| 1 |
On 21 Jan 2010, at 18:59, Joseph wrote: |
| 2 |
> ... |
| 3 |
> Yes, the squid is working OK. |
| 4 |
> But I'm not sure if it is possible to accomplish what I want. |
| 5 |
> |
| 6 |
> iptable + squid are running on a single box: so I want: |
| 7 |
> INCOMING access from Internet is OPEN - I don't need or want to |
| 8 |
> block anything; as I have an external firewall. |
| 9 |
> OUTBOUND access to Internet denied (except one or two domains) - so |
| 10 |
> I think squid is perfectly suitable to it and it is working OK. |
| 11 |
> iptable I only wanted to use to forwarder to squid proxy, so doesn't |
| 12 |
> matter what Browser user will use everything will go via squid |
| 13 |
> except access to localhost (127.0.0.1). |
| 14 |
> |
| 15 |
> ... |
| 16 |
> maybe it is not possible with single interface eth0 |
| 17 |
|
| 18 |
I believe that running Squid in conjunction with iptables is known as |
| 19 |
running in "interception" mode. |
| 20 |
|
| 21 |
It may well indeed not be possible to do this with only one interface. |
| 22 |
How do you ensure that packets reach this machine? I think usually |
| 23 |
interception mode is run on a machine with two interfaces - you'd |
| 24 |
route or (I guess) bridge through it. iptables can then snatch the |
| 25 |
packets. I don't believe you can route through a machine with only one |
| 26 |
interface (although my memory of routing is hazy, so I may be quite |
| 27 |
mistaken) because packets going out will collide with those coming in. |
| 28 |
So I'm not really sure how the machines on your LAN know to send web |
| 29 |
packets to your Squid machine. Perhaps you can explain? |
| 30 |
|
| 31 |
I manage a site at which Squid sits on a machine with only one |
| 32 |
interface. That machine is not a router, and Squid does not run in |
| 33 |
interception mode. I ended up writing a wpad.dat file and pointing the |
| 34 |
DNS for wpad.domain.local to the local webserver. This is not a |
| 35 |
properly secure method of forcing the users to use the proxy - really, |
| 36 |
the gateway should additionally use iptables to drop any web |
| 37 |
connections coming from any machine except the proxy - but at this |
| 38 |
site all the users are on a Windows domain, and they're unable (and |
| 39 |
too clueless, anyway) to configure their browsers not to use the proxy. |
| 40 |
|
| 41 |
I don't remember why I configured the site exactly this way - there's |
| 42 |
a little more I want to do with Squid, but I haven't got around to it. |
| 43 |
I set up this site a while ago and forgot about it. But I do know that |
| 44 |
Squid can be run in different ways and interception mode isn't |
| 45 |
suitable for all purposes (I had myself, as a beginner, assumed |
| 46 |
everyone did use interception mode). |
| 47 |
|
| 48 |
This stuff is very well documented at the Squid site - http://wiki.squid-cache.org/SquidFaq |
| 49 |
is a good start. My experience was excellent support - which really |
| 50 |
answered my question and helped me see where I was going wrong - from |
| 51 |
a Squid developer within 48 hours of posting to the Squid mailing list. |
| 52 |
|
| 53 |
Stroller. |
Archives