Linux Netfilter discussions
From: Amos Jeffries <squid3@treenet.co.nz>
To: Tarak Ranjan <tarak.ranjan@liqwidkrystal.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Gateway with Iptables
Date: Tue, 30 Oct 2007 22:00:30 +1300
Message-ID: <4726F2AE.1060108@treenet.co.nz>
In-Reply-To: <4725BF05.5000708@liqwidkrystal.com>

Tarak Ranjan wrote:
> 
>> Amos wrote:
>> I believe you need to exempt the traffic from squid (local machine 
>> IPA) from the REDIRECT about here.
>>
>> $IPT -t nat -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT
>>
>> ... And use "http_port 8080 transparent" in the squid.conf
>>
>>
>> > $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
>> > ###############################################################################
>>
> But after applying this, users are able to connect to the Internet
> directly without enabling the proxy. What else do I have to do to stop
> direct connections? They must use the proxy.
> 

Huh? That should ONLY exempt the proxy, not the client machines. I'm not 
100% certain of the rule as I use shorewall to simplify the config a lot.

Do you mean the users are actually logged into the proxy server?

Or that it _looks_ like clients can connect directly. Check the 
access.log of squid to be sure.

The entire point of transparent is so clients don't do any config, the 
proxy silently makes internet 'just work' for any allowed browsing.

Amos
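
An added example, not part of the original message: a shell helper for the access.log check suggested above, reporting which LAN clients actually show up in Squid's log. It assumes Squid's default native log format; the sample log lines, the client addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
write_sample_log() {
    cat > "$1" <<'EOF'
1193734801.101    212 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.80 text/html
1193734802.340      3 192.168.1.10 TCP_HIT/200 1834 GET http://example.com/logo.png - NONE/- image/png
1193734805.777    198 192.168.1.11 TCP_MISS/200 9001 GET http://example.org/ - DIRECT/192.0.2.81 text/html
1193734809.004      1 192.168.1.10 TCP_DENIED/403 1405 GET http://example.net/ - NONE/- text/html
EOF
}

# proxy_coverage LOGFILE CLIENT_IP...
# Prints one line per client: "<ip> <requests> <denied> <verdict>".
# verdict is "intercepted" when the client appears in the log, and
# "not-seen" when none of its requests were logged by Squid, i.e. its
# port-80 traffic is not being redirected to the proxy.
proxy_coverage() {
    log=$1
    shift
    awk -v clients="$*" '
        BEGIN { n = split(clients, want, " ") }
        NF >= 10 {
            seen[$3]++                              # field 3 is the client address
            if ($4 ~ /^TCP_DENIED\//) denied[$3]++  # blocked by a Squid ACL
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = want[i]
                verdict = (seen[ip] > 0) ? "intercepted" : "not-seen"
                printf "%s %d %d %s\n", ip, seen[ip], denied[ip], verdict
            }
        }
    ' "$log"
}

# Demo on the constructed log; on a real gateway pass the path of
# Squid's access.log and the client addresses to check.
demo_log=$(mktemp)
write_sample_log "$demo_log"
proxy_coverage "$demo_log" 192.168.1.10 192.168.1.11 192.168.1.12
rm -f "$demo_log"
```

A client reported as "intercepted" is going through the proxy even though its browser has no proxy configured, which is the expected behaviour of a transparent setup.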
