* Squid Redirection
@ 2010-01-04 18:31 Aaron Clausen
2010-01-04 18:38 ` Kenneth Sande
2010-01-05 9:36 ` Mart Frauenlob
0 siblings, 2 replies; 8+ messages in thread
From: Aaron Clausen @ 2010-01-04 18:31 UTC (permalink / raw)
To: netfilter
I'm running Squid on my gateway router (on the internal ethernet only
of course) and have been struggling to figure out how to redirect port
80 traffic to it (transparent proxy). All the instructions I've seen
are for Squid hosted on another server. Anyone have any tips?
--
Aaron Clausen
mightymartianca@gmail.com
* Re: Squid Redirection
From: Kenneth Sande @ 2010-01-04 18:38 UTC (permalink / raw)
To: Aaron Clausen; +Cc: netfilter
I do it this way for my one internal subnet. There may be more and
better options, but this works for me.
iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j REDIRECT --to-ports 3128
Squid must also be set up to accept transparent connections.
-Ken Sande/KC8QNI
Aaron Clausen wrote:
> I'm running Squid on my gateway router (on the internal ethernet only
> of course) and have been struggling to figure out how to redirect port
> 80 traffic to it (transparent proxy). All the instructions I've seen
> are for Squid hosted on another server. Anyone have any tips?
>
>
* Re: Squid Redirection
From: Mart Frauenlob @ 2010-01-05 9:36 UTC (permalink / raw)
To: netfilter
On 04.01.2010 19:31, Aaron Clausen wrote:
> I'm running Squid on my gateway router (on the internal ethernet only
> of course) and have been struggling to figure out how to redirect port
> 80 traffic to it (transparent proxy). All the instructions I've seen
> are for Squid hosted on another server. Anyone have any tips?
>
Besides the REDIRECT, there's also a newer target: TPROXY -
http://www.balabit.com/downloads/files/tproxy/README.txt
regards
Mart
* Re: Squid Redirection
From: John Haxby @ 2010-01-05 10:31 UTC (permalink / raw)
To: netfilter; +Cc: Mart Frauenlob
On 05/01/10 09:36, Mart Frauenlob wrote:
> Besides the REDIRECT, there's also a newer target: TPROXY -
> http://www.balabit.com/downloads/files/tproxy/README.txt
>
>
I've read that, but I'm still not clear what TPROXY gives me that
REDIRECT doesn't, except that it seems more complex.
For example, I have
iptables -t nat -A PREROUTING -p tcp -m tcp ! --dport 3128 -j REDIRECT --to-ports 3128
I don't need anything else, just a process listening on port 3128 that
knows what to do with redirected connections.
What would TPROXY give me that that doesn't?
jch
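What a "process listening on port 3128 that knows what to do with redirected connections" actually has to do, and where TPROXY differs, as an added example from the editor rather than anything posted in the thread. Under REDIRECT the nat rule rewrites the destination to the gateway itself, so the accepted socket's local address is the gateway's and the address the client really dialed survives only in conntrack; the listener fetches it with the SO_ORIGINAL_DST socket option. Under TPROXY nothing is rewritten: a socket with IP_TRANSPARENT set may accept connections to non-local addresses, so getsockname() on the accepted connection is the original destination, and the same option lets the proxy bind its upstream socket to the client's address so the origin server sees the client IP rather than the gateway's. The mangle-table TPROXY rule and the fwmark policy route that steer packets to such a socket (described in the README Mart linked) are not shown here. The constant values come from the Linux headers; the sample sockaddr bytes and the 198.51.100.7 address are constructed for illustration.

```python
# Added example (editor's, not from the thread): recovering the original
# destination behind a REDIRECT rule versus a TPROXY (IP_TRANSPARENT) socket.
import socket
import struct
import sys

# From <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80
# socket.IP_TRANSPARENT exists on Linux builds of Python 3.3+; 19 is the
# value from <linux/in.h>, used as a fallback.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def parse_sockaddr_in(buf):
    """Decode the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns:
    u16 sin_family (host order), u16 sin_port (network order),
    4-byte sin_addr, 8 bytes of zero padding."""
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack_from("=H", buf, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    port = struct.unpack_from("!H", buf, 2)[0]
    return socket.inet_ntoa(buf[4:8]), port


def sample_original_dst(ip, port):
    """Constructed sample (not captured): the bytes SO_ORIGINAL_DST would
    return for a client that dialed ip:port and was REDIRECTed to us."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def original_destination(conn):
    """REDIRECT case: ask conntrack for the address the client really dialed.
    conn.getsockname() would only give the gateway's own address here."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def make_listener(port=3128, transparent=False):
    """transparent=False: plain socket for the nat REDIRECT rule.
    transparent=True: IP_TRANSPARENT socket for a TPROXY rule (needs
    CAP_NET_ADMIN); no NAT happens, so getsockname() is the original
    destination and the proxy may bind outbound to the client's address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    s.bind(("0.0.0.0", port))
    s.listen(64)
    return s


def serve_once(listener, transparent=False):
    """Accept one intercepted connection and report who dialed what.
    A real proxy would now connect to dst (for TPROXY, from a second
    IP_TRANSPARENT socket bound to client[0]) and relay the bytes."""
    conn, client = listener.accept()
    with conn:
        dst = conn.getsockname() if transparent else original_destination(conn)
        print(f"{client[0]}:{client[1]} -> {dst[0]}:{dst[1]} (intercepted)")
        return client, dst


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(parse_sockaddr_in(sample_original_dst("198.51.100.7", 80)))
    # With --listen (and the matching iptables rule in place) accept one
    # real redirected connection; --tproxy selects the IP_TRANSPARENT path.
    if "--listen" in sys.argv:
        tp = "--tproxy" in sys.argv
        serve_once(make_listener(transparent=tp), transparent=tp)
```

Whichever target is used, the listener should still compare the Host: header the client sent with the recovered destination before forwarding; Squid does this on its intercept ports precisely so that a client cannot use the intercepted port as an open forward proxy for arbitrary hosts.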
* Re: Squid Redirection
From: Aaron Clausen @ 2010-01-05 22:45 UTC (permalink / raw)
To: netfilter
On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
> I do it this way for my one internal subnet. There may be more and better
> options, but this works for me.
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
> REDIRECT --to-port 3128"
>
> Squid must also be set up to accept transparent connections.
Thanks. Now for another question. I have about a dozen workstations
that I want to bypass squid (they are in the same subnet as the
workstations that I want traffic sent through squid). Reading squid's
documentation, they recommend that this be done at the client end or
via iptables. What's the rule to allow these hosts to bypass squid?
--
Aaron Clausen
mightymartianca@gmail.com
* Re: Squid Redirection
From: Kenneth Sande @ 2010-01-05 23:24 UTC (permalink / raw)
To: netfilter
Aaron Clausen wrote:
> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>
>> I do it this way for my one internal subnet. There may be more and better
>> options, but this works for me.
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
>> REDIRECT --to-port 3128"
>>
>> Squid must also be set up to accept transparent connections.
>>
>
> Thanks. Now for another question. I have about a dozen workstations
> that I want to bypass squid (they are in the same subnet as the
> workstations that I want traffic sent through squid). Reading squid's
> documentation, they recommend that this be done at the client end or
> via iptables. What's the rule to allow these hosts to bypass squid?
>
>
What I do is have a special portion of my subnet set aside for
"unfiltered" access, and I just put an ACCEPT chain in for that portion
before the REDIRECT for the whole subnet.
So it looks similar to this:
iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NOSQUID_NETWORK} -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j REDIRECT --to-ports 3128
In my case the INT_NOSQUID_NETWORK is 192.168.0.32/28, which gives me 16
addresses that can bypass this, which I assign manually.
I believe that you can also set up squid so that it makes these
computers bypass the cache. I think it's the "always_direct [allow|deny]
'acl list'" directive. I haven't played with that too much, and I'm not
entirely sure if that is working right for my WSUS server.
(Sending reply to the list this time)
-Ken Sande/KC8QNI
* Re: Squid Redirection
From: Mart Frauenlob @ 2010-01-06 9:41 UTC (permalink / raw)
To: netfilter
On 06.01.2010 00:24, Kenneth Sande wrote:
> Aaron Clausen wrote:
>> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>>
>>> I do it this way for my one internal subnet. There may be more and
>>> better
>>> options, but this works for me.
>>>
>>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK}
>>> -p tcp
>>> --dport 80 --sport 1024:65535 -m state --state
>>> NEW,ESTABLISHED,RELATED -j
>>> REDIRECT --to-port 3128"
>>>
>>> Squid must also be set up to accept transparent connections.
>>>
>>
>> Thanks. Now for another question. I have about a dozen workstations
>> that I want to bypass squid (they are in the same subnet as the
>> workstations that I want traffic sent through squid). Reading squid's
>> documentation, they recommend that this be done at the client end or
>> via iptables. What's the rule to allow these hosts to bypass squid?
>>
>>
> What I do is have a special portion of my subnet set aside for
> "unfiltered" access, and I just put an ACCEPT chain in for that portion
> before the REDIRECT for the whole subnet.
> So it looks similar to this:
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s
> ${INT_NOSQUID-NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED
> -j ACCEPT"
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
> REDIRECT --to-port 3128"
>
nat table rules 'see' only state 'NEW' packets.
Better do filtering in the filter table.
You could use the 'iprange' match if the hosts are not in a complete subnet.
If that does not match, you could use ipset and the set match.
ipset -N no_squid ipmap --network ${INT_NETWORK}
...add hosts to ipset: ipset --add no_squid ...
iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid -j REDIRECT ...
regards
Mart
* Re: Squid Redirection
From: Mart Frauenlob @ 2010-01-06 10:12 UTC (permalink / raw)
To: netfilter
On 06.01.2010 10:41, Mart Frauenlob wrote:
> On 06.01.2010 00:24, Kenneth Sande wrote:
>> Aaron Clausen wrote:
>>> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>>>
>>>> I do it this way for my one internal subnet. There may be more and
>>>> better
>>>> options, but this works for me.
>>>>
>>>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK}
>>>> -p tcp
>>>> --dport 80 --sport 1024:65535 -m state --state
>>>> NEW,ESTABLISHED,RELATED -j
>>>> REDIRECT --to-port 3128"
>>>>
>>>> Squid must also be set up to accept transparent connections.
>>>>
>>>
>>> Thanks. Now for another question. I have about a dozen workstations
>>> that I want to bypass squid (they are in the same subnet as the
>>> workstations that I want traffic sent through squid). Reading squid's
>>> documentation, they recommend that this be done at the client end or
>>> via iptables. What's the rule to allow these hosts to bypass squid?
>>>
>>>
>> What I do is have a special portion of my subnet set aside for
>> "unfiltered" access, and I just put an ACCEPT chain in for that portion
>> before the REDIRECT for the whole subnet.
>> So it looks similar to this:
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s
>> ${INT_NOSQUID-NETWORK} -p tcp
>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED
>> -j ACCEPT"
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
>> REDIRECT --to-port 3128"
>>
>
> nat table rules 'see' only state 'NEW' packets.
> Better do filtering in the filter table.
>
> You could use the 'iprange' if the hosts are not in a complete subnet.
> If that does not match, you could use ipset and the set match.
>
> ipset -N no_squid ipmap
>
> ...add hosts to ipset: ipset --add no_squid ...
>
> iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid -j
> REDIRECT ...
>
sorry, forgot the set flag :/
iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid src -j REDIRECT ...
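The complete ruleset the thread converges on, combining Ken's bypass idea with Mart's negated ipset match and the `src` flag, written up as an added example by the editor; it is not a script posted by anyone in the thread. It builds the ipset and the single nat PREROUTING rule, drops the `--sport` and `-m state` matches from Ken's rule because, as Mart notes, the nat table only ever sees the first packet of a flow, and includes a small first-match model of the rule so you can check which packets will be redirected before touching a live gateway. Everything concrete is assumed rather than taken from the posts: interface name eth1, internal subnet 192.168.0.0/24, set name no_squid, the bypass hosts, current ipset syntax (`ipset create ... hash:ip` rather than the 2010-era `ipset -N ... ipmap`), and the Squid 3.1+ `intercept` keyword (older releases spell it `transparent`).

```python
# Added example (editor's, not from the thread): ipset + nat PREROUTING rules
# for a transparent Squid on the gateway with a bypass set, plus a first-match
# model of what the rule will and will not redirect.
# Assumed, not from the posts: eth1, 192.168.0.0/24, set name no_squid,
# bypass hosts 192.168.0.33 and 192.168.0.40, modern ipset syntax.
import ipaddress
import shlex
import subprocess
import sys


def build_commands(int_if, int_net, bypass_hosts, squid_port=3128, set_name="no_squid"):
    """Return argv lists, in execution order. One REDIRECT rule with a negated
    set match replaces the ACCEPT-then-REDIRECT pair, so the exceptions need
    not share a contiguous subnet. -i and -s keep the rule from applying to
    anything arriving on the external side; without them a host on the
    outside could reach the intercept port through the gateway."""
    net = ipaddress.ip_network(int_net)
    cmds = [["ipset", "-exist", "create", set_name, "hash:ip"]]
    for h in bypass_hosts:
        ip = ipaddress.ip_address(h)
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}; the rule would never see it")
        cmds.append(["ipset", "-exist", "add", set_name, str(ip)])
    cmds.append([
        "iptables", "-t", "nat", "-A", "PREROUTING",
        "-i", int_if, "-s", str(net), "-p", "tcp", "--dport", "80",
        "-m", "set", "!", "--match-set", set_name, "src",   # 'src': match the set against the source address
        "-j", "REDIRECT", "--to-ports", str(squid_port),
    ])
    return cmds


def squid_config_line(squid_port=3128):
    """squid.conf line that lets Squid accept intercepted connections
    (Squid 3.1+; earlier releases use 'transparent')."""
    return f"http_port {squid_port} intercept"


def nat_decision(pkt, int_if, int_net, bypass_hosts, squid_port=3128):
    """First-match model of the generated rule for one NEW TCP packet
    (nat only sees the first packet of a flow). pkt keys: in_if, src, dport.
    Returns 'pass' (rule does not match) or 'redirect:<port>'."""
    src = ipaddress.ip_address(pkt["src"])
    from_inside = pkt["in_if"] == int_if and src in ipaddress.ip_network(int_net)
    bypass = any(src == ipaddress.ip_address(h) for h in bypass_hosts)
    if pkt["dport"] == 80 and from_inside and not bypass:
        return f"redirect:{squid_port}"
    return "pass"


def main(argv):
    """Print the commands; with --apply also run them (needs root)."""
    cmds = build_commands("eth1", "192.168.0.0/24", ["192.168.0.33", "192.168.0.40"])
    for c in cmds:
        print(shlex.join(c))
        if "--apply" in argv:
            subprocess.run(c, check=True)
    print("# squid.conf:", squid_config_line())
    # Dry-run check of the rule logic on constructed packets.
    for pkt in ({"in_if": "eth1", "src": "192.168.0.10", "dport": 80},
                {"in_if": "eth1", "src": "192.168.0.33", "dport": 80},
                {"in_if": "eth0", "src": "192.168.0.10", "dport": 80}):
        print(pkt, "->", nat_decision(pkt, "eth1", "192.168.0.0/24", ["192.168.0.33", "192.168.0.40"]))


if __name__ == "__main__":
    main(sys.argv[1:])
```

After applying, `iptables -t nat -L PREROUTING -v -n` shows the packet counter on the REDIRECT rule climbing only for port-80 connections from non-bypass internal hosts, and `ipset list no_squid` shows the exceptions; the model above predicts the same split for packets arriving on the external interface (never redirected) and for bypass hosts (passed through to normal forwarding).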