News : LinuxSolved.com Linux Help Community Forum..


Author Topic: Hi ilias, can you help me configure a transparent proxy?  (Read 15219 times)

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
Dear ilias and Ricky, I'm very happy to know you and to see the answer you replied with. However, I still have a problem with the transparent proxy again. I want to tell you step by step, OK:
(1) I installed squid and it is working fine. This is my configuration:
#cd /etc/squid/squid.conf
#Default:
http_port 3128

#Default:
icp_port 3130

#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


#Default:
cache_dir ufs /var/cache/squid 100 16 256

#Default:
cache_access_log /var/log/squid/access.log

#Default:
cache_log /var/log/squid/cache.log

#Default:
cache_store_log /var/log/squid/store.log

#Default:
pid_filename /var/run/squid.pid

#Recommended minimum configuration:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

#Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

#Recommended minimum configuration:
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

acl local_net src 192.168.0.0/255.255.255.0
acl local_net src 10.1.1.0/255.255.255.255

## Computer
acl bh src 192.168.0.38/255.255.255.255
acl lr  src 192.168.0.27/255.255.255.255
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny ads_akamai
http_access deny ads_doubleclick

http_access deny local_net

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny all

#Default:
#icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

#Default setting:
#miss_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
 .................................................................................................
My squid is working fine, but all my clients must add the proxy on their machines (Tool_Option_connection_Lan_proxy).


####So now my question is: I don't want my clients to need to add the proxy on their machines when they use the internet ..............
I know my question is hard to ask, but I still hope you can understand it, and I am waiting for your answer all the time ....
Thank you again for reading my question ................

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
problem in transparent proxy
« Reply #1 on: July 27, 2005, 03:00:15 AM »
Hello.. somehow your question is still unattempted. Well, it's never late...

First off, I would like you to see this tutorial again and check the configuration issues: Squid configuration

Here you have not properly followed the rules, i.e. your config file is bad.

Secondly.. you need transparent proxy and the tutorial above fits you well.

Offline ilias

  • Linux Learner
  • ***
  • Posts: 116
problem in transparent proxy
« Reply #2 on: July 27, 2005, 03:21:27 PM »
u first install the transparent proxy and add the IP address of the server machine in ur client. Give the IP as Gateway.

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
Thank You For Your Help Ilias & Ricky and Result Config
« Reply #3 on: August 01, 2005, 09:07:17 AM »
Dear Ilias & Ricky


Now my squid transparent proxy configuration is working fine; I just got it working yesterday. But I have a problem with ports, because some websites in Cambodia use ports other than port 80, so now I want to ask you: how can we open ports to access some of the internet?
.......Thank you for reading. I will be happy when you reply ...............

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
problem in transparent proxy
« Reply #4 on: August 01, 2005, 04:45:14 PM »
Well.. whatever port any website uses, the proxy will never have a problem. It's the headache of the web hosting company to make sure it opens without problem at the user end.

Maybe you can describe a little more.

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
Description about my problem
« Reply #5 on: August 02, 2005, 03:21:58 AM »
Dear Ricky

I was happy when I saw your message, and I just want to ask you about my problem with ports other than port 80. For example, here I use MRTG to control the limits of my clients, using port 8080, but when I go to this website using port 8080 it can't open. So I want to know what my fault is, or whether I must add a new script:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128  
Or must I change the configuration in /etc/squid/squid.conf:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

So I think everything I described to you can make you understand what I want to ask you? However, I still say thank you, and I am happy to know you and to try learning from you ...............................................

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
problem in transparent proxy
« Reply #6 on: August 03, 2005, 06:14:45 AM »
Sorry .. this time I'm not able to get it, what you are trying to open with 8080.
r u saying that u r using 8080 instead of 80 to serve proxy requests?

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
Problem with other Port 80
« Reply #7 on: August 18, 2005, 04:22:39 AM »
Dear Ricky
Now I want to tell you about a problem I have met with ports. Nowadays I have squid on SuSe 9.1 and it is working with transparent proxy. It is working fine, but it is working with port 80: all my clients can surf the internet without the proxy. But now I have met a problem with other ports, because nowadays I use webmail and my webmail uses port 32000. If I use the proxy I can log in to my webmail, and if I use it without the proxy I can't log in to my webmail .....
So I hope my explanation can make you understand my problem, and I hope I will see your reply ........................................................

Offline ilias

  • Linux Learner
  • ***
  • Posts: 116
problem in transparent proxy
« Reply #8 on: August 18, 2005, 12:24:35 PM »
As u have configured ur proxy as transparent it should work without Browser connection setting. Pls check what's the Gateway u have given in the client machine, bcoz for transparent proxy to work u should give Gateway.

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
My gateway in my clients is Eth0 (inbound IP)
« Reply #9 on: August 19, 2005, 10:28:58 AM »
Dear ilias

All my clients that want to check the internet without configuring browser options must set the default gateway (Eth0 inbound IP) and DNS (Eth1 outbound IP).
I can surf all websites on the internet, but when I want to log in to my mail server that uses port 32000 it can't work. All ports other than port 80, like port 8080 or 32000, can't work, and I don't know why ...........................................
Do you have any idea to tell me? I am waiting for your idea because I know you can understand my problem, and I thank you and Ricky, who always help someone who meets a problem like me or others. Wish you good luck ..............

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
problem in transparent proxy
« Reply #10 on: August 19, 2005, 12:59:14 PM »
Sothy,
In all your replies it's not yet clear whether you have configured your transparent proxy properly.

In a transparent proxy you have to configure your client to use the proper DNS server, and the gateway as the IP of the box running squid. After that you can surf the internet properly, you don't need to touch your client's browser at all. I hope you know how to configure a client machine to have a specific gateway and DNS server.

So first of all I want to know --> is your setup like I said above, or something else?

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
I think you still don't understand what I mean
« Reply #11 on: August 19, 2005, 01:29:41 PM »
Dear Ricky
I think the problem I explained to you was maybe not enough to make you understand it. However, I am still happy that I saw your reply to me. Now I understand what you told me, and I had done it all like you say above: I don't touch my clients' browsers and they can surf fine. But now I change my question! Can you explain to me: the transparent proxy works only on port 80, right? Do other ports work or not? And the meaning of this script:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 (it works only on port 80 and other ports can't work, right?)
Now my problem is I can't surf the others; it just works with only port 80 ....
I hope my explanation will make you understand, and I'm sorry because I know just a little so I can't explain clearly to you, and I'm happy to wait for your answer with a good result .............:)

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
problem in transparent proxy
« Reply #12 on: August 20, 2005, 08:46:25 AM »
ya this command is only redirecting port 80 requests; in the transparent proxy setup given by me, the other port requests are fulfilled directly via NAT.

I can see that english is not your native language, anyways np.

I am afraid here that you have not properly configured your transparent proxy. Either your NAT is not working or your squid is not working. But one of them is working properly.

To confirm your NAT is working -->
Stop squid and make sure your clients are using the proper DNS server and proper gateway, i.e. the IP of ur computer running NAT, and set your browsers not to use a proxy.
If you are able to open websites, messenger then its working.

To confirm if Squid is working -->
Turn off NAT. To do so
Code:
/sbin/iptables --flush -t nat
Now set your browsers to use squid proxy then surf the sites. If you are successful then squid is also working fine.

Now to confirm transparent proxy -->
Restart your PC or re-execute the rc.nat script. Make sure your browser is not using a proxy, and your clients are using the right DNS server, gateway etc. Then if you are able to surf, ur transparent proxy is working.

Maybe you are running some firewall which blocks port 32000! .. btw. u plze confirm above then we will discuss it further.

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
You were right again Ricky
« Reply #13 on: August 23, 2005, 02:07:43 AM »
I'm so happy when I get good experience from you, and now I know my problem, why I can surf the web on ports other than port 80: because I forgot that I have a PIX firewall, and when I assign it all my clients can access all ports!
However, I still say thank you, Ricky and ilias, who always help when someone meets a problem, and I wish you good luck, and when you get married please tell me, I will wish you again hahahahaha....I'm joking ...

Thank you

Offline sothy

  • Linux Learner
  • ***
  • Posts: 84
Error Transparent Proxy
« Reply #14 on: October 24, 2005, 04:45:10 AM »
Dear everybody, I have a problem with the transparent proxy: I can't provide internet to my clients through the transparent proxy. Before, I got it working one time, but a few days ago I met a problem where my server hung, so I had to format it and install again. When I installed squid (SuSe 9.3) it worked fine as a squid proxy, but when I went to install the transparent proxy it doesn't work. I met something strange on squid: when I typed the scripts for the transparent proxy, they don't appear in the iptables record. It is like this:

First I checked ipforward: 1, and then I typed the scripts

linux:~ # iptables --append FORWARD --in-interface eth0 -j ACCEPT

linux:~ # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

linux:~ # iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
 
and when I go to show these scripts, nothing appears

linux:~ # iptables -v -n --list
Chain INPUT (policy ACCEPT 9852 packets, 3134K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9265 packets, 3321K bytes)
 pkts bytes target     prot opt in     out     source               destination
linux:~ #


So I don't know why it is strange like this, or whether my squid configuration has a problem:

///////////////////

#Default:
http_port 3128

#Default:
icp_port 3130

#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


#Default:
cache_dir ufs /var/cache/squid 100 16 256

#Default:
cache_access_log /var/log/squid/access.log

#Default:
cache_log /var/log/squid/cache.log

#Default:
cache_store_log /var/log/squid/store.log

#Default:
pid_filename /var/run/squid.pid

#Recommended minimum configuration:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

#Suggested default:
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320

#Recommended minimum configuration:
acl SSL_ports port 443 563
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563   # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl CONNECT method CONNECT

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

acl local_net src 192.168.0.0/255.255.255.0
acl local_net src 10.1.1.0/255.255.255.0

## Computer
#acl bh src 192.168.0.53/255.255.255.255
acl bh1   src 192.168.0.38/255.255.255.255
#acl bh2 src 192.168.0.81/255.255.255.255
acl bs src 192.168.0.72/255.255.255.255
acl bs1 src 192.168.0.63/255.255.255.255
acl bunna src 192.168.0.10/255.255.255.255

#Default configuration:
http_access allow manager local_net
http_access deny manager
# Allow Access to Internet
#
## Admin
#http_access allow bh
http_access allow bh1
#http_access allow bh2
http_access allow bs
http_access allow bs1
http_access allow bunna
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports

http_access deny local_net

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#http_access deny all

#Default:
#icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

#Default setting:
miss_access allow all

httpd_accel_host virtual
#httpd_accel_port 8080
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
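
Added example (not part of any post in this thread, and not Squid's own tooling): a small checker for the http_access rules in the two squid.conf files posted above. It flags "allow" lines on !Safe_ports / !SSL_ports (the last post) that invert the "deny" port guards of the first post, a rule list with no final "http_access deny all" (Squid then defaults to the opposite of the last rule), and rules naming an ACL that is never declared (ads_akamai in the first post). The names lint_http_access, PORT_GUARDS and SAMPLE are made up for this example, and SAMPLE is a constructed excerpt of the last post's config.

```python
# Constructed excerpt: acl and http_access lines from the second squid.conf above.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl local_net src 192.168.0.0/255.255.255.0
acl bh1 src 192.168.0.38/255.255.255.255
http_access allow bh1
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access deny local_net
#http_access deny all
"""

# Negated port ACLs that the first post's config pairs with "deny", not "allow".
PORT_GUARDS = {"!Safe_ports", "!SSL_ports"}


def lint_http_access(conf_text):
    """Return (line_number, message) findings for the http_access rule list."""
    defined, rules, findings = set(), [], []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) >= 2 and fields[0] == "acl":
            defined.add(fields[1])
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((num, fields[1], fields[2:]))
    for num, action, acls in rules:
        for name in acls:
            if name.lstrip("!") not in defined:
                findings.append((num, "undefined acl " + name.lstrip("!")))
        inverted = sorted(PORT_GUARDS.intersection(acls))
        if action == "allow" and inverted:
            findings.append((num, "allow on %s inverts a port guard" % inverted[0]))
    if rules:
        num, action, acls = rules[-1]
        if (action, acls) != ("deny", ["all"]):
            # With no catch-all, Squid applies the opposite of the last rule.
            default = "allow" if action == "deny" else "deny"
            findings.append(
                (num, "no final 'deny all'; unmatched requests default to " + default))
    return findings


if __name__ == "__main__":
    for num, message in lint_http_access(SAMPLE):
        print("line %d: %s" % (num, message))
```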