[PLUTO-help] help with squid

Roberto Macchetta roby.programmer a fastwebnet.it
Sat 3 Jan 2009 16:59:59 CET


Hi all,
I'm trying to set up a small transparent proxy with squid. My lenny box
has two network cards: eth0 connected to the Internet and eth1 (static IP
192.168.0.1) connected with a crossover cable to a laptop.

I set up a DHCP server and configured it with gadmin-dhcpd, and that's all
fine: the laptop gets its IP and gateway. With squid, though, I'm having
big trouble, in the sense that it doesn't work in transparent mode; I have
to set the proxy manually in the laptop's browser.

ifconfig on the laptop gives me this configuration

IP Address...............................192.168.0.2
Subnet Mask..............................255.255.255.0
Default Gateway.......................... 192.168.0.1


here is my squid configuration, copied and pasted:

http_port 192.168.0.1:3128 transparent

acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255

acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow internal_network
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

I set up the firewall rules with this script:

#!/bin/sh
# squid server IP

SQUID_SERVER="192.168.0.1"

# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"

# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128
# ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

It doesn't work: I'm forced to set the proxy server in the browser,
otherwise the laptop doesn't browse, and I don't understand why. Most
probably it's due to iptables, but unfortunately I don't know much about
iptables.

Does anyone have any suggestions?

Thank you
bye everyone

-- 
Nobuteru
Linux Registered User #368935 since 01-10-2004
Powered by Debian Lenny
GPG Key fingerprint 0061 6CE8 02EB 0CAA 16E2 7ECD 1AC4 32A2 C30B A8ED
Jabber ID nobuteru a jabber.org
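A check for the setup described in the post, added here as an example and not part of the original message. Given the output of `iptables-save` and the relevant lines of squid.conf (both embedded below as constructed samples that mirror the post's script and config, so the audit runs offline), it confirms that the four rules a transparent path needs are present (DNAT of LAN port 80, MASQUERADE out of the Internet interface, FORWARD from the LAN, and INPUT from the LAN, since the DNATed packets are delivered to the box itself), that Squid's `http_port` line binds exactly the address and port the DNAT rule targets (a mismatch there is a common reason redirected traffic dies silently), how many port-80 redirects exist on the Internet-facing interface (the post's `-i $INTERNET ... REDIRECT` rule, which only the `INPUT DROP` policy keeps closed to outsiders), and whether `http_access allow internal_network` precedes the `!Safe_ports` and `CONNECT !SSL_ports` denies, in which case LAN clients bypass those port restrictions entirely. Interface names, address and port are the post's; the function names and the sample text are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a saved iptables
# ruleset and a squid.conf fragment for the transparent-proxy
# prerequisites. Interface names, address and port follow the post;
# the rule and config text below is constructed sample input.

LAN_IN="eth1"
INTERNET="eth0"
SQUID_SERVER="192.168.0.1"
SQUID_PORT="3128"

# Constructed `iptables-save` output equivalent to the post's script.
SAMPLE_RULES='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# Same ruleset with the DNAT rule dropped: what a forgotten or flushed
# PREROUTING rule looks like.
SAMPLE_RULES_NO_DNAT=$(printf '%s\n' "$SAMPLE_RULES" | grep -v -- '-j DNAT')

# Constructed squid.conf fragment with the post's relevant lines.
SAMPLE_SQUID='http_port 192.168.0.1:3128 transparent
acl internal_network src 192.168.0.0/24
http_access allow internal_network
http_access deny !Safe_ports'

# has_rule RULESET FIXED-STRING: 0 if the saved ruleset contains the rule.
has_rule() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# missing_rules RULESET: prints each absent prerequisite and returns the
# number missing (0 means every rule the transparent path needs exists).
missing_rules() {
    ruleset=$1
    n=0
    has_rule "$ruleset" "-A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER:$SQUID_PORT" \
        || { echo "missing: DNAT of LAN port 80 to $SQUID_SERVER:$SQUID_PORT"; n=$((n+1)); }
    has_rule "$ruleset" "-A POSTROUTING -o $INTERNET -j MASQUERADE" \
        || { echo "missing: MASQUERADE out of $INTERNET"; n=$((n+1)); }
    has_rule "$ruleset" "-A FORWARD -i $LAN_IN -j ACCEPT" \
        || { echo "missing: FORWARD from $LAN_IN"; n=$((n+1)); }
    has_rule "$ruleset" "-A INPUT -i $LAN_IN -j ACCEPT" \
        || { echo "missing: INPUT from $LAN_IN (DNATed packets are delivered locally)"; n=$((n+1)); }
    return "$n"
}

# squid_listens_transparent CONF: 0 if squid.conf binds the DNAT target
# with the Squid 2.x `transparent` option (Squid 2.7 on Lenny).
squid_listens_transparent() {
    printf '%s\n' "$1" | grep -qE "^http_port[[:space:]]+$SQUID_SERVER:$SQUID_PORT[[:space:]]+transparent"
}

# lan_allowed_before_safe_ports CONF: 0 when `allow internal_network`
# precedes `deny !Safe_ports`, so LAN clients skip the port restrictions.
lan_allowed_before_safe_ports() {
    allow_line=$(printf '%s\n' "$1" | grep -n '^http_access allow internal_network' | head -n1 | cut -d: -f1)
    deny_line=$(printf '%s\n' "$1" | grep -n '^http_access deny !Safe_ports' | head -n1 | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# external_redirects RULESET: prints how many PREROUTING rules on the
# Internet-facing interface send port 80 into Squid.
external_redirects() {
    printf '%s\n' "$1" | grep -c -- "-A PREROUTING -i $INTERNET .* --dport 80 -j REDIRECT" || true
}

# Run the audit against the constructed samples when executed directly.
if missing_rules "$SAMPLE_RULES"; then
    echo "iptables: all transparent-proxy rules present"
fi
if squid_listens_transparent "$SAMPLE_SQUID"; then
    echo "squid: http_port matches the DNAT target"
fi
if lan_allowed_before_safe_ports "$SAMPLE_SQUID"; then
    echo "warning: LAN allowed before the Safe_ports/SSL_ports denies"
fi
echo "port-80 redirects on $INTERNET: $(external_redirects "$SAMPLE_RULES")"
```

To run it against a live box instead of the samples, pass `"$(iptables-save)"` and `"$(cat /etc/squid/squid.conf)"` to the functions; the checks are plain string matches on the canonical `iptables-save` form, which is why the sample spells out `-m tcp` and `--to-destination` even though the post's script used the shorter `--to`.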



