Squid Interception Proxying Troubles
Erik Bixby
erik.bixby at gmail.com
Wed Nov 1 15:10:04 MST 2006
As I said in my initial post, I have read every word of Squid's FAQ on
the matter, and I have my iptables set up properly:

root@filter:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@filter:~#

I have no expectation that we will be filtering SSL. There was a post
on the matter earlier, from someone else. Perhaps you are confusing
the two. Although, I do appreciate your attention and willingness to
try and help.

Where I've run into trouble is it seems as though I have everything
set up properly. Squid works if you connect directly to it. The GRE
tunnel establishes a connection to the router. Squid registers itself
with the router and is recognized. Traffic is forwarded to the Squid
box. I've verified this with Ethereal; with Squid not registered with
the router, eth0 doesn't see traffic from my browser. With Squid
registered with the router, I see the traffic on eth0, but nothing
more ever happens...

-Erik

On 11/1/06, JT Moree <moreejt at pcxperience.com> wrote:
> Erik Bixby wrote:
> > SquidGuard runs fine. With a browser configured to use the proxy
> > directly, everything works. It's only when trying to intercept
> > traffic that things fall down. I can get the packets from the client
> > to the web server to either the Ethernet or GRE virtual interface on
> > the Squid box, but Squid does nothing with them. That is my problem;
> > how to get Squid to act on HTTP requests that are neither originated
> > from nor destined for it.
>
> huh? Try using the firewall on the squid box to forward incoming
> traffic for port 80 to the squid port. Unless you are running squid at
> port 80--which is possible I suppose.
>
> If you are trying to automatically forward port 443 (SSL) I don't think
> that will work. SSL traffic will need to use the proxy setup in the
> browser.
>
> If I understand what you are trying to do it involves more than just
> squid to do it. Probably need to re-direct all port 80 traffic that is
> not from the squid box to the squid box on the real firewall. Then
> allow squid box to access port 80 through the firewall.
>
> Is the proxy server (squid) the same as the firewall? same principles
> apply just on one machine rather than over the network.
>
> --
> JT Morée
> PC Xperience, Inc.
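
Added example (not part of the original message or the thread): the `iptables -t nat -L` listing in the message carries no packet counters, so it cannot show whether the REDIRECT rule ever matches the intercepted traffic. The function below classifies the counters printed by `iptables -t nat -L PREROUTING -v -n -x`; the sample listings and the interface name gre0 are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify an HTTP interception rule from the output of
#   iptables -t nat -L PREROUTING -v -n -x
# nat-table counters count only the first packet of each connection, so a
# non-zero value means new port-80 connections are reaching the rule.

# redirect_state PORT   (reads the iptables listing on stdin)
# Prints: "missing", "idle IN_IFACE" or "hit PKTS IN_IFACE"
redirect_state() {
    awk -v port="$1" '
        # columns: pkts bytes target prot opt in out source destination ...
        $3 == "REDIRECT" && $4 == "tcp" && /dpt:80 / && $NF == port {
            found = 1; pkts = $1; iface = $6; exit
        }
        END {
            if (!found)         print "missing"
            else if (pkts == 0) print "idle " iface
            else                print "hit " pkts " " iface
        }'
}

# Constructed sample listings (not captured from the poster's machine).
sample_missing='Chain PREROUTING (policy ACCEPT 17 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

sample_idle='Chain PREROUTING (policy ACCEPT 5123 packets, 402310 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# gre0 is a hypothetical name for the tunnel interface.
sample_hit='Chain PREROUTING (policy ACCEPT 5123 packets, 402310 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 REDIRECT   tcp  --  gre0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Demo over the constructed samples; on a live box run instead:
#   iptables -t nat -L PREROUTING -v -n -x | redirect_state 3128
for s in "$sample_missing" "$sample_idle" "$sample_hit"; do
    printf '%s\n' "$s" | redirect_state 3128
done
```

A rule that stays idle while traffic is visible on eth0 means no new TCP port 80 connection is reaching the nat PREROUTING chain, for example because the packets are still GRE-encapsulated at that point.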