Mon 2006-11-06 at 15:41 -0800, John Oliver wrote:
> I've been Googling and testing and trying and massaging, but nothing is
> working. Every example I find about how to do this is different. Most
> are assuming that Squid is running on the same box as iptables, which is
> *not* the case for me.
Doing this when the proxy is not running on the router is a little
trickier, but not impossible.
For best results I recommend that you move the proxy to a separate network
interface and use the following rules to policy-route port 80
sessions initiated from the internal network and have them forwarded to
the proxy:
internal=eth0
proxy=192.168.2.2
# mark the connection of each new port 80 session from the internal LAN
iptables -t mangle -A PREROUTING -i $internal -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 1
# copy the connection mark onto every packet of those sessions
iptables -t mangle -A PREROUTING -i $internal -j CONNMARK --restore-mark
# marked packets are routed via table 1, whose default route is the proxy
ip rule add pref 1000 fwmark 1 table 1
ip route add table 1 default via $proxy
Then on the proxy you need the normal interception rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
It is also possible to do a similar setup while having the proxy in the
same LAN as the clients, but the setup then either becomes more complex,
or plagued by MTU issues.
Regards
Henrik
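The router-side policy routing and the proxy-side REDIRECT rule from the mail above, collected into one script as an added example (this is not code from Henrik's mail or from the Squid project). It prints the commands by default and only applies the router rules when called with "apply", so it can be reviewed before touching a live firewall. Interface name eth0, proxy address 192.168.2.2, Squid port 3128 and the mark/table number 1 are taken from the mail; the defaults for the proxy's own NIC (eth0) and the use of "-m conntrack --ctstate NEW" as the current spelling of "-m state --state NEW" are my assumptions. The script assumes, as the mail does, that the proxy hangs off its own router interface rather than the client LAN.

```shell
#!/bin/sh
# Added example, not code from the original mail. Generates (or, with "apply",
# runs) the router rules that policy-route client port 80 sessions to a Squid
# box on a separate interface, plus the interception rule for the Squid box.
# Assumptions not stated in the mail: fwmark 1 and routing table 1 are free,
# and the proxy's LAN-facing NIC is eth0.

# Rules for the router. $1 = client-facing interface, $2 = proxy address,
# $3 = fwmark (default 1), $4 = routing table (default 1).
# Order matters: the CONNMARK --set-mark rule must come before --restore-mark
# so the very first SYN of a session already carries the packet mark when the
# routing decision is made (mangle PREROUTING runs before routing).
router_rules() {
    internal=$1; proxy=$2; mark=${3:-1}; table=${4:-1}
    cat <<EOF
# Mark the connection of every new port 80 session arriving from the clients.
# (-m conntrack --ctstate NEW is the current form of -m state --state NEW.)
iptables -t mangle -A PREROUTING -i $internal -m conntrack --ctstate NEW -p tcp --dport 80 -j CONNMARK --set-mark $mark
# Copy the connection mark onto every packet of those sessions, so later
# packets follow the same path as the SYN. Unmarked connections get mark 0.
iptables -t mangle -A PREROUTING -i $internal -j CONNMARK --restore-mark
# Packets carrying the mark consult table $table, whose only route is the proxy.
# The proxy must NOT sit on $internal, or its forwarded packets would loop back.
ip rule add pref 1000 fwmark $mark table $table
ip route add table $table default via $proxy
EOF
}

# Rule for the Squid host itself. $1 = NIC that receives the forwarded
# traffic, $2 = Squid's http_port (3128 in the mail). Squid must listen in
# interception mode on that port ("transparent" in Squid 2.6, "intercept"
# in Squid 3.1 and later) or it will reject the redirected requests.
proxy_rules() {
    iface=$1; port=${2:-3128}
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$iface" "$port"
}

# Commands to confirm the router is doing what we expect. $1 = routing table.
router_checks() {
    table=${1:-1}
    cat <<EOF
iptables -t mangle -vnL PREROUTING   # counters on the CONNMARK rules should grow
ip rule show                         # expect: 1000: from all fwmark 0x1 lookup $table
ip route show table $table           # expect: default via <proxy address>
EOF
}

# Usage: sh squid-policy-route.sh        -> print router and proxy rules
#        sh squid-policy-route.sh apply  -> run the router rules (as root, on the router)
if [ "${1:-}" = apply ]; then
    router_rules eth0 192.168.2.2 | sh -e
    router_checks 1
else
    echo "# --- on the router ---"
    router_rules eth0 192.168.2.2
    echo
    echo "# --- on the proxy ---"
    proxy_rules eth0
    echo
    echo "# --- checks on the router ---"
    router_checks 1
fi
```

Run the check commands on the router after a client fetches a web page: the two CONNMARK rules should show non-zero packet counters, and "ip route show table 1" should list only the default route via the proxy. If counters stay at zero, the client traffic is not entering on the interface you named.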
This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST