On 21 Jan 2010, at 18:59, Joseph wrote:
> ...
> Yes, the squid is working OK.
> But I'm not sure if it is possible to accomplish what I want.
>
> iptables + squid are running on a single box: so I want:
> INCOMING access from Internet is OPEN - I don't need or want to
> block anything; as I have an external firewall.
> OUTBOUND access to Internet denied (except one or two domains) - so
> I think squid is perfectly suitable for it and it is working OK.
> iptables I only wanted to use as a forwarder to the squid proxy, so it doesn't
> matter what browser the user will use, everything will go via squid
> except access to localhost (127.0.0.1).
>
> ...
> maybe it is not possible with single interface eth0

I believe that running Squid in conjunction with iptables is known as
running in "interception" mode.

It may well indeed not be possible to do this with only one interface.
How do you ensure that packets reach this machine? I think usually
interception mode is run on a machine with two interfaces - you'd
route or (I guess) bridge through it. iptables can then snatch the
packets. I don't believe you can route through a machine with only one
interface (although my memory of routing is hazy, so I may be quite
mistaken) because packets going out will collide with those coming in.
So I'm not really sure how the machines on your LAN know to send web
packets to your Squid machine. Perhaps you can explain?

I manage a site at which Squid sits on a machine with only one
interface. That machine is not a router, and Squid does not run in
interception mode. I ended up writing a wpad.dat file and pointing the
DNS for wpad.domain.local to the local webserver. This is not a
properly secure method of forcing the users to use the proxy - really,
the gateway should additionally use iptables to drop any web
connections coming from any machine except the proxy - but at this
site all the users are on a Windows domain, and they're unable (and
too clueless, anyway) to configure their browsers not to use the proxy.

I don't remember why I configured the site exactly this way - there's
a little more I want to do with Squid, but I haven't got around to it.
I set up this site a while ago and forgot about it. But I do know that
Squid can be run in different ways and interception mode isn't
suitable for all purposes (I had myself, as a beginner, assumed
everyone did use interception mode).

This stuff is very well documented at the Squid site - http://wiki.squid-cache.org/SquidFaq
is a good start. My experience was excellent support - which really
answered my question and helped me see where I was going wrong - from
a Squid developer within 48 hours of posting to the Squid mailing list.

Stroller.
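A wpad.dat of the kind Stroller describes, added here as an example and not the file from that site: it sends everything to Squid except localhost and the internal domain, matching Joseph's requirement. The proxy name proxy.domain.local, port 3128, the domain.local suffix and the proxy address 192.168.1.10 are assumptions; it uses only plain JavaScript (none of the PAC helper functions such as isPlainHostName) so it behaves the same in a browser's PAC engine and under Node.

```javascript
// Assumed values (not from the original message): Squid listens on
// proxy.domain.local:3128 and the site's internal DNS domain is domain.local.
var PROXY = "PROXY proxy.domain.local:3128";
var LOCAL_DOMAIN = "domain.local";
var LOCAL_SUFFIX = "." + LOCAL_DOMAIN;

// Hosts the browser may reach without the proxy: the box itself, unqualified
// LAN names and anything inside the internal domain. Everything else goes to
// Squid, which is where the "outbound denied except one or two domains" rule lives.
function isDirectHost(host) {
  host = String(host).toLowerCase();
  if (host === "localhost" || host === "127.0.0.1") return true;
  if (host.indexOf(".") === -1) return true;          // plain host name on the LAN
  if (host === LOCAL_DOMAIN) return true;
  // Suffix match on a dot boundary, so "domain.local.example.com" is NOT local.
  return host.length > LOCAL_SUFFIX.length &&
         host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX;
}

// PAC entry point. With WPAD enabled, browsers fetch this file from
// http://wpad.domain.local/wpad.dat (serve it with MIME type
// application/x-ns-proxy-autoconfig) and call this for every request.
function FindProxyForURL(url, host) {
  return isDirectHost(host) ? "DIRECT" : PROXY;
}

// WPAD only suggests a proxy; a user who turns auto-detection off bypasses it.
// As the message says, the gateway should also drop web traffic that does not
// come from the proxy, for example (assumed proxy address 192.168.1.10):
//   iptables -A FORWARD -p tcp -m multiport --dports 80,443 ! -s 192.168.1.10 -j DROP
```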