
Re: [K12OSN] Re: squidGuard by default



On Mon, 3 Jun 2002, Julius Szelagiewicz wrote:

>Yan,
>	thanks, this gives me a ray of hope ;-)  It also means that I have
>to recompile the kernel for iptables support. This is going to be next
>week's project. After this is done I just might have to take you up on your
>offer of explaining the iptables rules. Julius

You don't need to recompile the kernel for iptables support, it's already
available as modules.

The problem with trying to do transparent proxying from the terminal itself
is that the firewalling magic is done on the input or pre-routing rules.
If you are initiating the connection from the server itself, which would
be the case if you were logged into a terminal, you would not hit the input/
pre-routing rules. When you initiate a connection, it skips the input and
forwarding rules and goes straight to the output rules.

An alternative is to block port 80 and force browsers to use the proxy
on port 3128. The problem here is that since it's on the same box, the
port 80 block also blocks the proxy's outbound connections.

In theory, you could do some magic by using firewall marks and get it to
work. This would be a bit tricky to get right, certainly more complicated
than the one-liner rule used when setting up an external proxy server.

-Eric

>On Sun, 2 Jun 2002, Yan Seiner wrote:
>
>> > From: Julius Szelagiewicz <julius turtle com>
>> > To: k12osn redhat com
>> >         I am trying to configure squid / squidGuard for fully automatic
>> > use from workstations. I am running squid on the same server that the
>> > workstations boot from and I am not running an httpd server on the box.
>> > squid and squidGuard work just fine if I change the netscape preferences
>> > to proxy. When set to "direct internet connect" squid is being bypassed,
>> > despite the fact that it listens on ports 80 and 3128. Setting proxy to
>> > local host and port 80 makes it work fine, but I don't want the users to
>> > be able to bypass it at all. I must be missing something really easy. tia,
>> > julius
>>
>>
>> You need to redirect via iptables (not ipchains - why RH chose to dumb
>> down iptables to ipchains I'll never know):
>>
>> First, you grab everything going to port 80 on any outside server and
>> send it to squid:
>>
>> $IPTABLES --table nat --append PREROUTING \
>>         --in-interface eth+ --protocol tcp --destination $OUTSIDE \
>>         --dport http \
>>         -j REDIRECT --to-port 3128
>>
>> Now you make sure that you let the modified packets in to your box:
>>
>> $IPTABLES --table filter --append INPUT \
>>         --protocol tcp --source $WAN --dport 3128 --destination $OUTSIDE \
>>         -j ACCEPT
>>
>> Let me know if I need to explain these rules in detail.  For this to
>> work, squid should *not* listen on port 80.
>
>
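The following script is an added example, not code posted by Yan, Eric or Julius. It collects Yan's PREROUTING redirect for traffic arriving from the terminals, and handles the case Eric describes (a browser running on the server itself, whose packets skip PREROUTING/INPUT and only pass the OUTPUT chains) with a nat/OUTPUT redirect. Instead of the firewall marks Eric mentions, it uses the iptables owner match to exempt squid's own UID, which is what stops the proxy's upstream fetches from being looped back into the proxy or caught by a port-80 block on the same box. The LAN interface name (eth0), the squid user name (squid) and the squid port (3128) are assumptions; by default the script only prints the rules (IPTABLES defaults to "echo iptables") so it can be inspected without root.

```shell
#!/bin/sh
# Transparent squid redirection for the K12LTSP case discussed above.
# Added example; assumptions: LAN interface eth0, squid runs as user "squid",
# squid listens on 3128 (and NOT on 80). Set IPTABLES=iptables and run as
# root to actually install the rules; by default they are only printed.

IPTABLES=${IPTABLES:-"echo iptables"}
LAN_IF=${LAN_IF:-eth0}          # assumed: interface the terminals boot from
SQUID_PORT=${SQUID_PORT:-3128}  # assumed: squid's listening port
SQUID_USER=${SQUID_USER:-squid} # assumed: UID squid runs under

# Terminals on the LAN: their packets arrive on eth0 and traverse
# nat/PREROUTING before the routing decision, so REDIRECT can pull
# port-80 traffic into squid. The INPUT rule lets the rewritten packets in.
lan_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    $IPTABLES -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Browser on the server itself: locally generated packets never see
# PREROUTING or INPUT, only nat/OUTPUT. Redirect there, but exempt squid's
# own UID (owner match, valid only in OUTPUT) so its upstream fetches to
# port 80 are not redirected back into squid.
local_rules() {
    $IPTABLES -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$SQUID_USER" \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Defence in depth: if the nat rule were ever missing, a direct port-80
# connection from any local user other than squid is refused instead of
# silently bypassing squidGuard. squid's own connections are still allowed,
# which is the problem a plain port-80 block on the same box runs into.
block_rules() {
    $IPTABLES -A OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$SQUID_USER" -j REJECT
}

# Emit (or install) the complete ruleset in order.
all_rules() {
    lan_rules
    local_rules
    block_rules
}

all_rules
```

Run as-is it prints the five iptables commands; with IPTABLES=iptables as root it installs them. Rule order matters: nat/OUTPUT REDIRECT runs before filter/OUTPUT, so a redirected browser connection reaches the filter chain with destination port 3128 and is never touched by the REJECT, while squid's own fetches skip both rules through the owner match.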