Hi Shawn,

I can attest to the fact that bridge/firewall transparent proxies work beautifully together. Check your access logs for squid, and messages for any dropped packets from the firewall if you have logging enabled.

I turned off the authentication in squid (allowing all) and let

  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

control access to the proxy. Depending on which kernel version you are using, you could control access using address blocks:

  iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

If you want to exclude an IP within these blocks you could -j DROP anything from it on --dport 80 above the rule, or, to bypass the proxy altogether, -j ACCEPT it on --dport 80.
If you are using a transparent firewall make sure that 1. you have assigned an IP and default gateway to the bridge and 2. that it has DNS access. I also have a Cisco router performing NAT at the gateway; I also created a static one-to-one IP translation to the firewall for remote admin, which might also be necessary to avoid multiple NAT. Once set up the whole thing works like magic.

Cheers,

Lewis Shobbrook MCSE
FastTrack Pty. Ltd.
Lvl 12, 499 St. Kilda Rd, Melbourne VIC Australia 3004
Phone: +61 3 9866 8700
Fax: +61 3 9820 0276

> From: "Grimes, Shawn (NIA/IRP)" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Mon, 20 May 2002 10:11:06 -0400
> Subject: [Bridge] bridge and transparent proxy...
>
> I'm trying to set up a proxy server for our network and
> instead of going around to every machine on the network and
> configuring their settings (and then having them unconfigure
> it as soon as I turn my back), I figured I could do it at the
> firewall. I'm using a squid proxy with PAM authentication
> using winbindd to authenticate on our Windows domain. And it
> is running on the same box as our firewall. So I found this
> nifty mini-howto (
> http://users.gurulink.com/drk/transproxy/TransparentProxy.html
> ) and it said all I needed to do was add the following line:
>
>   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> which didn't work. If I do a tcpdump on the bridge/firewall,
> I can see the request for the website, i.e.
>
>   P 192.168.1.100.1599 > 209.202.221.20.http: S
>
> But then it doesn't send anything back and I would think that
> I shouldn't see that, I should see it going to port 3128.
>
> Any ideas?
>
> Thank You,
> Shawn Grimes
> Computer Specialist
> NCTS - Gerontology Research Center
> 410-558-8007
> [EMAIL PROTECTED]

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
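The rule set Lewis describes (redirect a LAN block to squid, drop or bypass individual hosts by placing their rules above the REDIRECT), written out as one script. This is an added example, not code from either message in the thread; the interface name, the 192.168.0.0/24 block, the two exception hosts 192.168.0.66 and 192.168.0.50, and the dry-run/apply switch are all assumptions. It also adds the check a practitioner wants before loading rules on a bridge: on current kernels iptables only sees bridged frames when bridge-netfilter is enabled (the br_netfilter module and sysctl net.bridge.bridge-nf-call-iptables=1), and without it a PREROUTING REDIRECT never matches bridged traffic.

```sh
#!/bin/sh
# Added example, not code from the thread: builds the nat PREROUTING rule
# set described above, with the per-host exceptions placed above the
# block-wide REDIRECT, and checks the bridge-netfilter sysctl first.
# Assumed values (not from the thread): LAN side is eth0, LAN block is
# 192.168.0.0/24, 192.168.0.66 must be blocked from port 80, 192.168.0.50
# must bypass the proxy, squid listens on 3128.
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
BLOCK_HOST="${BLOCK_HOST:-192.168.0.66}"
BYPASS_HOST="${BYPASS_HOST:-192.168.0.50}"
SQUID_PORT="${SQUID_PORT:-3128}"

# On a bridge, iptables only sees bridged frames when bridge-netfilter is on
# (current kernels: br_netfilter module, sysctl net.bridge.bridge-nf-call-iptables=1).
# Returns 0 when the sysctl is present and set to 1.
bridge_nf_enabled() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

# Emit the rules in order. Rules are matched top to bottom, so the per-host
# DROP and ACCEPT must come before the block-wide REDIRECT or they never fire.
# nat PREROUTING only sees a connection's first packet, which is enough to
# stop a new TCP connection; the usual place for blocking is still the filter table.
proxy_rules() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$BLOCK_HOST"  --dport 80 -j DROP
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$BYPASS_HOST" --dport 80 -j ACCEPT
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET"     --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

case "${1:-}" in
    dry-run)
        IPT=echo
        proxy_rules ;;
    apply)
        bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged traffic will skip these rules" >&2
        proxy_rules ;;
esac
```

Run it as `sh transproxy.sh dry-run` to review the three rules in order, then `sh transproxy.sh apply` as root. One consequence of interception worth keeping in mind: the browser does not know a proxy is involved, so squid's proxy authentication (the 407 challenge) cannot work on intercepted requests, which is why access control ends up in iptables rather than in squid's ACLs.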
