Solved

Transparent proxy clients  & nameservers

Posted on 2003-12-07
7
Medium Priority
377 Views
Last Modified: 2010-03-18

I have a working transparent proxy using squid and iptables. (RedHat 9.0)
If I put an ip address in the client web browser it works.
Names do not work so apparently the web browser cannot find the nameservers squid is using.

If I put the squid box in the web browser as a proxy it works with names.

How can I get this to work transparently with names???
0
Question by:Ted22
7 Comments
 
LVL 4

Expert Comment

by:Jivko
ID: 9895263
On the router:
"Mark" packets of destination port 80 with value 2

router# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 \
 -j MARK --set-mark 2

Set up iproute2 so it will route packets with "mark" 2 to squid-box

router# echo 202 www.out >> /etc/iproute2/rt_tables
router# ip rule add fwmark 2 table www.out
router# ip route add default via 10.0.0.2 dev eth0 table www.out
router# ip route flush cache

#stop ICMP redirects
router# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
router# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
router# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

http://www.lartc.org/lartc.html#LARTC.COOKBOOK.SQUID


On the squid box:
squid-box# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And finally squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

Regards

0
 
LVL 1

Author Comment

by:Ted22
ID: 9895443
They don't let me configure the router and my squid box is configured correctly.

Does that mean I can't do this?
0
 
LVL 4

Accepted Solution

by:
Jivko earned 250 total points
ID: 9895644
So .... how did you make the proxy "transparent" if you can not touch the router ????
0
 
LVL 1

Author Comment

by:Ted22
ID: 9895891
The router is on the other side of the squid box.
To make this sound stranger, the router is behind a firewall.
It's magic as far as I know.

The squid box gets its address from a DHCP server.
The proxy is transparent as long as the squid box is the gateway on the client.
(It works with IP addresses, but not names.)

0
 
LVL 4

Expert Comment

by:Jivko
ID: 9896545
1. Do you have working DNS? (Check your resolv.conf on the squid box)
2. Did you put this:
squid-box# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
at squid box?

3. Did you put this:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

in your squid.conf?

0
 
LVL 1

Author Comment

by:Ted22
ID: 9909501

I double checked all those things.

Maybe I have something in one of those files that's not supposed to be there.

0
 
LVL 1

Author Comment

by:Ted22
ID: 9916700
After looking at the Masquerade HOWTO it said that you must put the name server addresses on the client
if it won't find them. Why it would work sometimes and not others it didn't say. I'll accept one of your comments as an answer because everything you said was correct.
0
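The thread's conclusion (the REDIRECT rule only intercepts HTTP, while client DNS is ordinary traffic that the squid box, acting as the clients' gateway, must forward and masquerade, or the client must point at a reachable nameserver) as a small checker. This is an added example, not code posted in the thread; it assumes an `iptables-save` style dump, a client resolv.conf, and that the squid box's upstream interface is eth1.

```python
"""Diagnose the "IP addresses work, hostnames do not" symptom from the thread.
Added example, not code from the thread: inputs are constructed samples of a
client's resolv.conf, the gateway's /proc/sys/net/ipv4/ip_forward and its
`iptables-save` output. REDIRECT on tcp/80 only catches HTTP; client DNS
(udp/53) is plain forwarded traffic through the squid box acting as gateway."""
import re


def parse_iptables_save(dump):
    """Return ({(table, chain): policy}, [(table, rule)]) from iptables-save text."""
    table, policies, rules = None, {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # "*nat" starts a table
            table = line[1:]
        elif line.startswith(":"):                    # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A"):
            rules.append((table, line))
    return policies, rules


def diagnose(resolv_conf, ip_forward, dump):
    """Return findings explaining why names fail; an empty list means DNS flows."""
    findings = []
    if not re.search(r"^\s*nameserver\s+\S+", resolv_conf, re.M):
        findings.append("client has no nameserver in resolv.conf")
    policies, rules = parse_iptables_save(dump)
    if ip_forward.strip() != "1":
        findings.append("ip_forward is not 1: gateway will not forward client DNS")
    if policies.get(("filter", "FORWARD"), "ACCEPT") != "ACCEPT":
        findings.append("filter FORWARD policy drops forwarded DNS")
    if not any(t == "nat" and r.startswith("-A POSTROUTING") and "-j MASQUERADE" in r
               for t, r in rules):
        findings.append("no MASQUERADE in nat POSTROUTING: DNS replies cannot return")
    return findings


# Constructed samples: only the REDIRECT rule (as in the thread) versus a gateway
# that also masquerades LAN traffic on its upstream interface (assumed eth1).
REDIRECT = "-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128"
BROKEN_DUMP = ("*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n" + REDIRECT
               + "\nCOMMIT\n*filter\n:FORWARD DROP [0:0]\nCOMMIT\n")
FIXED_DUMP = BROKEN_DUMP.replace(REDIRECT, REDIRECT + "\n-A POSTROUTING -o eth1 -j MASQUERADE"
                                 ).replace(":FORWARD DROP", ":FORWARD ACCEPT")

if __name__ == "__main__":
    print(diagnose("search example.lan\n", "0\n", BROKEN_DUMP))   # four findings
    print(diagnose("nameserver 192.0.2.53\n", "1\n", FIXED_DUMP))  # []
```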
