| 1 |
On 01/21/10 21:49, Adam wrote: |
| 2 |
>> http://www.linux.com/archive/articles/113733 |
| 3 |
> |
| 4 |
>Sorry my mistake, for the OUTPUT chain it makes sense as all those |
| 5 |
>packets are from squid. |
| 6 |
> |
| 7 |
>The log should have a URL after the GET command, ie; |
| 8 |
> |
| 9 |
>1264070023.044 103 192.168.1.12 TCP_MISS/200 33140 GET |
| 10 |
>http://safebrowsing-cache.google.com/safebrowsing/rd/goog-phish-shavar_a_82561-82720.82561-82614.82615-82720: |
| 11 |
>- DIRECT/150.101.98.208 application/vnd.google.safebrowsing-chunk |
| 12 |
> |
| 13 |
>Have you tried configuring the proxy in your browser to check that |
| 14 |
>squid's working? Once you've established that you then know if you have |
| 15 |
>to fix the squid config or the iptables config |
| 16 |
|
| 17 |
Yes, the squid is working OK. |
| 18 |
But I'm not sure if it is possible to accomplish what I want. |
| 19 |
|
| 20 |
iptable + squid are running on a single box: so I want: |
| 21 |
INCOMING access from Internet is OPEN - I don't need or want to block anything; as I have an external firewall. |
| 22 |
OUTBOUND access to Internet denied (except one or two domains) - so I think squid is perfectly suitable to it and it is working OK. |
| 23 |
iptable I only wanted to use to forwarder to squid proxy, so doesn't matter what Browser user will use everything will go via squid except access to localhost |
| 24 |
(127.0.0.1). |
| 25 |
|
| 26 |
And this is the part I'm having problem with, anything localhost (127.0.0.1) does not go through squid |
| 27 |
All I have in iptable for now: |
| 28 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT |
| 29 |
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT |
| 30 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128 |
| 31 |
|
| 32 |
maybe it is not possible with single interface eth0 |
| 33 |
|
| 34 |
-- |
| 35 |
Joseph |
Archives