# This is driving me CRAZY - Remote Squid Proxy??

## Korr.ban

I have been trying to get my router to transparently route any requests from browsers on the network to a proxy on IP 192.168.0.2.

IT'S IMPOSSIBLE, I TELL YA!

Router - eth1 = LAN , eth0 = INTERNET

I have tried using this:

```
# From TLDP; squid-box, local-network and iptables-box are placeholders for the real addresses
# redirect LAN web traffic (except from the squid box itself) to squid
iptables -t nat -A PREROUTING -i eth1 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
# rewrite the source so replies from the squid box come back through the router
iptables -t nat -A POSTROUTING -o eth1 -s local-network -d squid-box -j SNAT --to iptables-box
# allow the forwarded connections to reach the squid port
iptables -A FORWARD -s local-network -d squid-box -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT
```

from TLDP

All this does is give me this in access.log:

```
1092073950.247 119663 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ -NONE/- text/html
```

And I get an error on the web browser on the clients telling me:

```
The requested URL could not be retrieved 

-------------------------------------------------------------------------------- 

While trying to retrieve the URL: http://www.gentoo.org/ 

The following error was encountered: 

Unable to determine IP address from host name for www.gentoo.org

The dnsserver returned: 

Name Error: The domain name does not exist. 

This means that: 

The cache was not able to resolve the hostname presented in the URL. 

Check if the address is correct. 

Your cache administrator is webmaster. 

```

If I tell the browser on client 192.168.0.43 to use a proxy at IP 192.168.0.2 port 3128, then the page loads NO PROBLEM, and I get an access.log entry of:

```
1092073950.247 119663 192.168.0.43 TCP_MISS/503 1368 GET http://www.google.ca/ -NONE/- text/html
```

Router and Proxy can both access the internet no problem.

If someone has a remote proxy setup, please post your squid.conf file and your iptables script with the remote proxy forwarding in it. I desperately need to test my setup to make sure it is something with my config rather than something not related to iptables.

Thank you.
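The two access.log lines quoted above carry the diagnostic clues: in the transparent case the client column shows the router's own address (the POSTROUTING SNAT rule rewrote the source before squid saw it), and TCP_MISS/503 with NONE/- means squid failed before contacting any origin server. The parser below is an added example, not code from the thread; it assumes Python 3, that 192.168.0.1 is the router's LAN address, and a constructed sample log.

```python
import re

# Squid "native" access.log format, one request per line:
#   timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
# The ident column ("-") is sometimes glued to the hierarchy column when a log
# is pasted into a forum, so the separator between them is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+?)\s*(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: the two lines quoted in the post plus one successful fetch
# with a documentation-range origin address (not from the original log).
SAMPLE_LOG = """\
1092073950.247 119663 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1092073950.247 119663 192.168.0.43 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1092074001.113 842 192.168.0.43 TCP_MISS/200 14211 GET http://www.gentoo.org/ - DIRECT/203.0.113.10 text/html
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def analyse(lines, router_ip):
    """Flag, per request, the two symptoms discussed in the thread."""
    results = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        results.append({
            "client": e["client"],
            "url": e["url"],
            # SNAT on the router rewrites the client source to the router's own
            # address, so squid logs every LAN client as router_ip.
            "snat_masked": e["client"] == router_ip,
            # 503 with hierarchy NONE/- means squid never contacted an origin:
            # the request failed inside squid, typically at the DNS lookup.
            "squid_side_failure": e["status"] == 503 and e["hier"] == "NONE",
        })
    return results
```

Run `analyse(SAMPLE_LOG.splitlines(), "192.168.0.1")` to see the first line flagged on both counts and the third on neither.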

----------

## tumbak

did you uncomment these lines in your squid config?

```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```

A great HOWTO can be found here; it works on my squid proxy, just ignore the DG parts.

http://dansguardian.org/downloads/DGandTransparent.txt

----------

## davidblewett

I'm pretty sure there is a tutorial on the squid site as well. I use Shorewall for my firewall scripting, and it has an easy example in the rules file to do what you want.

----------

## Korr.ban

I have tried all those tutorials, I'm not sure what it could be. Maybe someone who has this working could post their iptables script and squid.conf.

I would be able to figure out what's wrong from that.

----------

## davidblewett

I had it working at home, but disabled it because it played havoc with editing my website from home. I couldn't figure out how to fine-tune it to exclude particular domains. I can post my squid.conf tonight, but I use Shorewall for the iptables config so there isn't just one script.

----------

## tumbak

Hope this helps; I stripped the comments from squid.conf. I also need to note that I redirect all the web traffic to DansGuardian, which in turn redirects it to squid.

iptables script:

```
#!/sbin/runscript

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
SAVEFILE=/root/saved_iptables_rules
EXTERNAL=ppp0
INTERNAL=eth0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net
}

start() {
  ebegin "Starting firewall"

  #flush everything
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t filter -F
  $IPTABLES -t mangle -F
  $IPTABLES -t nat -F

  #lets do a simple SNAT
  $IPTABLES -t nat -A POSTROUTING -o ${EXTERNAL} -j MASQUERADE

  #redirect all web traffic to our dansguardian filter
  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.2 --dport 80 -j REDIRECT --to-port 8080
  $IPTABLES -t nat -A PREROUTING -i eth0 -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

  #dhcp works over udp
  $IPTABLES -A INPUT -p udp -s 192.168.0.0/24 -j ACCEPT

  #accept all icmp
  $IPTABLES -A INPUT -p icmp -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp -j ACCEPT

  #set default policies
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT ACCEPT

  #turn on ip forward if not enabled
  /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

  eend $?
}
```

squid.conf:

```
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/cache/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
debug_options ALL,1
hosts_file /etc/hosts
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563   # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 901      # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# NOTE: this line matches every request first, so none of the http_access lines below it are ever evaluated
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname quake
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/cache/squid
```
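The squid.conf posted above places `http_access allow all` before every other http_access line, which makes squid an open proxy and leaves the remaining rules dead. The checker below is an added example, not part of tumbak's config: it walks the http_access list the way squid evaluates it (first matching line decides) and reports the catch-all allow and every rule it shadows. The `lan` ACL in the sample is an assumption; the posted config defines no LAN-specific ACL.

```python
# Squid takes the first http_access line whose ACLs all match; a request that
# matches no line gets the opposite of the last line's action.
CATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0", "all"}

def lint_http_access(conf_text):
    """Return [(line_number, message)] for ordering problems in conf_text."""
    catch_all = set()      # names of src ACLs that match every client
    rules = []             # (line_number, action, [acl names])
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if (len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src"
                and set(parts[3:]) <= CATCH_ALL_SRC):
            catch_all.add(parts[1])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((lineno, parts[1], parts[2:]))
    findings = []
    decided = None         # (line_number, action) of the first catch-all rule
    for lineno, action, acls in rules:
        if decided is not None:
            findings.append((lineno, "unreachable: shadowed by line %d" % decided[0]))
        elif len(acls) == 1 and acls[0] in catch_all:
            decided = (lineno, action)
            if action == "allow":
                findings.append((lineno, "'allow %s' matches first: open proxy" % acls[0]))
    if decided is None:
        findings.append((0, "no terminal 'deny <all>' rule; unmatched requests get "
                            "the opposite of the last rule's action"))
    return findings

# Constructed samples: the ordering from the posted squid.conf, and the same
# rules with the catch-all deny last. 'lan' is an assumed LAN ACL.
ACLS = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.0.0/24
"""
POSTED_ORDER = ACLS + """\
http_access allow all
http_access allow localhost
http_access deny all
"""
FIXED_ORDER = ACLS + """\
http_access allow localhost
http_access allow lan
http_access deny all
"""
```

`lint_http_access(POSTED_ORDER)` reports the open-proxy allow on line 4 and lines 5 and 6 as unreachable; `lint_http_access(FIXED_ORDER)` returns nothing.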

----------

## Korr.ban

Thanks for all of your replies. I will try out your iptables proxy routing portion as well as your squid.conf today when I get home from work. I very much appreciate your help.

Edit:

Got home... tried using:

```
#lets do a simple SNAT
$IPTABLES -t nat -A POSTROUTING -o ${EXTERNAL} -j MASQUERADE

#redirect all web traffic to our dansguardian filter
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.2 --dport 80 -j REDIRECT --to-port 8080
$IPTABLES -t nat -A PREROUTING -i eth0 -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
```

But I still get the same old message when I try to access web pages that are not cached in the proxy. I think I will just wait and reinstall my firewall's Linux as Debian and see what happens after that... I'll stick with Gentoo on my client since it can handle a 2 gig Linux OS; my firewall can't handle 2 gigs since the HD is only 2 gigs.

Thanks for the help.

----------

## davidblewett

Try out the Shorewall firewall script. It is a very nice front-end to iptables. I'm pretty sure that if you use that squid.conf, plus use the examples in the Shorewall rules file, you should be good to go.

----------

## DawgG

Sounds like a DNS problem to me: cached pages can be served and new pages' names cannot be resolved.

Can squid resolve names? (dns-servers in squid.conf) Do the DNS requests that squid makes get through the firewall?

I suggest you first try with minimal security settings and tighten them step by step.

----------

