Thanx For Reply
On Fri, Nov 12, 2010 at 9:15 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 12/11/10 19:54, Arturas Kurlavicius wrote:
>>
>> Hello
>> First i want say sorry for bad english :(
>> Here mine situation
>>
>> I work in huge gonoverment netowk. Mine network uses proxy to acces
>> internet. Shame that proxy not transparent... so i must every time
>> tipe setting in every PC. Thats anoying. SO i want to change
>> situation.
>>
>> I made a bit stupid gateway PC (debian). With single network adapter.
>> Mess a bit with IP tables. And simple gateway working.
>> network Cnfig:
>> [CODE]
>> auto lo
>> iface lo inet loopback
>>
>> # The primary network interface
>> auto eth0
>> allow-hotplug eth0
>> #iface eth0 inet dhcp
>> iface eth0 inet static
>> address 10.0.8.226
>> netmask 255.255.255.0
>> gateway 10.0.8.1
>> [/CODE]
>> iptables Config:
>> [CODE]
>> ###Flush iptables configurations
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> iptables -P INPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> iptables -P OUTPUT ACCEPT
>>
>> ###Enable IP forwarding
>> echo 1> /proc/sys/net/ipv4/ip_forward
>>
>> ###Enable ip masquerading
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> [/CODE]
>> And all seemes working.. i can browse sies (with proxie esttings).
>>
>> So now i want with that Gateway make proxie transparent. So i'm
>> tryeing to forward 80 port to proxie.
>> Config:
>> [CODE]
>> ###Flush iptables configurations
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> iptables -P INPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> iptables -P OUTPUT ACCEPT
>>
>> ###Enable IP forwarding
>> echo 1> /proc/sys/net/ipv4/ip_forward
>>
>> ###Enable ip masquerading
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> ###bandau forwardint 80 porta
>> iptables -A FORWARD -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
>> --to-destination 212.59.6.119:80
>
> Use an uncommon randomly picked --to-destination port here to avoid the
> security problems introduced by NAT. It is only used between this firewall
> and Squid, so can be firewalled in the "mangle" table to prevent external
> machines sending traffic directly there.
>
>> [/CODE]
>>
>> Well it seems forwarding working... but i try to get page (for example
>> www.inuxforums.org)... i get from proxy error
>> [CODE]
>> ERROR
>> The requested URL could not be retrieved
>>
>> --------------------------------------------------------------------------------
>> While trying to retrieve the URL: /
>>
>> The following error was encountered:
>>
>> •Invalid URL
>> Some aspect of the requested URL is incorrect. Possible problems:
>>
>> •Missing or incorrect access protocol (should be `http://'' or similar)
>> •Missing hostname
>> •Illegal double-escape in the URL-Path
>> •Illegal character in hostname; underscores are not allowed
>>
>> --------------------------------------------------------------------------------
>> Generated Thu, 11 Nov 2010 11:02:48 GMT by duke.cust.lt
>> (squid/3.0.STABLE25)
>> [/CODE]
>> But if i put proxie setting in browser (212.59.6.119:80) all again works
>> fine.
>>
>> So i want to advice what i'm doing wrong..
>
> You needs to create an http_port for the NAT traffic to enter Squid. It
> needs identical IP:port details identical to the firewall --to-destination.
> In 3.0 and older squid it has the flag "transparent" that tells Squid how
> to find and replace the missing hostname.
>
So... you saying i need to change squid configuration... Well that not
possible for me. I'm only user.
Is there another way to make proxy transparent ?? If i cant change
squid config???
Only WPAD/PAC?
>>
>> P.s. Auto proxie seetings not possible. And i hawe a lot of
>> notebooks.. so they every time need to change setting.. and thats bad
>> :(
>
> Do you mean transparent configuration aka WPAD/PAC? that would really be the
> best way. NAT interception adds some annoying security problems and
> restrictions.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.9
> Beta testers wanted for 3.2.0.3
>
Received on Fri Nov 12 2010 - 07:37:00 MST
This archive was generated by hypermail 2.2.0 : Fri Nov 12 2010 - 12:00:02 MST