
[seul-edu] Transparent proxy and Red Escolar Linux.
Red Escolar Linux 1.0-14 incorporates the transparent proxy configuration
suggested in this mailing list. To give something back, here is our
configuration:

ipchains:

:input ACCEPT
:forward DENY
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j DENY
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j DENY
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1 80 -p tcp -j REDIRECT 18001
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 80 -p tcp -j REDIRECT 3128
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
As you can see, connections coming from the LAN to the www port of the
server are redirected to port 18001. With proxy cache-only machines, this
is normally just DENYed, to avoid a loop that the setup creates, but we
are also running a web server. So, we set Roxen to both listen to port 80
(for outside connections) and port 18001, for the LAN. This is still
transparent for the user.

Remember that, as the squid FAQ says, the transparent proxy sacrifices the
FTP proxying. We had to modprobe the ip_masq_ftp module to make FTP
accessible. We think that FTP access is not that usual, and that it normally
is for large files, which surpass our acceptable object policy for squid,
anyway.

Then, the suggested squid configuration:

# accelerate for any host name (required for transparent mode)
httpd_accel_host virtual
httpd_accel_port 80
# keep behaving as a normal proxy for clients that are configured for one
httpd_accel_with_proxy on
# pick the origin server from the HTTP Host: header of the intercepted request
httpd_accel_uses_host_header on

To sum up, this setup avoids proxy configuration for the workstations, and
the ip_masq_ftp module makes it possible to use FTP software that does not
know about proxies. This also makes it better for simple HTTP clients that
don't know about proxies either.

I'm still considering the ipchains config that was suggested here. It is
just that I haven't had much time lately.

Greetings,
Arturo
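As an added illustration (not part of Arturo's post), the following Python script simulates ipchains first-match evaluation over the input chain above, so the ordering point can be checked offline: the specific 192.168.1.1:80 rule has to precede the catch-all port-80 rule, otherwise squid fetching from the local web server is redirected back into squid, and anything that is not TCP/80 (HTTPS, for instance) falls through to the ACCEPT policy and bypasses the proxy entirely. It handles only the options the post uses (-s, -d with an optional port, -p, -i, -j); the addresses are the post's own and the test packets are constructed.

```python
import ipaddress

# Constructed copy of the post's ipchains input chain (ipchains-save syntax)
CHAIN = """:input ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j DENY
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j DENY
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1 80 -p tcp -j REDIRECT 18001
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 80 -p tcp -j REDIRECT 3128"""
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}  # numeric -p values ipchains accepts


def parse_chain(text, chain="input"):
    """Parse ':chain POLICY' and '-A chain ...' lines; covers only the options the post uses."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == [":" + chain]:
            policy = tok[1]
        if tok[:2] != ["-A", chain]:
            continue
        r, i = {"src": None, "dst": None, "dport": None, "proto": None, "iface": None}, 2
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt in ("-s", "-d"):
                # ipchains writes 'any' as 0.0.0.0/0.0.0.0; a bare port may follow the address
                r["src" if opt == "-s" else "dst"] = ipaddress.ip_network(arg.replace("/0.0.0.0", "/0"))
                if opt == "-d" and i + 2 < len(tok) and tok[i + 2].isdigit():
                    r["dport"] = int(tok[i + 2])
                    i += 1
            elif opt == "-p":
                r["proto"] = PROTO.get(arg, arg)
            elif opt == "-i":
                r["iface"] = arg
            elif opt == "-j":
                r["target"] = " ".join(tok[i + 1:])  # e.g. 'REDIRECT 3128'
                break
            i += 2
        rules.append(r)
    return policy, rules


def verdict(policy, rules, src, dst, proto, dport=None, iface="eth0"):
    """ipchains semantics: the first matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if ((r["src"] is None or ipaddress.ip_address(src) in r["src"])
                and (r["dst"] is None or ipaddress.ip_address(dst) in r["dst"])
                and r["proto"] in (None, proto) and r["dport"] in (None, dport)
                and r["iface"] in (None, iface)):
            return r["target"]
    return policy
```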