[ale] Transparent Proxy - Almost There

James P. Kinney III jkinney at localnetsolutions.com
Thu May 20 09:25:12 EDT 2004


On Thu, 2004-05-20 at 00:58, BruceG wrote:
> On Monday 03 May 2004 09:50, James P. Kinney III wrote:
> > On Mon, 2004-05-03 at 09:12, BruceG wrote:
> > > You are supposed to be able to add the script to cron for weekly diffs
> > > and monthly full updates. I haven't got that far yet. I think I'll let
> > > this run for a week or so, then consider adding a second nic to the
> > > server and making it a transparent proxy.  That seems like a steep
> > > learning curve, so I'll give it a little more thought.
> >
> > It's not as hard as you think! Just make the squid box the gateway
> > and run the following iptables command:
> >
> > iptables -t nat -I PREROUTING -p tcp -i <ethx for internal connection>
> > --dport 80 -j REDIRECT --to-ports <port that squid listens on>
> >
> > This requires no changes on any web browser that uses that gateway
> > machine, i.e., transparent.
> 
> James - thanks for the info above. Could you clarify please?
> I have a Linksys BEFSX41 router with 192.168.1.0 subnet on its LAN port. My 
> office laptop is on that subnet (don't want to go through the proxy, it 
> caused problems with PC firewall and VPN software). So - 192.168.1.0 is my 
> non-filtered subnet.
> 
> I set up a VLAN on my switch for proxied devices. My proxy server has 2 nics. 
> Eth0 (192.168.1.25) on the 192.168.1.0 subnet. Eth1 (192.168.2.1) on the 
> 192.168.2.0 subnet. I am not doing NAT on the proxy as I am doing NAT on the 
> Linksys. My wireless WAP54G and WET11 bridge, desktop and kids laptop are on 
> the 192.168.2.0 subnet.
> 
> Routing is working. All packets from the 192.168.2.0 subnet are hitting my 
> proxy server on eth1 and routing out through eth0, then on to the Linksys. 
> DHCP is working, and I'm just pointing to the Linksys for DNS. Manual 
> proxying is fine (specifying the proxy server and port in Mozilla).
> 
> Now - to force packets through the proxy, would I do:
> iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
> 
> Is that the last step?

Almost. The -i eth0 should be -i eth1. You want the 192.168.2 traffic
coming in on eth1 to go to the proxy. The unfiltered traffic is on eth0
(or else I need more coffee. Well, I need more coffee anyway...)
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
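The rule James describes, as an added example that is not part of the thread: a small POSIX shell script that builds the PREROUTING REDIRECT rule for the proxied interface, enables IP forwarding, and only touches iptables when explicitly asked to. The interface name (eth1), proxied subnet (192.168.2.0/24) and Squid port (3128) are taken from Bruce's description; the script names and the `--apply` switch are assumptions for this example. Squid itself must be configured to accept intercepted connections (the `transparent` option on `http_port` in Squid 2.x, `intercept` in 3.1 and later), or it will reject the redirected requests.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): transparent proxy
# REDIRECT rule for the internal interface. Values below are assumptions
# matching the setup described in the thread; override via environment.
INT_IF="${INT_IF:-eth1}"                       # interface facing the proxied VLAN
PROXIED_NET="${PROXIED_NET:-192.168.2.0/24}"   # subnet that must go through squid
SQUID_PORT="${SQUID_PORT:-3128}"               # port squid listens on

# Build the nat-table rule: port-80 TCP arriving on the internal interface,
# sourced from the proxied subnet, is redirected to squid on this host.
# Restricting to -i and -s means the unfiltered 192.168.1.0 side is untouched.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$1" "$2" "$3"
}

# The gateway also has to forward the non-HTTP traffic between the two NICs.
forward_rule() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Refuse the classic mistake from the thread: installing the rule on the
# unfiltered side (eth0) would intercept the office laptop's traffic too.
check_iface() {
    case "$1" in
        "${EXT_IF:-eth0}") return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands (dry run) or execute them when called with --apply.
apply_rules() {
    if ! check_iface "$INT_IF"; then
        echo "refusing to redirect on the unfiltered interface $INT_IF" >&2
        return 1
    fi
    cmds=$(forward_rule; redirect_rule "$INT_IF" "$PROXIED_NET" "$SQUID_PORT")
    if [ "$1" = "--apply" ]; then
        echo "$cmds" | sh
    else
        echo "$cmds"
    fi
}

# Dry run by default; `sh script.sh --apply` as root installs the rules.
if [ "$1" = "--apply" ]; then
    apply_rules --apply
fi
```

Run it once without arguments to see the exact commands it would issue; the dry run is the thing to paste into the list when asking for a sanity check.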