Transparent Proxy Server - Error when redirecting port 80 to port 3128 on the Squid Machine

I have SQUID and IPTABLES running on a machine.  Squid works quite nicely when I tell my web browser to use the SQUID machine's IP address and port.

When I realized I would have to change every workstation on the network and people could still sneak into the setting and remove the proxy settings, it was suggested that I use Transparent Proxying and redirect all of the port 80 destined traffic to port 3128 on the Squid machine.

When I add the line:  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128, all web browsers on the network return the following screen from the SQUID machine.

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: /

The following error was encountered:

Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:

Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed
Your cache administrator is root.



--------------------------------------------------------------------------------

Generated Sun, 21 Nov 2004 17:42:43 GMT by alcatraz (squid/2.5.STABLE5)

*******************************************************

It appears that somehow during the translation the URL goes missing, judging by the "WHILE TRYING TO RETRIEVE THE URL: /" line.  If I hover my mouse over the / in that message, it shows me the URL of the site I typed into the address line of the browser.

Anyhow, could the problem also stem from NAT being done later down the line at my border router to the internet?  I doubt it, it seems like a squid problem.

Any suggestions?  I have read some documents that talked about compiling a kernel with certain options.

I'm running FEDORA 2, which has the 2.6 kernel, and of course I installed with the normal procedure from ISO CD images.  I'm scared to recompile a kernel.

Thanks,

Deeky
deeky Asked:

jlevie Commented:
Where are you applying the iptables rule? On the Squid box or the gateway router?

To work, the transparent proxy rule must be applied on the default gateway for the local LAN. If that system is not the box running Squid, the rule must do a redirect to port 3128 on the SQUID machine's IP. However, if you are using the Squid box as the default gateway, then it needs to be NAT'ing the local network.
0
deeky Author Commented:
The Squid Box is my Gateway Router which is also running Iptables.  (this is all one machine I call a firewall).  It has 4 NICS, 1 to internet router, 1 to PRIVATE LAN, 1 to PUBLIC WIRELESS, 1 to WEB/MAIL server.  I'm only concentrating on two NICS, the one between the Internet Router and the Firewall, and the one between the PRIVATE LAN and the firewall.

I'm trying to get all internet traffic on the PRIVATE LAN, which is going to the firewall anyway because it is the default gateway, to use the SQUID port 3128 instead of the standard port 80.

Somehow, my redirect is not working properly, because Squid WORKS if I point each of my client browsers to the Firewall at port 3128.  The redirect is doing something, because I get the above error generated by Squid, so it is moving the packet to port 3128.  Is there another port that needs to be open for a reply connection?

Deeky
0
jlevie Commented:
Is the box NAT'ing the interior IP's?

Could I see the iptables commands you use to set up the firewall?
0
deeky Author Commented:
No, the only other NAT'ing is done on a Cisco 1720 on the border between us and the internet.

Here are the IPTABLES:

# Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect PRIVATE LAN to PROXY SERVER for port 80 Traffic
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed Nov 17 20:12:27 2004
# Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
*mangle
:PREROUTING ACCEPT [18829:9159599]
:INPUT ACCEPT [8426:862853]
:FORWARD ACCEPT [10401:8296650]
:OUTPUT ACCEPT [8500:860136]
:POSTROUTING ACCEPT [18747:9144950]
COMMIT
# Completed on Wed Nov 17 20:12:27 2004
# Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -o eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_IN:
-A INPUT -i lo -j ACCEPT
# Allow Web Traffic Established Back into FIREWALL
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
# Allow LAN access to Internet
-A FORWARD -m state -s 192.168.1.0/255.255.255.0 -i eth0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state -i eth1 -o eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Output Packets from FIREWALL MACHINE (SQUID)
-A OUTPUT -m state -o eth1 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow Email Server Access to INTERNET Outgoing
-A FORWARD -m state -s 192.168.50.5/255.255.255.0 -i eth2 -o eth1 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow Mailserver Internet Access INCOMING
-A FORWARD -m state -i eth1 -o eth2 --state ESTABLISHED,RELATED -j ACCEPT
# Allow Border Router To Send SYSLOG to Zeus on Private Lan
-A FORWARD -p udp -m udp -s 192.168.100.2 -d 192.168.1.5 -i eth1 -o eth0 --dport 514 -j ACCEPT
# Allow DNS Queries to ZEUS
-A FORWARD -p udp -m udp -m multiport --ports 53 -j ACCEPT
# Allow DNS Replies from ZEUS
-A INPUT -p udp -m udp -m multiport -s 192.168.1.5/255.255.255.0 -d 192.168.1.1/255.255.255.0 -i eth0 --ports 53 -j ACCEPT
# Allow Firewall to transmit DNS request to ZEUS
-A OUTPUT -p udp -m udp -m multiport -s 192.168.1.1/255.255.255.0 -d 192.168.1.5/255.255.255.0 -o eth0 --ports 53 -j ACCEPT
# Accept SQUID requests from PRIVATE LAN
-A INPUT -p tcp -m tcp -m state -s 192.168.1.0/255.255.255.0 -i eth0 --dport 3128 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Permit SQUID function
-A OUTPUT -m state -o eth0 --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

Deeky
0
deeky Author Commented:
Hello:

I eliminated the firewall from the equation, so I realized I needed to focus more on the squid configuration.

I figured out the problem.  I had missed these four key lines in the squid.conf file.  Apparently they make the difference.  They were:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

They all need to be on.

I learned this from several other posts in the forum, but I didn't think they applied to my situation.  Apparently they do.

Since I solved my problem, now I have a related question, can somebody tell me what these 4 lines are doing?

Strange: without them, as I stated before, the web browser on the client side would not "pick up" a URL.  What is accel doing?  It sounds like it makes it faster?

Thanks,

Deeky

0
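The four httpd_accel_* lines from the post above, worked through as an added example (Python written for this page, not code from the thread or from Squid itself). A browser that has been pointed at a proxy sends the whole URL in the request line, "GET http://www.example.com/ HTTP/1.0"; a browser that believes it is talking to the web server directly sends only the path, "GET / HTTP/1.0", and names the server in the Host header. The REDIRECT rule hands Squid requests of the second kind, and a Squid 2.5 that has not been told it is an accelerator reads that path as the whole URL, which is exactly the "/" on the error page. httpd_accel_host virtual plus httpd_accel_uses_host_header on make Squid rebuild the URL from the Host header (falling back to the address the client was connecting to), httpd_accel_port 80 supplies the port for that rebuilt URL, and httpd_accel_with_proxy on keeps proxy-style requests from explicitly configured browsers working at the same time. "accel" has nothing to do with speed: it is Squid's name for reverse-proxy (accelerator) mode, and Squid 2.6 and later replaced these directives with "http_port 3128 transparent". The request bytes, the address 198.51.100.10 and the verify_dns table in the code are constructed for the example; the original_dst argument stands in for what a real proxy reads from the kernel's NAT table, and the Host-versus-destination check is not something Squid 2.5 did (later Squid versions added it for intercepted traffic, because the Host header is chosen by the client).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class InvalidURL(Exception):
    """Stands in for Squid's 'Invalid URL' error page; str(e) is the URL it shows."""


@dataclass
class AccelConfig:
    """The four httpd_accel_* directives from the post, as a config object."""
    host: Optional[str] = None        # httpd_accel_host: None = absent, "virtual", or a name
    port: int = 80                    # httpd_accel_port
    with_proxy: bool = False          # httpd_accel_with_proxy
    uses_host_header: bool = False    # httpd_accel_uses_host_header
    # Assumed for the example, not a Squid 2.5 directive: name -> IP table used to
    # check that the client-supplied Host really belongs to the destination it
    # connected to (the check later Squid versions added for intercepted traffic).
    verify_dns: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise InvalidURL(lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def reconstruct_url(raw: bytes, cfg: AccelConfig, original_dst: str) -> str:
    """Return the absolute URL Squid would fetch for this request, or raise InvalidURL.

    original_dst is the IP the browser connected to before iptables rewrote it;
    a real proxy reads it from the kernel (SO_ORIGINAL_DST), here it is passed in.
    """
    _method, target, _version, headers = parse_request(raw)
    accel_mode = cfg.host is not None

    # Absolute-form request line: a browser with explicit proxy settings.
    if target.lower().startswith(("http://", "https://", "ftp://")):
        if accel_mode and not cfg.with_proxy:
            raise InvalidURL("proxy request refused in accelerator-only mode: " + target)
        return target

    # Origin-form request line: what an intercepted browser sends.
    if not target.startswith("/"):
        raise InvalidURL(target)
    if not accel_mode:
        # A plain proxy has no way to learn the host: all it can show is "/".
        raise InvalidURL(target)

    host = headers.get("host") if cfg.uses_host_header else None
    if host is None:
        # 'virtual' means "use the address the client connected to";
        # any other value is a fixed backend name.
        host = original_dst if cfg.host == "virtual" else cfg.host

    # The Host header is client-controlled: check it against the real destination.
    if cfg.verify_dns and "host" in headers:
        name = headers["host"].split(":")[0]
        if cfg.verify_dns.get(name) != original_dst:
            raise InvalidURL("Host %r does not resolve to destination %s" % (name, original_dst))

    port = "" if (cfg.port == 80 or ":" in host) else ":%d" % cfg.port
    return "http://%s%s%s" % (host, port, target)


# Constructed sample requests (not captured traffic).
INTERCEPTED = b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: constructed\r\n\r\n"
EXPLICIT = b"GET http://www.example.com/ HTTP/1.0\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"          # old HTTP/1.0 client, no Host header
ORIGINAL_DST = "198.51.100.10"                            # documentation address, constructed

PLAIN_PROXY = AccelConfig()                               # squid.conf without the four lines
TRANSPARENT = AccelConfig(host="virtual", port=80, with_proxy=True, uses_host_header=True)


def demo() -> Dict[Tuple[str, str], str]:
    """Run every sample request through both configurations."""
    results: Dict[Tuple[str, str], str] = {}
    for cfg_name, cfg in (("plain_proxy", PLAIN_PROXY), ("transparent", TRANSPARENT)):
        for req_name, req in (("intercepted", INTERCEPTED), ("explicit", EXPLICIT), ("no_host", NO_HOST)):
            try:
                results[(cfg_name, req_name)] = reconstruct_url(req, cfg, ORIGINAL_DST)
            except InvalidURL as err:
                results[(cfg_name, req_name)] = "Invalid URL: " + str(err)
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-12s %-12s -> %s" % (key[0], key[1], value))
```

Running the file prints one line per configuration and request; the plain-proxy configuration fails the intercepted request with "Invalid URL: /", the transparent configuration rebuilds "http://www.example.com/" from the Host header and still accepts the explicit-proxy form. The verify_dns check is the caveat a practitioner should keep in mind once httpd_accel_uses_host_header is on: the URL Squid fetches and caches, and the dst that any Squid ACL sees, come from whatever the client put in Host, not from the address the client actually connected to.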
deeky Author Commented:
I haven't heard anything for a few days.  I found the answer to this question elsewhere.  How do I handle this situation?  The comment I posted was my solution to this particular problem, and I suppose it should remain in the archives for others.

How do I close this question?

Deeky
0
modulo Commented:
Closed, 200 points refunded.
modulo
Community Support Moderator
0
