[plug] Squid / Transparent Proxying / iptables

Ben Jensz jensz at wn.com.au
Tue Sep 18 22:06:57 WST 2001


I assume that iptables rules work the same way ipchains rules do, that is,
the first rule which matches wins.  So if you set a rule to allow HTTP
traffic which is destined locally first, and then add the rules after that
which redirect external HTTP requests through your transparent proxy and
squid, it should then stop locally destined HTTP traffic from being
redirected through the proxy.

I'm not up on the specifics of iptables yet as I haven't put a 2.4 kernel
onto a machine to have a "play" with yet.


/ Ben

----- Original Message -----
From: "Arkem" <arkem at mornmist.2y.net>
To: <plug at plug.linux.org.au>
Sent: Tuesday, September 18, 2001 9:41 PM
Subject: [plug] Squid / Transparent Proxying / iptables


Hi Everyone

Recently I decided to dedicate some of my ample /var/ partition free
space to a nice large web cache. Also, to help those on the same LAN
using my computer as a gateway, I made it transparent (changed the
recommended settings in squid) by forwarding all port 80 traffic not
coming in through the external interface to the proxy server using
the command:

# Rewrite the destination of TCP port-80 traffic arriving on any interface
# other than ppp0 (the external link) to the squid listener
/sbin/iptables -t nat -A PREROUTING -p tcp ! -i ppp0 --dport 80 \
    -j DNAT --to 192.168.0.10:8080

This works great, but now I seem to be getting some slowdowns when web
surfing (I haven't really investigated the cause much, but it just
acts unresponsive... the speed is still there, just the response time
is shocking). I've decided that I'd like to make my redirection a
little more specific so that locally bound web traffic is not passed
to the proxy. I tried a couple of things but they didn't seem to work;
the attempt that I had the most hope in was:

# Create a separate chain and hand all inside-originated TCP port-80
# traffic to it
/sbin/iptables -t nat -N cache_check
/sbin/iptables -t nat -A PREROUTING -p tcp ! -i ppp0 --dport 80 \
    -j cache_check
# Intended exemptions: LAN and loopback destinations should not be
# redirected
/sbin/iptables -t nat -A cache_check -p tcp -d 192.168.0.0/16 \
    -j ACCEPT
/sbin/iptables -t nat -A cache_check -p tcp -d 127.0.0.1/32 -j ACCEPT
# Everything else on port 80 is sent to squid
/sbin/iptables -t nat -A cache_check -p tcp --dport 80 -j DNAT \
    --to 192.168.0.10:8080

Though unfortunately this still seems to route all web traffic through
squid, even the local traffic. Can anyone see a problem with this or
make any suggestions (about the redirection problem or about the
squid problem)? They'd be very appreciated.

Regards, Paul Chamberlain
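The ordering Ben describes (exemptions first, DNAT last), written out as a complete ruleset. This is an added example, not code from either poster; it keeps the cache_check chain name from Paul's post but assumes the rest: external link ppp0, LAN 192.168.0.0/16, squid listening on 192.168.0.10:8080, and the current `! -i` negation syntax. It also flushes the chain and re-creates the jump on every run, because with `-A` a DNAT rule appended on an earlier run would still sit in front of any exemptions added later and win on first match.

```shell
#!/bin/sh
# Added example (not from the thread): nat PREROUTING rules for a transparent
# squid, with the local-destination exemptions placed before the DNAT.
# Assumed values, override via environment: external link ppp0, LAN
# 192.168.0.0/16, squid on 192.168.0.10:8080. The chain name cache_check is
# the one used in the original post.
IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/16}
PROXY=${PROXY:-192.168.0.10:8080}
PROXY_IP=${PROXY%:*}
# Safe default: only print the commands. Run with DRY_RUN=0 as root to apply.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

proxy_rules() {
    # Start from an empty chain so nothing from a previous run is left in
    # front of the exemptions (first match wins).
    ipt -t nat -N cache_check 2>/dev/null || true
    ipt -t nat -F cache_check
    # Re-create the jump rather than appending a duplicate of it.
    ipt -t nat -D PREROUTING -p tcp ! -i "$EXT_IF" --dport 80 -j cache_check 2>/dev/null || true
    ipt -t nat -A PREROUTING -p tcp ! -i "$EXT_IF" --dport 80 -j cache_check

    # 1. Exemptions, evaluated first. RETURN hands the packet back to
    #    PREROUTING untouched; ACCEPT would also stop the redirect, since it
    #    ends nat traversal for the packet altogether.
    # LAN-bound HTTP, including the gateway's own web server:
    ipt -t nat -A cache_check -d "$LAN_NET" -j RETURN
    # Anything addressed to loopback:
    ipt -t nat -A cache_check -d 127.0.0.0/8 -j RETURN
    # Squid's own outbound fetches must never be sent back to squid; if squid
    # runs on a LAN host rather than the gateway this rule prevents a loop.
    ipt -t nat -A cache_check -s "$PROXY_IP" -j RETURN

    # 2. Everything else on port 80 goes to the proxy.
    ipt -t nat -A cache_check -p tcp --dport 80 -j DNAT --to-destination "$PROXY"
}

# Check: rule order and per-rule packet counters. A request to a LAN web
# server should increment a RETURN rule, not the DNAT rule.
show_rules() {
    ipt -t nat -L PREROUTING -n -v --line-numbers
    ipt -t nat -L cache_check -n -v --line-numbers
}

proxy_rules
show_rules
```

Two caveats when testing a change like this: the nat table is consulted only for the first packet of a connection, so browser connections that were already open (keep-alive included) keep their old DNAT mapping until they close; compare against the conntrack table (/proc/net/ip_conntrack on 2.4, `conntrack -L` on current kernels) before concluding the rules are wrong. And if squid runs on the gateway itself, `-j REDIRECT --to-ports 8080` does the same job as the DNAT without hard-coding the gateway's address.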
