Difference between revisions of "Talk:Squid"

From ArchWiki
m (moved squid related talk from NAT firewall howto to here)
 
(added my working setup, not sure if I should change the current example)

Revision as of 20:40, 23 February 2014

iptables rules

I'm not sure if these also apply when using shorewall. This is based on the following assumptions:

  • iptables server is the gateway server
  • squid is listening on port 3128
  • the local network connecting to the server is 192.168.0.0/23 and already has basic NAT rules set up
  • iptables server is 192.168.1.7

It took me a while to realise that in addition to redirecting the traffic, the squid port needed to be opened before it would work:

echo " # open access to proxy - squid - port 3128"
$IPTABLES -A open -p tcp --syn --dport 3128 -j ACCEPT

echo " # Transparently forward http traffic to Squid"
$IPTABLES -t nat -A PREROUTING -i eth0 ! -d 192.168.1.7 -p tcp --dport 80 -j REDIRECT --to-port 3128

intercept

I couldn't get the example working at all; however, looking at http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat gave me the following setup, which I then save using iptables-save, and it works like a charm. After downgrading from squid 3.4.3 to 3.4.2, something is off with 3.4.3.

iptables-dnat-proxy-rules.sh

#!/bin/sh
# Transparent (intercept) proxying with DNAT, after
# http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

# your proxy IP
SQUIDIP=192.168.1.1

# your proxy listening port (port 8080 intercept in squid.conf)
SQUIDPORT=8080

# Flush the nat table; this removes any NAT rules already present.
iptables -t nat -F
# Traffic from the proxy host itself passes untouched; otherwise its own
# upstream requests would be DNATed back to it (a forwarding loop).
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# Everyone else's port 80 traffic goes to the intercept port on the proxy.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
# Masquerade forwarded traffic so replies come back through this gateway.
iptables -t nat -A POSTROUTING -j MASQUERADE

# Drop connections addressed directly to the intercept port. mangle PREROUTING
# runs before nat PREROUTING, so the DNATed port 80 traffic is not affected.
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
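As an added check (example code, not part of this thread or of Squid's documentation): given an `iptables-save -t nat` dump, confirm that the port 80 redirect to the proxy exists and that the proxy host's exemption comes earlier in the chain, since with the order reversed the proxy's own upstream requests are sent back to itself. SQUIDIP and SQUIDPORT follow the script above; both dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the thread above: check an `iptables-save -t nat` dump
# for the intercept rules discussed here. Port 80 must be sent to the proxy, and
# the proxy host must be exempted by an earlier rule, otherwise its own upstream
# requests are redirected back to itself. SQUIDIP/SQUIDPORT mirror the script
# above; both dumps are constructed, not captured from a live box.
SQUIDIP=192.168.1.1
SQUIDPORT=8080

# Constructed dump: the rules from the script above, in the right order.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A POSTROUTING -j MASQUERADE
COMMIT'

# Constructed dump with the exemption appended after the DNAT, so it never matches.
SAMPLE_NAT_LOOP='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -s 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Position (1-based) of the first PREROUTING rule in dump $1 matching ERE $2;
# prints nothing when no rule matches.
rule_index() {
    printf '%s\n' "$1" | grep -E -e '^-A PREROUTING ' | grep -nE -e "$2" \
        | head -n 1 | cut -d: -f1
}

# Returns 0 if dump $1 redirects port 80 to the proxy (DNAT or REDIRECT) and
# exempts the proxy host earlier in the chain; prints a one-line diagnosis.
check_intercept() {
    exempt=$(rule_index "$1" "^-A PREROUTING -s ${SQUIDIP}(/32)? .*--dport 80 .*-j ACCEPT")
    redirect=$(rule_index "$1" "--dport 80 .*-j (DNAT --to-destination ${SQUIDIP}:${SQUIDPORT}|REDIRECT --to-ports ${SQUIDPORT})")
    if [ -z "$redirect" ]; then
        echo "FAIL: no PREROUTING rule sends port 80 to ${SQUIDIP}:${SQUIDPORT}"; return 1
    elif [ -z "$exempt" ]; then
        echo "FAIL: proxy host ${SQUIDIP} is not exempted (forwarding loop)"; return 1
    elif [ "$exempt" -ge "$redirect" ]; then
        echo "FAIL: exemption is rule $exempt but the redirect is rule $redirect"; return 1
    fi
    echo "OK: redirect is rule $redirect, proxy exempted at rule $exempt"
}

check_intercept "$SAMPLE_NAT"
check_intercept "$SAMPLE_NAT_LOOP" || :   # rejected: exemption comes after the redirect
```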