| 1 |
On 01/21/10 21:51, Stroller wrote: |
| 2 |
>>maybe it is not possible with single interface eth0 |
| 3 |
> |
| 4 |
>I believe that running Squid in conjunction with iptables is known as |
| 5 |
>running in "interception" mode. |
| 6 |
> |
| 7 |
>It may well indeed not be possible to do this with only one |
| 8 |
>interface. How do you ensure that packets reach this machine? I think |
| 9 |
>usually interception mode is run on a machine with two interfaces - |
| 10 |
>you'd route or (I guess) bridge through it. iptables can then snatch |
| 11 |
>the packets. I don't believe you can route through a machine with |
| 12 |
>only one interface (although my memory of routing is hazy, so I may |
| 13 |
>be quite mistaken) because packets going out will collide with those |
| 14 |
>coming in. So I'm not really sure how the machines on your LAN know |
| 15 |
>to send web packets to your Squid machine. Perhaps you can explain? |
| 16 |
> |
| 17 |
>I manage a site at which Squid sits on a machine with only one |
| 18 |
>interface. That machine is not a router, and Squid does not run in |
| 19 |
>interception mode. I ended up writing a wpad.dat file and pointing |
| 20 |
>the DNS for wpad.domain.local to the local webserver. This is not a |
| 21 |
>properly secure method of forcing the users to use the proxy - |
| 22 |
>really, the gateway should additionally use iptables to drop any web |
| 23 |
>connections coming from any machine except the proxy - but at this |
| 24 |
>site all the users are on a Windows domain, and they're unable (and |
| 25 |
>too clueless, anyway) to configure their browsers not to use the |
| 26 |
>proxy. |
| 27 |
> |
| 28 |
>I don't remember why I configured the site exactly this way - there's |
| 29 |
>a little more I want to do with Squid, but I haven't got around to |
| 30 |
>it. I set up this site a while ago and forgot about it. But I do know |
| 31 |
>that Squid can be run in different ways and interception mode isn't |
| 32 |
>suitable for all purposes (I had myself, as a beginner, assumed |
| 33 |
>everyone did use interception mode). |
| 34 |
> |
| 35 |
>This stuff is very well documented at the Squid site - |
| 36 |
>http://wiki.squid-cache.org/SquidFaq is a good start. My experience |
| 37 |
>was excellent support - which really answered my question and helped |
| 38 |
>me see where I was going wrong - from a Squid developer within 48 |
| 39 |
>hours of posting to the Squid mailing list. |
| 40 |
> |
| 41 |
>Stroller. |
| 42 |
|
| 43 |
Yes, it is possible, it took me a day to figure it out as I'm not a pro with iptables, check my post and follow the instructions: |
| 44 |
http://forums.gentoo.org/viewtopic-p-6142685.html#6142685 |
| 45 |
|
| 46 |
-- |
| 47 |
Joseph |
Archives