
Re: [K12OSN] Re: squidGuard by default



Eric,
	Gotcha on squid redirect. I'll just have to bite the bullet and
roll out separate squid servers.
Thanks, Julius

On Mon, 3 Jun 2002, Eric Harrison wrote:

> On Mon, 3 Jun 2002, Julius Szelagiewicz wrote:
>
> >Yan,
> >	Thanks, this gives me a ray of hope ;-)  It also means that I have
> >to recompile the kernel for iptables support. This is going to be next
> >week's project. After this is done I just might have to take you up on your
> >offer of explaining the iptables rules. Julius
>
> You don't need to recompile the kernel for iptables support, it's already
> available as modules.
>
> The problem with trying to do transparent proxying from the terminal itself
> is that the firewalling magic is done on the input or pre-routing rules.
> If you are initiating the connection from the server itself, which would
> be the case if you were logged into a terminal, you would not hit the input/
> pre-routing rules. When you initiate a connection, it skips the input and
> forwarding rules and goes straight to the output rules.
>
> An alternative is to block port 80 and force browsers to use the proxy
> on port 3128. The problem here is that since it's on the same box, the
> port 80 block also blocks the proxy's outbound connections.
>
> In theory, you could do some magic by using firewall marks and get it to
> work. This would be a bit tricky to get right, certainly more complicated
> than the one-liner rule used when setting up an external proxy server.
>
> -Eric
>
> >On Sun, 2 Jun 2002, Yan Seiner wrote:
> >
> >> > From: Julius Szelagiewicz <julius turtle com>
> >> > To: k12osn redhat com
> >> >         I am trying to configure squid / squidGuard for fully automatic
> >> > use from workstations. I am running squid on the same server that the
> >> > workstations boot from and I am not running an httpd server on the box.
> >> > Squid and squidGuard work just fine if I change the Netscape preferences
> >> > to proxy. When set to "direct internet connect" squid is being bypassed,
> >> > despite the fact that it listens on ports 80 and 3128. Setting proxy to
> >> > localhost and port 80 makes it work fine, but I don't want the users to
> >> > be able to bypass it at all. I must be missing something really easy. TIA,
> >> > Julius
> >>
> >>
> >> You need to redirect via iptables (not ipchains - why RH chose to dumb
> >> down iptables to ipchains I'll never know):
> >>
> >> First, you grab everything going to port 80 on any outside server and
> >> send it to squid:
> >>
> >> $IPTABLES --table nat --append PREROUTING \
> >>         --in-interface eth+ --protocol tcp --destination $OUTSIDE --dport http \
> >>         -j REDIRECT --to-port 3128
> >>
> >> Now you make sure that you let the modified packets in to your box:
> >>
> >> $IPTABLES --table filter --append INPUT \
> >>         --protocol tcp --source $WAN --dport 3128 --destination $OUTSIDE \
> >>         -j ACCEPT
> >>
> >> Let me know if I need to explain these rules in detail.  For this to
> >> work, squid should *not* listen on port 80.
> >
> >
>
>
>
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>
>
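Both situations discussed in the thread, as an added example that is not any of the posters' own rules: the PREROUTING one-liner for clients on other machines, and the case Eric describes where the browser runs on the proxy box itself and never passes PREROUTING. For that second case the script redirects in the nat OUTPUT chain and uses the iptables owner match to exempt squid's own outbound connections, which is a different technique from the firewall marks Eric mentions and avoids the "port 80 block also blocks the proxy" problem. The interface (eth0), LAN network (192.168.0.0/24), squid port (3128) and squid's Unix user (squid) are assumptions; set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: transparent squid redirect for remote and local clients.
# Not the list posters' rules. Assumed (hypothetical) values below; override
# them in the environment. Run "DRY_RUN=1 sh redirect.sh apply" to preview,
# "sh redirect.sh apply" as root to load the rules.
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth0}"                 # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # assumed LAN network
SQUID_PORT="${SQUID_PORT:-3128}"         # squid's http_port
SQUID_USER="${SQUID_USER:-squid}"        # Unix user squid runs as (assumed)

# Run one iptables invocation, or just print it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Case 1: browsers on other machines. Their packets arrive on the LAN
# interface and traverse nat PREROUTING, so one REDIRECT rule sends all
# outbound port-80 traffic to squid. Traffic to the LAN itself is left
# alone so local web servers keep working. The INPUT rule lets the
# redirected packets reach the proxy.
redirect_lan_clients() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        ! -d "$LAN_NET" -j REDIRECT --to-ports "$SQUID_PORT"
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Case 2: browsers running on the proxy box itself (users logged in on
# the server). Locally generated packets skip PREROUTING and enter the
# nat table at OUTPUT, so the REDIRECT goes there. The owner match
# excludes squid's own user, otherwise squid's upstream fetches would be
# looped straight back into squid.
redirect_local_clients() {
    ipt -t nat -A OUTPUT -p tcp --dport 80 ! -d "$LAN_NET" \
        -m owner ! --uid-owner "$SQUID_USER" \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

apply_all() {
    redirect_lan_clients
    redirect_local_clients
}

# Only act when explicitly asked, so the file can be sourced for testing.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

The owner match is only available in the OUTPUT (and POSTROUTING) chains, which is exactly where locally originated connections show up, so it fits this case and not the remote-client one. Squid must listen on 3128, not 80, for the same reason Yan gives: with squid on port 80 the redirect would loop.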




