Hello, AFAIK it is possible to use redsocks software ( http://darkk.net.ru/redsocks/ ) with squid.

On Wed, Oct 1, 2014 at 1:49 AM, James Harper <james@xxxxxxxxxxxxxxxxx> wrote:
>>
>> It's possible to redirect all ports to squid ? thru iptables ?
>> For example port 25 smtp,143 imap, etc...
>> Can squid handle that. In transparent mode.
>
> Yes. Kind of. You need:
> . An appropriate rule in iptables nat table that ends with -j REDIRECT --to-ports 3129 (or whatever port you are listening on for this traffic)
> . A https_port definition in squid.conf on that port with ssl-bump and a certificate (certificate doesn't get used unless you are doing actual https but the syntax requires it) and a port name
> . an acl attached to the name of the listener's myportname
> . an ssl_bump none that matches the traffic you are interested in (all if you aren't doing https interception)
>
> Now that you know you can do it, consider:
> . I've asked this question on the list and the response from people who really do know what they are talking about is that squid is not designed as a general tcp proxy and there are probably other solutions that work better
> . squid currently doesn't allow a sensible termination of the connection if it isn't allowed, or if there is nothing listening at the other end. Your smtp/pop3/imap/etc application won't like that.
> . you have to do authentication out-of-band (eg ident), but that's the same with transparent http anyway
>
> To do this really nicely, squid would need:
> . a "tcp_port" instead of "http_port" designed for exactly this sort of thing
> . a way to call out to the destination before accepting the connection so that a 'connection refused' could be given if there is nothing listening
> . a way to simply drop the connection if it doesn't succeed rather than the default response squid gives
> . a way to redirect traffic to a helper (eg SMTP/IMAP/POP3 filter to scan for viruses, etc) (maybe this already exists via other means?)
>
> So in short it works, but not as well as it could, and you might be better off finding another solution. The main reason I was interested is that Squid already has a very nice acl implementation, and there are already a number of good log analysis tools for it.
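The four items James lists (REDIRECT rule, https_port with ssl-bump and a name, myportname acl, ssl_bump none) written out as a concrete configuration. This is an added illustration, not code from the thread or from the Squid project; the port numbers, the names tcpport / tcp_traffic and the certificate path are assumptions, and the `intercept` keyword on the listener is assumed from Squid 3.x documentation rather than from the reply.

```shell
#!/bin/sh
# Added example: emit the iptables NAT rules and the squid.conf fragment
# described in the reply. Ports, ACL/port names and the cert path are
# example values; "intercept" is assumed to be required for a port that
# receives iptables REDIRECT traffic (Squid 3.x), not stated in the thread.
SQUID_PORT=3129
TCP_PORTS="25 143 110"          # smtp, imap, pop3 (example values)
CERT=/etc/squid/tcpport.pem     # placeholder path

# iptables rules: send each intercepted port to Squid's listener.
# Printed rather than executed so the script runs safely anywhere.
gen_iptables_rules() {
    for p in $TCP_PORTS; do
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$p" "$SQUID_PORT"
    done
}

# squid.conf fragment, following the reply's four items in order.
gen_squid_conf() {
    cat <<EOF
# 1. listener on the REDIRECT target port; ssl-bump and a cert are required
#    by the syntax even though no TLS is handled for plain smtp/imap/pop3
https_port $SQUID_PORT intercept ssl-bump cert=$CERT name=tcpport
# 2. acl that matches traffic arriving on that named listener
acl tcp_traffic myportname tcpport
# 3. no https interception for this traffic (Squid 3.4 syntax; 3.5+ uses splice)
ssl_bump none tcp_traffic
# 4. allow it; authentication has to be out-of-band, as the reply notes
http_access allow tcp_traffic
EOF
}

# Print both pieces when run directly.
gen_iptables_rules
echo
gen_squid_conf
```

Review the generated rules before loading them: the reply's caveats (no clean refusal when the destination is down, no real TCP-proxy semantics) still apply.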