Re: How to set up squid?

Amos Jeffries wrote:
Yan Seiner wrote:
Amos:

Since ordinary mortals like me ;-) apparently cannot edit the wiki, here's my final form of the iptables and policy route rules.

First on the firewall:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squidboxIP
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
iptables -A FORWARD -i internalif -o internalif -p tcp --dport 80 -j ACCEPT

This FORWARDING is not exactly part of the config. I would think routers should allow internal routes by default anyway. But I'll add it as a gotcha to be wary of anyway.

Normally yes. This is my firewall doing this; I DENY by default and then enable only what I need. Since my forward chain has a default DENY policy, forwarding between internal interfaces is forbidden. Also, this is with a 2.4 kernel; IIRC the forwarding rules changed quite a bit with 2.6 kernels, so on a box with a 2.6 kernel you may well be right.



ip rule add fwmark 3 table proxy
ip route add default via squidboxIP dev internalif table proxy

Then on the squid box itself:

iptables -t nat -A PREROUTING -s localnet/24 -i lan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -s squidboxIP/32 -p tcp -m owner ! --uid-owner squid-user -m tcp --dport 80 -j REDIRECT --to-ports 3128

The first rule catches all of the requests that have been redirected by the firewall for proxying.

The second rule catches all of the outbound packets originating on the squidbox itself. This can have some weird side effects; my squid box also handles several ipcams and so all this traffic is now routed through squid. Note that you have to change the uid-owner to the uid of the squid process.

This is avoidable if the ipcams are sending traffic to the squid box for handling anyway. The NAT rules on the squid box need to omit catching any traffic already destined to itself:

iptables -t nat -A PREROUTING -s SQUIDIP -p tcp --dport 80 -j ACCEPT
Good point. I'll add that.

--Yan
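As an added example that is not part of the original thread: a script that renders the router/firewall and squid-box rule sets discussed above as one ordered configuration and checks the ordering gotcha (the exceptions must be inserted before the MARK/REDIRECT catch-all rules, or they are never reached). The addresses, interface name, squid user and table name are placeholders; the "traffic destined to itself" exception is written with `-d` on the squid box's own address, which is how I read the intent of the last reply.

```shell
#!/bin/sh
# Added example, not from the original thread: render the firewall and squid-box
# rules as one ordered set. Addresses, interface and user below are placeholders.
# Usage: sh intercept.sh firewall        (print the router/firewall commands)
#        sh intercept.sh squid | sh      (apply the squid-box commands as root)
SQUID_IP="${SQUID_IP:-192.168.1.10}"   # assumption: address of the squid box
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: internal client network
LAN_IF="${LAN_IF:-eth1}"               # assumption: internal interface name
SQUID_UID="${SQUID_UID:-proxy}"        # assumption: user the squid process runs as
FWMARK=3                               # fwmark used in the thread
RT_TABLE=proxy                         # must be listed in /etc/iproute2/rt_tables

# Router/firewall: exempt the squid box BEFORE marking, otherwise its own
# upstream fetches are marked and routed straight back to it (a loop). The
# FORWARD rule is only needed when that chain has a default DROP/DENY policy.
firewall_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark $FWMARK
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp --dport 80 -j ACCEPT
ip rule add fwmark $FWMARK table $RT_TABLE
ip route add default via $SQUID_IP dev $LAN_IF table $RT_TABLE
EOF
}

# Squid box: traffic addressed to the box itself (e.g. the ipcams) is accepted
# before the REDIRECT so it is not intercepted; LAN traffic the router handed
# us goes to port 3128; locally generated port-80 traffic is redirected unless
# it comes from the squid user, so squid does not proxy its own requests.
squid_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -d $SQUID_IP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -s $LAN_NET -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -s $SQUID_IP -p tcp -m owner ! --uid-owner $SQUID_UID -m tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
}

# Ordering check: in PREROUTING, no ACCEPT exception may follow the first
# MARK/REDIRECT catch-all, or it is never reached. Exit status 0 = order is right.
check_order() {
    "$1" | awk '/PREROUTING/ && /-j ACCEPT/ && seen { bad = 1 }
                /PREROUTING/ && /-j (MARK|REDIRECT)/ { seen = 1 }
                END { exit bad }'
}
case "${1:-}" in
    firewall) firewall_rules ;;
    squid)    squid_rules ;;
esac
```

Run each half on the machine it belongs to; the router half assumes the `proxy` table already exists in `/etc/iproute2/rt_tables`, and nothing is applied unless the output is piped to a shell.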

