Hi,

You are right, I am using port 8080. As I mentioned, I have 2 machines. The 1st machine is my Firewall/NAT server, wherein the iptables configuration already states that it should redirect port 80 to 8080:
iptables -t nat -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

For the 2nd machine, which is the squid proxy, I accepted everything.
# Generated by iptables-save v1.3.8 on Wed Apr 2 10:15:54 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:1152]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr 2 10:15:54 2008

But still the transparent proxy is not working.

----- Original Message -----
From: "Indunil Jayasooriya" <[EMAIL PROTECTED]>
To: "Wennie V. Lagmay" <[EMAIL PROTECTED]>
Sent: Thursday, April 3, 2008 10:48:31 AM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid transparent proxy

There are a whole lot of firewall settings. I think you are running squid on port 8080 (NOT 3128). Since you have the below rule

iptables -A INPUT DROP

you will have to accept port 8080 as below.
#Redirecting traffic destined to port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 8080

#For squid traffic to Accept
iptables -A INPUT -i eth1 -d 192.168.101.254 -p tcp -m state --state NEW -m tcp -s 192.168.101.0/24 --dport 8080 -j ACCEPT

In the above 2 rules, eth1 is the interface that is connected to the LAN and the IP address 192.168.101.254 is the IP of the squid proxy server. It should be the gateway of the clients' PCs. And I think clients should have DNS servers.

Another URL: http://www.mail-archive.com/[email protected]/msg52744.html

Pls try. Good luck

On Thu, Apr 3, 2008 at 12:21 PM, Wennie V. Lagmay <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> I am trying to activate transparent proxy on my setup but I cannot run it.
> With the standard setup (configuring the client PC with browser
> configuration) everything is working well: squid is responding and the client
> can browse the internet. Now we are trying to implement a setup wherein the
> client has an option to put or not to put a configuration on the browser.
>
> I have separate machines: the 1st machine is the firewall/NAT server running
> Fedora Core 4 64 bit (with a public IP on the interface) and the 2nd machine is
> the squid, running Fedora Core 8 64 bit (also with a public IP address).
> Although all the clients use a private IP, squid can still serve them pretty
> well.
>
> Now I have configured my squid (squid-2.6stable19) to accept transparent
> connections, and it seems it is working because the cache.log says,
> "accepting transparently proxied http connection at 0.0.0.0, port 8080, FD 11"
>
> But when I configure the client browser without a proxy configuration I cannot
> browse the internet.
>
> I am attaching below my firewall/NAT iptables configuration. Can you please
> check it for me and let me know if I am missing something. Also, if you can,
> provide me a step by step configuration of a transparent proxy setup.
>
>
> # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> # -A INPUT -j ACCEPT
> -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
> #
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.12.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.12.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.14.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.14.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.15.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.15.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.16.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.16.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.24.0/255.255.248.0 -j ACCEPT
> -A FORWARD -d 192.168.24.0/255.255.248.0 -j ACCEPT
> #
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.64.0/255.255.224.0 -j ACCEPT
> -A FORWARD -d 192.168.64.0/255.255.224.0 -j ACCEPT
> #
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.96.0/255.255.224.0 -j ACCEPT
> -A FORWARD -d 192.168.96.0/255.255.224.0 -j ACCEPT
> #
> -A FORWARD -s xx.xx.184.32/255.255.255.224 -j ACCEPT
> -A FORWARD -d xx.xx.184.32/255.255.255.224 -j ACCEPT
> -A FORWARD -s xx.xx.184.64/255.255.255.224 -j ACCEPT
> -A FORWARD -d xx.xx.184.64/255.255.255.224 -j ACCEPT
> -A FORWARD -s xx.xx.184.120/255.255.255.248 -j ACCEPT
> -A FORWARD -d xx.xx.184.120/255.255.255.248 -j ACCEPT
> -A FORWARD -s xx.xx.184.128/255.255.255.248 -j ACCEPT
> -A FORWARD -d xx.xx.184.128/255.255.255.248 -j ACCEPT
> -A FORWARD -s xx.xx.184.0/255.255.255.240 -j ACCEPT
> -A FORWARD -d xx.xx.184.0/255.255.255.240 -j ACCEPT
> -A FORWARD -s xx.xx.184.144/255.255.255.240 -j ACCEPT
> -A FORWARD -d xx.xx.184.144/255.255.255.240 -j ACCEPT
> #
> # -A OUTPUT -j ACCEPT
> -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 1863 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 1863 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> #
> COMMIT
> # Completed on Thu Dec 23 08:44:33 2004
> # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
> *nat
> :PREROUTING ACCEPT [77:4447]
> :POSTROUTING ACCEPT [85:7701]
> :OUTPUT ACCEPT [85:7701]
> #
> -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> #
> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.65-xx.xx.184.66
> -A POSTROUTING -s 192.168.11.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.67-xx.xx.184.68
> -A POSTROUTING -s 192.168.12.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.69-xx.xx.184.70
> -A POSTROUTING -s 192.168.14.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.71-xx.xx.184.72
> -A POSTROUTING -s 192.168.15.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.73-xx.xx.184.74
> -A POSTROUTING -s 192.168.16.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.75-xx.xx.184.76
> -A POSTROUTING -s 192.168.24.0/255.255.248.0 -j SAME --nodst --to xx.xx.184.77-xx.xx.184.80
> -A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.1-xx.xx.184.6
> -A POSTROUTING -s 192.168.96.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.145-xx.xx.184.150
> COMMIT
> # Completed on Thu Dec 23 08:44:33 2004
>
> Thank you very much,
>
> Wennie
>
>

--
Thank you
Indunil Jayasooriya
