On Fri, 11 Mar 2005, Henrik Nordstrom wrote:
> > We'd like to configure Squid (or something else) to
> > control access by certain user-agents (IE) to certain URLs (the
> > Internet...). Ideally this would work as a transparent proxy.
> > Is this possible in Squid?
>
> Yes.
> See the browser and dstdomain acls, and Squid FAQ 10 Access Controls.
Thanks, Henrik. I've also been looking at Perl HTTP::Proxy and made a
thing to redirect IE users to an internal page, but whatever
works ...
Now the next problem...
We are running a transparent bridge on an RH7.3 machine with Linux 2.4.21
using brctl. It works fine. Squid works fine in normal mode through the
admin address of the bridge. But I can't get transparency to work.
I started with the iptables recipe in
http://www.tldp.org/HOWTO/TransparentProxy.html
but the TCP replies get lost - if Squid is not running, I get "connection
refused", but if it is running, the browser (telnet for testing) hangs
and I see a TCP reset on the target host apparently coming from the
client. If I test the redirect recipe with netcat (nc -u -l -p 9000)
I can intercept outbound UDP packets OK.
I realized that this recipe is designed for a router with 2 ip addresses
not a bridge, and found a recipe on http://freshmeat.net/articles/view/1433/
which is pretty much what we have with brctl.
However, adding the ebtables rule did not make any difference.
I tried
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 9000 \
-j REDIRECT --to-port 3128
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 9000 -j redirect --redirect-target ACCEPT
Am I missing something, like a magic entry in /proc ?
Or will it only work in a 2.6 kernel ?
(ebtables build OK, and lists the rule back)
-- Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376 (Pacific Time) security@triumf.ca
Received on Sun Mar 13 2005 - 12:34:23 MST
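The ebtables/iptables pair from the post, wrapped as an added example (not code from this thread, from Squid or from the HOWTOs cited) so the rule set can be generated, reviewed and dry-run before it is applied on the bridge. The function names, the DRY_RUN switch and the PROC_ROOT hook are my assumptions; the bridge-nf /proc entry is only reported as a preflight check, not claimed as the fix for the hang described above.

```shell
#!/bin/sh
# Helper for intercepting TCP traffic crossing a brctl bridge and handing it
# to a local Squid. "bridge-nf-call-iptables" is the sysctl exposed by
# bridge-netfilter (2.6 kernels, or 2.4 with the bridge-nf patch); it is
# absent on a stock 2.4 kernel, which the preflight below makes visible.

# Emit the rules as shell commands (dry run).
# Args: bridge-interface intercepted-port squid-port
bridge_proxy_rules() {
    br="$1"; dport="$2"; squid="$3"
    # broute table: frames matching the port are "brouted" (passed up to the
    # IP stack of the bridge host) instead of being forwarded at layer 2.
    printf 'ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port %s -j redirect --redirect-target ACCEPT\n' "$dport"
    # nat table: the packet now arrives on the bridge interface and
    # nat/PREROUTING rewrites the destination port to Squid's listener.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' "$br" "$dport" "$squid"
    # Let the redirected connections reach the local Squid listener.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$br" "$squid"
}

# Apply the rules; with DRY_RUN set, only show what would run.
bridge_proxy_apply() {
    bridge_proxy_rules "$@" | while read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "would run: $cmd"; else sh -c "$cmd"; fi
    done
}

# Number of rules that match the intercepted port: the ebtables and iptables
# rules must agree on it, otherwise nothing is ever handed to Squid.
bridge_proxy_rule_count() { bridge_proxy_rules "$@" | grep -c "port $2 "; }

# Preflight: value of the bridge-netfilter switch, or "absent" when the
# kernel does not provide it. PROC_ROOT is a test hook for a fake /proc.
bridge_nf_state() {
    f="${PROC_ROOT:-}/proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo absent; fi
}
```

Run `DRY_RUN=1 bridge_proxy_apply br0 9000 3128` first and compare the printed commands with the post's, then apply without DRY_RUN.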