[ILUG] either transparent proxy or iptables problem.
Michael Watterson
watty at eircom.net
Fri Jan 4 23:03:35 GMT 2008
Francis Daly wrote:
> On 04/01/2008, Darragh <lists at digitaldarragh.com> wrote:
>
>
>> I set up squid guard and after getting rid of the initial configuration
>> problems, it finally gives me a status of ready to serve in its logs.
>>
>> I've downloaded a reasonably decent blacklist and it's recognising it
>> however when I test squid, it's still not blocking anything.
>>
>
> I'd say leave out squidGuard until you have plain squid working the
> way you want it to. Adding squidGuard -- after you've done it a few
> times with a few different squid versions -- is relatively
> straightforward, once you've got file permissions correct.
>
> On a philosophical note, I'd say trying to do transparent proxying is
> bad, and then transparently filtering stuff is worse. Of course, the
> network manager gets to choose what happens on the network; but I'd be
> slow to try anything other than telling people to use the proxy server
> if they want web access. Depending on the clients used and the rest of
> the network environment, it might just be a config change or two on a
> master server. And it'll remove the element of surprise when they get
> a message from their proxy admin saying why this particular web access
> attempt failed.
>
>
>> I wanted to test it to make sure that there wasn't something wrong with
>> squid's logging and it was definitely not working correctly but it definitely
>> seems like squid just is not getting any traffic.
>>
>
> As in the earlier reply, I'd look closely at the tcpdump output to see
> whether the traffic was even getting to the squid server.
>
> If your client is 192.168.1.6, and is told that its default gateway is
> 192.168.1.5, while the machine that is 192.168.1.5 knows that its
> default gateway is 192.168.1.1 (all on the same subnet), then when the
> .6 machine tries to talk to something remote via .5, .5 will forward
> the traffic to .1 and send an icmp redirect to .6, telling it that for
> this remote host (or possibly a bigger network), .6 should go straight
> via .1 rather than .5. So any future requests, while .6 honours that
> redirect, won't go near .5 and your filtering attempt breaks down.
>
> I suspect that something like that might be happening.
>
> f
>
Your squid wants to have two network cards on different subnets. Then
the Internet/Router is on a separate network to the clients and only
traffic via squid works.
--
Mike
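
The ICMP redirect scenario from the quoted reply, checked against tcpdump output, as an added example that is not part of the original thread. The /24 netmask, the 192.168.2.0/24 client subnet for the two-card layout, the remote address 203.0.113.10 and the sample capture lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# tcpdump -n prints an ICMP redirect as:
#   IP <router> > <client>: ICMP redirect <dest> to host <new gateway>, length N
REDIRECT_RE = re.compile(
    r"IP (?P<router>[\d.]+) > (?P<client>[\d.]+): ICMP redirect "
    r"(?P<dest>[\d.]+) to (?:host|net) (?P<new_gw>[\d.]+)"
)

def redirect_expected(client, next_hop, client_lan):
    """True when client and next hop share a subnet, so the proxy box would
    forward the packet back out the interface it arrived on and send a redirect."""
    net = ipaddress.ip_network(client_lan)
    return (ipaddress.ip_address(client) in net
            and ipaddress.ip_address(next_hop) in net)

def find_redirects(lines, proxy_ip):
    """Return (client, destination, new_gateway) for each redirect sent by proxy_ip."""
    hits = []
    for line in lines:
        m = REDIRECT_RE.search(line)
        if m and m.group("router") == proxy_ip:
            hits.append((m.group("client"), m.group("dest"), m.group("new_gw")))
    return hits

# Constructed capture, using the addresses from the post (assumed /24 LAN).
SAMPLE = """\
23:01:10.100000 IP 192.168.1.6.40112 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0
23:01:10.100200 IP 192.168.1.5 > 192.168.1.6: ICMP redirect 203.0.113.10 to host 192.168.1.1, length 68
23:01:10.100300 IP 192.168.1.5 > 192.168.1.6: ICMP echo reply, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    # Single-subnet layout from the post: a redirect is expected.
    print(redirect_expected("192.168.1.6", "192.168.1.1", "192.168.1.0/24"))
    # Two-card layout: clients on their own (assumed) subnet, no redirect.
    print(redirect_expected("192.168.2.6", "192.168.1.1", "192.168.2.0/24"))
    for client, dest, gw in find_redirects(SAMPLE, "192.168.1.5"):
        print(f"{client} told to reach {dest} via {gw}, bypassing 192.168.1.5")
```

Feed `find_redirects` the lines of a capture taken on the squid box; any hit names a client that has been told to skip the proxy for that destination.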