I wanted to set up an Internet gateway + squid proxy server in transparent mode with user access control.
I configured a new openSUSE 11.0 system with two ethernet interfaces as a router (YaST > Network Settings > Routing: marked 'Enable IP Forwarding', and Firewall > Masquerading: Enable Masquerading). It worked fine as a router.
Installed squid and added the option 'transparent' in YaST > squid > httpports 192.168.1.1 with port 3128.
I browsed from another machine with the browser configured to use the squid server (192.168.1.1 at 3128) and /var/log/squid/access.log shows activity. But with proxy settings turned off on the client browser, there is no activity in the squid access.log. Does that mean the client is not using the squid server?
So, I have a few questions.
Is it that squid in transparent mode will not log user activities, or does it get bypassed?
Should I turn off 'Enable IP forwarding' in Network Settings > Routing and turn off 'Enable Masquerading' in Firewall > Masquerading?
If I do this, applications on client systems other than browsing (mail clients, messengers etc.) get disrupted.
Can I implement user access control with squid in transparent mode?
So how do I implement user-based access control and ensure all the users get Internet access through squid only, with squid in transparent mode on the same system acting as Internet gateway with routing?
I promise I will write a nice 'how to' document to share with all of the forum once I hit success. Thanks in advance.
-srikanth s
For question 2: Should I turn off 'Enable IP forwarding' in Network Settings > Routing and turn off 'Enable Masquerading' in Firewall > Masquerading?
If I do this, applications on client systems other than browsing (mail clients, messengers etc.) get disrupted.
A: No, you don't need to turn it off.
For question 3: Can I implement user access control with squid in transparent mode?
A: Yes, squid has an ACL function.
You should read more detailed information on iptables and squid.
Thank you df6269.
Sorry, I didn't use the "# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3128" statement. I will try it today and post it.
One more clarification: is it enough if I give this statement in the terminal window, or should I add it in a startup script?
If you do that only in a terminal window it will work only until the firewall (SuSEfirewall2) rules are reloaded.
To keep them you have to add them in the "other rules" section; please have a look at the SuSEfirewall2 documentation.
Also good info is available here: 25.3. Proxy Server: Squid, but you will need to adjust the settings accordingly since you are doing this on openSUSE 11 and not on SLES9.
Regarding question 1: in the setup you explained, the proxy was bypassed because of the masquerading option (I think the default rule when you just enable masquerading is to allow all clients). That will be taken care of with the redirect rule to go to the proxy, but from my knowledge it will be only the HTTP traffic (dport 80).
If you want to be more restrictive and allow only certain IPs to bypass, you can add IP1/32 IP2/32 IP3/32 (not IP/24; this would be your whole IP block) for FW_MASQ_NETS, e.g.:
FW_MASQ_NETS="IP_1/32 IP_2/32"
(Please notice that this is for an older version of SUSE and the structure of SuSEfirewall2 might have changed a lot since, so I can not be sure that the setting up here is the right one.)
From the other post I can guess that implementing a transparent proxy can not be done using YaST yet and some manual configuration is still needed, so you will have to work a little bit more. IIRC I once saw a similar post on this forum, so a search could be good.
Can someone help me translate the "iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3128" statement to SuSEfirewall2 syntax or give step by step GUI directions, please?
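The "other rules" translation asked for above, as an added example that is not from this thread or from the openSUSE project: it assumes SuSEfirewall2's custom hook file (/etc/sysconfig/scripts/SuSEfirewall2-custom, enabled through FW_CUSTOMRULES) with its fw_custom_before_masq function, eth0 as the LAN interface, 192.168.1.1 as the gateway, and squid listening on 3128; the "! -d" exclusion for the gateway's own address is an addition to the rule quoted in the thread.

```shell
# Hypothetical contents for /etc/sysconfig/scripts/SuSEfirewall2-custom.
# Enable it with FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# in /etc/sysconfig/SuSEfirewall2. Assumptions: LAN on eth0, gateway
# 192.168.1.1, squid on 3128, hook names as in the SuSEfirewall2 template.

LAN_IF=eth0
LAN_NET=192.168.1.0/24
GW_IP=192.168.1.1
SQUID_PORT=3128

# Build the nat PREROUTING rule as an argument list (no iptables call) so it
# can be inspected or tested without root. Only TCP/80 coming in from the LAN
# is redirected, which is why mail, IM and HTTPS still flow through the
# masquerading rules untouched. "! -d $GW_IP" (added here) keeps requests for
# the gateway's own web server from being looped into squid.
squid_redirect_rule() {
    printf '%s' "-t nat -A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET ! -d $GW_IP --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# SuSEfirewall2 calls this hook every time it (re)builds its rule set, so the
# redirect survives the reloads that wipe a rule typed at the terminal.
fw_custom_before_masq() {
    # The rule is a deliberate word list, so it is expanded unquoted.
    ${IPTABLES:-iptables} $(squid_redirect_rule)
    true
}
```

After a firewall reload, confirm the rule is active with "iptables -t nat -L PREROUTING -n -v" and check that the client's direct (non-proxied) requests now appear in /var/log/squid/access.log.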