Squid proxy remote server

From Skytech
Revision as of 20:00, 10 April 2011 by 192.168.0.250 (talk)

Howto run a transparent proxy on the same network on a separate server

This is a blatant ripoff from this source: http://tldp.org/HOWTO/TransparentProxy-6.html All credit goes there. I just spent a long time finding it, so I reposted it here for easy access again.

Chapter 6

6. Transparent Proxy to a Remote Box

Now, the question naturally arises: if we can do all this nifty stuff redirecting HTTP connections to local ports, could we do the same thing to a remote box (i.e., the machine running squid is not the same machine that iptables is running on)? The answer is yes, but it takes slightly different magic words. If you only want to redirect to the local box (the normal case), skip this section.

For the purposes of the example commands, let's assume we have two boxes called squid-box and iptables-box, and that they are on the network local-network. In the commands below, replace these strings with the actual IP addresses or names of your machines and network.

I will present two different approaches here.

6.1 First method (simpler, but does not work for some esoteric cases)

First, the machine that squid will be running on, squid-box. You do not need iptables or any special kernel options on this machine, just squid. You *will*, however, need the 'http_accel' options as described above. (Previous versions of this HOWTO suggested that you did not need those options. That was a mistake. Sorry to have confused people...)

Now, the machine that iptables will be running on, iptables-box. You will need to configure the kernel as described in section 3 above, except that you don't need the REDIRECT target support. Now, for the iptables commands. You need three:

# 1. Hand client web traffic to squid-box; squid-box's own traffic is excluded so it is not redirected back to itself
iptables -t nat -A PREROUTING -i eth0 ! -s squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
# 2. Make squid's replies come back through iptables-box rather than going straight to the client
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
# 3. Let iptables-box forward the redirected packets on to squid-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

The first rule sends the packets from iptables-box to squid-box. The second makes sure the reply is sent back through iptables-box instead of directly to the client (this is very important!). The last one makes sure iptables-box will forward the appropriate packets to squid-box; it may not be needed, YMMV. Note that we specified '-i eth0' and '-o eth0', meaning input interface eth0 and output interface eth0. If your packets enter and leave on different interfaces, you will need to adjust the commands accordingly.

Add these commands to the appropriate startup scripts under /etc/rc.d/.
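The three rules above as a re-runnable startup script, added here as an example (it is not part of the HOWTO or this wiki); the addresses are constructed placeholders, and the variable names and the preflight/apply functions are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the TLDP HOWTO or this wiki: the three rules from
# section 6.1 with concrete addresses, applied only when missing so the script
# can be re-run from an rc script. Addresses are constructed placeholders.
SQUID_BOX="${SQUID_BOX:-192.168.0.10}"       # host running squid
IPTABLES_BOX="${IPTABLES_BOX:-192.168.0.1}"  # this router/firewall box
LOCAL_NET="${LOCAL_NET:-192.168.0.0/24}"     # client network
IFACE="${IFACE:-eth0}"                       # same in/out interface, as in the text
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit "table chain rule-spec" lines in the order they must be added.
rule_specs() {
    # 1. DNAT client port-80 traffic to squid. "! -s" excludes squid-box itself:
    #    without it squid's own fetches to origin servers loop back to squid.
    echo "nat PREROUTING -i $IFACE ! -s $SQUID_BOX -p tcp --dport 80 -j DNAT --to-destination $SQUID_BOX:$SQUID_PORT"
    # 2. SNAT so squid's replies come back through iptables-box, which holds the
    #    conntrack entry and can reverse the DNAT. Without it the client gets
    #    packets from squid-box:3128, a peer it never contacted, and resets.
    #    Side effect: squid sees every client as iptables-box (its logs lose client IPs).
    echo "nat POSTROUTING -o $IFACE -s $LOCAL_NET -d $SQUID_BOX -j SNAT --to-source $IPTABLES_BOX"
    # 3. Permit the forwarded flow through the filter table (needed if FORWARD policy is DROP).
    echo "filter FORWARD -i $IFACE -o $IFACE -s $LOCAL_NET -d $SQUID_BOX -p tcp --dport $SQUID_PORT -j ACCEPT"
}

# Refuse the obvious misconfigurations before touching the firewall.
preflight() {
    if [ "$SQUID_BOX" = "$IPTABLES_BOX" ]; then
        echo "squid-box equals iptables-box; use the REDIRECT method instead" >&2
        return 1
    fi
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] ||
        echo "warning: net.ipv4.ip_forward is off, forwarded packets will be dropped" >&2
}

# Append each rule unless an identical one already exists (iptables -C).
apply_rules() {
    rule_specs | while read -r table chain spec; do
        # $spec is intentionally unquoted so it splits into iptables arguments.
        if iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            echo "present: $table $chain $spec"
        else
            iptables -t "$table" -A "$chain" $spec && echo "added: $table $chain $spec"
        fi
    done
}
case "${1:-}" in
    show)  rule_specs ;;
    apply) preflight && apply_rules ;;
esac
```

Run `sh script.sh show` to review the generated rules and `sh script.sh apply` (as root) to install the ones not yet present.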

(Thanks to Giles Coochey for help writing this section).