Hi Chadd, 

Thanks for informing me of this link,
Great link.

Rachmat Hidayat Al Anshar



----- Original Message ----
> From: Adrian Chadd <[EMAIL PROTECTED]>
> To: Rachmat Hidayat Al Anshar <[EMAIL PROTECTED]>
> Cc: squid cache <squid-users@squid-cache.org>
> Sent: Thursday, January 10, 2008 8:21:19 PM
> Subject: Re: [squid-users] Re: [help] setting up firewall policy for 
> transparent (single-homed host) proxy
> 
> http://wiki.squid-cache.org/ConfigExamples/ has a bunch.
> 
> 
> On Wed, Jan 09, 2008, Rachmat Hidayat Al Anshar wrote:
> > I have been searching the squid-users archive; there are some posts
> > similar to my needs, but none of them succeeded for me.
> > I don't know if someone (already there) has suggested this...
> >
> > It would be nice if the squid developers spent a little time making
> > complete documentation about how to transparently implement squid in a
> > network. So if someone needs it or is having this problem, they can just
> > be "redirected" to that documentation.
> > 
> > 
> > 
> > 
> > Thanks
> > Rachmat Hidayat Al Anshar
> > 
> > ----- Original Message ----
> > > From: Rachmat Hidayat Al Anshar 
> > > To: squid cache 
> > > Cc: Chris Zhang 
> > > Sent: Thursday, January 10, 2008 6:40:14 AM
> > > Subject: [squid-users] Re: [help] setting up firewall policy for
> > > transparent (single-homed host) proxy
> > > 
> > > Hay ho Chris, 
> > > Thanks for replying.
> > > 
> > > First of all, I have referred to that link, but in another discussion
> > > forum I found someone out there who says that...
> > > "The traffic is being caught by the first rule, since the connection
> > > probably isn't coming from the squid box. Before that rule, you need
> > > to put in an ACCEPT for http packets aimed at the firewall box:
> > >   iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> > >     --dport 80 -j ACCEPT" ...something like that...
> > > I have been trying many times, and I still can't solve this problem.
> > > 
> > > Is it about compiling options?
> > > What command do I have to issue to find out which configure options
> > > squid was compiled with the first time?
> > > 
> > > Can we re-compile squid? If so, what should I do?
> > > 
> > > Thanks in advance
> > > Rachmat Hidayat Al Anshar
> > > 
> > > 
> > > 
> > > ----- Original Message ----
> > > > From: Chris Zhang 
> > > > To: Rachmat Hidayat Al Anshar 
> > > > Cc: [EMAIL PROTECTED]
> > > > Sent: Wednesday, January 9, 2008 7:11:46 PM
> > > > Subject: Re: [clug] [help] setting up firewall policy for
> > > > transparent (single-homed host) proxy
> > > > 
> > > > Hi Rachmat,
> > > > 
> > > > 
> > > > Maybe you want to try it again without this line
> > > >
> > > > 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> > > > --dport 80 -j ACCEPT'
> > > > 
> > > > 
> > > > Also I think you will have to change squid.conf file (see 
> > > > http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> > > > 
> > > > 
> > > > Chris
> > > > 
> > > > 
> > > > Rachmat Hidayat Al Anshar wrote:
> > > > >
> > > > > Hi all...
> > > > >
> > > > > I am doing research on deploying a transparent single-homed host
> > > > > proxy server on my virtual network. My squid box is not on the same
> > > > > box where the firewall is applied. I don't have any idea how to set
> > > > > up the iptables running on the firewall so that I can redirect all
> > > > > clients' web requests to my proxy box, and make it the only host on
> > > > > the network that may request web services through the firewall to
> > > > > the Internet...???
> > > > >
> > > > >
> > > > > INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> > > > >                                  ^
> > > > >                                  |
> > > > >                                  v
> > > > >                              squid web
> > > > >                               proxies
> > > > >
> > > > > I tried to use the following firewall script...
> > > > >
> > > > > #!/bin/sh
> > > > > # Firewall Script
> > > > > ###############################################################
> > > > > ### interfaces 
> > > > > EXT_DEV=eth0
> > > > > INT_DEV=eth1
> > > > > INT_NET=10.1.1.0/24
> > > > >
> > > > > ### Loading firewall modules
> > > > > modprobe ip_conntrack
> > > > > modprobe ip_conntrack_ftp
> > > > >
> > > > > ###############################################################
> > > > > ### Enable Packet Forwarding
> > > > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > > >
> > > > > ### Remove all previous rules, and delete any user defined chains
> > > > > iptables -F
> > > > > iptables -X
> > > > > iptables -t nat -F
> > > > > iptables -t nat -X
> > > > >
> > > > > ### Set the default policies to drop
> > > > > iptables -P INPUT   DROP
> > > > > iptables -P OUTPUT  DROP
> > > > > iptables -P FORWARD DROP
> > > > >
> > > > > ### Loopback device OK
> > > > > iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > > > > iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > > > >
> > > > > ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> > > > > iptables -A INPUT   -p icmp --icmp-type any -j ACCEPT
> > > > > iptables -A OUTPUT  -p icmp --icmp-type any -j ACCEPT
> > > > > iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> > > > >
> > > > > ### Allow all Internal traffic to Server
> > > > > iptables -A INPUT  -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > > > > iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > > > >
> > > > > ### OUTBOUND Rule: Allow ALL packets out the external device
> > > > > iptables -A OUTPUT  -o $EXT_DEV -j ACCEPT
> > > > > iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> > > > >
> > > > > ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> > > > > iptables -A INPUT   -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > > > iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > > >
> > > > > ### Squid Transparent Proxy
> > > > > iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> > > > >     --dport 80 -j ACCEPT
> > > > > iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
> > > > >     --dport 80 -j DNAT --to squid-box:3128
> > > > >
> > > > > iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box \
> > > > >     -j SNAT --to iptables-box
> > > > > iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 \
> > > > >     -p tcp --dport 3128 -j ACCEPT
> > > > >
> > > > > and the result is:
> > > > > - the clients' web browsers ignore the squid proxy;
> > > > >   the http service passes directly through the firewall
> > > > >
> > > > > All responses will be greatly appreciated.
> > > > >
> > > > >
> > > > > Thanks in advance (^^,)
> > > > > Rachmat Hidayat Al Anshar 
> 
> -- 
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -