On Mon, May 18, 2009 at 05:01:47PM -0600, Kirk Johnson wrote: > Any suggestions, URL's to how to's, etc?
Another reason training should take place at Guru Labs. Here's a transparent squid proxy courtesy of Bryan Croft that I have in my notes from when I used to teach for Guru Labs:

You need two machines: a box hosting squid with no webserver that's connected to the internal LAN with Netfilter loaded, and a separate box running your firewall that's connected to the outside. This is generally best practice anyway: to place your servers off the box running your firewall.

On the squid box (192.168.1.2), in squid.conf:

    acl localnet src 192.168.1.0/255.255.255.0
    http_access allow localnet
    httpd_accel_port 80
    httpd_accel_host virtual
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

and in the shell:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

On the firewall box (192.168.1.1):

    iptables -t mangle -A PREROUTING -s 192.168.1.2 -p tcp --dport 80 -j ACCEPT
    iptables -t mangle -A PREROUTING -s 192.168.1.1 -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
    ip rule add fwmark 1 table 2
    ip route add default via 192.168.1.2 dev eth0 table 2

Done.

In a nutshell, you're sending any port 80 packets to squid. The firewall and squid packets should not be sent to the squid proxy, and we want to mark packets that are to be sent to squid, so we can route accordingly using a custom routing table. All of this is done without the REDIRECT target. The problem with REDIRECT is it changes the DST address in the packet headers.

--
. O . O . O . . O O . . . O . . . O . O O O . O . O O . . O O O O . O . . O O O O . O O O
-------------------- BYU Unix Users Group http://uug.byu.edu/ The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG. ___________________________________________________________________ List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
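A script form of the two-box setup from the message above, added here as an illustration; it is not part of the original post or of any Guru Labs material. It assumes the same layout (firewall 192.168.1.1 and squid 192.168.1.2 sharing the LAN on eth0, squid listening on 3128); the ROLE and DRY_RUN variables and the function names are my own. Compared with the raw command list it orders the mangle rules so the exemptions precede the MARK rule, restricts marking to packets that arrive on the LAN interface, and makes the ip rule/route steps safe to re-run.

```shell
#!/bin/sh
# Added example, not from the original post. Policy-routed transparent
# proxy across two boxes: the firewall marks LAN port-80 traffic and
# routes it to the squid box; the squid box REDIRECTs it into squid.
# Assumed: firewall 192.168.1.1, squid 192.168.1.2, both on eth0,
# squid on 3128. DRY_RUN=1 prints the commands instead of running them;
# ROLE=firewall or ROLE=squid selects which side to configure.

LAN_IF="${LAN_IF:-eth0}"
FW_IP="${FW_IP:-192.168.1.1}"
SQUID_IP="${SQUID_IP:-192.168.1.2}"
SQUID_PORT="${SQUID_PORT:-3128}"
MARK=1
TABLE=2

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Firewall side. Rule order matters: iptables matches top to bottom, so
# the ACCEPT exemptions must precede the MARK rule. If squid's own
# outbound fetches (source 192.168.1.2) were marked, they would be
# routed straight back to squid in a loop. Matching on -i limits
# marking to packets arriving from the LAN, so port-80 traffic reaching
# the firewall from outside is never bounced to the proxy.
firewall_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    # Kept from the post. Locally generated packets traverse OUTPUT, not
    # PREROUTING, so this rule is harmless but effectively a no-op.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$FW_IP" -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # 'ip rule add' appends a duplicate on every run, so check first.
    if ! ip rule show 2>/dev/null | grep -q "fwmark 0x$MARK lookup $TABLE"; then
        run ip rule add fwmark "$MARK" table "$TABLE"
    fi
    # 'replace' is idempotent where 'add' fails on a second run.
    run ip route replace default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# Squid side. Packets arrive with the client's source address and the
# remote web server as DST (the firewall only re-routed them). REDIRECT
# rewrites DST to a local address so the squid process receives them;
# without it the box would just forward them back toward the firewall,
# which would mark them again.
squid_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

case "${ROLE:-}" in
    firewall) firewall_rules ;;
    squid)    squid_rules ;;
    "")       ;;   # no ROLE: only define the functions (e.g. when sourced)
    *)        echo "usage: ROLE=firewall|squid [DRY_RUN=1] $0" >&2; exit 2 ;;
esac
```

Run `ROLE=firewall DRY_RUN=1 sh proxy.sh` on the firewall (and `ROLE=squid` on the proxy) to review the commands before applying them as root. The squid.conf side is unchanged from the post; note that the httpd_accel_* directives are Squid 2.5 syntax, and Squid 2.6 and later replaced them with `http_port 3128 transparent` (renamed to `intercept` in 3.1). Keep the `http_access allow localnet` restriction: a transparent proxy that also accepts forwarded requests from arbitrary sources is an open proxy.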
