Re: [squid-users] HELP WITH IPTABLES !!

From: Ronny <ronny@dont-contact.us>
Date: Thu, 01 Sep 2005 10:49:03 +0300

First you should know why you are putting Squid in. Not for SMTP or POP3; why
start with the impossibles :-).
Anyway, see ---------> squid-cache.org for the definition of Squid. Don't
think you will succeed, maybe if you got another way.
Damian Mantelli (A.C.A.R.A) wrote:

>Hi, my name is Damian, I am from Argentina and I am a member of the mailing list
>of SQUID users.
>I want all the traffic of my local net to go through my SQUID proxy
>server. I mean that all the packets will be forwarded to port
>3128 of my Squid server.
>Maybe you can help me.
>
>Here is an example of my current net in my office
>
>-->LocalNet 192.168.0.1/27----ETH0--> (SQUID 192.168.0.28:3128 SERVER)<--
>ETH1 -->INTERNET
>
>
192.168.0.1/27 isn't the same as 192.168.0.0/24 as seen in your firewall;
can you make the necessary changes please?

>I have already set up a couple of rules with iptables, but I can't understand
>what I am doing wrong.
>
>I want HTTP, HTTPS, MSN, POP3, SMTP, all of these ports and others
>without much importance, to be forwarded through my Squid proxy server.
>
>Here are the rules.
>
>#!/bin/sh
>
>#Load the needed kernel modules:
>/sbin/modprobe ip_conntrack
>/sbin/modprobe ip_conntrack_ftp
>/sbin/modprobe ip_conntrack_irc
>/sbin/modprobe ipt_REJECT
>/sbin/modprobe ipt_REDIRECT
>/sbin/modprobe ipt_TOS
>/sbin/modprobe ipt_MASQUERADE
>/sbin/modprobe ipt_LOG
>/sbin/modprobe iptable_mangle
>/sbin/modprobe iptable_nat
>/sbin/modprobe ip_nat_ftp
>/sbin/modprobe ip_nat_irc
>
>#Enable IP forwarding
>
>#if [ -e /proc/sys/net/ipv4/ip_forward ]; then
># echo 0 > /proc/sys/net/ipv4/ip_forward
>#fi
>
>echo "1" > /proc/sys/net/ipv4/ip_forward
>
># Set the forwarding policy for masquerading
>/sbin/iptables -t filter -P FORWARD DROP
>
>
># Forwarding of internal-to-external and external-to-internal traffic
>/sbin/iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
>/sbin/iptables -t filter -A FORWARD -d 192.168.0.0/255.255.255.0 -j ACCEPT
>
>
>#Masquerade all outgoing traffic, NOTE: internet access is via interface eth1
>/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
>
Can the above comment be on one line? I think the kernel doesn't
understand this too.

>
>#Don't masquerade external traffic
>/sbin/iptables -t nat -A POSTROUTING -o eth1 -d 0/0 -j ACCEPT
>
>#Allow traffic from the internal network to go anywhere
>/sbin/iptables -t filter -A INPUT -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
>/sbin/iptables -t filter -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
>/sbin/iptables -t filter -A OUTPUT -p icmp -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
>
>#Redirection to port 3128 (where Squid listens for requests)
>#for any request originating from the local network to services that use the
>#HTTP, HTTPS, FTP protocols. More redirections can be added at the
>#administrator's discretion
>#Note: remember that the local network is reached via interface eth0
>
>#HTTP
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
>#POP3
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3128
>
>
Problems here! Don't think it's possible.

>#SMTP
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 3128
>
>
Same as above!

>#HTTPS
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
>
>
I doubt it too!

>#MSN
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 3128
>
>
Why would you? The box seems to be a router too.

>#FTP
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j REDIRECT --to-port 3128
>/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 3128
>
>
I doubt this too.

>#END OF THE RULES
>
>
>And here is an example of my squid.conf file
>________________________________________________________________________________________________
>
>http_port 3128
>icp_port 0
>
>#no_cache deny QUERY
>cache_mem 16 MB
>cache_dir ufs /var/spool/squid 700 16 256
>redirect_rewrites_host_header off
>dns_nameservers 192.168.0.2
>icon_directory /usr/share/squid/icons
>cache_replacement_policy GDSF
>
>
>#Enable safe ports
>acl SSL_ports port 443 8443 563 777
>acl Safe_ports port 25 80 110 443 563 777 1863 210 119 70 21 1025-65535
>acl CONNECT method CONNECT
>
>#User authentication for HTTP access
>auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/.password
>auth_param basic children 5
>auth_param basic realm ACARA Proxy Server - TODO ACCESO A LA RED QUEDA REGISTRADO
>
>
># Uncommented by GH 24/09/03 for password authentication and blocking exe zip gz bz2 mp3 mpg mpeg ram rpm avi plus more
>acl password proxy_auth REQUIRED
>acl download urlpath_regex -i "/etc/squid/downloadeny.txt"
>
>
># GH 24/09/03
>acl all src 0.0.0.0/0.0.0.0
>acl manager proto cache_object
>acl localhost src 127.0.0.1/255.255.255.255
>acl redlocal src "/etc/squid/redlocal"
>
>
># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
># Example rule allowing access from your local networks. Adapt
># to list your (internal) IP networks from where browsing should
># be allowed
># acl our_networks src 192.168.1.0/24 192.168.2.0/24
># http_access allow our_networks
># Used to block downloads and allow other users - GH 07/01/03
>
>http_access allow password
>http_access allow localhost
>http_access allow redlocal
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>http_access deny download
>http_access deny all
>
>httpd_accel_host virtual
>httpd_accel_port 80
>httpd_accel_with_proxy on
>httpd_accel_uses_host_header on
>
>
>#cache control
>acl NOCACHE urlpath_regex -i \.php
>no_cache deny NOCACHE
>
>cache_mgr dmantelli@acara.org.ar
>cache_effective_user squid
>cache_effective_group squid
>log_icp_queries off
>
>buffered_logs on
>
>#END OF SQUID.CONF FILE
>____________________________________________________________________________________________________________________
>
>Pardon for the inconvenience.
>
>
>Thank you very much for your help.
>
>Damian Mantelli
>ARGENTINA

-- 
***************************************************************************
  / ''We can't become what we need to be by remaining what we are''\
  \ ,,                                                           ,,/
***************************************************************************
Received on Thu Sep 01 2005 - 01:51:24 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:02 MDT
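As an added example (not part of the thread), a small Python checker for the three points Ronny raises about the quoted iptables script: the stated LAN of 192.168.0.1/27 versus the 192.168.0.0/24 used in the rules, comment lines wrapped by the mail client that the shell would try to execute, and REDIRECT rules sending ports other than 80 to Squid's http_port. The script excerpt is constructed from the quoted rules; the checker and its finding names are assumptions.

```python
import ipaddress
import shlex

# Constructed excerpt of the quoted script (modprobe lines dropped, one comment
# left wrapped across two lines exactly as it arrived in the mail).
SCRIPT = """\
#!/bin/sh
/sbin/iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
#Masquerade all outgoing traffic, NOTE: internet access is
via interface eth1
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
"""

# A REDIRECT to http_port only works for plain HTTP: POP3, SMTP, MSN and FTP are
# other protocols, and HTTPS arrives as raw TLS that http_port cannot terminate.
PROXYABLE_PORTS = {80}


def check_rules(script, lan_cidr, squid_port=3128):
    """Lint an iptables script for the three problems raised in the thread.
    Returns a list of (line_number, kind, message) tuples."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)   # 192.168.0.1/27 -> /27 net
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if not argv[0].endswith("iptables"):
            # Continuation of a wrapped comment: the shell would try to run it.
            findings.append((lineno, "wrapped-line", f"not a command: {line!r}"))
            continue
        opts = dict(zip(argv, argv[1:]))  # option -> the token that follows it
        if "-s" in opts:
            try:
                net = ipaddress.ip_network(opts["-s"], strict=False)
            except ValueError:
                net = None
            if net is not None and net != lan:
                findings.append((lineno, "lan-mismatch",
                                 f"source {net} is not the stated LAN {lan}"))
        if opts.get("-j") == "REDIRECT" and opts.get("--to-port") == str(squid_port):
            port = int(opts.get("--dport", 0))
            if port not in PROXYABLE_PORTS:
                findings.append((lineno, "unproxyable-port",
                                 f"port {port} sent to Squid, which only proxies HTTP"))
    return findings
```

Running `check_rules(SCRIPT, "192.168.0.1/27")` reports the /24 source on the FORWARD rule, the stray `via interface eth1` line, and the POP3 and HTTPS redirects, while the port 80 redirect passes.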