centos5.0+squid 2.6+iptables无法实现透明代理

lingping

我现在想配置成为一个透明代理，但按照以下配置实验多遍均无法成功，很是奇怪，烦请各位朋友分析，指点迷津。

注意：

当我取消对http_port 3128注释，而把http_port 3128 transparent注释掉时，在浏览器上设置代理服务器的IP地址时是可以正常上网的

当我停用squid,并把iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.152.0/24 --dport 80 -j REDIRECT --to-port 3128注释掉，浏览器上不设代理，让客户端直接从iptables nat出去也是可以正常上网的；

问题就是出现在不能同时启用两个，即使启用也无法实现透明代理的需求。


squid配置如下

cat /etc/squid/squid.conf
#  WELCOME TO SQUID 2.6.STABLE6
# ------------------------------
###### System Setting #######################################
#http_port 3128
http_port 3128 transparent
#http_port 192.168.152.254:3128 transparent

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95

maximum_object_size 512 KB
minimum_object_size 0 KB

cache_dir ufs /var/spool/squid 512 16 256
cache_effective_user squid
cache_effective_group squid

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern .                0        20%        4320

visible_hostname fw01.linux.org
dns_nameservers 202.181.224.2 168.95.1.1
cache_mgr ping.213@163.com
############################################################


###### No Cache List #######################################
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
############################################################



###### Access Control List ########################3####
acl SSL_ports port 443 8080 9525 9510 5222
acl Safe_ports port 80                        # http
acl Safe_ports port 21                        # ftp
acl Safe_ports port 443                        # https
acl Safe_ports port 8080                # dgsi.dg.gov.cn
acl Safe_ports port 9525 9510 5222      # ebgz.itownet.cn
#acl Safe_ports port 1025-65535         # unregistered ports

acl CONNECT method CONNECT

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl test_allow src "/etc/squid/test.allow"

acl file_mp3 urlpath_regex -i \.mp3$
acl file_scr urlpath_regex -i \.scr$
acl file_avi urlpath_regex -i \.avi$
acl file_exe urlpath_regex -i \.exe$
acl file_pif urlpath_regex -i \.pif$
acl file_pf urlpath_regex -i \.pf$
acl file_xdb urlpath_regex -i \.xdb$
acl file_mp4 urlpath_regex -i \.mp4$
acl file_rmvb urlpath_regex -i \.rmvb$
acl file_rm urlpath_regex -i \.rm$
acl file_bt urlpath_regex -i \.torrent$
############################################################


###### Rules ###############################################
http_access deny file_mp3
http_access deny file_scr
http_access deny file_avi
http_access deny file_exe
http_access deny file_pif
http_access deny file_pf
http_access deny file_xdb
http_access deny file_mp4
http_access deny file_rmvb
http_access deny file_rm
http_access deny file_bt

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#http_access allow test_allow
http_access allow all

############################################################

###### Modification/Update Date#############################
# 2007/11/28 by LingPing
# 2007/11/30 by LingPing
# 2007/12/12 by LingPing
# 2007/12/26 by LingPing


iptables 配置如下：

[root@fw01 ~]# cat /usr/local/iptables/fw.sh
#### Define networks #######################

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

EXTIF="eth0"
INIF="eth1"
INNET="192.168.152.0/24"

export EXTIF INIF INNET

#### PART I: Localhost Firewall Setting ####

#### 1. Clear any existing chains ####

iptables -F
iptables -X
iptables -Z

#### 2. Setting up default policies ####

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#### 3. Setting up interface l0 access policies ####

iptables -A INPUT -i l0 -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT

#### 5. Setting up Access Polices ####

iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT     #ssh
iptables -A INPUT -p TCP -i $EXTIF --dport 23 -j ACCEPT     #telnet



#### PART II: Internal Server Filewall Setting ####

#### 1. Load any special modules ####

modprobe ip_tables             > /dev/null 2>&1
modprobe iptable_nat           > /dev/null 2>&1
modprobe ip_nat_ftp            > /dev/null 2>&1
modprobe ip_nat_irc            > /dev/null 2>&1
modprobe ip_conntrack          > /dev/null 2>&1
modprobe ip_conntrack_ftp      > /dev/null 2>&1
modprobe ip_conntrack_irc      > /dev/null 2>&1

#### 2. Clear NAT table rules ####

iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

iptables -t nat -P PREROUTING   ACCEPT
iptables -t nat -P POSTROUTING  ACCEPT
iptables -t nat -P OUTPUT       ACCEPT

#### 3. Enable ip forward ####

iptables -A INPUT -i $INIF -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE

#### Enable transparence proxy ####

iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.152.0/24 --dport 80 -j REDIRECT --to-port 3128



#### Note ####
#The End
#2007/12/26 by LingPing
#2007/12/28 by lingping
[root@fw01 ~]#