Subject: Squid Redirection
From: Aaron Clausen @ 2010-01-04 18:31 UTC
To: netfilter

I'm running Squid on my gateway router (on the internal ethernet only of
course) and have been struggling to figure out how to redirect port 80
traffic to it (transparent proxy). All the instructions I've seen are for
Squid hosted on another server. Anyone have any tips?

-- 
Aaron Clausen
mightymartianca@gmail.com
Subject: Re: Squid Redirection
From: Kenneth Sande @ 2010-01-04 18:38 UTC
To: Aaron Clausen; +Cc: netfilter

I do it this way for my one internal subnet. There may be more and better
options, but this works for me.

    iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} \
        -p tcp --dport 80 --sport 1024:65535 \
        -m state --state NEW,ESTABLISHED,RELATED \
        -j REDIRECT --to-port 3128

Squid must also be set up to accept transparent connections.

-Ken Sande/KC8QNI

Aaron Clausen wrote:
> I'm running Squid on my gateway router (on the internal ethernet only
> of course) and have been struggling to figure out how to redirect port
> 80 traffic to it (transparent proxy). All the instructions I've seen
> are for Squid hosted on another server. Anyone have any tips?
>
Subject: Re: Squid Redirection
From: Aaron Clausen @ 2010-01-05 22:45 UTC
To: netfilter

On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
> I do it this way for my one internal subnet. There may be more and better
> options, but this works for me.
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
> REDIRECT --to-port 3128"
>
> Squid must also be set up to accept transparent connections.

Thanks. Now for another question. I have about a dozen workstations that I
want to bypass squid (they are in the same subnet as the workstations that I
want traffic sent through squid). Reading squid's documentation, they
recommend that this be done at the client end or via iptables. What's the
rule to allow these hosts to bypass squid?

-- 
Aaron Clausen
mightymartianca@gmail.com
Subject: Re: Squid Redirection
From: Kenneth Sande @ 2010-01-05 23:24 UTC
To: netfilter

Aaron Clausen wrote:
> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>
>> I do it this way for my one internal subnet. There may be more and better
>> options, but this works for me.
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
>> REDIRECT --to-port 3128"
>>
>> Squid must also be set up to accept transparent connections.
>>
>
> Thanks. Now for another question. I have about a dozen workstations
> that I want to bypass squid (they are in the same subnet as the
> workstations that I want traffic sent through squid). Reading squid's
> documentation, they recommend that this be done at the client end or
> via iptables. What's the rule to allow these hosts to bypass squid?
>

What I do is have a special portion of my subnet set aside for "unfiltered"
access, and I just put an ACCEPT chain in for that portion before the
REDIRECT for the whole subnet. So it looks similar to this:

    iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NOSQUID_NETWORK} \
        -p tcp --dport 80 --sport 1024:65535 \
        -m state --state NEW,ESTABLISHED,RELATED \
        -j ACCEPT

    iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} \
        -p tcp --dport 80 --sport 1024:65535 \
        -m state --state NEW,ESTABLISHED,RELATED \
        -j REDIRECT --to-port 3128

In my case the INT_NOSQUID_NETWORK is 192.168.0.32/28, which gives me 16
addresses that can bypass this--which I assign manually.

I believe that you can also set up squid so that it makes these computers
bypass the cache. I think it's the "always_direct [allow|deny] 'acl list'"
directive. I haven't played with that too much, and not entirely sure if
that is working right for my WSUS server.

(Sending reply to the list this time)

-Ken Sande/KC8QNI
Subject: Re: Squid Redirection
From: Mart Frauenlob @ 2010-01-06 9:41 UTC
To: netfilter

On 06.01.2010 00:24, Kenneth Sande wrote:
> Aaron Clausen wrote:
>> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>>
>>> I do it this way for my one internal subnet. There may be more and
>>> better options, but this works for me.
>>>
>>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK}
>>> -p tcp --dport 80 --sport 1024:65535 -m state --state
>>> NEW,ESTABLISHED,RELATED -j REDIRECT --to-port 3128"
>>>
>>> Squid must also be set up to accept transparent connections.
>>>
>>
>> Thanks. Now for another question. I have about a dozen workstations
>> that I want to bypass squid (they are in the same subnet as the
>> workstations that I want traffic sent through squid). Reading squid's
>> documentation, they recommend that this be done at the client end or
>> via iptables. What's the rule to allow these hosts to bypass squid?
>>
>>
> What I do is have a special portion of my subnet set aside for
> "unfiltered" access, and I just put an ACCEPT chain in for that portion
> before the REDIRECT for the whole subnet.
> So it looks similar to this:
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s
> ${INT_NOSQUID-NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED
> -j ACCEPT"
>
> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
> REDIRECT --to-port 3128"
>

nat table rules 'see' only state 'NEW' packets.
Better do filtering in the filter table.

You could use the 'iprange' if the hosts are not in a complete subnet.
If that does not match, you could use ipset and the set match.

    ipset -N no_squid ipmap

...add hosts to ipset:

    ipset --add no_squid ...

    iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid -j REDIRECT ...

regards

Mart
Subject: Re: Squid Redirection
From: Mart Frauenlob @ 2010-01-06 10:12 UTC
To: netfilter

On 06.01.2010 10:41, Mart Frauenlob wrote:
> On 06.01.2010 00:24, Kenneth Sande wrote:
>> Aaron Clausen wrote:
>>> On Mon, Jan 4, 2010 at 10:38, Kenneth Sande <sandekt@wow-ia.net> wrote:
>>>
>>>> I do it this way for my one internal subnet. There may be more and
>>>> better options, but this works for me.
>>>>
>>>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK}
>>>> -p tcp --dport 80 --sport 1024:65535 -m state --state
>>>> NEW,ESTABLISHED,RELATED -j REDIRECT --to-port 3128"
>>>>
>>>> Squid must also be set up to accept transparent connections.
>>>>
>>>
>>> Thanks. Now for another question. I have about a dozen workstations
>>> that I want to bypass squid (they are in the same subnet as the
>>> workstations that I want traffic sent through squid). Reading squid's
>>> documentation, they recommend that this be done at the client end or
>>> via iptables. What's the rule to allow these hosts to bypass squid?
>>>
>>>
>> What I do is have a special portion of my subnet set aside for
>> "unfiltered" access, and I just put an ACCEPT chain in for that portion
>> before the REDIRECT for the whole subnet.
>> So it looks similar to this:
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s
>> ${INT_NOSQUID-NETWORK} -p tcp
>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED
>> -j ACCEPT"
>>
>> "iptables -t nat -A PREROUTING -i ${INT_INTERFACE} -s ${INT_NETWORK} -p tcp
>> --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j
>> REDIRECT --to-port 3128"
>>
>
> nat table rules 'see' only state 'NEW' packets.
> Better do filtering in the filter table.
>
> You could use the 'iprange' if the hosts are not in a complete subnet.
> If that does not match, you could use ipset and the set match.
>
> ipset -N no_squid ipmap
>
> ...add hosts to ipset: ipset --add no_squid ...
>
> iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid -j
> REDIRECT ...
>

sorry, forgot the set flag :/

    iptables -t nat -A PREROUTING -i ... -m set ! --match-set no_squid src -j REDIRECT ...
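A complete version of the ipset bypass approach from the messages above, written here as an added example for this page; it is not code posted by anyone in the thread. It assumes values the thread never states: LAN interface eth1, LAN 192.168.0.0/24, Squid's intercept port 3128, and three constructed bypass addresses. It uses the ipset 6.x command syntax (create/add with a hash:ip set) rather than the ipset 4 form (-N ... ipmap, --add) shown above, and the corrected "... src" set match. The nat table is consulted only for the first packet of a connection, so the state match in the earlier rules is redundant and is dropped; because the bypass decision is made inside the REDIRECT rule, there is also no ordering dependency between an ACCEPT rule and the REDIRECT. Two things the thread leaves out are added: filter rules so the intercept port is reachable only from the LAN side, and the squid.conf directive (Squid 3.1 and later) as a comment.

```sh
#!/bin/sh
# Added example (not from the thread): REDIRECT interception for Squid with
# an ipset-based bypass list. Assumed values, not stated in the thread:
# LAN interface eth1, LAN 192.168.0.0/24, Squid intercept port 3128, and a
# constructed list of three bypass hosts. With APPLY=1 the commands are run
# (root, iptables, ipset 6.x); otherwise they are only printed.
#
# squid.conf side (Squid 3.1+; older releases spell it "transparent"):
#     http_port 3128 intercept

INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
NO_SQUID_HOSTS=${NO_SQUID_HOSTS:-"192.168.0.33 192.168.0.34 192.168.0.40"}

if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
    IPSET=ipset
else
    IPT="echo iptables"
    IPSET="echo ipset"
fi

# Create the bypass set and fill it. hash:ip takes individual addresses, so
# the hosts need not form a contiguous block; -exist makes this rerunnable.
build_bypass_set() {
    $IPSET -exist create no_squid hash:ip
    for h in $NO_SQUID_HOSTS; do
        $IPSET -exist add no_squid "$h"
    done
}

# Redirect port-80 traffic arriving on the LAN interface to Squid unless the
# source address is in the set. The nat table is evaluated only for the first
# packet of a connection; later packets follow the conntrack entry made here,
# so no state match is needed.
build_redirect_rules() {
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$INT_NET" -p tcp --dport 80 \
        -m set ! --match-set no_squid src \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# The intercept port is an ordinary listening socket on the gateway; only the
# LAN side should be able to reach it, whether via REDIRECT or directly.
build_input_rules() {
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

build_all() {
    build_bypass_set
    build_redirect_rules
    build_input_rules
}

# After applying: the REDIRECT rule should show "! match-set no_squid src"
# and its packet counter should climb as LAN clients browse.
show_rules() {
    $IPT -t nat -L PREROUTING -n -v --line-numbers
    $IPSET list no_squid
}

build_all
```

Run it once without APPLY to read the generated commands, then as root with APPLY=1 to load them and call show_rules to confirm the rule order and counters. A host can be taken out of interception at run time with "ipset add no_squid <address>"; its connections that are already open stay redirected, because the REDIRECT decision was recorded in their conntrack entries when they started, and only new connections see the change.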
Subject: Re: Squid Redirection
From: Mart Frauenlob @ 2010-01-05 9:36 UTC
To: netfilter

On 04.01.2010 19:31, Aaron Clausen wrote:
> I'm running Squid on my gateway router (on the internal ethernet only
> of course) and have been struggling to figure out how to redirect port
> 80 traffic to it (transparent proxy). All the instructions I've seen
> are for Squid hosted on another server. Anyone have any tips?
>

Besides the REDIRECT, there's also a newer target: TPROXY -
http://www.balabit.com/downloads/files/tproxy/README.txt

regards

Mart
Subject: Re: Squid Redirection
From: John Haxby @ 2010-01-05 10:31 UTC
To: netfilter; +Cc: Mart Frauenlob

On 05/01/10 09:36, Mart Frauenlob wrote:
> Besides the REDIRECT, there's also a newer target: TPROXY -
> http://www.balabit.com/downloads/files/tproxy/README.txt
>

I've read that, but I'm still not clear what TPROXY gives me that REDIRECT
doesn't, except that it seems more complex. For example, I have

    iptables -t nat -A PREROUTING -p tcp -m tcp ! --dport 3128 -j REDIRECT --to-ports 3128

I don't need anything else, just a process listening on port 3128 that knows
what to do with redirected connections. What would TPROXY give me that that
doesn't?

jch
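The difference the question above asks about, with an added example of the TPROXY plumbing; neither the explanation nor the code is from the thread. REDIRECT is NAT: the kernel rewrites the destination to the local port, the proxy recovers the original destination from conntrack (getsockopt SO_ORIGINAL_DST, which is what Squid's intercept mode does), and the proxy's own connection to the origin server leaves with the gateway's address. TPROXY rewrites nothing: the packet keeps its real destination and is delivered to a socket bound with IP_TRANSPARENT, and the proxy may bind its upstream socket to the client's address, so the origin server sees the client rather than the gateway (Squid's "tproxy" port mode). The price is the extra plumbing: a policy-routing rule so that marked packets are treated as local, a socket match so that later packets of an intercepted flow (and replies to the client-spoofed upstream connections) are delivered to the proxy, and CAP_NET_ADMIN for the proxy process. The values below are assumptions, not from the thread: LAN interface eth1, TPROXY port 3129, packet mark 1, routing table 100.

```sh
#!/bin/sh
# Added example (not from the thread): TPROXY interception for Squid, the
# mangle/policy-routing recipe that goes with "http_port 3129 tproxy" in
# squid.conf (Squid 3.1+). Assumed values, not stated in the thread: LAN
# interface eth1, TPROXY port 3129, mark 1, routing table 100. With APPLY=1
# the commands are run (root; kernel with xt_TPROXY and xt_socket);
# otherwise they are only printed.

INT_IF=${INT_IF:-eth1}
TPROXY_PORT=${TPROXY_PORT:-3129}
MARK=${MARK:-1}
TABLE=${TABLE:-100}

if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
    IP=ip
else
    IPT="echo iptables"
    IP="echo ip"
fi

# TPROXY does not change the destination address, so the routing code would
# forward the packet. Marked packets are looked up in a table whose single
# route declares every address local, which delivers them to the transparent
# socket instead.
build_policy_routing() {
    $IP rule add fwmark "$MARK" lookup "$TABLE"
    $IP route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# mangle PREROUTING: packets that already belong to a local socket (later
# packets of an intercepted flow, and origin-server replies addressed to the
# client IP that Squid spoofed) are marked and accepted via DIVERT; new
# port-80 flows from the LAN are handed to the tproxy socket and marked so
# they take the local route above.
build_tproxy_rules() {
    $IPT -t mangle -N DIVERT
    $IPT -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    $IPT -t mangle -A DIVERT -j ACCEPT
    $IPT -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    $IPT -t mangle -A PREROUTING -i "$INT_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

build_all() {
    build_policy_routing
    build_tproxy_rules
}

# After applying: the TPROXY rule's counters should climb for new LAN flows,
# and "ss -tlnp" should show the proxy listening on the tproxy port.
show_rules() {
    $IPT -t mangle -L PREROUTING -n -v --line-numbers
    $IP rule show
    $IP route show table "$TABLE"
}

build_all
```

If the proxy does not keep CAP_NET_ADMIN, the transparent socket cannot be created and the flows marked by the TPROXY rule are dropped rather than proxied; that, and the policy route, are the two things to check first when TPROXY appears to "eat" traffic that REDIRECT handled fine.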