> Another reason training should take place at Guru Labs. Here's a
> transparent squid proxy courtesy of Bryan Croft that I have in my notes
> when I used to teach for the Guru Labs:
>
> You need two machines: a box hosting squid with no webserver that's
> connected to the internal LAN with Netfilter loaded and a separate box
> running your firewall that's connected to outside. This is generally
> best practice anyway - to place your servers off the box running your
> firewall.
>
> On the squid box (192.168.1.2):
>
> acl localnet src 192.168.1.0/255.255.255.0
> http_access allow localnet
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
>
> On the firewall box (192.168.1.1):
>
> iptables -t mangle -A PREROUTING -s 192.168.1.2 -j ACCEPT -p tcp --dport 80
> iptables -t mangle -A PREROUTING -s 192.168.1.1 -j ACCEPT
> iptables -t mangle -A PREROUTING -j MARK --set-mark 1 -p tcp --dport 80
> ip rule add fwmark 1 table 2
> ip route add default via 192.168.1.2 dev eth0 table 2
>
> Done. In a nutshell, you're sending any port 80 packets to squid. The
> firewall and squid packets should not be sent to the squid proxy and
> we want to mark packets that are to be sent to squid, so we can route
> accordingly using a custom routing table. All of this is done without the
> REDIRECT target. The problem with REDIRECT is it changes the DST address
> in the packet headers.
>

So what if it is just one box?
--
Capt. Kirk Johnson
Linux User #437442
Linux, Because a PC is a terrible thing to waste
--------------------
BYU Unix Users Group http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
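An added example, not part of the mail above and not Bryan Croft's notes: the same two-box setup written as an idempotent shell script. It keeps the mail's addresses, mark 1 and table 2 as defaults but lets you override them, checks with `iptables -C` before appending so re-running it does not stack duplicate rules, uses `ip route replace` for the same reason, and has a DRY_RUN mode that prints the commands so the rule set can be reviewed before it touches a live firewall. The interface name eth0 on the squid box and the `-i` match on its REDIRECT rule are assumptions of this script, not something the mail states.

```shell
#!/bin/sh
# Added example: idempotent, parameterised version of the two-box
# transparent squid setup from the thread. Assumed (not from the mail):
# LAN_IF, SQUID_PORT 3128, DRY_RUN=1 to print commands instead of running them.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
FW_IP="${FW_IP:-192.168.1.1}"
SQUID_IP="${SQUID_IP:-192.168.1.2}"
SQUID_PORT="${SQUID_PORT:-3128}"
LAN_IF="${LAN_IF:-eth0}"
MARK="${MARK:-1}"
TABLE="${TABLE:-2}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipt_add TABLE CHAIN RULE...: append the rule only if an identical one is
# not already present (iptables -C exits 0 when it exists), so the script
# can be re-run safely after a partial failure.
ipt_add() {
    table="$1"; chain="$2"; shift 2
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

# squid_box_rules: on the squid host, redirect port-80 traffic arriving on
# the LAN interface into squid's intercept port (mail's rule, plus -i).
squid_box_rules() {
    ipt_add nat PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# firewall_box_rules: on the firewall, exempt squid's own port-80 traffic and
# everything from the firewall itself, mark the remaining port-80 packets,
# and send marked packets to squid through a dedicated routing table.
firewall_box_rules() {
    ipt_add mangle PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    ipt_add mangle PREROUTING -s "$FW_IP" -j ACCEPT
    ipt_add mangle PREROUTING -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # ip rule has no -C equivalent; check the existing rules instead.
    if [ "${DRY_RUN:-0}" = "1" ] || ! ip rule show | grep -q "fwmark 0x$MARK lookup $TABLE"; then
        run ip rule add fwmark "$MARK" table "$TABLE"
    fi
    run ip route replace default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# Usage: DRY_RUN=1 ./proxy-rules.sh firewall   (review), then run as root
# without DRY_RUN on each box with its role as the argument.
case "${1:-}" in
    squid)    squid_box_rules ;;
    firewall) firewall_box_rules ;;
esac
```

Run it once with DRY_RUN=1 on each box and compare the printed rules against the ones in the mail before running it for real; the only behavioural difference from the mail is that the squid-box REDIRECT is limited to packets arriving on LAN_IF, so locally originated traffic from the squid box itself is never looped back into squid.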
