Hi everyone, I'm trying to set up a small transparent proxy with squid. My lenny box has two network cards: eth0, connected to the Internet, and eth1 (static IP 192.168.0.1), connected with a crossover cable to a laptop.

I set up a DHCP server and configured it with gadmin-dhcpd, and everything is OK: the laptop gets its IP and gateway. But with squid I'm having big difficulties, in the sense that it doesn't work in transparent mode: I have to set the proxy manually in the laptop's browser.

With ifconfig the laptop gives me this configuration:

Indirizzo IP.............................192.168.0.2
Subnet mask..............................255.255.255.0
Gateway predefiniyo..................... 192.168.0.1

I'm copying and pasting my squid configuration:

http_port 192.168.0.1:3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow internal_network
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

I set the firewall rules with this script (found online at http://sourcelinux.wikidot.com/setting-up-squid-in-gateway-as-a-transparent-proxy):

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.0.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128
#($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

It doesn't work! I'm forced to set the proxy server in the laptop's browser, otherwise it can't browse, and I don't understand why. Most likely it's due to iptables, but unfortunately I don't understand much about iptables.

Does anyone have any suggestions?

Thank you. Bye, everyone.

--
Nobuteru
Linux Registered User #368935 since 01-10-2004
Powered by Debian Lenny
GPG Key fingerprint 0061 6CE8 02EB 0CAA 16E2 7ECD 1AC4 32A2 C30B A8ED
Jabber ID [email protected]
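Added example, not part of the original post or of the linked script: a small Python consistency check over the three settings interception depends on in the configuration above, namely the transparent flag on http_port, a nat rule on the LAN interface whose target matches Squid's listener, and an http_access rule that admits the client. The function names are hypothetical, the input is constructed from the post's lines with the shell variables expanded, and the parser assumes short iptables options and evaluates only http_access rules that name a single src ACL.

```python
import ipaddress
import shlex

# Constructed input: lines taken from the post, shell variables expanded by hand.
SQUID_CONF = """\
http_port 192.168.0.1:3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
http_access allow internal_network
http_access deny all
"""
NAT_RULES = "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128"

def directives(conf, name):
    """Argument lists of every `name` directive, comments stripped."""
    rows = (line.split("#")[0].split() for line in conf.splitlines())
    return [r[1:] for r in rows if r and r[0] == name]

def nat_targets(rules, lan_if):
    """Yield (ip, port) pairs that port-80 traffic entering on lan_if is rewritten to."""
    for a in map(shlex.split, rules.splitlines()):
        opt = {k: v for k, v in zip(a, a[1:]) if k.startswith("-")}
        if opt.get("-i") == lan_if and opt.get("--dport") == "80":
            if opt.get("-j") == "DNAT":
                yield tuple(opt["--to"].rpartition(":")[::2])
            elif opt.get("-j") == "REDIRECT":  # rewrites to lan_if's own address
                yield "", opt["--to-port"]

def check(conf, rules, lan_if, client_ip):
    """Mismatches between the interception rule and Squid's own settings."""
    problems = []
    listen, *flags = directives(conf, "http_port")[0]
    ip, _, port = listen.rpartition(":")
    if not {"transparent", "intercept"} & set(flags):
        problems.append("http_port is not in interception mode")
    targets = list(nat_targets(rules, lan_if))
    if not targets:
        problems.append(f"no nat rule rewrites port 80 arriving on {lan_if}")
    for t_ip, t_port in targets:
        if t_port != port or (ip and t_ip and t_ip != ip):
            problems.append(f"rule targets {t_ip}:{t_port}, Squid listens on {listen}")
    nets = {r[0]: ipaddress.ip_network(r[2], strict=False)
            for r in directives(conf, "acl") if r[1] == "src"}
    for action, *acls in directives(conf, "http_access"):  # first match wins
        if len(acls) == 1 and ipaddress.ip_address(client_ip) in nets.get(acls[0], ()):
            if action != "allow":
                problems.append(f"{client_ip} is denied by http_access {acls[0]}")
            break
    return problems
```

Calling `check(SQUID_CONF, NAT_RULES, "eth1", "192.168.0.2")` returns an empty list, meaning the http_port flag, the DNAT target and the ACL agree with each other. The check does not cover anything the client does before it opens the port-80 connection, such as DNS resolution, which an intercepted client performs itself.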

