Hi all,

I'm trying to set up a transparent proxy with dansguardian, and running into some strange issues with the squid setup without dansguardian. I have used shorewall for quite some time, and I'm stumped as to why I can't get this to work. Here is a brief synopsis of my network.

loc --> gateway/firewall --> net

I have the following policies:

#firewall to net and local
$FW all ACCEPT
#local to firewall and net
loc all ACCEPT
#net to firewall
net all DROP

These are my rules:

ACCEPT net $FW tcp 22
ACCEPT net $FW udp 22
ACCEPT net $FW tcp 10000
ACCEPT net $FW udp 10000
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
REDIRECT loc 3128 tcp www - !192.168.0.1

Squid setup:
Default config outlined here http://www.tldp.org/HOWTO/TransparentProxy-4.html with http_access allow all (for now)

As you can see the last line should redirect all traffic on port 80 from loc to port 3128 where squid is running. If I set a browser on my loc to use the proxy at 192.168.0.1:3128 I can see the pages retrieved in the /var/log/squid/access.log, and everything works correctly. However when I use the transparent proxying, I get this error message

TCP_DENIED/400 1431 GET / - NONE/- text/html

I can't figure this one out, I assumed that all traffic would be allowed since I took the defaults for squid and set "http_access allow all", and since squid works if I connect to the proxy port directly. I wasn't sure if this is a squid or redirect problem, so I wanted to post here first.

Thanks in advance for any advice.

Todd

On Thursday 09 February 2006 19:14, Todd Nine wrote:
> TCP_DENIED/400 1431 GET / - NONE/- text/html

Squid configuration problem...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> On Thursday 09 February 2006 19:14, Todd Nine wrote:
> > TCP_DENIED/400 1431 GET / - NONE/- text/html
>
> Squid configuration problem...
>
> -Tom

Have a look on the squid website, www.squid-cache.org . There was a section on how to transparently proxy using squid.

Regards,
Peter

On Thursday 09 February 2006 20:06, Peter Kitchener wrote:
> Tom Eastep wrote:
> > On Thursday 09 February 2006 19:14, Todd Nine wrote:
> > > TCP_DENIED/400 1431 GET / - NONE/- text/html
> >
> > Squid configuration problem...
> >
> > -Tom
>
> Have a look on the squid website, www.squid-cache.org . There was a
> section on how to transparently proxy using squid.

Attached is a 'diff' between the stock SuSE squid.conf and mine (and mine works perfectly in a transparent proxy environment):

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Thanks for the help Tom, I had misspelled virtual! It's always the spelling mistakes that get me.

Todd

On 2/9/06, Tom Eastep <teastep@shorewall.net> wrote:
> On Thursday 09 February 2006 20:06, Peter Kitchener wrote:
> > Tom Eastep wrote:
> > > On Thursday 09 February 2006 19:14, Todd Nine wrote:
> > > > TCP_DENIED/400 1431 GET / - NONE/- text/html
> > >
> > > Squid configuration problem...
> > >
> > > -Tom
> >
> > Have a look on the squid website, www.squid-cache.org . There was a
> > section on how to transparently proxy using squid.
>
> Attached is a 'diff' between the stock SuSE squid.conf and mine (and mine
> works perfectly in a transparent proxy environment):
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
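
The thread ends with a one-word typo in squid.conf as the cause. As an added example (not part of the thread and not any poster's code), this Python check looks for the four `httpd_accel_*` settings used by the Squid 2.5-era HOWTO linked in the first message and flags missing or mistyped ones. That the typo sat in `httpd_accel_host`, and the sample config itself, are assumptions; the attached diff is not on the page.

```python
import re

# Squid 2.5-era settings from the HOWTO linked in the first message.
# Assumption: the thread never shows the corrected squid.conf itself.
REQUIRED = {
    "httpd_accel_host": "virtual",
    "httpd_accel_port": "80",
    "httpd_accel_with_proxy": "on",
    "httpd_accel_uses_host_header": "on",
}

# Constructed sample config with a typo and a commented-out directive.
SAMPLE = """\
http_port 3128
httpd_accel_host virtaul
httpd_accel_port 80
httpd_accel_with_proxy on
# httpd_accel_uses_host_header on
http_access allow all
"""

def check_squid_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    seen, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        if name in REQUIRED:
            seen[name] = (lineno, args[0] if args else "")
        elif name.startswith("httpd_accel"):
            findings.append(f"line {lineno}: unknown directive {name!r}")
    for name, want in REQUIRED.items():
        if name not in seen:
            findings.append(f"missing: {name} {want}")
            continue
        lineno, got = seen[name]
        if got != want:
            findings.append(f"line {lineno}: {name} is {got!r}, expected {want!r}")
    if re.search(r"^\s*http_access\s+allow\s+all\b", text, re.M):
        findings.append("http_access allow all: any client that can reach the proxy port may use it")
    return findings

if __name__ == "__main__":
    for finding in check_squid_conf(SAMPLE):
        print(finding)
```

Squid 2.6 and later dropped the `httpd_accel_*` directives in favour of options on `http_port`, so this check only applies to the older syntax.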