I assume (incorrectly?) you're trying to set up
"interception" ("transparent") web filtering that a)
doesn't require any proxy settings in individual
clients and b) can't be bypassed.
That's exactly what we have (and I've grown so
accustomed to it I think of it as a "no-brainer"). We
used what were the default ports at the time, which
are backward from yours: for us 8080 is DansGuardian
and 3128 is Squid. You should be able to translate
everything as necessary.
-----
In shorewall we have
    REDIRECT loc 8080 tcp 80
In other words, grab all traffic where any browser is
trying to contact a web server (i.e. on 80) and
redirect it into DansGuardian instead. Note there is
only _one_ of these; we do _not_ use Shorewall to
redirect traffic on the other side of DansGuardian or
to double-redirect anything. (Of course you'll need to
tweak this slightly to accommodate your 192.168.0.3
system, which we do not have.)
-----
In DansGuardian configuration we have
    proxyport = 3128
In other words, do your thing, then pass traffic
upstream to Squid who is listening on this port.
-----
In Squid configuration we have
    http_port 127.0.0.1:3128
In other words listen for connection requests on this
port _only_ on the loopback port (i.e. _only_ from
this host, not from other computers on our LAN).
-----
If users try to bypass us by setting port 8080, they
just get DansGuardian anyway. If they try to bypass us
by going _through_ our firewall using port 3128, they
get to the remote website but the remote website
ignores them because it's not listening on 3128. If
they try to bypass DansGuardian by going _to_ our
firewall using port 3128, they time out because no
one's listening (Squid's listening only on the
"loopback" network, _not_ on the LAN.)
(I find the stuff you Googled and tried much much too
complicated and internally inconsistent, and suspect
it's either trying to solve a different problem or has
been mangled somehow. Shorewall is the best place to
do _some_ of this, but other parts may be better done
in app configurations. And each bit of the
configuration should be very simple: only 1 or 2
lines. More than that indicates something's wrong.)
I hope this helps.
good luck!
-Chuck Kollars
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
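
A consistency check for the three settings described in the message above, as an added example that is not part of the original post or of any of the three projects. It assumes the config files are passed in as text and that DansGuardian's listening port is set with its filterport option, a line the post describes but does not quote.

```python
import ipaddress
import re

def redirect_port(rules):
    """Port that a 'REDIRECT <zone> <port> tcp 80' rule sends web traffic to."""
    for line in rules.splitlines():
        f = line.split('#', 1)[0].split()
        if len(f) >= 5 and f[0] == 'REDIRECT' and f[3:5] == ['tcp', '80']:
            return int(f[2])

def dg_port(conf, key):
    """Integer value of 'key = value' in dansguardian.conf text, or None."""
    m = re.search(rf"^\s*{key}\s*=\s*(\d+)", conf, re.M)
    return int(m.group(1)) if m else None

def squid_listeners(conf):
    """(address or '', port) for every http_port line in squid.conf text."""
    fields = (l.split('#', 1)[0].split() for l in conf.splitlines())
    return [(f[1].rpartition(':')[0], int(f[1].rpartition(':')[2]))
            for f in fields if len(f) >= 2 and f[0] == 'http_port']

def loopback_only(addr):
    try:
        return ipaddress.ip_address(addr.strip('[]')).is_loopback
    except ValueError:  # empty (all interfaces) or a hostname we do not resolve
        return False

def check_chain(rules, dg_conf, squid_conf):
    """Return a list of problems; empty means the three settings line up."""
    problems = []
    redir, fport = redirect_port(rules), dg_port(dg_conf, 'filterport')
    pport, listeners = dg_port(dg_conf, 'proxyport'), squid_listeners(squid_conf)
    if redir is None:
        problems.append('no REDIRECT rule for tcp 80')
    elif redir != fport:
        problems.append(f'REDIRECT goes to {redir}, DansGuardian filterport is {fport}')
    if pport not in [p for _, p in listeners]:
        problems.append(f'DansGuardian proxyport {pport} is not a Squid http_port')
    for addr, port in listeners:
        if not loopback_only(addr):
            problems.append(f'Squid http_port {port} is not bound to loopback only')
    return problems

# Constructed sample inputs using the ports from the post (filterport is assumed).
RULES = "#ACTION SOURCE DEST PROTO DPORT\nREDIRECT loc 8080 tcp 80\n"
DG = "filterport = 8080\nproxyport = 3128\n"
SQUID_LOOPBACK = "http_port 127.0.0.1:3128\n"
SQUID_ALL = "http_port 3128\n"
print(check_chain(RULES, DG, SQUID_LOOPBACK), check_chain(RULES, DG, SQUID_ALL))
```

An empty list means the redirect lands on DansGuardian, DansGuardian forwards to a port Squid listens on, and Squid accepts connections only from the local host.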