Re: [squid-users] [help] setting up firewall policy for transparent (single-homed host) proxy

From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@dont-contact.us>
Date: Sun, 16 Mar 2008 03:48:56 -0700 (PDT)

Hi Indunil :)

First of all, thanks a zillion for your help before.
I have implemented your suggested rules, and
it's working; my squid box has become transparent ;-)

Um, but there is some other problem disturbing
me here. Those rules work for HTTP traffic;
in fact, I have to redirect FTP traffic also.
Could you do me a favor and solve this?!?! Are there
any added rules that I have to issue for
this FTP traffic redirection, or what?

I couldn't really understand these lines
of rules:
> iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
> ip rule add fwmark 3 table 2

Could you explain to me iptables' MARK jump
target, the --set-mark flag, and
the interconnection with ip rule, fwmark, and table ?!??!

Thanks in advance
Rachmat Hidayat Al Anshar

--- Indunil Jayasooriya <indunil75@gmail.com> wrote:

> > All iptables rules here are implemented on the
> firewall-box.
> > I have also checked the access.log of squid, guys,
> > but there is nothing logged. :'(
> > It looks like the firewall-box didn't manage to
> redirect all web
> > services to the squid-box.
>
> to redirect all web traffic ( i.e port 80) to squid
> server.
>
> your client's gateway should be the ip of the
> firewall. Pls check it.
>
> And also, check your Dns server entries in Client's
> PCs. If they have been set,
>
> Then, when clients browse internet ( i.e - accessing
> destination port
> 80), it should be redirected to squid box.
>
> Now, your clients' gateway is the ip address of the
> firewall.
> So, on your firewall box
>
> add below lines.
>
>
> iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
> iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
> ip rule add fwmark 3 table 2
> ip route add default via squid-box dev eth1 table 2
> iptables -t nat -A POSTROUTING -o eth0 -s squid-box -j SNAT --to-source 1.2.3.4
>
> 1.2.3.4 is the external ip of the firewall (i.e - ip
> that connects to
> your ISP router.)
>
> Next step is, pls log in to your squid box.
>
> On squid box.
>
> add below rule
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> How can I solve this out...
>
> This is something easy. Anyway, pls try the above
> rules again. If
> there is no luck, pls draw your network diagram
> again. You have drawn it
> once before, but it is not so clear. While you draw
> your network
> diagram, pls add your local ips (bogus ips). If you
> have any external
> ips (internet ips), pls write them in 1.2.3.4
> format. Then it would
> be easier for me when I write rules.
>
>
> --
> Thank you
> Indunil Jayasooriya
>
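As an added diagnostic to go with the MARK / fwmark question above (my own example, not code from either poster), the shell function below checks that every mark set by a MARK rule in the mangle PREROUTING chain has a matching `ip rule ... fwmark N lookup <table>` entry, which is the link between --set-mark and the routing table that the thread's rules rely on. It assumes the captured text of `iptables -t mangle -S PREROUTING` and `ip rule show` is passed in as strings; the two sample captures are constructed, modelled on the rules quoted in this thread.

```shell
#!/bin/sh
# Constructed sample: what `iptables -t mangle -S PREROUTING` prints after
# the thread's rules are loaded (iptables normalises --set-mark to --set-xmark).
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -s 192.168.1.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x3/0xffffffff'

# Constructed sample: `ip rule show` after `ip rule add fwmark 3 table 2`.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x3 lookup 2
32766:  from all lookup main
32767:  from all lookup default'

# to_dec: normalise a mark written as 3, 0x3 or 0x3/0xffffffff to decimal,
# so marks from the two tools can be compared even though one prints hex.
to_dec() {
  v=${1%%/*}          # drop an optional /mask suffix
  echo $(( v ))       # shell arithmetic accepts both decimal and 0x hex
}

# check_fwmark_consistency MANGLE_TEXT RULE_TEXT
# Returns 0 when every MARK target in the mangle chain has an ip rule
# selecting a table on that fwmark, 1 otherwise. Prints one line per mark.
check_fwmark_consistency() {
  mangle=$1; rules=$2; status=0
  # Extract the value after --set-mark / --set-xmark from each MARK rule.
  marks=$(printf '%s\n' "$mangle" |
    sed -n 's/.*-j MARK --set-\(x\)\{0,1\}mark \([^ ]*\).*/\2/p')
  [ -n "$marks" ] || { echo "no MARK rule in mangle PREROUTING"; return 1; }
  for m in $marks; do
    d=$(to_dec "$m")
    # Find the routing table that `ip rule` looks up for this fwmark.
    tbl=$(printf '%s\n' "$rules" | while read -r line; do
        case $line in *fwmark*)
          fw=$(printf '%s\n' "$line" | sed -n 's/.*fwmark \([^ ]*\).*/\1/p')
          [ "$(to_dec "$fw")" -eq "$d" ] && printf '%s\n' "${line##*lookup }"
        ;; esac
      done)
    if [ -n "$tbl" ]; then
      echo "mark $d -> routing table $tbl"
    else
      echo "mark $d is set but no ip rule matches it"; status=1
    fi
  done
  return $status
}
```

On a live box, run it as `check_fwmark_consistency "$(iptables -t mangle -S PREROUTING)" "$(ip rule show)"`; a mark with no rule means the marked packets fall through to the main table and never reach the squid-box.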

Received on Sun Mar 16 2008 - 04:52:01 MDT
