Yan Seiner wrote:
> Yan Seiner wrote:
>> Amos Jeffries wrote:
>>> Yan Seiner wrote:
>>>> Amos Jeffries wrote:
>>>>> Yan Seiner wrote:
>>>>>> I have a question about setting up squid in my environment.
>>>>>>
>>>>>> My network is fairly generic:
>>>>>>
>>>>>> a firewall running openwrt, 4 mb flash and 8 mb ram, providing NAT
>>>>>> a server providing DNS and DHCP services; this machine is also
>>>>>> used for terminal services so users are logged in to this machine
>>>>>> directly
>>>>>> assorted clients
>>>>>>
>>>>>> I've had squid set up on a 'opt-in' basis. Now I have a request
>>>>>> to make it transparent for all users with the intent of disabling
>>>>>> web access during specified hours.
>>>>>>
>>>>>> The problem I have is that my firewall is not able to run squid,
>>>>>> and all the examples assume that the squid box is either the
>>>>>> firewall or provides NAT.
>>>>>>
>>>>>> Is it possible, without a huge amount of complications, to run
>>>>>> squid on this sort of setup?
>>>>>>
>>>>>> If so, does anyone have a recipe for doing so?
>>>>>>
>>>>>
>>>>> Squid box had best be the one doing NAT because all source info is
>>>>> lost during NAT interception and Squid needs to look it up. Note I
>>>>> wrote "NAT interception", thats a more correct name for "transparent".
>>>>>
>>>>> Squid does not have to be on the firewall or router to do NAT though:
>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>>>
>>>>> the tutorial ironically was written for people using OpenWRT :)
>>>>>
>>>>> Amos
>>>> Hi Amos:
>>>>
>>>> Obvously I got something just half right:
>>>>
>>>>
>>>> The requested URL could not be retrieved
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> While trying to retrieve the URL:
>>>> http://arstechnica.com/tech-policy/news/2009/05/landmark-study-drm-truly-does-make-pirates-out-of-us-all.ars
>>>>
>>>>
>>>> The following error was encountered:
>>>>
>>>> Unable to determine IP address from host name for /arstechnica.com/
>>>> The dnsserver returned:
>>>>
>>>> Server Failure: The name server was unable to process this query.
>>>> This means that:
>>>>
>>>
>>> Is it actually using the '/' there?
>>> It looks a lot like the 'transparent' option to http_port is missing
>>> still.
>>>
>>>
>>>>
>>>> I've configured this as best as I can following
>>>>
>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>> on the firewall/router
>>>> and
>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>> on the squid box.
>>>>
>>>> As soon as I enable the iptablesPolicyRoute on the fw my DNS fails....
>>>>
>>>> I can't figure out why.... Those rules should only affect tcp
>>>> packets to port 80.
>>>>
>>>> Does anyone have this setup working? Could they please send me some
>>>> instructions for morons?
>>>
>>> That was them ;).
>>>
>>> Does the Squid box have normal DNS if its used as a regular proxy
>>> without the PolicyRouting?
>>>
>>> Amos
>> DUH! OK, my turn to feel stupid....
>>
>> Turns out my firewall rules were blocking forwarding from internal_if
>> to internal_if - so the firewall "loopback" to the squid box was
>> getting dropped.
>>
>> Now everything is OK; on to the next step - time based web access -
>> which is why I started this whole thing!
>>
>> --Yan
>>
>>
>> !DSPAM:4a214d26279661804284693!
>>
> Amos:
>
> Since ordinary mortals like me ;-) apparently cannot edit the wiki,
> here's my final form of the iptables and policy route rules.
>
> First on the firewall:
>
> iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squidboxIP
> iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
> iptables -A FORWARD -i internalif -o internalif -p tcp --dport 80 -j ACCEPT
Is this FORWARDING is not exactly part of the config. I would think
routers should allow internal routes by default anyway. But I'll add it
as a gotcha to be wary of anyway.
> ip rule add fwmark 3 table proxy
> ip route add default via squidboxIP dev internalif table proxy
>
> Then on the squid box itself:
>
> iptables -t nat -A PREROUTING -s localnet/24 -i lan0 -p tcp -m tcp
> --dport 80 -j REDIRECT --to-ports 3128
> iptables -t nat -A OUTPUT -s squidboxIP/32 -p tcp -m owner ! --uid-owner
> squid-user -m tcp --dport 80 -j REDIRECT --to-ports 3128
>
> The first rule catches all of the requests that have been redirected by
> the firewall for proxying.
>
> The second rule catches all of the outbound packets originating on the
> squidbox itself. This can have some weird side effects; my squid box
> also handles several ipcams and so all this traffic is now routed
> through squid. Note that you have to change the uid-owner to the uid of
> the squid process.
This is avoidable if the ipcams are sending traffic to the squid box for
handling anyway. The NAT rules on the squid box need to omit catching
any traffic already destined to itself:
iptables -t nat -A PREROUTING -s SQUIDIP -p tcp --dport 80 -j ACCEPT
as the first rule of the squid box.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1Received on Mon Jun 01 2009 - 13:49:34 MDT
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 12:00:02 MDT