On 01/21/10 21:49, Adam wrote:
>> http://www.linux.com/archive/articles/113733
>
> Sorry, my mistake. For the OUTPUT chain it makes sense, as all those
> packets are from squid.
>
> The log should have a URL after the GET command, i.e.:
>
> 1264070023.044 103 192.168.1.12 TCP_MISS/200 33140 GET
> http://safebrowsing-cache.google.com/safebrowsing/rd/goog-phish-shavar_a_82561-82720.82561-82614.82615-82720:
> - DIRECT/150.101.98.208 application/vnd.google.safebrowsing-chunk
>
> Have you tried configuring the proxy in your browser to check that
> squid's working? Once you've established that, you then know if you have
> to fix the squid config or the iptables config.

Yes, the squid is working OK.
But I'm not sure if it is possible to accomplish what I want.

iptables + squid are running on a single box, so I want:
INCOMING access from the Internet is OPEN - I don't need or want to block anything, as I have an external firewall.
OUTBOUND access to the Internet denied (except one or two domains) - so I think squid is perfectly suitable for it, and it is working OK.
iptables I only wanted to use to forward to the squid proxy, so it doesn't matter what browser the user uses; everything will go via squid except access to localhost
(127.0.0.1).

And this is the part I'm having a problem with: anything localhost (127.0.0.1) does not go through squid.
All I have in iptables for now:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

maybe it is not possible with single interface eth0

-- 
Joseph
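The rule set above has no exemption for loopback traffic, so connections to 127.0.0.1:80 hit the REDIRECT like everything else. The script below is an added example, not code from the thread: it emits the same nat OUTPUT rules with a loopback exemption placed before the REDIRECT, and includes a check that the ordering is right. It assumes squid runs as user "squid" on port 3128; the path to the binary and the APPLY flag are my own names.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: squid runs as
# the "squid" user on port 3128. With APPLY=1 the rules are applied with
# iptables; otherwise they are only printed so the order can be reviewed.
IPTABLES="${IPTABLES:-iptables}"
SQUID_USER="${SQUID_USER:-squid}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print or apply one rule in the nat table's OUTPUT chain.
nat_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPTABLES" -t nat -A OUTPUT "$@"
    else
        echo "$IPTABLES -t nat -A OUTPUT $*"
    fi
}

# Emit the rules in evaluation order. iptables matches top-down, so every
# exemption has to be appended before the catch-all REDIRECT.
transparent_proxy_rules() {
    # 1. Squid's own outbound port-80 traffic must not loop back into squid.
    nat_rule -p tcp --dport 80 -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    # 2. Locally delivered packets (127.0.0.0/8 and the box's own addresses)
    #    leave on lo; in OUTPUT, -o lo matches them before any REDIRECT.
    nat_rule -o lo -j ACCEPT
    # 3. Everything else bound for port 80 is handed to the proxy.
    nat_rule -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Sanity check on the printed rules: returns 0 only when the loopback
# exemption appears before the REDIRECT rule.
check_order() {
    rules=$(APPLY=0 transparent_proxy_rules)
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-o lo -j ACCEPT' | cut -d: -f1)
    redir_line=$(printf '%s\n' "$rules" | grep -n -- '-j REDIRECT' | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$redir_line" ] && [ "$lo_line" -lt "$redir_line" ]
}
```

Redirected connections also need Squid's http_port configured for interception (`transparent` in Squid 2.x/3.0, `intercept` in 3.1 and later); a test with the proxy set in the browser does not exercise that path.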