squid as transparent in RHEL 4

Protecting your Linux box
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

I will say again: according to the RHEL manuals and books that I have explored, they call it the iptables service in many places. I totally understand the logic that you are giving, and I totally understand what a daemon is, but are you asking me to accept that the RHEL people are stupid enough to call it a service!

I talked with you along with references; here I give you one again where the author names it as a service.
http://www.redhat.com/docs/manuals/linu ... ables.html

Activating the iptables Service!

Now you want me to refuse this whole enterprise distribution???

And yes, no more arguments on that, because I am totally convinced by your signature!
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
majidnazeer
Naik
Posts: 60
Joined: Wed Oct 05, 2005 12:37 pm

Post by majidnazeer »

AoA!

I got these rules from the command "iptables -t nat -L".

<<<Quote>>>>



target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 194.9.100.0 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


<</Quote>>

Thanks
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

Your rules seem pretty much OK; these should work out.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
majidnazeer
Naik
Posts: 60
Joined: Wed Oct 05, 2005 12:37 pm

Post by majidnazeer »

But it does not work as a transparent proxy.

Thanks
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

I beg you guys, please don't fight... I am sorry that I mistakenly wrote something that I should not have written without doing complete research on it. I can never argue with Mr. Lambda, as he is very much senior and has more experience than me.

I am sorry again, all this started because of me.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

it's all very simple.

smtp is a service, and sendmail (or postfix) is its server and outlook is its client.
http is a service, and apache (or iis) is its server and firefox is its client.
snmp is a service, and snmpd is its server and snmpnetstat is its client.
iptables is a service, and _____ is its server, and ____ is its client.

can anyone fill in the blanks with something reasonable?

iptables is not a service, just like "mv" or "ls" aren't services.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
mahin
Major
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Post by mahin »

I do not see any fight except that lambda is bent upon making what they say " Demagh - ki - Dahi " :). What he is saying is correct yet you guys are also not wrong in quoting what you read.

I am not a guru like lambda still I can try to give you guys a hint.

IP Tables is user-level access to change the filtering mechanism of the kernel, and remember the kernel is not a daemon :) [a daemon runs over some kernel, and if we say the kernel is a daemon, then the kernel runs over what? :)]

Now if some one would make a "Lassi" of that " Dahi" then some butter would come up :).

Google is your friend!
mudasir wrote:AOA,

I beg you guys, please don't fight...
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

wow mahin dimag--->dahi--->lassi+makhan

You are going in a perfect sequence. I think you must be working on candiland milki linux :P
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear majidnazeer,

In your squid.conf file, try adding these lines. The configuration below is made on the assumption that squid is running on port 8080 and is on the same machine.

Code:

http_port 8080 transparent
http_port 80 vport vhost
Then run these IPTABLES rules.

Code:


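# LAN-facing interface, Internet-facing interface, and the local subnet
NETWORK="eth0"
INTERNET="eth1"
LOC_IP="192.168.0.1/24"

# Enable IPv4 forwarding between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# Masquerade traffic leaving through the Internet-facing interface
iptables -t nat -A POSTROUTING -o "$INTERNET" -p ALL -j MASQUERADE
# Redirect port-80 traffic arriving from the LAN to Squid on local port 8080
iptables -t nat -A PREROUTING -i "$NETWORK" -s "$LOC_IP" -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i "$NETWORK" -s "$LOC_IP" -p udp --dport 80 -j REDIRECT --to-ports 8080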
Do let us know if it works for you or not.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

mudasir wrote:AOA,

Code:

http_port 8080 transparent
http_port 80 vport vhost
I consider he is using Squid 2.5 stable 6 that comes built in with rhel4 so those options won't work. He has to use httpd_accelerator options for making it transparent.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Usman,

In his first post he stated:
"I installed squid 2.6 stable 17 on RHEL 4. But squid not run as transparent proxy whenever i installed same squid on fedor2 that worked fine as transparent proxy or proxy"
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

Sorry, forgot about that! Then, as far as I can guess, he must have made some mistake while compiling the source code. Why doesn't he give the outcome of

Code:

squid -v
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
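
The three things checked by hand in this thread (the `transparent` option on the squid.conf port, the nat REDIRECT rule, and the build options printed by `squid -v`) can be tested together; this is an added example, not code from any poster. The function names and sample inputs are constructed, and it assumes that Squid 2.6 on Linux must be compiled with `--enable-linux-netfilter` for REDIRECT-based interception.

```shell
#!/bin/sh
# Added example; every sample input below is constructed, not captured from a real host.

# Assumption: Squid 2.6 needs --enable-linux-netfilter at build time for interception.
has_netfilter_build() {        # $1 = text printed by `squid -v`
    printf '%s\n' "$1" | grep -qF -e '--enable-linux-netfilter'
}

# True if an uncommented http_port line for the port carries "transparent".
has_transparent_port() {       # $1 = squid.conf text, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "http_port" {
            n = split($2, a, ":")            # accept "8080" or "ip:8080"
            if (a[n] != port) next
            for (i = 3; i <= NF; i++) if ($i == "transparent") found = 1
        }
        END { exit !found }'
}

# True if the nat PREROUTING chain redirects TCP port 80 to the Squid port.
has_redirect_rule() {          # $1 = `iptables -t nat -L` (or -L -n) text, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "Chain" { chain = $2; next }
        chain == "PREROUTING" && $1 == "REDIRECT" && $2 == "tcp" &&
            /dpt:(http|80) / && $NF == port { found = 1 }
        END { exit !found }'
}

# Report which of the three pieces is missing.
diagnose() {                   # $1 squid -v, $2 squid.conf, $3 nat listing, $4 port
    missing=""
    has_netfilter_build "$1"       || missing="$missing build"
    has_transparent_port "$2" "$4" || missing="$missing conf"
    has_redirect_rule "$3" "$4"    || missing="$missing nat"
    echo "missing:${missing:- none}"
}

SAMPLE_V="Squid Cache: Version 2.6.STABLE17
configure options: '--prefix=/usr/local/squid' '--enable-linux-netfilter'"
SAMPLE_CONF="http_port 8080 transparent"
SAMPLE_NAT="Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
REDIRECT   tcp  --  anywhere    anywhere    tcp dpt:http redir ports 8080"

diagnose "$SAMPLE_V" "$SAMPLE_CONF" "$SAMPLE_NAT" 8080
```

On a live box, pass the real text instead of the samples, for example `diagnose "$(squid -v)" "$(cat /etc/squid/squid.conf)" "$(iptables -t nat -L)" 8080`, adjusting the squid.conf path to the build's prefix.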
nomankhn
Colonel
Posts: 714
Joined: Wed Aug 07, 2002 8:00 pm

Post by nomankhn »

Dear usman,

Your experience is good enough, but before replying to a thread, read the complete post, test it, and then send it. I am sure you are good enough and post very good threads, and your suggestions are really meaningful for us, but at least check first on your side.

Regards,
Noman Liaquat