On 22 Jan 2010, at 04:30, Joseph wrote:

>> On 21 Jan 2010, at 23:52, Joseph wrote:
>>> On 01/21/10 21:51, Stroller wrote:
>>>>> maybe it is not possible with single interface eth0
>>>>
>>>> I believe that running Squid in conjunction with iptables is
>>>> known as running in "interception" mode.
>>>>
>>>> It may well indeed not be possible to do this with only one
>>>> interface. How do you ensure that packets reach this machine? I
>>>> think usually ... So I'm not really sure how the machines on your
>>>> LAN know to send web packets to your Squid machine. Perhaps you
>>>> can explain?
>>
>> ^ Could you answer these questions, please?
>
> Simple, it is done by iptables in the kernel.
> You are sending the packets to port 80 (http) to go out via eth0;
> that is the only way out. iptables (your firewall) intercepts the
> traffic and does whatever you instruct it to do, in my case below:
>
> Intercept everything to 127.0.0.1 (localhost) and let it go, no need
> to forward it to squid, harmless traffic :-)
> iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT
>
> exempting squid, joseph, root from forwarding it to squid and
> allowing Internet access without filtering; simple and self
> explanatory
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT
>
> everything else passes through squid, which permits or allows the
> traffic; in my case I only allow access to two domains, everything
> else is denied (squid is redirecting the traffic to port 80
> eth0 if permitted)
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
>
> It is very simple.

So squid is run on the same PC that you're browsing from?

>>> Yes, it is possible, it took me a day to figure it out as I'm not
>>> a pro with iptables, check my post and follow the instructions:
>>> http://forums.gentoo.org/viewtopic-p-6142685.html#6142685
>>
>> I don't see the explanation in this link.
>>
>> Stroller.
>
> I don't understand what kind of explanation you expect, just emerge
> squid iptables (make sure kernel has the correct entries compiled IN)
> and type those commands in at the command line; read the post above,
> some other users clearly suggested what to type at the command
> line :-)
>
> It just works! I stated my objectives and I accomplished them.

Maybe I'm being very dumb. I assumed a situation of router A, with
Squid running on server B. The office staff are using browsers on
client machines X, Y & Z. When a user on machine X browses to a
website, his PC sends the packet to router A. The packet never reaches
server B in order to be intercepted by B. We can configure B as the
proxy in the browser settings of X, Y & Z, but then that no longer
needs iptables configuration or interception mode.

I'm not trying to argue with you, BTW. I'm just trying to learn from
you.

Stroller.
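The disagreement in this thread comes down to which packets the nat OUTPUT chain ever sees. The following is an added illustration, not code from either poster: a first-match model of Joseph's OUTPUT chain (rules in the order his -A commands append them) that shows why the squid-uid exemption must precede the REDIRECT, and that a packet from another LAN host never traverses OUTPUT at all (the Packet/Rule classes, the user name "alice" and the address 203.0.113.10 are constructed for the example).

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    dst: str            # destination IP
    uid: str | None     # owner of the sending socket; None = not generated on this host

@dataclass
class Rule:
    target: str                   # "ACCEPT" or "REDIRECT"
    proto: str = "tcp"            # -p
    dport: int | None = None      # --dport
    dst: str | None = None        # -d
    uid_owner: str | None = None  # -m owner --uid-owner
    to_port: int | None = None    # --to-ports (REDIRECT only)

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.uid_owner is None or pkt.uid == self.uid_owner))

# The nat OUTPUT chain from the post, in the order the -A commands appended it (constructed here).
OUTPUT_CHAIN = [
    Rule("ACCEPT", dport=80, dst="127.0.0.1"),
    Rule("ACCEPT", dport=80, uid_owner="squid"),
    Rule("ACCEPT", dport=3128, uid_owner="squid"),
    Rule("ACCEPT", dport=80, uid_owner="root"),
    Rule("ACCEPT", dport=80, uid_owner="joseph"),
    Rule("REDIRECT", dport=80, to_port=3128),
]

def nat_output(pkt: Packet, chain: list[Rule] = OUTPUT_CHAIN) -> int | None:
    """First-match walk of the nat OUTPUT chain. Returns the port the packet ends up
    addressed to, or None when the packet never traverses OUTPUT at all."""
    if pkt.uid is None:
        # OUTPUT (and the owner match) only see locally generated packets. A packet from
        # client X routed via router A is never matched here, which is Stroller's point;
        # interception on a gateway would need a REDIRECT in nat PREROUTING instead.
        return None
    for rule in chain:
        if rule.matches(pkt):
            return rule.to_port if rule.target == "REDIRECT" else pkt.dport
    return pkt.dport   # chain policy ACCEPT: port left untouched

def proxy_loops(chain: list[Rule]) -> bool:
    """True if Squid's own upstream port-80 fetches would be sent back to Squid,
    i.e. the squid uid exemption is missing or placed after the REDIRECT."""
    return nat_output(Packet("tcp", 80, "203.0.113.10", uid="squid"), chain) == 3128
```

Running proxy_loops on a chain where the REDIRECT was appended first returns True, the self-loop that the uid-owner exemption exists to prevent.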