On 07/08/17 10:05, Ahmed Alzaeem wrote:
the game I’m looking for may be complex a bit .


well here is the game :


i have squid ruling on IPV6 and 1 ipv4

so i have an ipv4  1.1.1.1 address which go to null 0 network  which mean a 
fake route .

buy that i prevent the IPV4 websites from loading .
so  above is sufficient for that :


acl ip1 myip 12.58.120.72
tcp_outgoing_address 1.1.1.1 ip1



but sometimes i want to allow the IPV4 websites but for certain source of ips 
but i cant match the src ip address with the acl “myip” so that some ips get 
ipv6 websites only and other get both ipv4/ipv6

Ah. Maybe understanding now.

The current Squid compare the IP address type on tcp_outgoing_address with the IP type of the server connection. So lines containing an IPv4 are never applied to IPv6 outbound traffic, and lines with a v6 are never used for IPv4 outbound traffic.

So, to let every body reach IPv6 servers, just do not set tcp_outgoing_address lines with IPv6 address. That includes any IPv4 clients using Squid to reach IPv6 servers.


For the clients that you want to block IPv4 outgoing connections, since you have two criteria (X clients going to Y domains) you need two ACLs; one to match the clients IPs and one to match the domains.

 # the clients which might be allowed
 acl special_clients src 12.58.70.10/32

 # the domains those clients are allowed to visit over IPv4
 acl special_domains dstdomain .example.com

 # ... and maybe some servers only known by their IPv4
 acl special_domain_ips dst 192.168.0.1


 # match if both client AND domain criteria match
 acl allow_ipv4 all-of special_clients special_domains

 # or, match if both client and domain-IP criteria match
 acl allow_ipv4 all-of special_clients special_domain_ips

 # ... send other clients (non-allowed) out the nul-route IPv4
 tcp_outgoing_address 1.1.1.1 !allow_ipv4


If you have a Squid lacking the 'all-of' ACL type (older than 3.4) the below should work instead of those last three lines, though I have not tried it:


  tcp_outgoing_address 0.0.0.0 special_clients special_domains
  tcp_outgoing_address 0.0.0.0 special_clients special_domain_ips

  # otherwise use the nul-routed outgoing IP
  tcp_outgoing_address 1.1.1.1






thats why i posted the question , I’m sure amos u will give me magical solution 
next post :)


:-) maybe, I'm still not sure I understand you completely yet. But the above certainly seems like magic.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to