Date: Tue, 11 Sep 2007 22:30:45 +0400
From: Andrew Pantyukhin <infofarmer@FreeBSD.org>
To: Anwarul Mamun
Cc: freebsd-isp@freebsd.org
Subject: Re: Squid proxy 2.6 with FreeBSD 6.2
Message-ID: <20070911183044.GC83726@amilo.cenkes.org>
In-Reply-To: <4857c35e0709110423w77c5217fs81a1f014d0a48adf@mail.gmail.com>

On Tue, Sep 11, 2007 at 05:23:28PM +0600, Anwarul Mamun wrote:
> Hi All!
>
> I have a Linux gateway server (using iptables on it) where my clients hit
> first. I want to direct the HTTP traffic to the proxy server based on
> FreeBSD (I mean a transparent proxy). I am using FreeBSD 6.2 and Squid proxy
> 2.6. I have directed the HTTP traffic from my Linux gateway server to the
> proxy server on FreeBSD as below. But the transparent proxying does not
> work. Has anyone worked with the issues of transparent proxying on
> FreeBSD 6.2 who may suggest something in this case?
>
> /sbin/iptables -t nat -A PREROUTING -s 192.168.40.0/24 -p tcp --dport 80 -j DNAT --to 172.16.3.1:8080
> /sbin/iptables -t nat -A PREROUTING -s 192.168.40.0/24 -p tcp --dport 8080 -j DNAT --to 172.16.3.1:8080

Assuming your squid config is right, you should stop modifying packets
(with little knowledge of iptables, I think -j DNAT --to ... does that).
If you manage to reroute unmodified packets to the FreeBSD box, you'll
need something like this to set up its ipfw:

$cmd add 100 fwd 127.0.0.1,3128 \
    proto tcp src-ip $lan_local not src-ip me not dst-ip me \
    dst-port $http_ports
$cmd add 200 allow via lo0
$cmd add 500 deny dst-ip me dst-port 3128 not src-ip $lan_local
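Added here as an illustration, not code from this thread: a small Python model of ipfw's first-match evaluation for the three rules above, with constructed values standing in for $lan_local, $http_ports and the FreeBSD box's own addresses ("me"). It shows which LAN traffic gets forwarded to squid, what rule 200 admits on lo0, and how rule 500 keeps outside hosts from talking to the proxy port directly.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the script variables in the mail (assumptions,
# not values from the thread): the LAN behind the Linux gateway, the ports
# squid should intercept, and the FreeBSD box's own addresses ("me").
LAN_LOCAL = ipaddress.ip_network("192.168.40.0/24")
HTTP_PORTS = {80, 8080}
ME = {ipaddress.ip_address("172.16.3.1"), ipaddress.ip_address("127.0.0.1")}
SQUID_PORT = 3128


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "em0"  # interface the packet crosses; "lo0" for loopback


def _ip(text):
    return ipaddress.ip_address(text)


def rule_100(p):
    """fwd 127.0.0.1,3128 proto tcp src-ip $lan_local not src-ip me
    not dst-ip me dst-port $http_ports: only LAN-originated web traffic
    that is not addressed to the box itself is handed to squid."""
    return (p.proto == "tcp" and _ip(p.src) in LAN_LOCAL
            and _ip(p.src) not in ME and _ip(p.dst) not in ME
            and p.dport in HTTP_PORTS)


def rule_200(p):
    """allow via lo0: the forwarded packets squid sees arrive on loopback."""
    return p.iface == "lo0"


def rule_500(p):
    """deny dst-ip me dst-port 3128 not src-ip $lan_local: nobody outside
    the LAN may reach the proxy port, so the box is not an open proxy."""
    return (_ip(p.dst) in ME and p.dport == SQUID_PORT
            and _ip(p.src) not in LAN_LOCAL)


RULES = [(100, "fwd 127.0.0.1,3128", rule_100),
         (200, "allow", rule_200),
         (500, "deny", rule_500)]


def evaluate(p, default="allow"):
    """First matching rule wins, as in ipfw. The fall-through action is an
    assumption here; on a real box it is the kernel/rc.conf ipfw default."""
    for number, action, match in RULES:
        if match(p):
            return number, action
    return None, default
```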