On 01/21/10 21:51, Stroller wrote:
>> maybe it is not possible with single interface eth0
>
> I believe that running Squid in conjunction with iptables is known as
> running in "interception" mode.
>
> It may well indeed not be possible to do this with only one
> interface. How do you ensure that packets reach this machine? I think
> usually interception mode is run on a machine with two interfaces -
> you'd route or (I guess) bridge through it. iptables can then snatch
> the packets. I don't believe you can route through a machine with
> only one interface (although my memory of routing is hazy, so I may
> be quite mistaken) because packets going out will collide with those
> coming in. So I'm not really sure how the machines on your LAN know
> to send web packets to your Squid machine. Perhaps you can explain?
>
> I manage a site at which Squid sits on a machine with only one
> interface. That machine is not a router, and Squid does not run in
> interception mode. I ended up writing a wpad.dat file and pointing
> the DNS for wpad.domain.local to the local webserver. This is not a
> properly secure method of forcing the users to use the proxy -
> really, the gateway should additionally use iptables to drop any web
> connections coming from any machine except the proxy - but at this
> site all the users are on a Windows domain, and they're unable (and
> too clueless, anyway) to configure their browsers not to use the
> proxy.
>
> I don't remember why I configured the site exactly this way - there's
> a little more I want to do with Squid, but I haven't got around to
> it. I set up this site a while ago and forgot about it. But I do know
> that Squid can be run in different ways and interception mode isn't
> suitable for all purposes (I had myself, as a beginner, assumed
> everyone did use interception mode).
>
> This stuff is very well documented at the Squid site -
> http://wiki.squid-cache.org/SquidFaq is a good start. My experience
> was excellent support - which really answered my question and helped
> me see where I was going wrong - from a Squid developer within 48
> hours of posting to the Squid mailing list.
>
> Stroller.
Yes, it is possible. It took me a day to figure it out as I'm not a pro with
iptables; check my post and follow the instructions:
http://forums.gentoo.org/viewtopic-p-6142685.html#6142685
--
Joseph
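As an added example (not from either poster), this is what a wpad.dat of the kind Stroller describes looks like: a PAC file that sends intranet and LAN destinations DIRECT and everything else to Squid. The helper functions browsers provide to PAC scripts are stubbed in so the file can be checked offline in Node; the proxy name squid.domain.local:3128 and the LAN range 192.168.1.0/24 are assumed.

```javascript
// wpad.dat / PAC example (added, not from the thread). Assumed values:
// proxy host squid.domain.local on port 3128, LAN 192.168.1.0/24.
var PROXY = "PROXY squid.domain.local:3128";

// Minimal stand-ins for the PAC helpers a browser normally supplies,
// so FindProxyForURL can be exercised outside a browser.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ip4ToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + parseInt(o, 10); }, 0);
}

// Dotted-quad only here; the browser version also resolves hostnames.
function isInNet(ip, net, mask) {
  var m = ip4ToInt(mask);
  return (ip4ToInt(ip) & m) === (ip4ToInt(net) & m);
}

function FindProxyForURL(url, host) {
  // Single-label intranet names and the local domain (which includes
  // the proxy itself) never go through Squid.
  if (isPlainHostName(host) || dnsDomainIs(host, ".domain.local")) {
    return "DIRECT";
  }
  // IP literals on the LAN or loopback also go direct.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) &&
      (isInNet(host, "192.168.1.0", "255.255.255.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // Everything else is sent to Squid. No "; DIRECT" fallback: if the
  // proxy is down the browser fails closed, consistent with a gateway
  // rule that drops web traffic from anything but the proxy.
  return PROXY;
}
```

The PAC only steers browsers that honour WPAD; as Stroller says, the iptables rule on the gateway is what actually enforces use of the proxy.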