Hello,

<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377788/test.png>

eth0 is for WAN and eth1 is for LAN side.

And more detailed firewall settings:

# Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
*nat
:PREROUTING ACCEPT [3911:298328]
:INPUT ACCEPT [384:30494]
:OUTPUT ACCEPT [273:20568]
:POSTROUTING ACCEPT [13:3456]
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 12 15:46:58 2019
# Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
*mangle
:PREROUTING ACCEPT [10761:3310565]
:INPUT ACCEPT [3211:587384]
:FORWARD ACCEPT [6306:2611786]
:OUTPUT ACCEPT [2279:577020]
:POSTROUTING ACCEPT [5283:2937872]
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3128 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Sep 12 15:46:58 2019
# Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
*filter
:INPUT ACCEPT [1989:462678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2279:577020]
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP
COMMIT
# Completed on Thu Sep 12 15:46:58 2019