servers in clients to it.

[root@Polaris etc]# ps -efa | grep squid
root       816     1  0 15:40 ?        00:00:00 squid
squid      829   816  1 15:40 ?        00:06:07 (squid)
squid      844   829  0 15:40 ?        00:00:00 (unlinkd)
root      1891  1811  0 23:00 pts/0    00:00:00 grep squid

(FYI Polaris is 192.168.1.2, Aldebaran is 192.168.1.1)

Gabriel Orozco (Solution Architect) commented:
mmhh... please post the output of iptables -L -v --table nat
this being run in 192.168.1.1

I need to figure out what is really happening there

Naito (Author) commented:
[root@Aldebaran root]# iptables -L -v --table nat
Chain PREROUTING (policy ACCEPT 2529 packets, 264K bytes)
 pkts bytes target     prot opt in     out     source               destination
  145  6960 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
    1    60 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:ftp to:192.168.1.2:21
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns2.pictronics.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       CORPWEBvip10.doubleclick.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns1.netshelter.net

Chain POSTROUTING (policy ACCEPT 187 packets, 9235 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   432 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:http to:192.168.1.1
    0     0 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:ftp to:192.168.1.1
 1664 80959 MASQUERADE  all  --  any    eth0    anywhere             anywhere  

Chain OUTPUT (policy ACCEPT 279 packets, 9381 bytes)
 pkts bytes target     prot opt in     out     source               destination

Gabriel Orozco (Solution Architect) commented:
here is the problem:

 145  6960 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
   

if you see, it's redirected to the port 80, and not the port 3128.

this rule should be changed:
$ipt -t nat -A PREROUTING -p tcp -i eth0 -s ! 192.168.1.2 --dport 80 -j DNAT --to-destination 192.168.1.2:3128

oh, please change my test firewall script to:
#Now the redirections:
$ipt -t nat -A PREROUTING -p tcp -i eth0 -s ! 192.168.1.2 --dport 80 -j DNAT --to-destination 192.168.1.2:3128
$ipt -t nat -A PREROUTING -p udp -i eth0 --dport 1026 -j DNAT --to-destination 192.168.1.2:20002
$ipt -t nat -A PREROUTING -p tcp -i eth1 -d aaa.bbb.ccc.ddd --dport 80 -j DNAT --to-destination 192.168.1.2:80
$ipt -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.1.2:3128

restart the script and it will clear the iptables and start again. now you will have the rules right.

:)

Naito (Author) commented:
145  6960 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
   1    60 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:ftp to:192.168.1.2:21

I believe those two are there because I have incoming HTTP and FTP requests from the internet forwarded to Polaris, as the HTTP server and FTP server are running on that. So I don't think it's those....?

I tried the firewall script you gave me, but that completely kills all routing from Aldebaran, even with the changes. Can't even access SSH...

P.S. I REALLY appreciate all the time both of you are putting into this problem, if I had more points to give away I would.

Gabriel Orozco (Solution Architect) commented:
This is the problem:
145  6960 DNAT       tcp  --  any    any    
the first "any" is the "from" interface. this SHOULD be eth0


in my last script I mixed things and put eth0 as local. sorry. :/

so lets start talking about rules and not about scripts:

# Redirect outside connections to the real web server
iptables -I PREROUTING -t nat -i eth0 -d aaa.bbb.ccc.ddd -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80

# Redirect internal connections to the real web server (is it necessary?)
iptables -I PREROUTING -t nat -i eth1 -d aaa.bbb.ccc.ddd -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80

# Redirect internal users to the squid cache
#   (but not the squid computer itself!)
iptables -I PREROUTING -t nat -i eth1 -s ! 192.168.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128


please config your firewall with these rules and test
 
Naito (Author) commented:
same result

I have a feeling it's forwarding properly now, but for some reason Squid on 1.2 isn't responding to requests from Aldebaran (1.1).

Gabriel Orozco (Solution Architect) commented:
please post again the results of iptables -L -v --table nat

Naito (Author) commented:
[root@Aldebaran root]# iptables -L -v --table nat
Chain PREROUTING (policy ACCEPT 1988 packets, 177K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
    2    96 DNAT       tcp  --  eth1   any    !Polaris.chanhome.ca  anywhere           tcp dpt:http to:192.168.1.2:3128
   13   640 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:http to:192.168.1.2:80
    0     0 DNAT       tcp  --  any    any     anywhere             CPE00036d1443f7-CM00803786a81c.cpe.net.cable.rogers.comtcp dpt:ftp to:192.168.1.2:21
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns2.pictronics.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       CORPWEBvip10.doubleclick.com
    0     0 DROP       all  --  any    any     192.168.1.0/24       ns1.netshelter.net

Chain POSTROUTING (policy ACCEPT 22 packets, 1127 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    96 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:http to:192.168.1.1
    0     0 SNAT       tcp  --  any    any     192.168.1.0/24       Polaris.chanhome.catcp dpt:ftp to:192.168.1.1
 1619 87998 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 167 packets, 5509 bytes)
 pkts bytes target     prot opt in     out     source               destination

Gabriel Orozco (Solution Architect) commented:
It's working now...
what's wrong?

oh, I see.. the third rule should not exist. it's taking all the packets!

please delete that rule which sends all the traffic going to your external address (but without specifying that the interface should be eth0) to 192.168.1.2:80

by the way... ftp will not work properly. it's a problem in any firewall software, as it uses port 21 and port 20, and then several other ports :/

Naito (Author) commented:
current progress:
when I add that rule
setting clients to no proxy causes no websites to load
setting clients to proxy to 192.168.1.2:3128 will load websites properly through Squid cache

oi...
 
Gabriel Orozco (Solution Architect) commented:
you need to check the logs from squid now

they should be in /usr/local/squid/logs if you installed from scratch.

if it came with your distro, then maybe they are in /etc/squid somewhere.

this is now a problem with squid.

Naito (Author) commented:
2003/03/23 14:39:50| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2003/03/23 14:39:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.

access logs show nothing when trying to open webpages, unless clients manually directed to proxy

Gabriel Orozco (Solution Architect) commented:
mmhh...
when you do an iptables -L -v --table nat
it shows how many packets are going from one interface to the other, per each rule.

if your rule which forwards the packets has a 0 (zero) then some other rule is taking them first, and those never come to the squid program.

what I can see, is that you have several rules, kind of... not very organized. maybe we can work some more in those rules, to get what you want working right.

would you mind posting what you want your firewall setup to do?

Naito (Author) commented:
this is after 2 requests with no proxy set on clients:
Chain PREROUTING (policy ACCEPT 423 packets, 51446 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       tcp  --  eth1   any    !Polaris.chanhome.ca  anywhere           tcp dpt:http to:192.168.1.2:3128

before request there are no packets...so it seems that rule is catching it and forwarding correctly....but squid doesn't respond, and doesn't even see the request according to the logs...

The firewall is probably messy cuz it was made by ClarkConnect, I didn't put that together....at this point I just want it to:
do NAT properly so clients can share internet access
forward HTTP requests from internet to server running on 192.168.1.2
forward HTTP requests from intranet to squid cache running on 192.168.1.2

Gabriel Orozco (Solution Architect) commented:
your squid settings are right? is it answering to internal requests?

please remember to check this is in your squid.conf:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


if you have not restarted squid, issue a
squid -k reconfigure
in your 192.168.1.2

Naito (Author) commented:
Squid answers fine when I set my clients to proxy to it manually....
all the above httpd_accel settings are set, squid has been restarted numerous times

mysterious eh?

Gabriel Orozco (Solution Architect) commented:
and the ACL's???
please post them

there *must* be some answer from squid. please see in the logs, or with a
tail /var/log/syslog
tail /var/log/messages

or maybe you will need to issue a:

squid -k shutdown

and then re-run it with
squid -N to see all the messages in the screen

Naito (Author) commented:
Squid's access.log shows normal activity when my clients are set to manually proxy to squid as I've said, but without the manual setting, it stays completely blank.
--------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0
http_access allow our_networks
http_access deny all
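The thread asks for two things that never quite come together: Gabriel's final redirect rule that excludes the Squid host so it cannot loop on itself, and the asker's idea of a script that adds or removes that rule depending on whether Squid is up ("smart switching"). The script below is an added example that does both on the gateway; it is not code from the thread, from ClarkConnect or from Squid. The interface, address and port values are the thread's; the function names, the health check and the companion SNAT rule are my assumptions, the SNAT rule being there because Squid sits on the same segment as the clients, which is a common cause of exactly the symptom the thread ends on (the DNAT counter rises but access.log stays empty: Squid's reply goes straight to the client, which resets a connection it never opened to 192.168.1.2:3128).

```shell
#!/bin/bash
# Added example, not code from the thread. Runs on the gateway (Aldebaran,
# 192.168.1.1): the transparent-proxy redirect is present only while Squid
# answers on 192.168.1.2:3128, so clients fall back to direct access when the
# cache is down. Assumes bash (/dev/tcp probe), coreutils timeout and an
# iptables that supports -C (1.4.11 and later).

IPT="${IPT:-iptables}"              # overridable, e.g. for a dry run
LAN_IF="${LAN_IF:-eth1}"            # interface the clients (and Squid) sit on
GW_IP="${GW_IP:-192.168.1.1}"       # gateway's LAN address
SQUID_IP="${SQUID_IP:-192.168.1.2}"
SQUID_PORT="${SQUID_PORT:-3128}"

# The redirect the thread arrived at, in current iptables syntax: LAN port-80
# traffic goes to Squid, except traffic from the Squid host itself, which
# would otherwise be sent back into the cache in a loop.
dnat_rule() {
    printf '%s' "PREROUTING -i $LAN_IF ! -s $SQUID_IP -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT"
}

# Companion rule (assumption). Squid is on the same segment as the clients, so
# its replies would go straight to the client and never pass back through the
# gateway's reverse NAT; the client then sees a SYN-ACK from 192.168.1.2:3128
# for a connection it opened to a web server on port 80 and resets it, and
# Squid never logs a completed request. Rewriting the source to the gateway
# forces replies back through it (Squid then logs the gateway as the client).
snat_rule() {
    printf '%s' "POSTROUTING -o $LAN_IF -p tcp -d $SQUID_IP --dport $SQUID_PORT -j SNAT --to-source $GW_IP"
}

# Health check: succeeds only if a TCP connect to Squid's port completes.
squid_up() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$SQUID_IP/$SQUID_PORT" 2>/dev/null
}

# Is the given rule already in the nat table?
rule_present() {
    # shellcheck disable=SC2086  # word splitting of the rule is intended
    $IPT -t nat -C $1 2>/dev/null
}

# Pure decision: "Squid up?" (1/0) and "rule present?" (1/0) -> add|del|none.
decide() {
    if [ "$1" = 1 ] && [ "$2" = 0 ]; then echo add
    elif [ "$1" = 0 ] && [ "$2" = 1 ]; then echo del
    else echo none
    fi
}

# Insert or delete both rules together; "none" is a no-op.
apply() {
    local op rule
    case "$1" in
        add) op=-I ;;
        del) op=-D ;;
        *)   return 0 ;;
    esac
    for rule in "$(dnat_rule)" "$(snat_rule)"; do
        # shellcheck disable=SC2086
        $IPT -t nat $op $rule
    done
}

sync_redirect() {
    local up=0 present=0 action
    squid_up && up=1
    rule_present "$(dnat_rule)" && present=1
    action=$(decide "$up" "$present")
    [ "$action" = none ] || logger -t smartswitch "squid up=$up, rule present=$present: $action redirect"
    apply "$action"
}

# Only act when asked explicitly, e.g. from cron every minute: smartswitch.sh run
if [ "${1:-}" = run ]; then sync_redirect; fi
```

On Squid 2.6 and later the httpd_accel_* directives used in the thread are replaced by a single `http_port 3128 transparent` line (`intercept` from Squid 3.1 on).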
 
CleanupPing commented:
Naito:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Naito (Author) commented:

Gabriel Orozco (Solution Architect) commented:
pretty good! but please post here what the root cause was, at least, I want to know what it was!

Regards

Gabriel Orozco (Solution Architect) commented:
ok. I have read the document... will see what we're missing in the posts