Re: transparent squid with internal sites as well

On Wed, 2002-11-27 at 09:26, Henti Smith wrote:
> On 27 Nov 2002 09:15:19 +0200
> Raymond Leach <Ray@work> wrote:
> 
> > > I'm way new to transparent proxy, but I've done a bit of playing iptables. 
> > > I'm going to play around with a few more ideas tho.
> > We also use squid as a transparent proxy here. For internal websites
> > though, do you need them to go through the proxy? Is there some tracking
> > that you need to do, or would it not be possible to 'catch' the requests
> > to the servers using iptables before they get redirected to squid? This
> > is what we do, and it works fine.
> 
> internal browsing we don't care about ... but I do need to provide stats for external traffic
> if I can redirect the internal stuff before it gets to the proxy cool .. 
> as long as the rest still goes to proxy and I get stats as per usual on how much they download
> 
> > Also, check what interface squid is using to process the request. It
> > might be trying to use the external interface instead of the internal
> > one.
> 
> any ideas how to do that ? 

Here are my rules:
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d $IP_INET_WEB1 -j DNAT --to $IP_INT_WEB1
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 8080 -d $IP_INET_WEB1 -j DNAT --to $IP_INT_WEB1
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d $IP_INET_WEB2 -j DNAT --to $IP_INT_WEB2
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d $IP_INET_WEB3 -j DNAT --to $IP_INT_WEB3
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 8080 -d $IP_INET_WEB3 -j DNAT --to $IP_INT_WEB3
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d $IP_INET_WEB4 -j DNAT --to $IP_INT_WEB4
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d $IP_INET_WEB6 -j DNAT --to $IP_INT_WEB6
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 8080 -d $IP_INET_WEB6 -j DNAT --to $IP_INT_WEB6
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d $IP_INET_WEB7 -j DNAT --to $IP_INT_WEB7
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -s $NET_INT --dport 80:90 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -s $NET_INT --dport 443 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -s $NET_INT --dport 8080 -j REDIRECT --to-port 3128

If you need explanations, just SHOUT !

> 
> Henti 
-- 

Attachment: signature.asc
Description: This is a digitally signed message part
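
The rules in the message above only work because the per-server DNAT exemptions come before the catch-all REDIRECT to port 3128. The following is an added example, not part of the original post or written by its author: a small order check over a rule listing in `iptables -t nat -S PREROUTING` format. The function name, the sample listings and their addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit rule order for the "exempt first, then redirect" pattern.
# Reads rules in `iptables -t nat -S PREROUTING` format on stdin and prints each
# DNAT rule placed after a REDIRECT covering the same destination port. NAT rules
# are first-match, so such a DNAT never fires for traffic the REDIRECT matches.
# Heuristic: compares --dport only and ignores -s/-d/-i matches.
find_shadowed_dnat() {
    awk '
    # Value following option "opt" on the current line, or "" if absent.
    function optval(opt,    i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    $1 == "-A" && $2 == "PREROUTING" {
        port = optval("--dport"); target = optval("-j")
        if (port == "") next
        # A port spec is either "80" or a range "80:90".
        n = split(port, r, ":"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
        if (target == "REDIRECT") { nred++; rlo[nred] = lo; rhi[nred] = hi }
        else if (target == "DNAT")
            for (k = 1; k <= nred; k++)
                if (lo <= rhi[k] && hi >= rlo[k]) { print; break }
    }'
}

# Constructed sample listings (documentation/private addresses, not from the post).
sample_good() {
    cat <<'EOF'
-A PREROUTING -d 192.0.2.10/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -s 10.0.0.0/24 -i eth1 -p tcp -m tcp --dport 80:90 -j REDIRECT --to-ports 3128
EOF
}
sample_bad() {
    cat <<'EOF'
-A PREROUTING -s 10.0.0.0/24 -i eth1 -p tcp -m tcp --dport 80:90 -j REDIRECT --to-ports 3128
-A PREROUTING -d 192.0.2.10/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -d 192.0.2.10/32 -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.10
EOF
}

# Demo: prints the one DNAT rule (port 80) that the earlier REDIRECT shadows.
sample_bad | find_shadowed_dnat
```

On a live gateway the same function can be fed with `iptables -t nat -S PREROUTING | find_shadowed_dnat`; empty output means no exemption is shadowed by port.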

