On 01/21/10 21:51, Stroller wrote:
>>maybe it is not possible with single interface eth0
>
>I believe that running Squid in conjunction with iptables is known as
>running in "interception" mode.
>
>It may well indeed not be possible to do this with only one
>interface. How do you ensure that packets reach this machine? I think
>usually interception mode is run on a machine with two interfaces -
>you'd route or (I guess) bridge through it. iptables can then snatch
>the packets. I don't believe you can route through a machine with
>only one interface (although my memory of routing is hazy, so I may
>be quite mistaken) because packets going out will collide with those
>coming in. So I'm not really sure how the machines on your LAN know
>to send web packets to your Squid machine. Perhaps you can explain?
>
>I manage a site at which Squid sits on a machine with only one
>interface. That machine is not a router, and Squid does not run in
>interception mode. I ended up writing a wpad.dat file and pointing
>the DNS for wpad.domain.local to the local webserver. This is not a
>properly secure method of forcing the users to use the proxy -
>really, the gateway should additionally use iptables to drop any web
>connections coming from any machine except the proxy - but at this
>site all the users are on a Windows domain, and they're unable (and
>too clueless, anyway) to configure their browsers not to use the
>proxy.
>
>I don't remember why I configured the site exactly this way - there's
>a little more I want to do with Squid, but I haven't got around to
>it. I set up this site a while ago and forgot about it. But I do know
>that Squid can be run in different ways and interception mode isn't
>suitable for all purposes (I had myself, as a beginner, assumed
>everyone did use interception mode).
>
>This stuff is very well documented at the Squid site -
>http://wiki.squid-cache.org/SquidFaq is a good start. My experience
>was excellent support - which really answered my question and helped
>me see where I was going wrong - from a Squid developer within 48
>hours of posting to the Squid mailing list.
>
>Stroller.

Yes, it is possible. It took me a day to figure it out, as I'm not a pro with iptables. Check my post and follow the instructions:
http://forums.gentoo.org/viewtopic-p-6142685.html#6142685

--
Joseph
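The wpad.dat approach Stroller describes in the quoted message is a PAC file served from the host that wpad.domain.local resolves to; browsers fetch it and call FindProxyForURL for every request. Below is an added example of such a file, written for this page rather than taken from Stroller's site or from the Squid project. The proxy name squid.domain.local:3128, the LAN range 192.168.1.0/24 and the internal domain domain.local are assumed values. The PAC helper functions (isPlainHostName, dnsDomainIs, isInNet) are normally supplied by the browser; the small stand-ins at the bottom only exist so the file can be exercised offline, and they are skipped when a real PAC runtime already defines them. One defensive choice worth noting: external traffic is returned as "PROXY ..." with no "; DIRECT" fallback, so if Squid is down the browser fails closed instead of silently bypassing the proxy, which is the gap Stroller's iptables rule on the gateway is meant to cover.

```javascript
// wpad.dat: proxy auto-configuration served at http://wpad.domain.local/wpad.dat
// Assumed (not from the thread): proxy squid.domain.local:3128, LAN 192.168.1.0/24,
// internal DNS domain domain.local.
var SQUID = "PROXY squid.domain.local:3128";

function FindProxyForURL(url, host) {
  // Plain hostnames ("intranet") and anything under the internal domain stay direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".domain.local")) {
    return "DIRECT";
  }
  // Loopback and literal LAN addresses stay direct (no DNS lookup is needed for literals).
  if (host === "127.0.0.1" || isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback:
  // a dead proxy should fail closed, not let clients bypass it.
  return SQUID;
}

// Stand-ins for the browser's PAC helpers, used only when running outside a browser.
// A real PAC runtime defines these itself, so they are not redefined there.
if (typeof isPlainHostName === "undefined") {
  // Parse a dotted quad into an integer; null if the string is not a literal IPv4 address.
  var ipToInt = function (ip) {
    var parts = String(ip).split(".");
    if (parts.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
      if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
      n = n * 256 + Number(parts[i]);
    }
    return n;
  };
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    host = host.toLowerCase();
    domain = domain.toLowerCase();
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
  // Browser isInNet resolves names via DNS; this offline stand-in only accepts literal IPs.
  globalThis.isInNet = function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return (h & m) === (p & m);
  };
}
```

The file is installed by serving it from the web server that wpad.domain.local points to, with the Content-Type application/x-ns-proxy-autoconfig; the gateway-side iptables rule Stroller mentions (drop outbound web traffic from any LAN host other than the proxy) remains the part that actually enforces the policy.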