[PLUTO-help] help with squid
Roberto Macchetta
roby.programmer at fastwebnet.it
Sat 3 Jan 2009 16:59:59 CET
Hi everyone,
I'm trying to set up a small transparent proxy with squid. My lenny box
has two network cards: eth0, connected to the Internet, and eth1 (static
IP 192.168.0.1), connected with a crossover cable to a laptop.
I set up a DHCP server and configured it with gadmin-dhcpd, and that is
all fine: the laptop gets its IP and gateway. With squid, though, I'm
having serious trouble, in that it does not work in transparent mode and
I have to set the proxy by hand in the laptop's browser.
On the laptop, ifconfig gives me this configuration:
Indirizzo IP.............................192.168.0.2
Subnet mask..............................255.255.255.0
Gateway predefiniyo..................... 192.168.0.1
Here is my squid configuration, copied and pasted:
http_port 192.168.0.1:3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow internal_network
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
I set the firewall rules with this script:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.0.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128
# ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
It doesn't work: I am forced to set the proxy server in the browser,
otherwise the laptop can't browse, and I don't understand why. Most
likely it is due to iptables, but unfortunately I don't understand
iptables very well.
Does anyone have any suggestions?
Thank you
Bye everyone
--
Nobuteru
Linux Registered User #368935 since 01-10-2004
Powered by Debian Lenny
GPG Key fingerprint 0061 6CE8 02EB 0CAA 16E2 7ECD 1AC4 32A2 C30B A8ED
Jabber ID nobuteru at jabber.org