Jonathan Gazeley wrote:
> Hi,
>
> I'm new to Squid. I've successfully set up a transparent cache on a
> server which is also the gateway/firewall/NAT for a small LAN. All the
> clients on my LAN use the cache properly. However, the server running
> the cache doesn't use its own cache. I've inserted what I thought were
> the correct rules into my iptables config:
>
> -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> -A PREROUTING -s 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 3128
> -A PREROUTING -s 192.168.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port
> 3128
> -A PREROUTING -s x.x.x.x/32 -p tcp --dport 80 -j REDIRECT --to-port 3128
> (external public IP)
>
> where eth0 is the LAN-facing interface.
>
> My Squid config allows proxying from localhost and localnet:
>
> http_access allow localhost
> http_access allow localnet
> http_access deny all
>
> Therefore I think I have not set up my iptables quite right. Can anyone
> confirm if this is the right way to go about catching HTTP requests from
> localhost?
localhost is a special IP. It's processed on interface 'lo' and does not
pass through NAT. Never passes data to the internet either on working
NIC cards.
The full correct iptables config for basic interception is listed here:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
If you mean yo want to catch secondary data from the same machine as
Squid, and divert it into Squid again. It's not easy to do right and you
had best ask the experts over at netfilter for correct details.
It's likely to involve L7 filters to detect Squid in the exemption, or
adding tcp_outgong_tos and policy routing to have Squid mark its traffic
differently for exemption and catching the marks in in a local interface
loop.
Amos
-- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.2Received on Thu Nov 20 2008 - 12:13:01 MST
This archive was generated by hypermail 2.2.0 : Thu Nov 20 2008 - 12:00:03 MST