>>>>> "Eliezer" == Eliezer Croitoru <eliezer@xxxxxxxxxxxx> writes:

> On 7/5/2012 4:48 AM, Ezequiel Birman wrote:
>>>>>>> "Amos" == Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>>
>> > On 04.07.2012 15:54, Ezequiel Birman wrote:
>> >>>>>>> "Eliezer" == Eliezer Croitoru <eliezer@xxxxxxxxxxxx> writes:
>> >> <snip>
>> >>
>> >> > http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting
>> >> > this is a good way to start but it won't be a transparent proxy but
>> >> > a "nat" proxy, but it can be good for your needs as anyway you have
>> >> > nat in the RV042.
>> >>
>> >> Are you sure? The only mention of nat in it is in order to redirect
>> >> port 80 to 3128 on the squid box. This is the intro:
>> >> ...
>> >
>> > Yes. There are 4 protocol layers involved.
>> > ebtables - rules stop it being a bridge "transparent relay/proxy" and
>> > make it routed traffic.
>> > iptables - rules use NAT (interception proxy) instead of TPROXY
>> > (transparent proxy).
>> > squid - config file uses URL-rewriters to prevent Squid being a HTTP
>> > protocol "transparent proxy" (HTTP definition of "transparent proxy"
>> > is the Squid default behaviour).
>> >
>> > There are a lot of people confused by the meaning of the word
>> > "transparent". With good reason, it has been used out of context so
>> > much.
>>
>> Where should I start then? Could you point me to some doc, tutorial or
>> config example to implement what Eliezer suggested? I mean beside the
>> books which I didn't buy yet.
>>
>> Regards
>
> don't worry! i don't know anyone that masters linux and got it all
> from books he didn't buy :) XD

I meant, of course, the two squid books, Beginner's Guide and Advanced.
Anyway, if I get this right maybe I'll write a tutorial myself.

> it's pretty simple to implement as long as you do understand the
> concepts. you will just need to practice and see how all of it
> actually fits together as a puzzle.
> start with a bridge interface and bridge tools. it depends on what
> linux distro you are using. debian is a nice and simple one.
> you need to install the bridge tools + ebtables and configure the
> bridge interface for two Ethernet interfaces. the next step is to
> add the bridge interface ip address and default route. all the
> above can be done in the /etc/...somewhere
> this link:
> http://wiki.debian.org/BridgeNetworkConnections#Libvirt_and_bridging
> can help you a bit.
> on debian it will work just like that.. config.. apply settings..
> connect one cable .. connect second cable ...done.
> after that you can install\compile squid3.1. I will be here to help
> if you need something.
>
> Eliezer
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il

I am using CentOS 6.2, for no better reason than that I use fedora at
home. Bridge is working, then installed squid via yum.

squid-3.1.10-1.el6_2.4.x86_64

$ squid -v
Squid Cache: Version 3.1.10
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.10

What now? If I understand correctly, I need to set up rules in ebtables
to drop (deviate) http packets. Then set iptables in order to redirect
to port 3129 (tproxy), and that's it? Am I right?

In http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration I
see rules applied to eth0, should I rewrite br0 in place of eth0? Should
I copy the setup from
http://wiki.squid-cache.org/Features/Tproxy4#iptables_Configuration
without changes?

Already did: "setsebool -P squid_connect_any=1 squid_use_tproxy=1". By
the way, I think setsebool variables don't accept "yes" as a value.

Anything else?

Thanks for your time
--
Ezequiel Birman
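The three layers Amos lists (ebtables, iptables/policy routing, squid.conf), written out for the TPROXY variant the thread is heading towards, as an added example that is not from the thread or from the Squid project. It assumes a bridge br0 over eth0 and eth1, Squid on the bridge host listening with `http_port 3129 tproxy`, and an arbitrary fwmark 1 / routing table 100; `show` prints the commands for review, `apply` executes them as root.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): TPROXY
# interception of port-80 TCP on a Linux bridge host.
# Assumptions: bridge br0 over eth0/eth1, Squid on this host with
# "http_port 3129 tproxy", mark 1 and table 100 chosen arbitrarily.
# Usage: sh tproxy-bridge.sh show   (print)  |  apply   (execute as root)
BR=${BR:-br0}
TPROXY_PORT=${TPROXY_PORT:-3129}
MARK=1
TABLE=100

# Print instead of execute when DRY_RUN=1, so the rule set can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Layer 1 (ebtables): pull port-80 TCP out of the layer-2 bridge path and
# hand it to the IP stack, so it becomes routed traffic (both directions).
bridge_rules() {
  run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
  run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
}

# Layer 2 (iptables + policy routing): mark new port-80 connections and
# packets of sockets Squid already owns, and deliver marked packets locally.
tproxy_rules() {
  run ip -f inet rule add fwmark "$MARK" lookup "$TABLE"
  run ip -f inet route add local default dev "$BR" table "$TABLE"
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
  run iptables -t mangle -A DIVERT -j ACCEPT
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
      --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# TPROXY spoofs the client's source address; reverse-path filtering must
# not drop those packets on the bridge interface.
sysctl_rules() {
  run sysctl -w net.ipv4.conf."$BR".rp_filter=0
  run sysctl -w net.ipv4.conf.all.rp_filter=0
}

# Layer 3 (squid.conf): the matching listener. No URL-rewriter is used, so
# Squid keeps its default HTTP "transparent proxy" behaviour.
squid_conf() { echo "http_port $TPROXY_PORT tproxy"; }

all_rules() { sysctl_rules; bridge_rules; tproxy_rules; }

case "${1:-}" in
  show)  DRY_RUN=1; all_rules; squid_conf ;;
  apply) all_rules ;;
esac
```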