Re: Proxy & Redirection help

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 02/11/10 22:54, Edmonds Namasenda wrote:
> Thank you, Amos.
> More queries inline below.
>
>         Hello All.
>         I request for help using openSuSe 11.2, Squid 3.0 and Shorewall
>         2.2.2
>
>         My squid.conf ACLs.
>
>         acl net_ed src 10.100.#.0/24 192.168.#.0/24 10.208.#.0/24    #
>         The three
>         networks
>         acl whrs1 time MTWHF 9:00-12:59      # Morning time to limit some
>         websites & control downloads
>         acl whrs2 time MTWHF 13:00-16:59    # Afternoon time to limit some
>         websites & control downloads
>         acl nowww dstdomain "/etc/squid/noWWW"    # Path to file of
>         limited websites
>         acl nodwnld urlpath_regex "/etc/squid/noDWNLD"   # Path to file of
>         controlled downloads
>
>         My squid.conf http_access
>         http_access deny nowww whrs1 whrs2
>         http_access deny nodwnld whrs1 whrs2
>         http_access allow net_ed
>
>         Content in /etc/squid/noWWW
>
>
>         Content in /etc/squid/noDWNLD
>         \.exe$
>         \.zip$
>         \.gz$
>         \.bz2$
>         \.mp3$
>         \.avi$
>         \.mp4$
>         \.mpg$
>         \.mpeg$
>         \.rar$
>         \.ram$
>         \.rpm$
>         \.wav$
>         \.cda$
>         \.wma$
>         \.wmv$
>         \.flv$
>         \.fla$
>
>
> Are my ACLs and other setting okay?
>
>
>     You seem to be asking how to bypass the proxy from inside. That is
>     not possible. The firewall needs to do bypass before anything gets
>     near the proxy.
>
> I am using the same machine for firewall and proxy
>
>     If you meant that some IPs need to get web access without the
>     download and site restrictions. That is just an ACL listing the IPs
>     and allowing them access first before applying the extra
>     restrictions for others.
>
> If I were to add ACLs with some an I.P Addresses to access the internet
> without any restrictions, how can I go about that?

By creating ..

  # "an ACL listing the IPs ..."
  acl foo src ...

  # " ... and allowing them access first ..."
  http_access allow foo

  # " ... before applying the extra restrictions for others."
  http_access deny nowww whrs1 whrs2
  http_access deny nodwnld whrs1 whrs2
  http_access allow net_ed

>     I have not used shorewall in over 5 years now. I find it's layered
>     abstraction maps more confusing than the iptables commands. Sorry, I
>     cant help with the specifics here.
>
> If I were to switch to iptables, what is the procedure and or commands?

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
The example PREROUTING line that does "-s SQUIDIP ... -j ACCEPT" 
repeated as many times as IPs needing to bypass the proxy.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.2