Amos Jeffries wrote:
> Yan Seiner wrote:
>> Amos:
>>
>> Since ordinary mortals like me ;-) apparently cannot edit the wiki,
>> here's my final form of the iptables and policy route rules.
>>
>> First on the firewall:
>>
>> iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squidboxIP
>> iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
>> iptables -A FORWARD -i internalif -o internalif -p tcp --dport 80 -j ACCEPT
>
> This FORWARDING is not exactly part of the config. I would think
> routers should allow internal routes by default anyway. But I'll add
> it as a gotcha to be wary of anyway.
Normally yes. This is my firewall doing this; I DENY by default and
then enable only what I need. Since my forward chain has a default DENY
policy, then forwarding between internal if is forbidden. Also, this is
with a 2.4 kernel; IIRC the forwarding rules changed quite a bit with
2.6 kernels so on a box with 2.6 kernel you may well be right.
>
>
>> ip rule add fwmark 3 table proxy
>> ip route add default via squidboxIP dev internalif table proxy
>>
>> Then on the squid box itself:
>>
>> iptables -t nat -A PREROUTING -s localnet/24 -i lan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> iptables -t nat -A OUTPUT -s squidboxIP/32 -p tcp -m owner ! --uid-owner squid-user -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>
>> The first rule catches all of the requests that have been redirected
>> by the firewall for proxying.
>>
>> The second rule catches all of the outbound packets originating on
>> the squidbox itself. This can have some weird side effects; my squid
>> box also handles several ipcams and so all this traffic is now routed
>> through squid. Note that you have to change the uid-owner to the uid
>> of the squid process.
>
> This is avoidable if the ipcams are sending traffic to the squid box
> for handling anyway. The NAT rules on the squid box need to omit
> catching any traffic already destined to itself:
>
> iptables -t nat -A PREROUTING -s SQUIDIP -p tcp --dport 80 -j ACCEPT
Good point. I'll add that.
--Yan
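The whole thread turns on rule order: the ACCEPT for the squid box's own traffic must sit in front of the MARK rule on the firewall and in front of the REDIRECT rule on the squid box, or squid's upstream fetches get marked, policy-routed back to squid and redirected into port 3128 again. The following is an added example (not code from the thread) that models first-match evaluation of the three chains discussed above so the ordering can be checked offline. The addresses 192.0.2.10 / 192.0.2.0/24, the interface name lan0 and the uid 1001 are constructed placeholders standing in for squidboxIP, localnet and squid-user.

```python
"""First-match model of the iptables chains from the thread.

Added example, not part of the original mailing-list post.  All addresses,
interface names and the squid uid are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SQUIDBOX_IP = "192.0.2.10"   # placeholder for squidboxIP / SQUIDIP
LOCALNET = "192.0.2.0/24"    # placeholder for localnet/24
SQUID_UID = 1001             # assumed uid of the squid process (squid-user)


@dataclass
class Packet:
    src: str
    dport: int
    in_iface: Optional[str] = None
    uid: Optional[int] = None   # owner of the socket; only set in OUTPUT


@dataclass
class Rule:
    target: str                 # ACCEPT, MARK or REDIRECT
    arg: Optional[int] = None   # mark value or redirect port
    src: Optional[str] = None   # -s address or CIDR
    dport: Optional[int] = None  # --dport
    in_iface: Optional[str] = None  # -i
    uid: Optional[int] = None   # -m owner --uid-owner
    uid_negate: bool = False    # the '!' in '-m owner ! --uid-owner'

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.uid is not None:
            owner_hit = pkt.uid == self.uid
            # A negated owner match wants uid != self.uid.
            if owner_hit == self.uid_negate:
                return False
        return True


def run_chain(rules: List[Rule], pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
    """Return the first matching rule's (target, arg); None means no rule hit.

    ACCEPT and REDIRECT terminate chain traversal in netfilter.  MARK does not,
    but in the chains below it is always the last rule, so first-match is exact.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.target, rule.arg
    return None


# Firewall: mangle PREROUTING as posted (ACCEPT for squid first, then MARK).
FIREWALL_MANGLE_PREROUTING = [
    Rule("ACCEPT", src=SQUIDBOX_IP, dport=80),
    Rule("MARK", 3, dport=80),
]

# Squid box: nat PREROUTING with the exclusion Amos suggested placed first.
SQUID_NAT_PREROUTING = [
    Rule("ACCEPT", src=SQUIDBOX_IP, dport=80),
    Rule("REDIRECT", 3128, src=LOCALNET, in_iface="lan0", dport=80),
]

# Squid box: nat OUTPUT, redirecting locally generated port-80 traffic
# unless the socket belongs to the squid uid.
SQUID_NAT_OUTPUT = [
    Rule("REDIRECT", 3128, src=SQUIDBOX_IP + "/32", dport=80,
         uid=SQUID_UID, uid_negate=True),
]


def firewall_mark(pkt: Packet) -> Optional[int]:
    """fwmark the firewall assigns, or None if the packet is not policy-routed."""
    hit = run_chain(FIREWALL_MANGLE_PREROUTING, pkt)
    return hit[1] if hit and hit[0] == "MARK" else None


def redirect_port(chain: List[Rule], pkt: Packet) -> Optional[int]:
    """Port the squid box redirects to, or None if the packet passes untouched."""
    hit = run_chain(chain, pkt)
    return hit[1] if hit and hit[0] == "REDIRECT" else None


def own_traffic_loops(chain: List[Rule]) -> bool:
    """True if squid's own outbound fetch would be redirected back into squid."""
    return redirect_port(chain, Packet(SQUIDBOX_IP, 80, in_iface="lan0")) == 3128


if __name__ == "__main__":
    client = Packet("192.0.2.55", 80, in_iface="lan0")
    print("client fwmark:", firewall_mark(client))                      # 3
    print("squid fwmark:", firewall_mark(Packet(SQUIDBOX_IP, 80)))       # None
    print("loop with ACCEPT first:", own_traffic_loops(SQUID_NAT_PREROUTING))
    print("loop without ACCEPT:", own_traffic_loops(SQUID_NAT_PREROUTING[1:]))
```

Dropping the first rule of `SQUID_NAT_PREROUTING` (the slice `[1:]`) is the configuration Yan described before Amos's correction; `own_traffic_loops` flips to True for it, which is the redirect loop the ACCEPT rule exists to prevent.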
Received on Mon Jun 01 2009 - 13:55:08 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 02 2009 - 12:00:01 MDT