On 07/08/17 10:05, Ahmed Alzaeem wrote:
the game I’m looking for may be complex a bit .
well here is the game :
i have squid ruling on IPV6 and 1 ipv4
so i have an ipv4 126.96.36.199 address which go to null 0 network which mean a
fake route .
buy that i prevent the IPV4 websites from loading .
so above is sufficient for that :
acl ip1 myip 188.8.131.52
tcp_outgoing_address 184.108.40.206 ip1
but sometimes i want to allow the IPV4 websites but for certain source of ips
but i cant match the src ip address with the acl “myip” so that some ips get
ipv6 websites only and other get both ipv4/ipv6
Ah. Maybe understanding now.
The current Squid compare the IP address type on tcp_outgoing_address
with the IP type of the server connection. So lines containing an IPv4
are never applied to IPv6 outbound traffic, and lines with a v6 are
never used for IPv4 outbound traffic.
So, to let every body reach IPv6 servers, just do not set
tcp_outgoing_address lines with IPv6 address. That includes any IPv4
clients using Squid to reach IPv6 servers.
For the clients that you want to block IPv4 outgoing connections, since
you have two criteria (X clients going to Y domains) you need two ACLs;
one to match the clients IPs and one to match the domains.
# the clients which might be allowed
acl special_clients src 220.127.116.11/32
# the domains those clients are allowed to visit over IPv4
acl special_domains dstdomain .example.com
# ... and maybe some servers only known by their IPv4
acl special_domain_ips dst 192.168.0.1
# match if both client AND domain criteria match
acl allow_ipv4 all-of special_clients special_domains
# or, match if both client and domain-IP criteria match
acl allow_ipv4 all-of special_clients special_domain_ips
# ... send other clients (non-allowed) out the nul-route IPv4
tcp_outgoing_address 18.104.22.168 !allow_ipv4
If you have a Squid lacking the 'all-of' ACL type (older than 3.4) the
below should work instead of those last three lines, though I have not
tcp_outgoing_address 0.0.0.0 special_clients special_domains
tcp_outgoing_address 0.0.0.0 special_clients special_domain_ips
# otherwise use the nul-routed outgoing IP
thats why i posted the question , I’m sure amos u will give me magical solution
next post :)
:-) maybe, I'm still not sure I understand you completely yet. But the
above certainly seems like magic.
squid-users mailing list