SLUG Mailing List Archives
RE: [SLUG] ipchains & ipmasqadm
- To: "'Howard Lowndes'" <lannet@xxxxxxxxxxxxx>, "'Mail List - SLUG'" <slug@xxxxxxxxxxx>, "'Mail List - CLUG'" <linux@xxxxxxxxx>
- Subject: RE: [SLUG] ipchains & ipmasqadm
- From: Bernhard Lüder <bl@xxxxxxxxxxx>
- Date: Mon Sep 4 20:45:32 2000
I have used transparent proxying on many setups with great success.
Here's what I do:
# Redirect every TCP connection from the LAN to port 80 anywhere into Squid on 8080
# ($LOCALNET is the internal network, $ANYWHERE means any address, i.e. 0.0.0.0/0)
/sbin/ipchains -A input -p tcp -s $LOCALNET -d $ANYWHERE 80 -j REDIRECT 8080
Make sure the following is set in your /etc/squid/squid.conf. All of these
exist in the standard RH 6.0 - 6.2 setup, so change them to this:
Restart Squid and off you go. That's all I ever have to do.
> -----Original Message-----
> From: slug-admin@xxxxxxxxxxx
> [mailto:slug-admin@xxxxxxxxxxx]On Behalf Of
> Howard Lowndes
> Sent: Monday, September 04, 2000 7:59 PM
> To: Mail List - SLUG; Mail List - CLUG
> Subject: [SLUG] ipchains & ipmasqadm
> Let me start with an ASCII drawing, I find it helps to visualise my
> problem better. It's nothing unusual.
>        |  192.168.x.1  |
>        |               |
>        |               |
>        | Linux 2.2.16  |
>        |     Squid     |
>        |               |
>        |               |
>        |  139.130.a.b  |
>        /  139.130.a.z  \
>       /                 \
>      /       TBBI        \
> The Linux box has several ipchains filters on it to restrict various
> incoming TCP connections and incoming UDP packets, some are accepted and
> others are denied or rejected. Basically the internal net is free to
> initiate outgoing connections. Everything works as it should, forwarding
> works OK as does masquerading.
> The masquerading rule is like:
> ipchains -A forward -i ppp0 -s 192.168.x.0/24 -j MASQ -b
> The kernel has all of the relevant configs set:
> and /proc/sys/net/ipv4/ip_forward is set to 1
> So far, no problems.
> Now, what I want to do is to set up squid on the box to listen on port
> 3128. That is done and it runs fine when the browsers on the private
> network set the proxy in their configurations.
> My problem is that I don't want to trust the users to configure their
> browsers, so I want to do transparent proxying with any requests from the
> private network to external port 80 at least, being redirected to the
> squid proxy.
> I tried the following:
> ipchains -A input -i eth0 -p tcp --dport 80 -j REDIRECT 3128
> but that didn't seem to work.
> I then opted to try the packet marking in ipchains and do marked
> redirection using ipmasqadm, thus:
> ipchains -A input -i eth0 -p tcp --dport 80 -m 1
> ipmasqadm mfw -A -m 1 -r 139.130.a.b 3128
> but this just seems to be ignored and the packet gets output thru ppp0
> after it has been masqueraded just as it had been before.
> Can anyone please advise me what is the correct combination here? Should I
> leave the original masquerading rule in, or should I modify it to exclude
> those packets being handled by my other rules?
> LANNet Computing Associates <http://www.lannet.com.au>
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://slug.org.au/lists/listinfo/slug
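The setup the two messages above describe, as an added example that is not part of the original thread: a small POSIX shell script that assembles the ipchains rules. The interface names (eth0, ppp0), the 192.168.0.0/24 network and the Squid port are my assumptions, chosen to match the ASCII drawing and can be overridden from the environment. The squid.conf directives Bernhard refers to are not reproduced on the page, so the script covers only the packet-redirection side and assumes Squid is already listening on the given port. It puts the REDIRECT on the input chain of the internal interface, which is why the existing forward/MASQ rule can stay as it is, and it refuses to load anything while ip_forward is not 1.

```shell
#!/bin/sh
# Added example, not code from the original thread: a rule script for the
# ipchains + Squid transparent-proxy setup discussed above.  Interface names,
# the internal network and the Squid port are assumptions; override them via
# the environment.  Set IPCHAINS=echo to print the rules instead of loading them.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
LAN_IF="${LAN_IF:-eth0}"                # internal interface (the 192.168.x.1 side)
EXT_IF="${EXT_IF:-ppp0}"                # interface towards the ISP
LOCALNET="${LOCALNET:-192.168.0.0/24}"  # assumed internal network
SQUID_PORT="${SQUID_PORT:-3128}"        # 3128 in the question, 8080 in the reply
ANYWHERE="0.0.0.0/0"

# Succeeds only if the kernel will forward packets; a router with
# ip_forward=0 is a common reason a correct-looking rule set does nothing.
# The optional path argument lets the check be exercised without root.
check_forwarding() {
    proc="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$proc" ] && [ "$(cat "$proc")" = "1" ]
}

# The REDIRECT rule lives on the input chain of the LAN interface.  A packet
# traverses input before forward, so the redirect fires before the MASQ rule
# ever sees it and the masquerading rule needs no change.  Two details:
#  - connections to port 80 on the local network itself are accepted first,
#    so a web server on the LAN (or on the box) is reached directly, not via Squid;
#  - the rule is bound to $LAN_IF and $LOCALNET, so nothing arriving on the
#    external interface can be bounced into the proxy.
redirect_rules() {
    $IPCHAINS -A input -i "$LAN_IF" -p tcp -s "$LOCALNET" -d "$LOCALNET" 80 -j ACCEPT
    $IPCHAINS -A input -i "$LAN_IF" -p tcp -s "$LOCALNET" -d "$ANYWHERE" 80 -j REDIRECT "$SQUID_PORT"
}

# Masquerade everything from the LAN that leaves through the external link.
# Squid's own outgoing requests originate on the box and are not affected.
masq_rules() {
    $IPCHAINS -A forward -i "$EXT_IF" -s "$LOCALNET" -j MASQ
}

# Load the full set, but only on a box that actually forwards.
apply_rules() {
    if ! check_forwarding "$1"; then
        echo "ip_forward is not 1, refusing to load rules" >&2
        return 1
    fi
    redirect_rules && masq_rules
}

# Rules are loaded only when invoked as "./transparent-squid.sh apply".
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run it as IPCHAINS=echo sh transparent-squid.sh apply to review the rules before loading them for real. REDIRECT only steers packets; Squid's own http_access list should still restrict clients to the internal network, so that the cache cannot be used as an open proxy from the outside.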