On 21 Jan 2010, at 18:59, Joseph wrote:
...
Yes, the squid is working OK.
But I'm not sure if it is possible to accomplish what I want.

iptables + squid are running on a single box, so I want:
INCOMING access from the Internet is OPEN - I don't need or want to block anything, as I have an external firewall. OUTBOUND access to the Internet denied (except one or two domains) - so I think squid is perfectly suitable for it and it is working OK. iptables I only wanted to use as a forwarder to the squid proxy, so it doesn't matter what browser the user will use; everything will go via squid except access to localhost (127.0.0.1).

...
Maybe it is not possible with a single interface eth0.

I believe that running Squid in conjunction with iptables is known as running in "interception" mode.

It may well indeed not be possible to do this with only one interface. How do you ensure that packets reach this machine? I think usually interception mode is run on a machine with two interfaces - you'd route or (I guess) bridge through it. iptables can then snatch the packets. I don't believe you can route through a machine with only one interface (although my memory of routing is hazy, so I may be quite mistaken) because packets going out will collide with those coming in. So I'm not really sure how the machines on your LAN know to send web packets to your Squid machine. Perhaps you can explain?

I manage a site at which Squid sits on a machine with only one interface. That machine is not a router, and Squid does not run in interception mode. I ended up writing a wpad.dat file and pointing the DNS for wpad.domain.local to the local webserver. This is not a properly secure method of forcing the users to use the proxy - really, the gateway should additionally use iptables to drop any web connections coming from any machine except the proxy - but at this site all the users are on a Windows domain, and they're unable (and too clueless, anyway) to configure their browsers not to use the proxy.

I don't remember why I configured the site exactly this way - there's a little more I want to do with Squid, but I haven't got around to it. I set up this site a while ago and forgot about it. But I do know that Squid can be run in different ways and interception mode isn't suitable for all purposes (I had myself, as a beginner, assumed everyone did use interception mode).

This stuff is very well documented at the Squid site - http://wiki.squid-cache.org/SquidFaq is a good start. My experience was excellent support - which really answered my question and helped me see where I was going wrong - from a Squid developer within 48 hours of posting to the Squid mailing list.

Stroller.
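A wpad.dat of the kind Stroller describes, added here as an illustration rather than taken from the thread: browsers fetch it from the wpad host and call FindProxyForURL() for every request. The proxy name proxy.domain.local, Squid's default port 3128 and the 192.168.1.0/24 LAN are assumptions; the helper functions at the top are stand-ins for the ones browsers supply, so the script can also be exercised under Node.

```javascript
// Stand-ins for the helpers a browser's PAC engine provides (assumption:
// minimal re-implementations, not browser code, so this file runs outside
// a browser too).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }
function isInNet(host, pattern, mask) {
  // Only literal IPv4 hosts are matched; a browser would resolve names first.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// Assumed proxy location: the Squid box on its default port.
const PROXY = "PROXY proxy.domain.local:3128";

function FindProxyForURL(url, host) {
  // The local machine stays direct, as Joseph wanted for 127.0.0.1.
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // Unqualified names and the internal domain are LAN-local: no proxy needed.
  if (isPlainHostName(host) || dnsDomainIs(host, ".domain.local")) return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT"; // assumed LAN range
  // Everything else goes through Squid, where the egress ACLs live. There is
  // deliberately no "; DIRECT" fallback: if the proxy is down, browsing fails
  // closed instead of silently bypassing the outbound policy.
  return PROXY;
}
```

This only steers browsers that honour the PAC file; as Stroller notes, the gateway still needs an iptables rule dropping web traffic from every LAN host except the proxy for the policy to actually hold.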

