iptables help!!!


sudo
05-22-2003, 09:30 PM
How do I configure iptables so my proxy runs transparently?? Both iptables and squid are on the same machine; squid is running perfectly, no probs...
eth0=10.0.0.20 gw:10.0.0.1 (my router)
eth1=192.168.1.1
the clients on the 192.168.1.0/24 net should be allowed access through the proxy server running on default port 3128.

How do I set up the script???

Right now it looks like this (and doesn't work):
#!/bin/bash

iptables -F
iptables -t nat -F

iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.0.0.20

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024: --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -p udp -s 192.168.1.0/24 --sport 1024: --dport 53 -j ACCEPT

iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.0/24 --dport 1024: --sport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -d 192.168.1.0/24 --dport 1024: --sport 53 -j ACCEPT


/etc/init.d/iptables save

If I remove the PREROUTING line and manually write the proxy settings in the browser, it works fine!! What to do??? Plz help me out here....

filp
05-22-2003, 09:43 PM
http://www.ibiblio.org/pub/Linux/docs/HOWTO/mini/other-formats/html_single/TransparentProxy.html

Perhaps search next time?

Filp.

sudo
05-22-2003, 10:09 PM
Read it, tried it, doesn't work .... it gets a bit too transparent!!!... it doesn't use my ACLs .... or I might be doing something all wrong...

nry
05-23-2003, 03:57 PM
Did you compile squid from source with the relevant options? Reading some stuff from Google on this, the default (e.g. RH9) squid will not work for this; you need to compile from source with the relevant options. Try this one:

http://users.gurulink.com/drk/transproxy/TransparentProxy.html

I may look into this myself as I could get round some right awkward issues at work but never thought of doing it this way!

Good luck,

nry

linnov
05-23-2003, 04:27 PM
Mmmm, all I did was compile the latest squid and use the following iptables command:

iptables -t nat -A PREROUTING -i $INTIF1 -d ! $INTIP -p tcp --dport www -j REDIRECT --to-port 3128

and in squid.conf set the following:

httpd_accel_host virtual
httpd_accel_port 80

nry
05-23-2003, 04:32 PM
To quote the URL I posted before:

"4. Setting up squid
Now, we need to get squid up and running. Download the latest source tarball from www.squid-cache.org. Make sure you get a STABLE version, not a DEVEL version. The latest as of this writing was squid-2.4.STABLE3.tar.gz. Note that AFAIK, you must have squid-2.4 for linux kernel 2.4. The reason is that the mechanism by which the process determines the original destination address has changed from linux 2.2, and only squid-2.4 has this new code in it. (For those of you who are interested, previously the getsockname() call was hacked to provide the original destination address, but now the call is getsockopt() with a level of SOL_IP and an option of SO_ORIGINAL_DST).

Now, untar and gunzip the archive (use ``tar -xzf <filename>''). Run the autoconfiguration script and tell it to include netfilter code (``./configure --enable-linux-netfilter''), compile (``make'') and then install (``make install''). "

I'd say it's worth looking at the link I posted if you're still stuck. It appears you don't just run squid as normal: you need to run it in HTTP accelerator mode, and if you're not, it may be why it isn't working. I've never done this though, so I'm not talking from experience!

nry
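Added example, not any poster's script: a rule set for the setup described in the thread (eth0 = 10.0.0.20 toward the router, eth1 = 192.168.1.1 toward the LAN, squid on 3128), applying the REDIRECT form linnov posted. It corrects the interface mix-up in the original script (REDIRECT and the LAN FORWARD rules matched eth0 although clients arrive on eth1, and SNAT matched eth1 although traffic leaves on eth0). The IPT variable, the argument handling and the "show" dry-run mode are this example's own conventions.

```shell
#!/bin/sh
# Transparent squid on the firewall host itself (constructed example).
# Set IPT=echo to review the rule set without touching the kernel.
set -eu

IPT="${IPT:-iptables}"
EXT_IF=eth0; EXT_IP=10.0.0.20        # outside: router is 10.0.0.1
INT_IF=eth1; INT_IP=192.168.1.1      # inside
LAN=192.168.1.0/24
SQUID_PORT=3128

apply_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # LAN packets leave toward the router on eth0, so SNAT matches -o eth0
    # (the thread's script matched -o eth1, the LAN side).
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"

    # Client web requests ARRIVE on the inside interface; redirect them to
    # squid there, not on eth0. Excluding the proxy's own address keeps
    # browsers that point at 192.168.1.1:3128 explicitly working as well.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" ! -d "$INT_IP" \
        -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # Redirected connections end in INPUT (accepted); squid's own fetches go
    # out via OUTPUT (accepted). FORWARD only needs DNS for the LAN, matched
    # in the right in/out direction, so nothing bypasses the proxy on port 80.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LAN" -p udp --sport 53 -j ACCEPT
}

# "sh tproxy.sh apply" (as root) loads the rules; "sh tproxy.sh show" prints
# them instead. With no argument the script only defines apply_rules.
case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

Squid still needs the httpd_accel_host virtual / httpd_accel_port 80 settings linnov mentioned, since REDIRECT only changes where the packets land.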