RE: [squid-users] transparent proxy

From: Kamesh Patel <kamesh.patel@dont-contact.us>
Date: Wed, 21 Aug 2002 12:11:36 +0100

Hello,

> -A input -s 192.168.2.0/255.255.255.0 -d 80:80 0.0.0.0/0.0.0.0 -p tcp -j REDIRECT 10000
I changed the entry in the ipchains rule from 80:80 to 80 on the destination
side, and that fixed it from what I can see in the logs!
> -A input -s 192.168.2.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 80 -p tcp -j REDIRECT 10000

> -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -l -j ACCEPT

This rule is, and always has been, evaluated later than the REDIRECT rule; it's
just that the REDIRECT rule was not being matched!

I shall include a config of what I have done on the ipchains side of stuff
as well as with the squid & squidGuard stuff!

I hope this helps.

If you can't be bothered to go through the whole lot of this config but you
have some suggestions on how I could improve this, I would greatly appreciate
it.

ipchains is as follows:
-----------------------

:input ACCEPT
:forward ACCEPT
:output ACCEPT
#This first rule handles anything from my network going to intranets on port 80 on my network.
-A input -s 192.168.2.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 80 -p tcp -j ACCEPT
#This rule handles anything on my network going to anywhere on any network
-A input -s 192.168.2.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 80 -p tcp -j REDIRECT 10000
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j ACCEPT
#The following REJECT rules I don't really care about (defaults); I don't think they even get used.
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6000:6009 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7100:7100 -p 6 -j REJECT -y
#Any request for any other type of info (ftp, ntp, ldap, etc) I shall masquerade.
-A forward -s 192.168.2.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

squid.conf is as follows:
-------------------------

# The proxy/cache port is:
 http_port 10000

# ICP Port is disabled with
 icp_port 0

# Some stuff will never be cached these are:
 acl QUERY urlpath_regex cgi-bin \?
 no_cache deny QUERY

# Cache low and high water values
# cache_swap_low 90
# cache_swap_high 95
# These have been disabled... I do not know any better on these; maybe somebody else does

# Log the destination IP addresses when going direct... good for blocking of any sort
 log_ip_on_direct on

# Do you want to do DNS lookups for fully qualified domain names? I don't, so:
 log_fqdn off

#The client netmask range I am using does proxy/cache for my whole network, and this helps to log the correct IPs
 client_netmask 255.255.255.255

#I have specified a redirect program to handle http filtering
 redirect_program /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf

#I have also specified that the number of spawns this program shall have is 5; this can change!
redirect_children 5

#Because I would like to produce reports of the log files I have chosen to use idents. This means
#I need to provide a timeout for the information, therefore I give it 10 seconds.
 ident_timeout 10 seconds

#My acl's
 acl http_clients src 192.168.2.0/255.255.255.0

#And this is how i use them

 http_access allow http_clients
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
# (an "allow all" line here matches every request, so the default described in
# the next paragraph would never be consulted and this would be an open proxy)
 http_access deny all
#You may be wondering about the above access rule, but read the next paragraph; that is my
#reasoning! Please advise if I am wrong in any shape or manner!
># If none of the "access" lines cause a match, the default is the
># opposite of the last line in the list. If the last line was
># deny, then the default is allow. Conversely, if the last line
># is allow, the default will be deny. For these reasons, it is a
># good idea to have an "deny all" or "allow all" entry at the end
># of your access lists to avoid potential confusion.

#My ICP access rule
icp_access allow all
#The above paragraph applies to this too!

#Cache manager info is quite important for those that don't know what to do when something weird happens, so I filled it in!
 cache_mgr webmaster@domain.co.uk

#Stuff to do with transparent proxying:
 httpd_accel_host virtual
 httpd_accel_port 80
 httpd_accel_with_proxy on
 httpd_accel_uses_host_header on

#More info on the cache manager stuff
#This says the cache manager's password is <password> and they have these privileges <shutdown,info,stats/objects>
 cachemgr_passwd password shutdown
 cachemgr_passwd password info stats/objects

And that's my config for squid. Many of you may be asking yourselves for
more info... look in the squid.conf, it's got very good descriptions and
explanations for pretty much every option within it!

squidGuard.conf is as follows:
------------------------------

#Definitions of where certain files are kept, such as the database files and the log files.
dbhome /usr/local/squidGuard/db
logdir /var/log/squidGuard

#These src rules are what I am basing any blocking on
src blockedip {
        ip 192.168.2.135
}

src generalip {
        ip 192.168.2.11-192.168.2.128
}

#These are the database files which contain info about what sites need to be blocked,
#and where the appropriate log entry will be made.
dest porn {
                log porn
                domainlist porn/domains
                urllist porn/urls
}

dest blacklist {
                log blacklist
                domainlist blacklist/domains
}

dest hacking {
                log hacking
                domainlist hacking/domains
                urllist hacking/urls
}

dest violence {
                log violence
                domainlist violence/domains
                urllist violence/urls
}

dest gambling {
                log gambling
                domainlist gambling/domains
                urllist gambling/urls
}

dest warez {
                log warez
                domainlist warez/domains
                urllist warez/urls
}

dest local-block {
                log local-block
                domainlist local-block/domains
                urllist local-block/urls
}

dest local-ok {
                log local-ok
                domainlist local-ok/domains
                urllist local-ok/urls
}

#These are how I am going to control the usage, and the redirect condition I am using is to
#redirect to a cgi page which is given the necessary info from squid/squidGuard
acl {
        blockedip {
                pass local-ok none
                redirect http://192.168.2.4/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u&lang=en
        }
        generalip {
                pass local-ok !blacklist !porn !hacking !violence !gambling !warez !local-block all
                redirect http://192.168.2.4/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u&lang=en
        }
        default {
                pass none
                redirect http://192.168.2.4/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u&lang=en
        }
}

#done!

If anyone has any suggestions on how I could improve this, I would greatly
appreciate it.

Thanks for all your help so far!

regards

Kamesh
Received on Wed Aug 21 2002 - 05:11:45 MDT
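Added example (not code from the post or from Squid itself): a small Python model of how Squid walks an http_access list, first matching line wins and, when nothing matches, the default is the opposite of the last line, as the squid.conf paragraph quoted in the post says. It runs the posted list ("allow http_clients" then "allow all") beside the same list ending in "deny all"; the outside address 203.0.113.9 is a constructed test value.

```python
import ipaddress

# Constructed tables mirroring the posted "acl ... src" lines, written in
# Squid's dotted-netmask notation (not the post's own code).
ACLS = {
    "http_clients": ["192.168.2.0/255.255.255.0"],
    "all": ["0.0.0.0/0.0.0.0"],
}


def src_matches(acl_name, client_ip):
    """True if client_ip falls inside any network of the named src ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in ACLS[acl_name])


def http_access(rules, client_ip):
    """Evaluate an http_access list as squid.conf documents it.

    rules is a list of (action, acl_name) in file order.  The first line
    whose ACL matches decides; if no line matches, the default is the
    opposite of the last line's action.  Returns "allow" or "deny".
    """
    for action, acl_name in rules:
        if src_matches(acl_name, client_ip):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The list as posted: "allow all" matches every request, so the documented
# default is never reached and clients outside the LAN are admitted too.
POSTED = [("allow", "http_clients"), ("allow", "all")]
# Same list with the last line turned into "deny all".
HARDENED = [("allow", "http_clients"), ("deny", "all")]


def open_proxy(rules, outside_ip="203.0.113.9"):
    """True if a client outside 192.168.2.0/24 would be allowed through."""
    return http_access(rules, outside_ip) == "allow"


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, "LAN:", http_access(rules, "192.168.2.50"),
              "outside:", http_access(rules, "203.0.113.9"))
```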
