| 1 |
On 22 Jan 2010, at 04:30, Joseph wrote: |
| 2 |
>> On 21 Jan 2010, at 23:52, Joseph wrote: |
| 3 |
>>> On 01/21/10 21:51, Stroller wrote: |
| 4 |
>>>>> maybe it is not possible with single interface eth0 |
| 5 |
>>>> |
| 6 |
>>>> I believe that running Squid in conjunction with iptables is |
| 7 |
>>>> known as running in "interception" mode. |
| 8 |
>>>> |
| 9 |
>>>> It may well indeed not be possible to do this with only one |
| 10 |
>>>> interface. How do you ensure that packets reach this machine? I |
| 11 |
>>>> think usually ... So I'm not really sure how the machines on your |
| 12 |
>>>> LAN know to send web packets to your Squid machine. Perhaps you |
| 13 |
>>>> can explain? |
| 14 |
>> |
| 15 |
>> ^ Could you answer these questions, please? |
| 16 |
> |
| 17 |
> Simple, it is done by iptable in the kernel. |
| 18 |
> You are sending the packets to port 80 (http) to go out via eth0 |
| 19 |
> that is the only way out, iptabls (your firewall) intercept the |
| 20 |
> traffic and does whatever you instruct it to do in my case below: |
| 21 |
> |
| 22 |
> Intercept everything to 127.0.0.1 (localhost) and let it go no need |
| 23 |
> to forward it to squid, harmless traffic :-) |
| 24 |
> iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT |
| 25 |
> |
| 26 |
> exempting squid, joseph, root from forwarding it to squid and |
| 27 |
> allowing Internet access without filtering; simple and self |
| 28 |
> explanatory |
| 29 |
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner |
| 30 |
> squid -j ACCEPT |
| 31 |
> iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner |
| 32 |
> squid -j ACCEPT |
| 33 |
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner |
| 34 |
> root -j ACCEPT |
| 35 |
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner |
| 36 |
> joseph -j ACCEPT |
| 37 |
> |
| 38 |
> everything else passes through squid, which permits or allow the |
| 39 |
> traffic; in my case I only allow access to two domain, everything |
| 40 |
> thing else is denied (squid is redirecting the traffic to port 80 |
| 41 |
> eth0 if permitted) |
| 42 |
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports |
| 43 |
> 3128 |
| 44 |
> |
| 45 |
> It is very simple. |
| 46 |
|
| 47 |
So squid is run on the same PC that you're browsing from? |
| 48 |
|
| 49 |
>>> Yes, it is possible, it took me a day to figure it out as I'm not |
| 50 |
>>> a pro with iptables, check my post and follow the instructions: |
| 51 |
>>> http://forums.gentoo.org/viewtopic-p-6142685.html#6142685 |
| 52 |
>> |
| 53 |
>> I don't see the explanation in this link. |
| 54 |
>> |
| 55 |
>> Stroller. |
| 56 |
> |
| 57 |
> I don't understand what kind of explanation you expect, just emerge |
| 58 |
> squid iptable (make sure kernel has the correct entries compiled IN) |
| 59 |
> and type those commends in at the command line; read the post above |
| 60 |
> some other users clearly suggested what to type at the command |
| 61 |
> line :-) |
| 62 |
> |
| 63 |
> It just works! I stated my objectives and I accomplished them. |
| 64 |
|
| 65 |
Maybe I'm being very dumb. I assumed a situation of router A, with |
| 66 |
Squid running on server B. The office staff are using browsers on |
| 67 |
client machines X, Y & Z. When a user on machine X browses to a |
| 68 |
website, his PC sends the packet to router A. The packet never reaches |
| 69 |
server B in order to be intercepted by B. We can configure B as the |
| 70 |
proxy in the browser settings of X, Y & Z, but then that no longer |
| 71 |
needs iptables configuration or interception mode. |
| 72 |
|
| 73 |
I'm not trying to argue with you, BTW. I'm just trying to learn from |
| 74 |
you. |
| 75 |
|
| 76 |
Stroller. |
Archives