mirror of https://github.com/tLDP/LDP
updated
This commit is contained in:
parent
337e67859a
commit
2208d14623
|
@ -945,7 +945,7 @@ TransparentProxy</ULink>, <CiteTitle>
|
||||||
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
|
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
|
||||||
</Para><Para>
|
</Para><Para>
|
||||||
<CiteTitle>
|
<CiteTitle>
|
||||||
Updated: January 2002</CiteTitle>.
|
Updated: August 2002</CiteTitle>.
|
||||||
Provides information on how to setup a transparent
|
Provides information on how to setup a transparent
|
||||||
caching HTTP proxy server using only Linux and squid. </Para>
|
caching HTTP proxy server using only Linux and squid. </Para>
|
||||||
</ListItem>
|
</ListItem>
|
||||||
|
|
|
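Review bot: the same `Transparent Proxy with Squid mini-HOWTO` citation block is updated here and again in the hunk at line 1577, which means this index entry exists as two verbatim copies that must be kept in sync by hand; consider collapsing them to a single entry (or an entity reference) so the next date bump cannot miss one. The change itself is consistent: `Updated: August 2002` matches the document's new `<date>v1.15, August 2002</date>` header in the HOWTO source, and both copies are changed identically.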
@ -1577,7 +1577,7 @@ TransparentProxy</ULink>, <CiteTitle>
|
||||||
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
|
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
|
||||||
</Para><Para>
|
</Para><Para>
|
||||||
<CiteTitle>
|
<CiteTitle>
|
||||||
Updated: January 2002</CiteTitle>.
|
Updated: August 2002</CiteTitle>.
|
||||||
Provides information on how to setup a transparent
|
Provides information on how to setup a transparent
|
||||||
caching HTTP proxy server using only Linux and squid. </Para>
|
caching HTTP proxy server using only Linux and squid. </Para>
|
||||||
</ListItem>
|
</ListItem>
|
||||||
|
|
|
@ -1,435 +1,511 @@
|
||||||
<!doctype linuxdoc system>
|
<!doctype linuxdoc system>
|
||||||
|
|
||||||
<article>
|
<article>
|
||||||
|
|
||||||
<title>Transparent Proxy with Linux and Squid mini-HOWTO</title>
|
<title>Transparent Proxy with Linux and Squid mini-HOWTO</title>
|
||||||
<author>Daniel Kiracofe</author>
|
<author>Daniel Kiracofe</author>
|
||||||
<date>v1.13, January 2002</date>
|
<date>v1.15, August 2002</date>
|
||||||
<abstract>
|
<abstract>
|
||||||
This document provides information on how to setup a transparent caching
|
This document provides information on how to setup a transparent caching
|
||||||
HTTP proxy server using only Linux and squid.
|
HTTP proxy server using only Linux and squid.
|
||||||
</abstract>
|
</abstract>
|
||||||
|
|
||||||
<toc>
|
<toc>
|
||||||
|
|
||||||
<sect>
|
<sect>
|
||||||
Introduction
|
Introduction
|
||||||
<sect1>
|
<sect1>
|
||||||
Comments
|
Comments
|
||||||
<p>
|
<p>
|
||||||
Comments and general feedback on this mini HOWTO are welcome and can be
|
Comments and general feedback on this mini HOWTO are welcome and can be
|
||||||
directed to its author, Daniel Kiracofe, at drk@unxsoft.com.
|
directed to its author, Daniel Kiracofe, at drk@unxsoft.com.
|
||||||
</p>
|
</p>
|
||||||
<sect1>
|
<sect1>
|
||||||
Copyrights and Trademarks
|
Copyrights and Trademarks
|
||||||
<p>
|
<p>
|
||||||
Copyright 2000-2001 by UnxSoft Ltd (www.unxsoft.com)
|
Copyright 2000-2002 by Daniel Kiracofe
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
This manual may be reproduced in whole or in part, without fee, subject
|
This manual may be reproduced in whole or in part, without fee, subject
|
||||||
to the following restrictions:
|
to the following restrictions:
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
<itemize>
|
<itemize>
|
||||||
<item>
|
<item>
|
||||||
The copyright notice above and this permission notice must be preserved
|
The copyright notice above and this permission notice must be preserved
|
||||||
complete on all complete or partial copies
|
complete on all complete or partial copies
|
||||||
<item>
|
<item>
|
||||||
Translation to another language is permitted, provided that the author
|
Translation to another language is permitted, provided that the author
|
||||||
is notified prior to the translation.
|
is notified prior to the translation.
|
||||||
<item>
|
<item>
|
||||||
Any derived work must be approved by the author in writing
|
Any derived work must be approved by the author in writing
|
||||||
before distribution.
|
before distribution.
|
||||||
<item>
|
<item>
|
||||||
If you distribute this work in part, instructions for obtaining the complete
|
If you distribute this work in part, instructions for obtaining the complete
|
||||||
version of this manual must be included, and a means for obtaining a complete
|
version of this manual must be included, and a means for obtaining a complete
|
||||||
version provided.
|
version provided.
|
||||||
<item>
|
<item>
|
||||||
Small portions may be reproduced as illustrations for reviews or quotes
|
Small portions may be reproduced as illustrations for reviews or quotes
|
||||||
in other works without this permission notice if proper citation is given.
|
in other works without this permission notice if proper citation is given.
|
||||||
</itemize>
|
</itemize>
|
||||||
</p><p>
|
</p><p>
|
||||||
Exceptions to these rules may be granted for academic purposes: Write to
|
Exceptions to these rules may be granted for academic purposes: Write to
|
||||||
the author and ask. These restrictions are here to protect us as authors, not
|
the author and ask. These restrictions are here to protect us as authors, not
|
||||||
to restrict you as learners and educators. Any source code (aside from the
|
to restrict you as learners and educators. Any source code (aside from the
|
||||||
SGML this document was written in) in this document is placed under the GNU
|
SGML this document was written in) in this document is placed under the GNU
|
||||||
General Public License, available via anonymous FTP from the GNU archive.
|
General Public License, available via anonymous FTP from the GNU archive.
|
||||||
</p>
|
</p>
|
||||||
<sect1>
|
<sect1>
|
||||||
#include <disclaimer.h>
|
#include <disclaimer.h>
|
||||||
<p>
|
<p>
|
||||||
No warranty, expressed or implied, etc, etc, etc...
|
No warranty, expressed or implied, etc, etc, etc...
|
||||||
</p>
|
</p>
|
||||||
<sect>
|
<sect>
|
||||||
Overview of Transparent Proxying
|
Overview of Transparent Proxying
|
||||||
<sect1>
|
<sect1>
|
||||||
Motivation
|
Motivation
|
||||||
<p>
|
<p>
|
||||||
In ``ordinary'' proxying, the client specifies the hostname and port number
|
In ``ordinary'' proxying, the client specifies the hostname and port number
|
||||||
of a proxy in his web browsing software. The browser then makes requests to
|
of a proxy in his web browsing software. The browser then makes requests to
|
||||||
the proxy, and the proxy forwards them to the origin servers. This is all fine
|
the proxy, and the proxy forwards them to the origin servers. This is all fine
|
||||||
and good, but sometimes one of several situations arise. Either
|
and good, but sometimes one of several situations arise. Either
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
<itemize>
|
<itemize>
|
||||||
<item>
|
<item>
|
||||||
You want to force clients on your network to use the proxy, whether they
|
You want to force clients on your network to use the proxy, whether they
|
||||||
want to or not.
|
want to or not.
|
||||||
<item>
|
<item>
|
||||||
You want clients to use a proxy, but don't want them to know they're being
|
You want clients to use a proxy, but don't want them to know they're being
|
||||||
proxied.
|
proxied.
|
||||||
<item>
|
<item>
|
||||||
You want clients to be proxied, but don't want to go to all the work of
|
You want clients to be proxied, but don't want to go to all the work of
|
||||||
updating the settings in hundreds or thousands of web browsers.
|
updating the settings in hundreds or thousands of web browsers.
|
||||||
</itemize>
|
</itemize>
|
||||||
</p><p>
|
</p><p>
|
||||||
This is where transparent proxying comes in. A web request can be intercepted
|
This is where transparent proxying comes in. A web request can be intercepted
|
||||||
by the proxy, transparently. That is, as far as the client software knows,
|
by the proxy, transparently. That is, as far as the client software knows,
|
||||||
it is talking to the origin server itself, when it is really talking to
|
it is talking to the origin server itself, when it is really talking to
|
||||||
the proxy server. (Note that the transparency only applies to the client;
|
the proxy server. (Note that the transparency only applies to the client;
|
||||||
the server knows that a proxy is involved, and will see the IP address of
|
the server knows that a proxy is involved, and will see the IP address of
|
||||||
the proxy, not the IP address of the user. Although, squid may pass
|
the proxy, not the IP address of the user. Although, squid may pass
|
||||||
an X-Forwarded-For header, so that the server can determine the original
|
an X-Forwarded-For header, so that the server can determine the original
|
||||||
user's IP address if it groks that header).
|
user's IP address if it groks that header).
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
Cisco routers support transparent proxying. So do many switches. But,
|
Cisco routers support transparent proxying. So do many switches. But,
|
||||||
(surprisingly enough)
|
(surprisingly enough)
|
||||||
Linux can act as a router, and can perform transparent proxying by redirecting
|
Linux can act as a router, and can perform transparent proxying by redirecting
|
||||||
TCP connections to local ports. However, we also need to make our web proxy
|
TCP connections to local ports. However, we also need to make our web proxy
|
||||||
aware of the affect of the redirection, so that it can make connections to
|
aware of the affect of the redirection, so that it can make connections to
|
||||||
the proper origin servers. There are two general ways this works:
|
the proper origin servers. There are two general ways this works:
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
The first is when your web proxy is not transparent proxy aware. You can
|
The first is when your web proxy is not transparent proxy aware. You can
|
||||||
use a nifty little daemon called transproxy that sits in front of your web
|
use a nifty little daemon called transproxy that sits in front of your web
|
||||||
proxy and takes care of all the messy details for you. transproxy was written
|
proxy and takes care of all the messy details for you. transproxy was written
|
||||||
by John Saunders, and is available from
|
by John Saunders, and is available from
|
||||||
|
|
||||||
<htmlurl url="ftp://ftp.nlc.net.au/pub/linux/www/" name="ftp://ftp.nlc.net.au/pub/linux/www/">
|
<htmlurl url="ftp://ftp.nlc.net.au/pub/linux/www/" name="ftp://ftp.nlc.net.au/pub/linux/www/">
|
||||||
or your local metalab mirror. transproxy will not be discussed further in this
|
or your local metalab mirror. transproxy will not be discussed further in this
|
||||||
document.
|
document.
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
A cleaner solution is to get a web proxy that is aware of transparent proxying
|
A cleaner solution is to get a web proxy that is aware of transparent proxying
|
||||||
itself. The one we are going to focus on here is squid. Squid is an Open Source
|
itself. The one we are going to focus on here is squid. Squid is an Open Source
|
||||||
caching proxy server for Unix systems. It is available from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
|
caching proxy server for Unix systems. It is available from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
|
||||||
</p>
|
</p>
|
||||||
<p>Alternatively, instead of redirecting the connections to local ports, we could redirect the connections to remote ports. This is discussed in the <ref id="twoboxes" name="Transparent Proxy to a Remote Box"> section. Readers interested in this approach should skip down to that section. Readers interested on doing everything on one box can safely ignore that section.
|
<p>Alternatively, instead of redirecting the connections to local ports, we could redirect the connections to remote ports. This is discussed in the <ref id="twoboxes" name="Transparent Proxy to a Remote Box"> section. Readers interested in this approach should skip down to that section. Readers interested on doing everything on one box can safely ignore that section.
|
||||||
|
|
||||||
<sect1>
|
<sect1>
|
||||||
Scope of this document
|
Scope of this document
|
||||||
<p>
|
<p>
|
||||||
This document will focus on squid version 2.4 and Linux kernel version
|
This document will focus on squid version 2.4 and Linux kernel version
|
||||||
2.4, the most current stable releases as of this writing (December 2001). It
|
2.4, the most current stable releases as of this writing (August 2002). It
|
||||||
should also work with most of the later 2.3 kernels. If you need information
|
should also work with most of the later 2.3 kernels. If you need information
|
||||||
about earlier releases of squid or Linux, you can find some earlier
|
about earlier releases of squid or Linux, you can find some earlier
|
||||||
documents at <htmlurl url="http://www.unxsoft.com/transproxy.html" name="www.unxsoft.com/transproxy.html">.
|
documents at <htmlurl url="http://users.gurulink.com/transproxy/" name="http://users.gurulink.com/transproxy/">. Note that this site has moved from it's previous location.
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
If you are using a development kernel or a development version of squid, you are on your own. This document may help you, but YMMV.
|
If you are using a development kernel or a development version of squid, you are on your own. This document may help you, but YMMV.
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
Note that this document focuses only on HTTP proxing. I get many emails asking
|
Note that this document focuses only on HTTP proxing. I get many emails asking
|
||||||
about transparent FTP proxying. Squid can't do it. Now, allegedly a program
|
about transparent FTP proxying. Squid can't do it. Now, allegedly a program
|
||||||
called Frox can. I have not tried this myself, so I cannot say how well it
|
called Frox can. I have not tried this myself, so I cannot say how well it
|
||||||
works. You can find it at <htmlurl url="http://www.hollo32.fsnet.co.uk/frox/" name ="http://www.hollo32.fsnet.co.uk/frox/">.
|
works. You can find it at <htmlurl url="http://www.hollo32.fsnet.co.uk/frox/" name ="http://www.hollo32.fsnet.co.uk/frox/">.
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
I only focus on squid here, but Apache can also function as a caching proxy
|
I only focus on squid here, but Apache can also function as a caching proxy
|
||||||
server. (If you are not sure which to use, I recommend squid, since it was
|
server. (If you are not sure which to use, I recommend squid, since it was
|
||||||
built from the ground up to be
|
built from the ground up to be
|
||||||
a caching proxy server, Apache's caching proxy features are more of
|
a caching proxy server, Apache's caching proxy features are more of
|
||||||
afterthought additions to an already existing system.)
|
afterthought additions to an already existing system.)
|
||||||
If you want use Apache instead of squid: follow all the instructions in this
|
If you want use Apache instead of squid: follow all the instructions in this
|
||||||
document that pertain to the kernel and iptables rules. Ignore the squid
|
document that pertain to the kernel and iptables rules. Ignore the squid
|
||||||
specific sections, and instead look at
|
specific sections, and instead look at
|
||||||
<htmlurl url="http://lupo.campus.uniroma2.it/progetti/mod_tproxy/" name="http://lupo.campus.uniroma2.it/progetti/mod_tproxy/"> for source code and
|
<htmlurl url="http://lupo.campus.uniroma2.it/progetti/mod_tproxy/" name="http://lupo.campus.uniroma2.it/progetti/mod_tproxy/"> for source code and
|
||||||
instructions for a transparent proxy module for Apache (thanks to Cristiano Paris (c.paris@libero.it) for contributing this).
|
instructions for a transparent proxy module for Apache (thanks to Cristiano Paris (c.paris@libero.it) for contributing this).
|
||||||
<p>Finally, as far as transparently proxing HTTPS (e.g. secure web pages using
|
<sect1>
|
||||||
SSL, etc.), you can't do it. Don't even ask. For the explanation, do a
|
HTTPS
|
||||||
search for 'man-in-the-middle attack'. Note that you probably don't
|
<p>Finally, as far as transparently proxing HTTPS (e.g. secure web pages using
|
||||||
really need to transparently proxy HTTPS anyway, since squid does not
|
SSL, TSL, etc.), you can't do it. Don't even ask. For the explanation, do a
|
||||||
cache secure pages.
|
search for 'man-in-the-middle attack'. Note that you probably don't
|
||||||
<sect>
|
really need to transparently proxy HTTPS anyway, since squid can not
|
||||||
Configuring the Kernel
|
cache secure pages.
|
||||||
<p>
|
<sect1>
|
||||||
First, we need to make sure all the proper options are set in your kernel.
|
Proxy Authentication
|
||||||
If you are using a stock kernel from your distribution, transparent proxying
|
<p>
|
||||||
may or may not be enabled.
|
You cannot use Proxy Authentication transparently. See the
|
||||||
If you are unsure, the best way to tell is to simply skip this section, and
|
<htmlurl url="http://www.squid-cache.org/Doc/FAQ/FAQ.html" name="Squid FAQ">
|
||||||
if the commands in the next section give you weird errors, it's probably because
|
for (slightly) more details.
|
||||||
the kernel wasn't configured properly.
|
<sect>
|
||||||
</p>
|
Configuring the Kernel
|
||||||
<p>
|
<p>
|
||||||
If your kernel is not configured for transparent proxying, you will need
|
First, we need to make sure all the proper options are set in your kernel.
|
||||||
to recompile. Recompiling a kernel is a complex process (at least at first),
|
If you are using a stock kernel from your distribution, transparent proxying
|
||||||
and it is beyond the scope of this document. If you need help compiling a kernel,
|
may or may not be enabled.
|
||||||
please see <htmlurl url="http://metalab.unc.edu/pub/Linux/docs/HOWTO/Kernel-HOWTO" name="The Kernel HOWTO">
|
If you are unsure, the best way to tell is to simply skip this section, and
|
||||||
</p>
|
if the commands in the next section give you weird errors, it's probably because
|
||||||
<p>
|
the kernel wasn't configured properly.
|
||||||
The options you need to set in your configuration are as follows (Note:
|
</p>
|
||||||
none of these can be built as modules)
|
<p>
|
||||||
</p>
|
If your kernel is not configured for transparent proxying, you will need
|
||||||
<p>
|
to recompile. Recompiling a kernel is a complex process (at least at first),
|
||||||
<itemize>
|
and it is beyond the scope of this document. If you need help compiling a kernel,
|
||||||
<item> Under General Setup
|
please see <htmlurl url="http://metalab.unc.edu/pub/Linux/docs/HOWTO/Kernel-HOWTO" name="The Kernel HOWTO">
|
||||||
<itemize>
|
</p>
|
||||||
<item>
|
<p>
|
||||||
Networking support
|
The options you need to set in your configuration are as follows (Note:
|
||||||
<item>
|
if you prefer modules, some (but not all) of these can be built as modules. Luckily, everything that is not modularizable is probably got in your kernel anyway.)
|
||||||
Sysctl support
|
</p>
|
||||||
</itemize>
|
<p>
|
||||||
<item> Under Networking Options
|
<itemize>
|
||||||
<itemize>
|
<item> Under General Setup
|
||||||
<item>Network packet filtering
|
<itemize>
|
||||||
<item>TCP/IP networking
|
<item>
|
||||||
</itemize>
|
Networking support
|
||||||
<item> Under Networking Options -> IP: Netfilter Configuration
|
<item>
|
||||||
<itemize>
|
Sysctl support
|
||||||
<item>Connection tracking
|
</itemize>
|
||||||
<item>IP tables support
|
<item> Under Networking Options
|
||||||
<item>Full NAT
|
<itemize>
|
||||||
<item>REDIRECT target support
|
<item>Network packet filtering
|
||||||
</itemize>
|
<item>TCP/IP networking
|
||||||
<item>Under File Systems
|
</itemize>
|
||||||
<itemize>
|
<item> Under Networking Options -> IP: Netfilter Configuration
|
||||||
<item>/proc filesystem support
|
<itemize>
|
||||||
</itemize>
|
<item>Connection tracking
|
||||||
</itemize>
|
<item>IP tables support
|
||||||
You must say NO to ``Fast switching'' under Networking Options.
|
<item>Full NAT
|
||||||
</p><p>
|
<item>REDIRECT target support
|
||||||
Once you have your new kernel up and running, you may need to enable IP
|
</itemize>
|
||||||
forwarding. IP forwarding allows your computer to act as a router. Since this
|
<item>Under File Systems
|
||||||
is not what the average user wants to do, it is off by default and must be
|
<itemize>
|
||||||
explicitly enabled at run-time. However, your distribution might do this for
|
<item>/proc filesystem support
|
||||||
you already. To check, do ``cat /proc/sys/net/ipv4/ip_forward''. If you see
|
</itemize>
|
||||||
``1'' you're good. Otherwise, do ``echo '1' > /proc/sys/net/ipv4/ip_forward''.
|
</itemize>
|
||||||
You will then want to add that command to your appropriate bootup scripts (depending on your distribution, these may live in /etc/rc.d, /etc/init.d, or maybe somewhere else entirely).
|
You must say NO to ``Fast switching'' under Networking Options.
|
||||||
</p>
|
</p><p>
|
||||||
<sect>
|
Once you have your new kernel up and running, you may need to enable IP
|
||||||
Setting up squid
|
forwarding. IP forwarding allows your computer to act as a router. Since this
|
||||||
<p>
|
is not what the average user wants to do, it is off by default and must be
|
||||||
Now, we need to get squid up and running. Download the latest source tarball
|
explicitly enabled at run-time. However, your distribution might do this for
|
||||||
from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">.
|
you already. To check, do ``cat /proc/sys/net/ipv4/ip_forward''. If you see
|
||||||
Make sure you get a STABLE version, not a DEVEL version.
|
``1'' you're good. Otherwise, do ``echo '1' > /proc/sys/net/ipv4/ip_forward''.
|
||||||
The latest as of this writing was squid-2.4.STABLE3.tar.gz. Note that AFAIK, you must have squid-2.4 for linux kernel 2.4. The reason is that the
|
You will then want to add that command to your appropriate bootup scripts (depending on your distribution, these may live in /etc/rc.d, /etc/init.d, or maybe somewhere else entirely).
|
||||||
mechanism by which the process determines the original destination address
|
</p>
|
||||||
has changed from linux 2.2, and only squid-2.4 has this new code in it. (For those of you who are interested, previously the getsockname() call was hacked to provide the original destination address, but now the call is getsockopt() with a level of SOL_IP and an option of SO_ORIGINAL_DST).
|
<sect>
|
||||||
</p>
|
Setting up squid
|
||||||
<p>
|
<p>
|
||||||
Now, untar and gunzip the archive (use ``tar -xzf <filename>'').
|
Now, we need to get squid up and running. Download the latest source tarball
|
||||||
Run the autoconfiguration script and tell it to include netfilter code
|
from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">.
|
||||||
(``./configure --enable-linux-netfilter''), compile (``make'') and
|
Make sure you get a STABLE version, not a DEVEL version.
|
||||||
then install (``make install'').
|
The latest as of this writing was squid-2.4.STABLE4.tar.gz. Note that AFAIK,
|
||||||
</p>
|
you must have squid-2.4 for linux kernel 2.4. The reason is that the
|
||||||
<p>
|
mechanism by which the process determines the original destination address
|
||||||
Now, we need to edit the default squid.conf file (installed to /usr/local/squid/etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
|
has changed from linux 2.2, and only squid-2.4 has this new code in it. (For those of you who are interested, previously the getsockname() call was hacked to provide the original destination address, but now the call is getsockopt() with a level of SOL_IP and an option of SO_ORIGINAL_DST).
|
||||||
commented. In fact, some of the best documentation available for squid is in
|
</p>
|
||||||
the squid.conf file. After you get it all up and running, you should go back
|
<p>
|
||||||
and reread the whole thing. But for now, let's just get the minimum required.
|
Now, untar and gunzip the archive (use ``tar -xzf <filename>'').
|
||||||
Find the following directives, uncomment them, and change them to the
|
Run the autoconfiguration script and tell it to include netfilter code
|
||||||
appropriate values:
|
(``./configure --enable-linux-netfilter''), compile (``make'') and
|
||||||
</p>
|
then install (``make install'').
|
||||||
<p>
|
</p>
|
||||||
<itemize>
|
<p>
|
||||||
<item>
|
Now, we need to edit the default squid.conf file (installed to /usr/local/squid/etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
|
||||||
httpd_accel_host virtual
|
commented. In fact, some of the best documentation available for squid is in
|
||||||
<item>
|
the squid.conf file. After you get it all up and running, you should go back
|
||||||
httpd_accel_port 80
|
and reread the whole thing. But for now, let's just get the minimum required.
|
||||||
<item>
|
Find the following directives, uncomment them, and change them to the
|
||||||
httpd_accel_with_proxy on
|
appropriate values:
|
||||||
<item>
|
</p>
|
||||||
httpd_accel_uses_host_header on
|
<p>
|
||||||
</itemize>
|
<itemize>
|
||||||
</p><p>
|
<item>
|
||||||
Next, look at the cache_effective_user and cache_effective_group directives.
|
httpd_accel_host virtual
|
||||||
Unless the default nobody/nogroup has been created on your system (AFAIK, it
|
<item>
|
||||||
is not created out of the box on many popular distributions, including RH7.1),
|
httpd_accel_port 80
|
||||||
you'll either need to create those, or create another username/group for
|
<item>
|
||||||
squid to run under. I strongly recommend that you create a username/group of
|
httpd_accel_with_proxy on
|
||||||
squid/squid and run under that, but you could use any existing user/group
|
<item>
|
||||||
if you want.
|
httpd_accel_uses_host_header on
|
||||||
</p><p>
|
</itemize>
|
||||||
Finally, look at the http_access directive. The default is usually ``http_access
|
</p><p>
|
||||||
deny all''. This will prevent anyone from accessing squid. For now, you can
|
Next, look at the cache_effective_user and cache_effective_group directives.
|
||||||
change this to ``http_access allow all'', but once it is working, you will
|
Unless the default nobody/nogroup has been created on your system (AFAIK, it
|
||||||
probably want to read the directions on ACLs (Access Control Lists), and setup
|
is not created out of the box on many popular distributions, including RH7.1),
|
||||||
the cache such that only people on your local network (or whatever) can access
|
you'll either need to create those, or create another username/group for
|
||||||
the cache. This may seem silly, but you should put some kind of restrictions
|
squid to run under. I strongly recommend that you create a username/group of
|
||||||
on access to your cache. People behind filtering firewalls (such as porn
|
squid/squid and run under that, but you could use any existing user/group
|
||||||
filters, or filters in nations where speech is not very free) often ``hijack'' onto
|
if you want.
|
||||||
wide open proxies and eat up your bandwidth.
|
</p><p>
|
||||||
</p>
|
Finally, look at the http_access directive. The default is usually ``http_access
|
||||||
<p>
|
deny all''. This will prevent anyone from accessing squid. For now, you can
|
||||||
Initialize the cache directories with ``squid -z'' (if this is a not a
|
change this to ``http_access allow all'', but once it is working, you will
|
||||||
new installation of squid, you should skip this step).
|
probably want to read the directions on ACLs (Access Control Lists), and setup
|
||||||
</p>
|
the cache such that only people on your local network (or whatever) can access
|
||||||
<p>
|
the cache. This may seem silly, but you should put some kind of restrictions
|
||||||
Now, run squid using the RunCache script in the /usr/local/squid/bin/ directory.
|
on access to your cache. People behind filtering firewalls (such as porn
|
||||||
If it works, you should be able to set your web browser's proxy settings to
|
filters, or filters in nations where speech is not very free) often ``hijack'' onto
|
||||||
the IP of the box and port 3128 (unless you changed the default port number)
|
wide open proxies and eat up your bandwidth.
|
||||||
and access squid as a normal proxy.
|
</p>
|
||||||
</p>
|
<p>
|
||||||
<p>
|
Initialize the cache directories with ``squid -z'' (if this is a not a
|
||||||
For additional help configuring squid, see the squid FAQ at <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
|
new installation of squid, you should skip this step).
|
||||||
</p>
|
</p>
|
||||||
<sect>
|
<p>
|
||||||
Setting up iptables (Netfilter)
|
Now, run squid using the RunCache script in the /usr/local/squid/bin/ directory.
|
||||||
<p>
|
If it works, you should be able to set your web browser's proxy settings to
|
||||||
iptables is a new thing for Linux kernel 2.4 that replaces ipchains.
|
the IP of the box and port 3128 (unless you changed the default port number)
|
||||||
If your distribution came with a 2.4 kernel, it probably has iptables
|
and access squid as a normal proxy.
|
||||||
already installed. If not, you'll have to download it (and possibly
|
</p>
|
||||||
compile it). The homepage is <htmlurl url="http://netfilter.samba.org/" name="netfilter.samba.org">.
|
<p>
|
||||||
You make be able to find binary RPMs elsewhere, I haven't looked. For the
|
For additional help configuring squid, see the squid FAQ at <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
|
||||||
curious, there is plenty of documentation on the netfilter site.
|
</p>
|
||||||
</p>
|
<sect>
|
||||||
<p>
|
Setting up iptables (Netfilter)
|
||||||
To set up the rules, you will need to know two things, the interface that
|
<p>
|
||||||
the to-be-proxied requests are coming in on (I'll use eth0 as an example)
|
iptables is a new thing for Linux kernel 2.4 that replaces ipchains.
|
||||||
and the port squid is running on (I'll use the default of 3128 as an example).
|
If your distribution came with a 2.4 kernel, it probably has iptables
|
||||||
</p>
|
already installed. If not, you'll have to download it (and possibly
|
||||||
<p>
|
compile it). The homepage is <htmlurl url="http://netfilter.samba.org/" name="netfilter.samba.org">.
|
||||||
Now, the magic words for transparent proxying:
|
You make be able to find binary RPMs elsewhere, I haven't looked. For the
|
||||||
</p>
|
curious, there is plenty of documentation on the netfilter site.
|
||||||
<p>
|
</p>
|
||||||
<itemize>
|
<p>
|
||||||
<item>
|
To set up the rules, you will need to know two things, the interface that
|
||||||
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
|
the to-be-proxied requests are coming in on (I'll use eth0 as an example)
|
||||||
</itemize>
|
and the port squid is running on (I'll use the default of 3128 as an example).
|
||||||
</p><p>
|
</p>
|
||||||
You will want to add the above commands to your appropriate bootup script
|
<p>
|
||||||
under /etc/rc.d/. Readers upgrading from 2.2 kernels should note that
|
Now, the magic words for transparent proxying:
|
||||||
this is the only command needed. 2.2 kernels required two extra commands
|
</p>
|
||||||
in order to prevent forwarding loops. The infastructure of netfilter is
|
<p>
|
||||||
much nicer, and only this command is needed.
|
<itemize>
|
||||||
</p>
|
<item>
|
||||||
|
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
|
||||||
|
</itemize>
|
||||||
<sect>
|
</p><p>
|
||||||
Transparent Proxy to a Remote Box <label id="twoboxes">
|
You will want to add the above commands to your appropriate bootup script
|
||||||
<p>
|
under /etc/rc.d/. Readers upgrading from 2.2 kernels should note that
|
||||||
Now, the question naturally arises, if we can do all this nifty stuff
|
this is the only command needed. 2.2 kernels required two extra commands
|
||||||
redirecting HTTP connections to local ports, could we do the same thing
|
in order to prevent forwarding loops. The infastructure of netfilter is
|
||||||
but to a remote box (e.g., the machine with squid running is not the same
|
much nicer, and only this command is needed.
|
||||||
machine as iptables is running on). The answer is yes, but it takes a little different magic words. If you only want to redirect to the local box
|
</p>
|
||||||
(the normal case), skip this section.
|
|
||||||
(Thanks to Giles Coochey for help writing this section).
|
|
||||||
</p><p>
|
<sect>
|
||||||
For the purposes of example commands, let's assume we have two boxes called squid-box and iptables-box, and that they are on the network local-network. In the commands below, replace these strings with the actual IP addresses or
|
Transparent Proxy to a Remote Box <label id="twoboxes">
|
||||||
name of your machines and network.
|
<p>
|
||||||
</p><p>
|
Now, the question naturally arises, if we can do all this nifty stuff
|
||||||
First, the machine that squid will be running on, squid-box.
|
redirecting HTTP connections to local ports, could we do the same thing
|
||||||
You do not need iptables
|
but to a remote box (e.g., the machine with squid running is not the same
|
||||||
or any special kernel options on this machine, just squid. You *will*,
|
machine as iptables is running on). The answer is yes, but it takes a little different magic words. If you only want to redirect to the local box
|
||||||
however, need the 'http_accel' options as described above. (Previous version
|
(the normal case), skip this section.
|
||||||
of this HOWTO suggested that you did not need those options. That was a
|
</p><p>
|
||||||
mistake. Sorry to have confused people...)
|
For the purposes of example commands, let's assume we have two boxes called squid-box and iptables-box, and that they are on the network local-network. In the commands below, replace these strings with the actual IP addresses or
|
||||||
</p><p>
|
name of your machines and network.
|
||||||
Now, the machine that iptables will be running on, iptables-box You will need to configure the kernel as described above, except that you don't need the REDIRECT target support). Now, for the iptables commands. You need three:
|
</p><p>
|
||||||
</p><p>
|
I will present two different approaches here.
|
||||||
<itemize>
|
<sect1>
|
||||||
<item>iptables -t nat -A PREROUTING -i eth0 -s ! <bf>squid-box</bf> -p tcp --dport 80 -j DNAT --to <bf>squid-box</bf>:3128
|
First method (simpler, but does not work for some esoteric cases)
|
||||||
<item>iptables -t nat -A POSTROUTING -o eth0 -s <bf>local-network</bf> -d <bf>squid-box</bf> -j SNAT --to <bf>iptables-box</bf>
|
<p>
|
||||||
<item>iptables -A FORWARD -s <bf>local-network</bf> -d <bf>squid-box</bf> -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
|
|
||||||
</itemize>
|
First, we need to machine that squid will be running on, squid-box.
|
||||||
</p><p> The first one sends the packets to squid-box from iptables-box. The second
|
You do not need iptables
|
||||||
makes sure that the reply gets sent back through iptables-box, instead of
|
or any special kernel options on this machine, just squid. You *will*,
|
||||||
directly to the client (this is very important!). The last one makes sure
|
however, need the 'http_accel' options as described above. (Previous version
|
||||||
the iptables-box will forward the appropriate packets to squid-box. It may
|
of this HOWTO suggested that you did not need those options. That was a
|
||||||
not be needed. YMMV. Note that we specified '-i eth0' and then '-o eth0',
|
mistake. Sorry to have confused people...)
|
||||||
which stands for input interface eth0 and output interface eth0. If your
|
</p><p>
|
||||||
packets are
|
Now, the machine that iptables will be running on, iptables-box You will need to configure the kernel as described in section 3 above, except that you don't need the REDIRECT target support). Now, for the iptables commands. You need three:
|
||||||
entering and leaving on different interfaces, you will need to adjust the
|
</p><p>
|
||||||
commands accordingly.
|
<itemize>
|
||||||
</p><p>
|
<item>iptables -t nat -A PREROUTING -i eth0 -s ! <bf>squid-box</bf> -p tcp --dport 80 -j DNAT --to <bf>squid-box</bf>:3128
|
||||||
Add these commands to your appropriate startup scripts under /etc/rc.d/
|
<item>iptables -t nat -A POSTROUTING -o eth0 -s <bf>local-network</bf> -d <bf>squid-box</bf> -j SNAT --to <bf>iptables-box</bf>
|
||||||
</p><p>
|
<item>iptables -A FORWARD -s <bf>local-network</bf> -d <bf>squid-box</bf> -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
|
||||||
|
</itemize>
|
||||||
<sect1>What if iptables-box is on a dynamic IP?
|
</p><p> The first one sends the packets to squid-box from iptables-box. The second
|
||||||
<p>
|
makes sure that the reply gets sent back through iptables-box, instead of
|
||||||
If the iptables-box is on a dynamic IP address (e.g. a dialup PPP connection, or a DHCP assigned IP address from a cable modem, etc.), then you will want to
|
directly to the client (this is very important!). The last one makes sure
|
||||||
make a slight change to the above commands. Replace the second command with this one:
|
the iptables-box will forward the appropriate packets to squid-box. It may
|
||||||
</p><p>
|
not be needed. YMMV. Note that we specified '-i eth0' and then '-o eth0',
|
||||||
<itemize>
|
which stands for input interface eth0 and output interface eth0. If your
|
||||||
<item>iptables -t nat -A POSTROUTING -o eth0 -s <bf>local-network</bf> -d <bf>squid-box</bf> -j MASQUERADE
|
packets are
|
||||||
</itemize>
|
entering and leaving on different interfaces, you will need to adjust the
|
||||||
<p>
|
commands accordingly.
|
||||||
This change avoids having to specify the IP address of iptables-box in the command. Since it will change often, you'd have to change your commands to
|
</p><p>
|
||||||
reflect it. This will save you a lot of hassle.
|
Add these commands to your appropriate startup scripts under /etc/rc.d/
|
||||||
</p>
|
</p><p>
|
||||||
</sect1>
|
(Thanks to Giles Coochey for help writing this section).
|
||||||
</sect>
|
<sect1>
|
||||||
<sect>
|
Second method (more complicated, but more general)
|
||||||
Transparent Proxy With Bridging
|
<p>
|
||||||
<p>
|
Our first shot at this works good, but there is a minor drawback in that
|
||||||
Warning, this is really esoteric stuff. If you need it, you'll know. If
|
HTTP/1.0 connections without the Host header do not get handled properly.
|
||||||
not, skip this section. Thanks to Lewis Shobbrook (lshobbrook@fasttrack.net.au) for contributing to this section.
|
Connections that are fully or partially HTTP/1.1 compliant work fine. As
|
||||||
<p>
|
most modern web browsers send the Host header, this is not a problem for
|
||||||
If you are trying to setup a transparent proxy on a Linux machine that has
|
most people. However, some small programs or embedded devices may send
|
||||||
been configured as a bridge, you will need to add one additional command.
|
only very simple HTTP/1.0 requests. If you want to support these, we'll
|
||||||
Specifically, you need to explicitly allow connections to the machine
|
need to do a little more work.
|
||||||
on port 3128 (or any other port squid is listening on), otherwise the
|
Namely, on iptables-box we'll need the following options enabled in the kernel
|
||||||
machine will just forward them over to the other interface like a good
|
in addition to what was specified above:
|
||||||
little bridge. Here's the magic words:
|
|
||||||
<itemize><item>
|
<itemize>
|
||||||
iptables -A INPUT -i <bf>interface</bf> -p tcp -d <bf>your_bridge_ip</bf> -s <bf>local-network</bf> --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
|
<item>IP: advanced router
|
||||||
</item></itemize>
|
<item>IP: policy routing
|
||||||
Replacing <bf>interface</bf> with the interface that corresponds to
|
<item>IP: use netfilter MARK value as routing key
|
||||||
<bf>your_bridge_ip</bf> (typically eth0 or eth1). First time bridge users
|
<item>IP: Netfilter Configuration -> Packet mangling
|
||||||
should also note that you'll probably want to repeat the same command with
|
<item>IP: Netfilter Configuration -> MARK target support
|
||||||
``3128'' replaced by ``telnet'' if you want to administer your bridge
|
</itemize>
|
||||||
remotely.
|
|
||||||
</sect>
|
You'll also need the iproute2 tools. Your distribution probably already
|
||||||
|
has them installed, but if not, look at ftp://ftp.inr.ac.ru/ip-routing/
|
||||||
<sect>
|
<p>
|
||||||
Put it all together
|
You'll want to use the following set of commands on iptables-box:
|
||||||
<p>
|
<itemize>
|
||||||
If everything has gone well so far, go to another machine, change it's
|
<item>iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s <bf>squid-box</bf>
|
||||||
gateway to the IP of the box with iptables running on it, and surf away. To make sure that
|
<item>iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
|
||||||
requests are really being forwarded through your proxy instead of straight
|
<item>ip rule add fwmark 3 table 2
|
||||||
to the origin server, check the log file /usr/local/squid/logs/access.log
|
<item>ip route add default via <bf>squid-box</bf> dev eth1 table 2
|
||||||
</p>
|
</itemize>
|
||||||
<sect>
|
Note that the choice of firewall mark (3) and routing table (2) was fairly
|
||||||
Troubleshooting
|
arbitrary. If you are already using policy routing or firewall marking for
|
||||||
<p>
|
some other purpose, make sure you choose unique numbers here. Otherwise,
|
||||||
There is one problem that occurs often enough to mention here. If you
|
don't worry about it.
|
||||||
get the following error:
|
<p>
|
||||||
<tscreen>
|
|
||||||
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o
|
Next, squid-box. Use this command, which should look remarkably similar to a
|
||||||
init_modules: Device or resource busy
|
command we've seen previously.
|
||||||
Hints: insmod errors can be caused by incorrect module parameters;
|
<itemize>
|
||||||
including invalid IO or IRQ parameters.<p>
|
<item>iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
|
||||||
perhaps iptables or your kernel needs to be upgraded...<p>
|
</itemize>
|
||||||
</tscreen>
|
As before, add all of these commands to the appropriate startup scripts.
|
||||||
then you are probably running Red Hat 7.1. The folks at Red Hat, in all
|
<p>
|
||||||
their wisdom, decided to load the ipchains module by default on startup.
|
Here is a brief explanation of how this works: in method one, we used Network
|
||||||
I guess this was for backwards compatibility for those who haven't learned
|
Address Translation to get the packets to the other box. The result of this
|
||||||
iptables yet. However, the problem is that ipchains and iptables are
|
is that the packet gets altered. This alteration is what causes some kinds
|
||||||
mutually incompatible. Since ipchains has been secretly loaded by RH, you
|
of clients mentioned above to fail. In method two,
|
||||||
cannot use iptables commands. To see if this is your problem, do the
|
we use a magic thing called policy routing. The first thing we do is to
|
||||||
command ``lsmod'' and look for the module named ``ipchains''. If you
|
select the packets we want. Thus, all packets on port 80, except those
|
||||||
see it, that is your problem. The quick fix is to execute the command
|
coming from squid-box itself, are MARKed. Then, when the kernel goes to
|
||||||
``rmmod ipchains'' before you issue any iptables commands. Long term,
|
make a routing decision, the MARKed packets aren't routing using the normal
|
||||||
you'll want to search through RH's setup scripts and remove the reference
|
routing table that you access with the ``route'' command but with a special
|
||||||
to ipchains in the first place (I don't really know where this is, as
|
table. This special table has only one entry, a default gateway to squid-box.
|
||||||
I've never used RH 7.1 myself).
|
Thus, the packet is sent merrily on it's way without every having been altered.
|
||||||
|
So, even HTTP/1.0 connections can be handled perfectly.
|
||||||
<sect>
|
(Thanks to Michal Svoboda for suggesting and helping to write this section)
|
||||||
Further Resources
|
<p>
|
||||||
<p>
|
|
||||||
Should you still need assistance, you may wish to check the squid FAQ or
|
<sect1>Method One: What if iptables-box is on a dynamic IP?
|
||||||
the squid mailing list at www.squid-cache.org. You may also e-mail me at drk@unxsoft.com, and I'll try to answer your questions if time permits (sometimes
|
<p>
|
||||||
it does, but sometimes it doesn't). Please, please, please, send the output of
|
If the iptables-box is on a dynamic IP address (e.g. a dialup PPP connection, or a DHCP assigned IP address from a cable modem, etc.), then you will want to
|
||||||
``iptables -t nat -L'' and relavent portions of any configuration files in your e-mail, or else I will probably not be able to help you out much.
|
make a slight change to the above commands. Replace the second command with this one:
|
||||||
Regrettably, even though this document has been translated to many
|
</p><p>
|
||||||
different languages, I can only answer questions asked in English.
|
<itemize>
|
||||||
</p>
|
<item>iptables -t nat -A POSTROUTING -o eth0 -s <bf>local-network</bf> -d <bf>squid-box</bf> -j MASQUERADE
|
||||||
|
</itemize>
|
||||||
</article>
|
<p>
|
||||||
|
This change avoids having to specify the IP address of iptables-box in the command. Since it will change often, you'd have to change your commands to
|
||||||
|
reflect it. This will save you a lot of hassle.
|
||||||
|
</p>
|
||||||
|
</sect1>
|
||||||
|
</sect>
|
||||||
|
<sect>
|
||||||
|
Transparent Proxy With Bridging
|
||||||
|
<p>
|
||||||
|
Warning, this is really esoteric stuff. If you need it, you'll know. If
|
||||||
|
not, skip this section. Thanks to Lewis Shobbrook (lshobbrook@fasttrack.net.au) for contributing to this section.
|
||||||
|
<p>
|
||||||
|
If you are trying to setup a transparent proxy on a Linux machine that has
|
||||||
|
been configured as a bridge, you will need to add one additional iptables
|
||||||
|
command to what we had in section 5.
|
||||||
|
Specifically, you need to explicitly allow connections to the machine
|
||||||
|
on port 3128 (or any other port squid is listening on), otherwise the
|
||||||
|
machine will just forward them over to the other interface like a good
|
||||||
|
little bridge. Here's the magic words:
|
||||||
|
<itemize><item>
|
||||||
|
iptables -A INPUT -i <bf>interface</bf> -p tcp -d <bf>your_bridge_ip</bf> -s <bf>local-network</bf> --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||||
|
</item></itemize>
|
||||||
|
Replacing <bf>interface</bf> with the interface that corresponds to
|
||||||
|
<bf>your_bridge_ip</bf> (typically eth0 or eth1). First time bridge users
|
||||||
|
should also note that you'll probably want to repeat the same command with
|
||||||
|
``3128'' replaced by ``telnet'' if you want to administer your bridge
|
||||||
|
remotely.
|
||||||
|
</sect>
|
||||||
|
|
||||||
|
<sect>
|
||||||
|
Put it all together
|
||||||
|
<p>
|
||||||
|
If everything has gone well so far, go to another machine, change it's
|
||||||
|
gateway to the IP of the box with iptables running on it, and surf away. To make sure that
|
||||||
|
requests are really being forwarded through your proxy instead of straight
|
||||||
|
to the origin server, check the log file /usr/local/squid/logs/access.log
|
||||||
|
</p>
|
||||||
|
<sect>
|
||||||
|
Troubleshooting
|
||||||
|
<p>
|
||||||
|
There is one problem that occurs often enough to mention here. If you
|
||||||
|
get the following error:
|
||||||
|
<tscreen>
|
||||||
|
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o
|
||||||
|
init_modules: Device or resource busy
|
||||||
|
Hints: insmod errors can be caused by incorrect module parameters;
|
||||||
|
including invalid IO or IRQ parameters.<p>
|
||||||
|
perhaps iptables or your kernel needs to be upgraded...<p>
|
||||||
|
</tscreen>
|
||||||
|
then you are probably running Red Hat 7.x. The folks at Red Hat, in all
|
||||||
|
their wisdom, decided to load the ipchains module by default on startup.
|
||||||
|
I guess this was for backwards compatibility for those who haven't learned
|
||||||
|
iptables yet. However, the problem is that ipchains and iptables are
|
||||||
|
mutually incompatible. Since ipchains has been secretly loaded by RH, you
|
||||||
|
cannot use iptables commands. To see if this is your problem, do the
|
||||||
|
command ``lsmod'' and look for the module named ``ipchains''. If you
|
||||||
|
see it, that is your problem. The quick fix is to execute the command
|
||||||
|
``rmmod ipchains'' before you issue any iptables commands. To permanently
|
||||||
|
remove these commands from your startup scripts, the following command
|
||||||
|
should work: ``/sbin/chkconfig --level 2345 ipchains off''.
|
||||||
|
(Thanks to Rasmus Glud for pointing this command out to me).
|
||||||
|
|
||||||
|
<sect>
|
||||||
|
Further Resources
|
||||||
|
<p>
|
||||||
|
Should you still need assistance, you may wish to check the squid FAQ or
|
||||||
|
the squid mailing list at www.squid-cache.org. You may also e-mail me at
|
||||||
|
drk@unxsoft.com, and I'll try to answer your questions if time permits (sometimes
|
||||||
|
it does, but sometimes it doesn't). Please, please, please, send the output of
|
||||||
|
``iptables -t nat -L'' and relavent portions of any configuration files in your
|
||||||
|
e-mail, or else I will probably not be able to help you out much. And please
|
||||||
|
make sure you've read the whole HOWTO before asking a question.
|
||||||
|
Regrettably, even though this document has been translated to many
|
||||||
|
different languages, I can only answer questions asked in English.
|
||||||
|
</p>
|
||||||
|
|
||||||
|
</article>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
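Review bot: In the new "Second method" the policy-routing entry `ip route add default via squid-box dev eth1 table 2` names eth1, while every other command in the same section (the mangle PREROUTING rules, and the DNAT/SNAT/FORWARD rules of method one) uses eth0 with no explanation of the switch; either make it eth0 for consistency with the running example, or add a sentence saying that eth1 is the interface facing squid-box and that readers must substitute their own, since a wrong `dev` here silently black-holes every MARKed packet. Two smaller points in the added text: the cross-references "as described in section 3 above" and "to what we had in section 5" are hard-coded section numbers that go stale as sections are inserted, and the file already uses `<label id="twoboxes">`, so `<ref id="...">` labels would be the idiomatic linuxdoc way; and the new explanatory paragraph carries a few typos worth fixing before release ("infastructure", "aren't routing using the normal", "without every having been altered", "it's way", "relavent").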