Indunil Jayasooriya
2007-Jun-12 07:50 UTC
[CentOS] How to setup both Transparent Proxy and firewall on the same Machine.
Hi ALL,

I want to set up a transparent proxy on the box running an iptables firewall. With iptables, I have the rules given below.

    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F -t nat
    iptables -F -t mangle

    # Enabling ip forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Enable syn cookies (prevent against the common 'syn flood attack')
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies

    # Do source validation by reversed path
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    # Enable tracking mechanism
    /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Default drop (a target needs -j)
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j DROP

In addition to that, there are many rules; all work fine.

In the squid.conf file, I have added the lines below:

    http_port 3128
    cache_mem 64 MB
    cache_dir ufs /var/spool/squid 100 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

And then I ran the command below.

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

But when I browse the Internet, requests do not get redirected to port 3128, so I cannot use Squid as a transparent proxy. Where have I gone wrong? I referred to the URL below.

http://www.tldp.org/HOWTO/TransparentProxy.html#toc2

Pls help me.

-- 
Thank you
Indunil Jayasooriya
Robert Spangler
2007-Jun-14 02:01 UTC
[CentOS] How to setup both Transparent Proxy and firewall on the same Machine.
On Tue June 12 2007 03:50, Indunil Jayasooriya wrote:
> And then I ran the command below.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128

Which side is eth0 pointing to? LAN or Internet? If it's the Internet side then you need to change the above to the LAN side. You don't give enough information about your setup to give you a totally correct answer.

-- 
Regards
Robert

Smile... it increases your face value!
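As an added example (not code from either post), the script below emits the netfilter rules for running Squid transparently behind the stateful firewall from the first post: the REDIRECT bound to the LAN-facing interface as Robert suggests, plus the INPUT and OUTPUT openings the redirected traffic needs, since after REDIRECT the packet is delivered locally and traverses INPUT (default DROP above), not FORWARD. The interface names are assumptions: eth1 is taken as the LAN side and eth0, as in the thread, as the Internet side.

```shell
#!/bin/sh
# Added example: generate (rather than apply) transparent-proxy rules for a
# box that also runs a default-DROP stateful firewall. Review the output, then
# run it as root on the real router. Interface roles are assumed, not from the
# thread: eth1 = LAN (constructed), eth0 = Internet (as in the original post).

SQUID_PORT=3128          # http_port from the thread's squid.conf
WAN_IF=eth0              # assumed Internet-facing interface

# Refuse to build rules for the Internet-facing interface: redirecting there
# would proxy inbound traffic instead of the LAN clients' outbound HTTP.
check_lan_if() {
    [ "$1" != "$WAN_IF" ]
}

# Print the three rules needed for the given LAN interface.
transparent_proxy_rules() {
    lan_if="$1"
    # 1. Only the LAN's outbound HTTP is redirected to the local Squid port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$lan_if" "$SQUID_PORT"
    # 2. The redirected SYN now arrives on INPUT; the ESTABLISHED,RELATED rule
    #    alone does not match a NEW connection, so accept it from the LAN only.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$lan_if" "$SQUID_PORT"
    # 3. Squid must be able to open outbound connections to origin servers.
    printf 'iptables -A OUTPUT -o %s -p tcp --dport 80 -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF"
}

main() {
    lan_if="${1:-eth1}"
    if check_lan_if "$lan_if"; then
        transparent_proxy_rules "$lan_if"
    else
        echo "refusing: $lan_if is the Internet-facing interface" >&2
        return 1
    fi
}

main "$@"
```

Insert the generated rules before the final DROP rules of the existing script, since iptables evaluates a chain top to bottom and a rule appended after the DROP is never reached.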