Topic: transparent proxy support

[Tony Smith]

I have a problem that is causign me much grief. I have installed an e-smith server to provide e-mail, internet gateway and internal directory services for a small firm locally (approx 60 users). It has been working well for some time, but now their parent company has provided them with access, via another gateway, to the company intranet.

This causes problems becuase the internet service provider enforces the use of a proxy. The existence of the proxy in the individual workstation browser setups means that the proxy is queried for the address of sites on the intranet, and of course fails to find them.  I have verified that the proxy is the cause of the problem by simply removing it from the browser setup which then allows full access to the intranet and very very s l o w access to the internet.

My research leads me to belive that if I can set up transparent proxy support on the e-smith server then I will not need to have any mention of a proxy in the +workstation setups.

I've tracked down the latest way to do that by way of a combination of squid and iptables. The latest version of e-smith has an appropriate version of squid and also has the iptables RPM installed, but does not sem to use iptables as all references I can find under /etc/rc.d refer to ipchains.

BUT, although I have a command line which is supposed to work, it does not for me and I fear I lack the skill to go much further by a wide margin.

The start of the command line invocation is something like "iptables -t nat" which is where it falls over being unable to find a "nat" table. I cannot locate in the documentation what this file should look like and where it is supposed to be.

Has anyone set up transparent proxy support in e-smith, and if so could they share?

My email is:- tony@pacifictoyota.com.au or the one above.

Any help from people who have actually set this up gratefully received.

Tony Smith

[David Helmuth]

There is one other thing you could try.  In the configuration (telent to admin) of e-smith 4.1.1 and greater, there is an option to have the Proxy server on e-Smith, forward all of its requests to another Proxy server.   Simply put the URL for the "outsided" proxy server in there.  (You will probably need to re-boot.)  Then have all of your internal clients set to a relatively permanent proxy setting of:

proxy.localnetwork.com 3128.

Then as the that outside proxy changes, the internal client machines don't have to make any changes.

-Dave

[Tony Smith]

David.

Thanks for your input, but it's not the proxy changing that is the problem,
it is its very existence.

Perhaps I didn't explain very clearly. On the internet side the service
provider enforces the use of proxies. Therefore if you don't set up a proxy
on the browser of the client desktop, you either surf very slowly or not at
all.

The difficulty arises where a page request is made of an address on the
organization's intranet. The browser makes the page request of the internet
proxy server, which of course has no idea of the intranet address space and
accordingly fails.

Implementing the proxy on the e-smith server as it stands gains me nothing
as it will still make the same request to the outside prosy server and
likewise fail.

However, from experimentation I know that at the client end, if I configure
it with two gateways and no proxy then if a request is made for a page from
the "currently in use gateway" and a failure results a request will then be
made automatically of the other gateway and that will succeed.

This is where transparent proxy support comes in. On the internet side all
requests must be made via the proxy, but if the e-smith server can be made
to do that automatically and then pass the resulting pages on to the client
browser without the client having to know anything about proxy support then
it will work perfectly (I hope).

E-smith as at 4.1.2 has the correct version of squid to do this and it also
has an installed (but unused?) copy of iptables. I lack the knowledge to set
up iptables either in place of ipchains or in addition to. I have made an
honest search for iptables documentation that I can understand and have not
found any. This is the help I am looking for.

Cheers

Tony Smith

Connected to the internet in Sunny Far North Queensland Australia
http://www.tonsyl.org

[Scott Smith]

Tony

This may or may not help. In the browser there is usually a setting to "Bypass proxy for local addresses" and also a setting to "Do not use proxy for addresses beginning with..." or similar names. I use IE5.5, but I recall this having been around for quite a long time so it is probably in Netscape and Opera. You could use this to bypass the proxy without having to change e-smith.

If you use an automatic configuration script (hey, is that an e-smith wish list item?) the administration of this would be very simple.

hth

Scott

[Simeon]

Sorry, I've only read your post quickly, so I may be answering the wrong question, but I think you are talking about installing transproxy.noarch.rpm onto your server so that you then don't need to set your browsers to use the e-smith box as their proxy.

I'm sure that its probably on the ftp site somewhere but I've used it by going to the HOWTO page, and then the squidGaurd HowTo and downloading it from there.

hope this helps.