On 01/22/10 03:49, Stroller wrote:
>Thanks for posting Joseph.
>
>I would love to understand this better.
>
>
>On 21 Jan 2010, at 23:52, Joseph wrote:
>>On 01/21/10 21:51, Stroller wrote:
>>>>maybe it is not possible with single interface eth0
>>>
>>>I believe that running Squid in conjunction with iptables is
>>>known as running in "interception" mode.
>>>
>>>It may well indeed not be possible to do this with only one
>>>interface. How do you ensure that packets reach this machine? I
>>>think usually ... So I'm not really sure how the machines on your
>>>LAN know to send web packets to your Squid machine. Perhaps you
>>>can explain?
>
>^ Could you answer these questions, please?

Simple, it is done by iptables in the kernel.
You are sending the packets to port 80 (http) to go out via eth0, which is the only way out; iptables (your firewall) intercepts the traffic and does whatever you instruct it to do, in my case below:

Intercept everything to 127.0.0.1 (localhost) and let it go, no need to forward it to squid, harmless traffic :-)
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT

Exempting squid, joseph and root from forwarding to squid and allowing Internet access without filtering; simple and self-explanatory
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT

Everything else passes through squid, which permits or denies the traffic; in my case I only allow access to two domains, everything else is denied (squid is redirecting the traffic to port 80 on eth0 if permitted)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

It is very simple.

>
>>Yes, it is possible, it took me a day to figure it out as I'm not a
>>pro with iptables, check my post and follow the instructions:
>>http://forums.gentoo.org/viewtopic-p-6142685.html#6142685
>
>I don't see the explanation in this link.
>
>Stroller.

I don't understand what kind of explanation you expect, just emerge squid iptables (make sure the kernel has the correct entries compiled IN) and type those commands in at the command line; read the post above, some other users clearly suggested what to type at the command line :-)

It just works! I stated my objectives and I accomplished them.

-- 
Joseph
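The rule set above, as an added example that is not part of Joseph's message or the linked forum post: a small POSIX shell script that generates the same nat OUTPUT rules in the order they must be applied and either prints them or applies them. Two things are worth seeing in working form. First, ordering: every ACCEPT exemption has to be appended before the REDIRECT, because the first matching rule in the chain wins. Second, the squid user exemption is what stops a loop; without it, squid's own fetches to port 80 would be redirected back into squid. The nat OUTPUT chain only sees packets generated on this host, which is why this works with a single interface and also why it does not touch traffic from other LAN machines (that would be a PREROUTING rule, which the post does not attempt). The squid port, the squid user name, the exempt-user list and the DRY_RUN switch are assumptions of this example, set to match the post's values.

```shell
#!/bin/sh
# Added example, not the original poster's script. Generates the nat OUTPUT
# rule set described in the post, parameterised by squid port and exempt users.
# Assumptions: squid listens on 3128 as user "squid"; exempt users root and joseph.

SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_USER="${SQUID_USER:-squid}"
# Users whose outbound port-80 traffic bypasses squid entirely.
EXEMPT_USERS="${EXEMPT_USERS:-root joseph}"

# Print the rules in apply order. In the nat OUTPUT chain the first match
# wins, so all ACCEPT exemptions must precede the final REDIRECT.
build_rules() {
    # 1. Loopback HTTP is left alone.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT"
    # 2. Squid's own outbound fetches must never be redirected back into squid,
    #    otherwise every request loops. Its connections to its own port are exempt too.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT"
    echo "iptables -t nat -A OUTPUT -p tcp --dport $SQUID_PORT -m owner --uid-owner $SQUID_USER -j ACCEPT"
    # 3. Users allowed out unfiltered.
    for u in $EXEMPT_USERS; do
        echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $u -j ACCEPT"
    done
    # 4. Everything else is transparently redirected into squid.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Number of rules that would be emitted.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Succeeds only if the REDIRECT is the last rule, i.e. no exemption follows it.
redirect_is_last() {
    [ "$(build_rules | tail -n 1 | grep -c 'REDIRECT')" = "1" ]
}

# Apply the rules for real (requires root). With DRY_RUN set, only print them.
# Piping into "sh -e" stops at the first iptables command that fails.
apply_rules() {
    if [ -n "$DRY_RUN" ]; then
        build_rules
        return 0
    fi
    [ "$(id -u)" = "0" ] || { echo "apply_rules: must run as root" >&2; return 1; }
    build_rules | sh -e
}
```

Run it as root to apply, or with DRY_RUN=1 to print the commands first. Afterwards `iptables -t nat -L OUTPUT -n -v --line-numbers` shows the chain in order with per-rule packet counters, which is the quickest way to confirm that a test fetch from an unprivileged user hit the REDIRECT rule rather than an exemption. The owner match and the REDIRECT target each need their kernel options enabled (on kernels of that era CONFIG_NETFILTER_XT_MATCH_OWNER and CONFIG_IP_NF_TARGET_REDIRECT), which is what the "compiled IN" remark in the post refers to. Note that these rules only cover port 80; port 443 traffic is not redirected by them.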