Hi, my name is Damian, I am from Argentina and I am a member of the Squid users mailing list. I want all the traffic of my local net to go across my Squid proxy server. I mean that all the packets will be forwarded to port 3128 of my Squid server. Maybe you can help me.

Here is an example of my current net in my office:

-->LocalNet 192.168.0.1/27----ETH0--> (SQUID 192.168.0.28:3128 SERVER)<-- ETH1 -->INTERNET

I have already set up a couple of rules with iptables, but I can't understand what I am doing wrong. I want HTTP, HTTPS, MSN, POP3, SMTP, all of these ports, and others without much importance to be forwarded across my Squid proxy server. Here are the rules.

#!/bin/sh
# Load the required kernel modules:
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

# Enable IP forwarding
#if [ -e /proc/sys/net/ipv4/ip_forward ]; then
# echo 0 > /proc/sys/net/ipv4/ip_forward
#fi
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set the forwarding policy for masquerading
/sbin/iptables -t filter -P FORWARD DROP

# Forward internal-to-external and external-to-internal traffic
/sbin/iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.0.0/255.255.255.0 -j ACCEPT

# Masquerade all outgoing traffic. NOTE: the Internet uplink is interface eth1
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Do not masquerade external traffic
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d 0/0 -j ACCEPT

# Allow traffic from the internal network to go anywhere
/sbin/iptables -t filter -A INPUT -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p icmp -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT

# Redirect to port 3128 (where Squid listens for requests)
# for any request originating from the local network to services using
# HTTP, HTTPS or FTP. More redirections can be added at the administrator's discretion.
# Note: the local network is reached through interface eth0
#HTTP
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#POP3
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3128
#SMTP
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 3128
#HTTPS
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
#MSN
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 3128
#FTP
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 3128
#END OF THE RULES

And here is an example of my squid.conf file
________________________________________________________________________________________________
http_port 3128
icp_port 0
#no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /var/spool/squid 700 16 256
redirect_rewrites_host_header off
dns_nameservers 192.168.0.2
icon_directory /usr/share/squid/icons
cache_replacement_policy GDSF

# Safe ports
acl SSL_ports port 443 8443 563 777
acl Safe_ports port 25 80 110 443 563 777 1863 210 119 70 21 1025-65535
acl CONNECT method CONNECT

# User authentication for HTTP access
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/.password
auth_param basic children 5
auth_param basic realm ACARA Proxy Server - TODO ACCESO A LA RED QUEDA REGISTRADO

# Uncommented by GH 24/09/03 for password authentication and blocking exe zip gz bz2 mp3 mpg mpeg ram rpm avi plus more
acl password proxy_auth REQUIRED
acl download urlpath_regex -i "/etc/squid/downloadeny.txt"

# GH 24/09/03
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl redlocal src "/etc/squid/redlocal"

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
# acl our_networks src 192.168.1.0/24 192.168.2.0/24
# http_access allow our_networks

# Used to block downloads and allow other users - GH 07/01/03
http_access allow password
http_access allow localhost
http_access allow redlocal
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny download
http_access deny all

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#cache control
acl NOCACHE urlpath_regex -i \.php
no_cache deny NOCACHE

cache_mgr dmantelli@xxxxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
log_icp_queries off
buffered_logs on
#END OF SQUID.CONF FILE
____________________________________________________________________________________________________________________

Pardon for the inconvenience. Thank you very much for your help.

Damian Mantelli
ARGENTINA
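Two things in the ruleset above decide whether transparent proxying works at all, and the following script, added here as an editor's example (it is not part of Damian's post, and the rule text it audits is a constructed copy of his PREROUTING rules), shows both. First, Squid's http_port only speaks HTTP: a TLS handshake on 443, a POP3, SMTP, MSN or FTP session redirected into port 3128 is not HTTP, so Squid cannot serve it and the client sees a broken connection; only port 80 belongs in a REDIRECT to an HTTP proxy, the other protocols should simply be forwarded and masqueraded. Second, the post's FORWARD rule accepts LAN-sourced traffic with `-o eth0`, but the post itself says the uplink is eth1, so under `-P FORWARD DROP` nothing from the LAN can leave except the redirected HTTP. Separately, intercepted clients do not know a proxy exists and never send proxy credentials, so `acl password proxy_auth REQUIRED` cannot match them; that is why the squid.conf needs `http_access allow redlocal` to do the work for transparent clients. The interface names, LAN prefix and Squid port below are the post's; `IPT` defaults to `echo` so the script is a dry run until you set `IPT=/sbin/iptables`.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits a REDIRECT ruleset
# for non-HTTP ports sent to Squid, then prints a corrected rule set.
# Assumed topology (taken from the post): LAN on eth0 = 192.168.0.0/27,
# Internet uplink on eth1, Squid listening on 3128.

LAN_IF=eth0; WAN_IF=eth1; LAN_NET=192.168.0.0/27; SQUID_PORT=3128
IPT="${IPT:-echo /sbin/iptables}"   # dry run by default; IPT=/sbin/iptables to apply

# Constructed sample in iptables-save syntax mirroring the post's PREROUTING chain.
SAMPLE_NAT_RULES='-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-ports 3128'

# bad_redirects RULES SQUID_PORT
# Prints, space separated, every --dport other than 80 that a rule redirects
# into the Squid port. Those sessions are not HTTP and Squid will drop them.
bad_redirects() {
    printf '%s\n' "$1" | awk -v sq="$2" '
        /-j REDIRECT/ {
            port = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
            }
            if (to == sq && port != "80") printf "%s ", port
        }' | sed 's/ $//'
}

# build_rules
# Emits a minimal corrected rule set: intercept HTTP only, forward and
# masquerade everything else toward the uplink, and keep the proxy port
# reachable from the LAN interface alone.
build_rules() {
    # Only plain HTTP from the LAN is handed to Squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$SQUID_PORT"
    # Everything else (HTTPS, mail, MSN, FTP) is NATed out of eth1 as normal.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Default deny, then allow LAN -> uplink and the replies coming back.
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The proxy port must not be an open proxy toward the Internet side.
    $IPT -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -t filter -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

echo "Non-HTTP ports redirected into Squid: $(bad_redirects "$SAMPLE_NAT_RULES" "$SQUID_PORT")"
build_rules
```

To audit a live box instead of the constructed sample, feed it `iptables-save -t nat` output: `bad_redirects "$(iptables-save -t nat)" 3128`. The ESTABLISHED,RELATED rule relies on the ip_conntrack module the post already loads; the final INPUT DROP is what keeps 192.168.0.28:3128 from being reachable from eth1.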