epsilon_da n00b
Joined: 17 Jan 2006 Posts: 28
Posted: Sat Jan 20, 2007 2:50 am Post subject: i cant redirect packages to squid
Hi. I am just investigating how to block MSN Messenger for certain computers, and I am trying this with squid.
So.
I have configured a few ACLs in squid and I need to make it transparent for certain computers on my LAN, because squidGuard doesn't have MIME type support, and blocking the servers doesn't work.
Once I have configured squid, I have to block port 1863 on this machine with my firewall to make MSN communicate through port 80, and then redirect port 80 to 3128 (the squid port), while all other computers go directly, without the proxy.
A month ago I updated and recompiled the kernel, but in my impression it is exactly the same configuration as it had before. And for some reason, iptables is not redirecting port 80 and doesn't show me any error.
```
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.1.9-192.168.1.15 -p tcp --dport 80 -j REDIRECT --to-port 3128
```
I don't see any syntax error. And the next line also doesn't work:
```
iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```
The latter line was the default since a year ago, before I decided to deactivate the proxy, and it was working correctly.
Now I can't get any to work.
How do I test it?
I have configured Firefox to use the proxy at 192.168.1.1 on port 3128 and it works OK, but with the proxy at 192.168.1.1 on port 80, which should be redirected to 3128, it is not working.
Without configuring any proxy it works perfectly, of course, but I need to use squid as a transparent proxy for only some PCs.
The redirect module is activated in menuconfig and comes by default.
Any ideas?
moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Sat Jan 20, 2007 12:25 pm Post subject:
What squid version are you using? The firewall rules are perfectly fine, they're certainly not the ones causing problems. Note that in newer (2.6+) squid versions you need to tell it it's running in intercept (aka transparent proxy) mode in the http_port configuration directive:
```
http_port 3128 transparent
```
The transparent option is vital.
Note that squid will then expect any requests on that port to be HTTP requests, not HTTP proxy requests, so it may or may not work as a normal proxy on that port. It's generally better to run it in intercepting mode on one port, and in normal mode on a different port (by adding another http_port line with the second port and without the transparent option), and to configure the proxy for the non-intercepted clients to the second port.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin
epsilon_da n00b
Joined: 17 Jan 2006 Posts: 28
Posted: Sat Jan 20, 2007 7:03 pm Post subject:
My installed squid is an old 2.5.11 and, as I read in some Gentoo tutorial, the lines pertinent to transparent proxies are:
```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```
Should I add this line too?
Thanks
moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Sat Jan 20, 2007 9:41 pm Post subject:
No, you don't need to. As I mentioned, that's for Squid 2.6 and newer. See Transparent Caching/Proxy in the Squid User's Guide for details.
epsilon_da n00b
Joined: 17 Jan 2006 Posts: 28
Posted: Sat Jan 20, 2007 11:25 pm Post subject:
Mmmm, then I will try updating squid, but first:
```
httpd_accel_port 80
```
Shouldn't it be 3128 if I am redirecting port 80 to 3128?
epsilon_da n00b
Joined: 17 Jan 2006 Posts: 28
Posted: Sun Jan 21, 2007 12:25 am Post subject:
httpd_accel_port 3128 didn't work.
I was thinking:
In my firewall I have redirected port 80 to 3128, so it should be the same for squid to communicate in a proxy manner through 3128 and through 80, since it is redirected and all communication to squid comes in on 3128.
I'm still thinking that it is something in the firewall or kernel configuration.
Anyway, I will try updating squid tonight.
epsilon_da n00b
Joined: 17 Jan 2006 Posts: 28
Posted: Sun Jan 21, 2007 10:51 pm Post subject:
Updating squid to 2.6.stable7 didn't work, and no errors are shown in cache.log.
Any other ideas? I'm still thinking that it is a redirection problem.
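Whether the fault lies in the redirection or in squid can be read from the per-rule packet counters. The following is an added example, not part of the original thread: a shell function that pairs each PREROUTING REDIRECT rule in an `iptables-save -c -t nat` dump with the matching `http_port` line in squid.conf. The function names are hypothetical, and the sample rules and squid.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# write_samples DIR: a squid.conf and an `iptables-save -c -t nat` dump.
write_samples() {
cat > "$1/squid.conf" <<'EOF'
# intercept port plus a normal proxy port, as suggested in the thread
http_port 3128 transparent
http_port 8080
EOF
cat > "$1/rules.txt" <<'EOF'
*nat
:PREROUTING ACCEPT [120:7200]
[0:0] -A PREROUTING -p tcp -m iprange --src-range 192.168.1.9-192.168.1.15 -m tcp --dport 80 -j REDIRECT --to-ports 3128
[42:2520] -A PREROUTING -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
EOF
}

# check_intercept SQUID_CONF RULES_FILE
# Prints one line per PREROUTING REDIRECT rule:
#   <to-port> pkts=<counter> squid=<transparent|plain|missing>
check_intercept() {
    awk '
    FNR == NR {                      # first file: squid.conf
        if ($1 == "http_port") {
            port = $2; sub(/^.*:/, "", port)   # accept host:port form
            mode[port] = "plain"
            for (i = 3; i <= NF; i++)
                if ($i == "transparent") mode[port] = "transparent"
        }
        next
    }
    $2 == "-A" && $3 == "PREROUTING" && /-j REDIRECT/ {   # second file
        pkts = $1; gsub(/^\[|:.*$/, "", pkts)  # "[42:2520]" -> "42"
        to = ""
        for (i = 4; i < NF; i++) if ($i == "--to-ports") to = $(i + 1)
        print to, "pkts=" pkts, "squid=" ((to in mode) ? mode[to] : "missing")
    }' "$1" "$2"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_intercept "$tmp/squid.conf" "$tmp/rules.txt"
rm -rf "$tmp"
```

A rule with `pkts=0` has never matched any traffic, which points at the firewall or kernel side; a non-zero counter with `squid=plain` or `squid=missing` points at squid's `http_port` configuration.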
americanskin n00b
Joined: 05 Jun 2007 Posts: 18 Location: New Philadelphia, OH
Posted: Tue Jun 05, 2007 1:43 pm Post subject:
MSN Messenger uses a dispatch server: messenger.hotmail.com:1863, or when it uses the SOCKS-based connection it uses: gateway.messenger.hotmail.com:80. I would try adding messenger.hotmail.com to a URL list in your blacklist inclusions. I have just blocked hotmail.com altogether and it worked for me.
_________________
"This is not Nam; This is bowling; There are rules" -Walter Socheck