| 1 |
On 01/22/10 03:49, Stroller wrote: |
| 2 |
>Thanks for posting Joseph. |
| 3 |
> |
| 4 |
>I would love to understand this better. |
| 5 |
> |
| 6 |
> |
| 7 |
>On 21 Jan 2010, at 23:52, Joseph wrote: |
| 8 |
>>On 01/21/10 21:51, Stroller wrote: |
| 9 |
>>>>maybe it is not possible with single interface eth0 |
| 10 |
>>> |
| 11 |
>>>I believe that running Squid in conjunction with iptables is |
| 12 |
>>>known as running in "interception" mode. |
| 13 |
>>> |
| 14 |
>>>It may well indeed not be possible to do this with only one |
| 15 |
>>>interface. How do you ensure that packets reach this machine? I |
| 16 |
>>>think usually ... So I'm not really sure how the machines on your |
| 17 |
>>>LAN know to send web packets to your Squid machine. Perhaps you |
| 18 |
>>>can explain? |
| 19 |
> |
| 20 |
>^ Could you answer these questions, please? |
| 21 |
|
| 22 |
Simple, it is done by iptable in the kernel. |
| 23 |
You are sending the packets to port 80 (http) to go out via eth0 that is the only way out, iptabls (your firewall) intercept the traffic and does whatever |
| 24 |
you instruct it to do in my case below: |
| 25 |
|
| 26 |
Intercept everything to 127.0.0.1 (localhost) and let it go no need to forward it to squid, harmless traffic :-) |
| 27 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT |
| 28 |
|
| 29 |
exempting squid, joseph, root from forwarding it to squid and allowing Internet access without filtering; simple and self explanatory |
| 30 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT |
| 31 |
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT |
| 32 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT |
| 33 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT |
| 34 |
|
| 35 |
everything else passes through squid, which permits or allow the traffic; in my case I only allow access to two domain, everything thing else is denied (squid |
| 36 |
is redirecting the traffic to port 80 eth0 if permitted) |
| 37 |
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128 |
| 38 |
|
| 39 |
It is very simple. |
| 40 |
|
| 41 |
> |
| 42 |
>>Yes, it is possible, it took me a day to figure it out as I'm not a |
| 43 |
>>pro with iptables, check my post and follow the instructions: |
| 44 |
>>http://forums.gentoo.org/viewtopic-p-6142685.html#6142685 |
| 45 |
> |
| 46 |
>I don't see the explanation in this link. |
| 47 |
> |
| 48 |
>Stroller. |
| 49 |
|
| 50 |
I don't understand what kind of explanation you expect, just emerge squid iptable (make sure kernel has the correct entries compiled IN) and type those |
| 51 |
commends in at the command line; read the post above some other users clearly suggested what to type at the command line :-) |
| 52 |
|
| 53 |
It just works! I stated my objectives and I accomplished them. |
| 54 |
|
| 55 |
-- |
| 56 |
Joseph |
Archives