> Hey,
>
> I wrestled quite a bit with shorewall (version 3.0.4) lately to get
> something to work which I expected to be fairly trivial. Most likely
> it really is but I just can't figure it out..
>
> Consider the following scenario:
> All HTTP(S) traffic from a local machine should be routed through an
> SSH tunnel to a remote (squid) proxy. The SSH tunnel locally listens
> on port 3128. That's also the port on which everything ends up on the
> remote machine (shouldn't matter though?!). The setup works as long as
> I configure client programs manually to use this proxy
> (localhost:3128) but I'd love to have a transparent proxy (i.e. the
> clients don't know anything about it).
>
> I thought it was just a matter of redirecting any outgoing request to
> port 80 resp. 443 to 127.0.0.1:3128 but either that's not the way to
> go or I am not able to set those redirects up properly :)
>
> I managed to redirect the request to the remote proxy (via SSH
> tunnel), however the original hostname seems to get lost along the way
> since I only receive errors from the proxy. The squid logs show
> something like
>
>     1160238209.322 342 127.0.0.1 TCP_DENIED/400 1574 GET /rss/newsonline_world_edition/front_page/rss.xml - NONE/- text/html
>
> as opposed to the expected
>
>     1160237922.254 362 127.0.0.1 TCP_REFRESH_MISS/200 16428 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml - DIRECT/212.58.226.8 application/xml
>
> My shorewall rules file looks like that:
>
>     ACCEPT    $FW   net:remote-host   tcp   22
>     # Redirect HTTP requests to local tunnel to proxy
>     REDIRECT  $FW   3128              tcp   80
>     ACCEPT    $FW   net:127.0.0.1     tcp   3128
>
> The policy file arranges for everything besides $FW to $FW to be dropped.
>
> Yes, my understanding of shorewall and iptables unfortunately is
> pretty limited. I hope that somebody here can give me a nod into the
> right direction, surely there must be a setup like this out there?!
Did you configure your Squid to act as a transparent proxy?

Did you read http://www.shorewall.net/Shorewall_Squid_Usage.html and
http://www.tldp.org/HOWTO/TransparentProxy.html?

Simon

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
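The two squid log lines quoted above differ in the request line the proxy received: a client configured to use a proxy sends the full URL, while a client whose port-80 connection was REDIRECTed by the firewall sends only the path and puts the hostname in the Host header. The following is an added illustration, not code from the thread or from squid, of how a proxy sees each form and why the non-transparent mode has no URL to fetch; the sample requests are constructed from the URL in the log lines.

```python
from typing import Dict, Optional, Tuple

# Constructed sample requests (not captured traffic), using the URL from the
# squid log lines in the thread.
URL = "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml"
PROXY_STYLE = (  # client knows about the proxy: absolute URI on the request line
    b"GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml HTTP/1.1\r\n"
    b"Host: newsrss.bbc.co.uk\r\n\r\n"
)
REDIRECTED = (   # connection intercepted by REDIRECT: only the path, host in a header
    b"GET /rss/newsonline_world_edition/front_page/rss.xml HTTP/1.1\r\n"
    b"Host: newsrss.bbc.co.uk\r\n\r\n"
)

def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, request-target, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def reconstruct_url(raw: bytes, transparent: bool) -> Tuple[int, Optional[str]]:
    """Return (status, absolute URL the proxy will fetch).

    400 with no URL corresponds to the TCP_DENIED/400 entry in the thread:
    a proxy that is not in transparent mode treats a bare path as an invalid URL.
    """
    _method, target, headers = parse_request(raw)
    if target.startswith("http://") or target.startswith("https://"):
        # Forward-proxy request: the URL is complete on the request line.
        return 200, target
    if transparent and target.startswith("/") and "host" in headers:
        # Transparent mode: rebuild the URL from the Host header, which is how
        # an intercepting proxy recovers the hostname the firewall "lost".
        return 200, "http://" + headers["host"] + target
    # Bare path without transparent mode, or an HTTP/1.0 client with no Host
    # header: nothing to fetch.
    return 400, None

if __name__ == "__main__":
    for name, raw in (("proxy-style", PROXY_STYLE), ("redirected", REDIRECTED)):
        for mode in (False, True):
            print(name, "transparent=%s" % mode, reconstruct_url(raw, mode))
```

Squid of that era enables this Host-header reconstruction with the `transparent` option on `http_port`, which is the setting the reply asks about; without it, every REDIRECTed request lands in the log as a bare path with TCP_DENIED/400.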
