Squid Transparent

[Jackd]

Right ive got squid setup as a transparent proxy its working fine proxying http requests, but as for https (and all other stuff) ive added a iptables rule

Code:

iptables -t nat -A POSTROUTING -j MASQURADE

which according to webmin should masqurade all but this isnt working i still cant access https pages through the proxy.

Thanks
Jack D

[Geoff]

You can't transparently proxy https.

[Jackd]

But that shouldnt be transparently proxying https? I probably didnt make my last post clear

[ChrisH]

It reads fine if you read it more than once . Look up shorewall its a bit easier to configure your firewall with it so you have a better idea of whats going on.

[dhicks]

It took me a fair bit of swearing and muttering to get HTTPS working with our transparent proxy setup, so I've included our squid setup script below for anyone who might find it useful (or for anyone out there who actually knows what they're doing with this kind of thing, in which case some pointers on how to do it properly would be much appreciated).

Note that the below doesn't proxy HTTPS, it simply makes sure that HTTPS is routed past the transparent proxy. The comments are there for my own benifit, as I was trying to remember what I was doing for the next time I needed to edit the file.



#!/bin/sh

# A script to set up iptables to set up Squid.
# This involves first setting up IPTables rules to handle transparent
# proxying and port forwading, then starting up the Squid process.

# First, flush any previous IPTables rules.
iptables -t filter --flush
iptables -t nat --flush

# Make sure that IP forwarding is enabled. I /think/ this is needed to get
# the FORWARD rules below working. No, I don't know why either...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Forward established and related connections - i.e. if an HTTPS connection
# has been initiated from inside the firewall, then traffic coming the other
# way in reply to it is okay. This is /stateful/ packet filtering, seemingly.
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward any traffic to port 443 (HTTPS). Add further ports below here as
# needed. You might also need to add specific websites here - some websites
# that use cookie-based authetication for user accounts don't handle being
# cached/filtered very well, so simply add them (or their IP address) in
# here. Bear in mind that this misses out the filtering for that specific
# website, so make sure that the whole website is okay before you set this.
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

# Deal with data from forwarded ports, i.e. shove it through NAT so it knows
# where it's going.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.5

# The following line basically tells the machine to forward all incoming TCP
# traffic not already caught by the above lines to port 3128, where squid
# is listening. Squid has been compiled to support transparent proxying.
# Squid isn't set to filter/proxy/cache anything else, so any other traffic
# you want to allow through will have to be forwaded via the rules above.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Run Squid. This script keeps an eye on the squid process and
# attempts to restart it if it conks out for some reason.
/usr/local/squid/bin/RunCache&



--
David Hicks

[Jackd]

It took me a fair bit of swearing and muttering to get HTTPS working with our transparent proxy setup, so I've included our squid setup script below for anyone who might find it useful (or for anyone out there who actually knows what they're doing with this kind of thing, in which case some pointers on how to do it properly would be much appreciated).

Note that the below doesn't proxy HTTPS, it simply makes sure that HTTPS is routed past the transparent proxy. The comments are there for my own benifit, as I was trying to remember what I was doing for the next time I needed to edit the file.
SCRIPT HERE



--
David Hicks

Is eth0 the local interface and eth1 the internet iface?