Re: iptables + squid

On Sun, 2004-09-26 at 16:33, Jose Maria Lopez wrote:
> On Sun, 26 Sep 2004 at 16:27, Jose Maria Lopez wrote:
> > On Sun, 2004-09-26 at 01:35, it clown wrote:
> > > Hi All,
> > > 
> > > I want to run squid on the same box as iptables. I need to
> > > set up the client PCs so that they have to go through the
> > > proxy to get to the internet... port 3128. They must not be
> > > able to bypass the proxy to get internet access. What rule
> > > do I need to add to iptables to only allow squid to have
> > > internet access?
> > > 
> > > I want to give the clients internet access through squid,
> > > thanks.
> > > 
> > > Regards
> > 
> > # allow clients to connect to squid proxy
> > iptables -A INPUT -i $INSIDE_IF -p tcp --syn --dport 3128 -j ACCEPT
> > 
> > # allow squid to fetch web content
> > iptables -A OUTPUT -o $OUTSIDE_IF -p tcp --syn --dport 80 -j ACCEPT
> > 
> > of course--this assumes that you do not allow clients through the
> > FORWARD chain on port 80.
> > 
> > -j

quoting OP:

"I need to setup the client pc's that they have to go through the proxy
to get to the internet..."

implies he is not asking for transparent proxying.

> I'd like to add that if they need the transparent proxy feature they
> need a rule like this:
> 
> iptables -t nat -A OUTPUT -A PREROUTING -i $INPUTIP -p tcp \
> --dport 80 -j REDIRECT --to-ports 3128

even if he is asking for transparent proxying, the proper NAT rule would
be:

  iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp --syn --dport 80 \
    -j REDIRECT --to-ports 3128

> and they need to have the squid proxy properly configured to allow
> the transparent proxy feature.

yes.

-j

disclaimer:  the rules contained in this message are meant to illustrate
the requested functionality only, and not intended as a recommendation
of best practices.  never execute any commands without fully
understanding the implications.

-- 
Jason Opperisano <opie@xxxxxxxxxxx>
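The following is an added example and not part of the thread above; it collects the rules discussed in this exchange into one script and goes a little further than the thread does: the FORWARD chain is left empty under a DROP policy so clients cannot reach the Internet directly on any port (not only 80), and the outbound rule is restricted with the iptables owner match so that only the Squid process, not every local process, may open connections to the outside. The interface names eth1 (inside) and eth0 (outside), the system user "squid", and the availability of the state and owner matches are assumptions, not facts from the thread. Running the script with the "show" argument prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Forces LAN clients through a
# Squid instance that runs on the firewall itself.
# Assumed (not stated in the thread): inside interface eth1, outside
# interface eth0, Squid runs as user "squid" on TCP 3128, and the state and
# owner matches are available. Set IPT=echo to print instead of apply.

IPT="${IPT:-iptables}"
INSIDE_IF="${INSIDE_IF:-eth1}"
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_USER="${SQUID_USER:-squid}"
TRANSPARENT="${TRANSPARENT:-no}"   # "yes" also redirects client port 80 to Squid

flush_rules() {
    "$IPT" -F
    "$IPT" -t nat -F
}

set_policies() {
    # Default-deny. FORWARD stays empty, so clients cannot bypass the proxy
    # on any port; a single port-80 FORWARD rule would not achieve that.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
}

allow_established() {
    # Replies to connections we accepted, plus loopback for Squid itself.
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
}

allow_clients_to_squid() {
    # Clients may open connections to the proxy port on the inside interface.
    "$IPT" -A INPUT -i "$INSIDE_IF" -p tcp --syn --dport "$SQUID_PORT" -j ACCEPT
}

allow_squid_out() {
    # Only the squid user may open outbound web connections; every other
    # local process still falls under the OUTPUT DROP policy.
    "$IPT" -A OUTPUT -o "$OUTSIDE_IF" -p tcp --syn -m multiport --dports 80,443 \
        -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    # Squid also has to resolve names.
    "$IPT" -A OUTPUT -o "$OUTSIDE_IF" -p udp --dport 53 \
        -m owner --uid-owner "$SQUID_USER" -j ACCEPT
}

redirect_transparent() {
    # Optional: hand port-80 traffic from clients that ignore the proxy
    # setting to Squid. Squid must be configured for transparent operation.
    "$IPT" -t nat -A PREROUTING -i "$INSIDE_IF" -p tcp --syn --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

apply_rules() {
    flush_rules
    set_policies
    allow_established
    allow_clients_to_squid
    allow_squid_out
    if [ "$TRANSPARENT" = "yes" ]; then
        redirect_transparent
    fi
    return 0
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo apply_rules ;;
esac
```

Run it as `sh squid-fw.sh show` to review the generated commands, and `sh squid-fw.sh apply` as root to load them. The REDIRECT rule only makes sense together with Squid's transparent mode; without it Squid will refuse the intercepted requests, and with it the rest of the ruleset still prevents clients from reaching anything outside except through the proxy.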
