From: Andrew Pantyukhin
Reply-To: infofarmer@FreeBSD.org
To: Anwarul Mamun
Cc: freebsd-isp@freebsd.org
Date: Wed, 12 Sep 2007 12:40:33 +0400
Subject: Re: Squid proxy 2.6 with FreeBSD 6.2
Message-ID: <20070912084032.GF82150@amilo.cenkes.org>
In-Reply-To: <4857c35e0709112150y2cb082dcgb707f8fbdfbd934b@mail.gmail.com>

On Wed, Sep 12, 2007 at 10:50:38AM +0600, Anwarul Mamun wrote:
> On 9/12/07, Andrew Pantyukhin wrote:
> > On Tue, Sep 11, 2007 at 05:23:28PM +0600, Anwarul Mamun wrote:
> > > Hi All!
> > >
> > > I have a linux gateway server (using iptables on this) where my client
> > > hit first. I want to direct the http traffic to the proxy server based
> > > on FreeBSD (I mean transparent proxy). I am using FreeBSD 6.2 and Squid
> > > proxy 2.6. I have directed the http traffic from my linux gateway
> > > server to the proxy server on FreeBSD as below. But the transparent
> > > proxying does not work. Is there anyone worked with the issues on
> > > transparent proxy with FreeBSD 6.2. who may suggest in this case?
> > >
> > > /sbin/iptables -t nat -A PREROUTING -s 192.168.40.0/24 -p tcp --dport 80 -j DNAT --to 172.16.3.1:8080
> > > /sbin/iptables -t nat -A PREROUTING -s 192.168.40.0/24 -p tcp --dport 8080 -j DNAT --to 172.16.3.1:8080
> >
> > Assuming your squid config is right, you should stop modifying
> > packets (with little knowledge of iptables, I think -j DNAT --to
> > ... does that). If you manage to reroute unmodified packets to
> > the FreeBSD box, you'll need something like this to set up its
> > ipfw:
> >
> > $cmd add 100 fwd 127.0.0.1,3128\
> >     proto tcp src-ip $lan_local not src-ip me not dst-ip me\
> >     dst-port $http_ports
> > $cmd add 200 allow via lo0
> > $cmd add 500 deny dst-ip me dst-port 3128 not src-ip $lan_local
>
> I am using two different servers. One is running under linux and using
> iptables from which I want to forward http traffic to the FreeBSD box where
> I am running Squid proxy and want to make it run as transparent proxy. The
> problem is that the FreeBSD box is not working as a transparent proxy in
> this scenario. It seems that the Squid proxy server at FreeBSD box doesn't
> see the packet forwarded to it through the linux server.
>
> Any suggestion?

Eh, did you read what I posted? (a) you need to deliver packets
from the linux box to the FreeBSD box unmodified, (b) inside the
FreeBSD box you've got to use those ipfw rules to get the packets
to squid.
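
Added example, not part of the original message: a small Python model of the three ipfw rules quoted above, showing how they treat an unmodified client packet versus one already rewritten by the gateway's DNAT rule. The LAN range and proxy address come from the iptables lines in the thread; `$http_ports = {80}`, the interface name `em0` and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values: LAN and proxy address are taken from the iptables lines in
# the thread; $http_ports = {80} and the interface names are guesses.
LAN_LOCAL = ip_network("192.168.40.0/24")                 # $lan_local
ME = {ip_address("172.16.3.1"), ip_address("127.0.0.1")}  # addresses "me" matches
HTTP_PORTS = {80}                                         # $http_ports
SQUID = ("127.0.0.1", 3128)                               # fwd target in rule 100

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "em0"   # hypothetical receive interface
    proto: str = "tcp"

def ipfw_verdict(p: Packet) -> str:
    """First-match evaluation of rules 100, 200 and 500 from the thread."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # 100: fwd ... proto tcp src-ip $lan_local not src-ip me not dst-ip me
    #      dst-port $http_ports
    if (p.proto == "tcp" and src in LAN_LOCAL and src not in ME
            and dst not in ME and p.dport in HTTP_PORTS):
        return "fwd %s,%d" % SQUID
    # 200: allow via lo0
    if p.iface == "lo0":
        return "allow"
    # 500: deny dst-ip me dst-port 3128 not src-ip $lan_local
    if dst in ME and p.dport == 3128 and src not in LAN_LOCAL:
        return "deny"
    return "no match (falls through to later rules)"

def dnat(p: Packet) -> Packet:
    """Effect of the gateway's '-j DNAT --to 172.16.3.1:8080' on a packet."""
    return Packet(p.src, "172.16.3.1", 8080, p.iface, p.proto)

# Constructed sample: a LAN client requesting a page from a documentation address.
client_request = Packet("192.168.40.25", "203.0.113.10", 80)

if __name__ == "__main__":
    print("unmodified:", ipfw_verdict(client_request))
    print("after DNAT:", ipfw_verdict(dnat(client_request)))
    print("outsider  :", ipfw_verdict(Packet("198.51.100.7", "172.16.3.1", 3128)))
```

In this model the DNAT-rewritten packet never reaches the `fwd` rule because its destination is now the proxy box itself, which is why points (a) and (b) only work together.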