albright (Advocate)
Joined: 16 Nov 2003 | Posts: 2588 | Location: Near Toronto
Posted: Fri Mar 07, 2014 7:17 pm | Post subject: simple squid + shorewall question
I've got shorewall and squid (transparent) running on my desktop. This works fine for computers on the LAN; they all use the squid proxy.
My question is: is it possible for my desktop to also use the squid proxy?
Relevant rules in /etc/shorewall/rules:
Code:
# for squid
REDIRECT loc 3128 tcp www # redirect to Squid on port 3128
ACCEPT $FW net tcp www # allow Squid to fetch the www content
Obviously, if I try to redirect fw through 3128 there is a loop.
So is there any way to configure shorewall so the computer running squid (and shorewall) can use the squid proxy?
Sorry if this isn't very clear ...
_________________
.... there is nothing - absolutely nothing - half so much worth doing as simply messing about with Linux ... (apologies to Kenneth Grahame)
666threesixes666 (Veteran)
Joined: 31 May 2011 | Posts: 1248 | Location: 42.68n 85.41w
Posted: Fri Mar 07, 2014 7:51 pm
Can you set your browser to 127.0.0.1:3128 in proxy settings and get sites? I.e. use the proxy in non-transparent mode.
albright (Advocate)
Joined: 16 Nov 2003 | Posts: 2588 | Location: Near Toronto
Posted: Fri Mar 07, 2014 8:44 pm
Thanks, but no dice. If I set the proxy in a browser manually, I get:
Code:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://www.xxx/
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is root.
Generated Fri, 07 Mar 2014 20:42:03 GMT by xxx (squid/3.4.3)
666threesixes666 (Veteran)
Joined: 31 May 2011 | Posts: 1248 | Location: 42.68n 85.41w
albright (Advocate)
Joined: 16 Nov 2003 | Posts: 2588 | Location: Near Toronto
Posted: Fri Mar 07, 2014 9:36 pm
Thanks again ... I have tried googling to little avail.
My problem is not a general problem of access; all computers on the LAN *except* localhost access the net via squid perfectly.
Only localhost gets the error if I set the proxy manually, or, if no proxy is set, localhost retrieves directly from the net, ignoring squid's proxy.
I think the problem is that shorewall cannot redirect traffic from the net to localhost via the proxy because the proxy is running on localhost, so redirects would loop and squid couldn't get to the net. To put it another way, localhost has to have access to the net for squid to get content, but I want localhost to query squid for content, which entails a redirect of localhost away from the net (if you see what I mean).
This looks impossible, but I suspect there is a way to do it somehow ...????
666threesixes666 (Veteran)
Joined: 31 May 2011 | Posts: 1248 | Location: 42.68n 85.41w
Posted: Fri Mar 07, 2014 10:08 pm
In browser proxy settings try keeping the port the same, but try 0.0.0.0, localhost, 127.0.0.1, and finally the box's internal LAN IP address (i.e. 10.0.0.2, 192.168.0.2).
albright (Advocate)
Joined: 16 Nov 2003 | Posts: 2588 | Location: Near Toronto
Posted: Sat Mar 08, 2014 3:32 pm
Further research into squid, shorewall and iptables suggests this answer:
1. turn off shorewall's redirection rules
2. add these iptables commands after shorewall starts:
Code:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 31 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination mycomputerslocalIP:3128
(mycomputerslocalIP is the local address of the computer running shorewall and squid; the gid-owner is the squid user's group id)
I now see both the LAN clients and my desktop using the squid cache ...
Of course, being pretty deeply ignorant about iptables, I'm a little worried about whether I've done something Officially Bad ... any advice would be welcome
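The two nat OUTPUT rules from the last post, as an added example that is not code from the thread or from the shorewall/squid projects: a small POSIX sh helper that builds the rules from the host's LAN IP and squid's group, rejects a placeholder left in place of the address, and appends each rule only when it is not already loaded. The function names, the sample address 192.168.0.2 and the group name `squid` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the squid exemption + DNAT rules as data,
# so they can be checked before iptables is touched.

valid_ipv4() {
    # Reject empty input, non dotted-decimal characters, and octets over 255.
    # Catches "mycomputerslocalIP" being pasted without replacement.
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

squid_nat_rules() {
    # $1 = LAN IP of the squid/shorewall host, $2 = squid group (name or gid)
    valid_ipv4 "$1" || return 1
    # Order matters: nat OUTPUT is evaluated top-down, so the owner-match ACCEPT
    # for squid's own group must come before the DNAT. Otherwise squid's upstream
    # fetches on port 80 are sent back to port 3128 (the loop the thread describes).
    printf '%s\n' \
        "OUTPUT -p tcp --dport 80 -m owner --gid-owner $2 -j ACCEPT" \
        "OUTPUT -p tcp --dport 80 -j DNAT --to-destination $1:3128"
}

apply_rules() {
    # Append each rule only if an identical one is absent (-C returns non-zero),
    # so re-running after a shorewall restart does not stack duplicate rules.
    squid_nat_rules "$1" "$2" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule spec is intended
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
    done
}

# Usage (as root, after shorewall has started): apply_rules 192.168.0.2 squid
```

Because the rules live in the nat OUTPUT chain they only affect locally generated connections; the LAN clients are still handled by shorewall's own loc rule.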