LinuxQuestions.org
Old 06-20-2011, 12:20 PM   #1
NoTeef
LQ Newbie
 
Registered: Jun 2011
Posts: 3

iptables/Squid with outgoing traffic


Hi there,
I'm trying to set up a squid proxy to filter outgoing traffic. I want to set up squid on the local machine and have outgoing http requests go through the proxy (which I can eventually set up rules for).

I've been reading these posts to try and get myself going:
(I'm not sure if I need to use dansguardian which is suggested in the second post, but avoided in the first)
http://forums.gentoo.org/viewtopic-p-6142685.html
http://www.linuxquestions.org/questi...tering-423139/

By turning on some of the debugging levels and sections in squid, I can see that http requests are getting passed to squid, but Firefox shows an "Error: Requested URL could not be retrieved." As a test to make sure I had squid working at all, I entered the proxy information into Firefox (edit->preferences->advanced->network->settings->manual proxy configuration) and connections are made fine. Normally, this would be fine, but I need to make the outgoing traffic filtering invisible using iptables (or another solution if there's something out there; the instructions posted at the squid wiki don't seem to solve the problem either).

Here are some details of what I've done:

squid.conf: (there are some default acl lines in there as well that I think are irrelevant)
debug_options ALL,2
http_access allow all #might as well open up everything for now
http_port 3128
http_port 3129 tproxy #not using currently
cache_effective_user squid
cache_effective_group squid

terminal commands:
groupadd -r squid
useradd -g squid -d /var/spool/squid -s /bin/false -r squid

iptables rules:
#accept localhost
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT

#for now, simply route everything through squid with no filtering
#until the basic case works
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

Any suggestions would be much, much appreciated! Let me know if more information would be helpful, too.
Thanks in advance.
 
Old 06-27-2011, 07:04 AM   #2
NoTeef
LQ Newbie
 
Registered: Jun 2011
Posts: 3

Original Poster
Stupid stupid stupid!

Everything was fine except for

http_port 3128

needs to be enabled as

http_port 3128 intercept

since intercept is replacing (has replaced?) transparent to set up an intercept port.
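The setup the two posts above arrive at, as an added example that is not code from the thread: it prints the nat/OUTPUT rules as a dry run (nothing is applied) and checks a squid.conf for the root cause found here, a REDIRECT target port that is not declared with intercept. The sample configs are constructed from the values in the original post; the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry run of the REDIRECT-to-Squid
# setup above, plus a check for the root cause found in post #2, a REDIRECT
# target port that squid.conf does not declare as an intercept port.

PROXY_PORT=3128   # port the REDIRECT rule sends port-80 traffic to
PROXY_USER=squid  # cache_effective_user; its own traffic must bypass the redirect

# Emit the nat/OUTPUT rules without applying them. The owner match is what
# stops Squid's outbound fetches from being redirected back into Squid (a loop).
gen_redirect_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
EOF
}

# Read squid.conf on stdin; succeed only if PORT ($1) is an http_port carrying
# the "intercept" keyword (or the deprecated "transparent" alias). "tproxy" does
# not count: that mode pairs with the iptables TPROXY target, not with REDIRECT.
check_intercept_port() {
    sed 's/#.*//' |
        grep -Eq "^[[:space:]]*http_port[[:space:]]+([^[:space:]]*:)?$1([[:space:]]+[^[:space:]]+)*[[:space:]]+(intercept|transparent)([[:space:]]|\$)"
}

# Constructed sample configs: the lines from the original post and the corrected ones.
BROKEN_CONF='debug_options ALL,2
http_port 3128
http_port 3129 tproxy #not using currently'
FIXED_CONF='debug_options ALL,2
http_port 3128 intercept
http_port 3129 tproxy #not using currently'

report() {  # usage: report LABEL CONF_TEXT
    if printf '%s\n' "$2" | check_intercept_port "$PROXY_PORT"; then
        echo "$1: port $PROXY_PORT is an intercept port, REDIRECTed requests will be accepted"
    else
        echo "$1: port $PROXY_PORT is a plain forward-proxy port, REDIRECTed requests will fail"
    fi
}

gen_redirect_rules
report "original squid.conf" "$BROKEN_CONF"
report "fixed squid.conf" "$FIXED_CONF"
```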
 
Old 06-27-2011, 07:09 AM   #3
Lexus45
Member
 
Registered: Jan 2010
Distribution: Debian, Centos, Ubuntu, Slackware
Posts: 361
Blog Entries: 3

Filter with Squid ACLs.

What Squid version do you run?
I'm not sure if the "tproxy" option can be used. Maybe "transparent" will do?

Oh. Delete my post please.

Last edited by Lexus45; 06-27-2011 at 07:13 AM.
 
Old 06-27-2011, 07:29 AM   #4
NoTeef
LQ Newbie
 
Registered: Jun 2011
Posts: 3

Original Poster
Hey there,
Thanks for the reply. I'm using squid 3.1.12. Like I said above (we must have posted at nearly the same time), it is working now. I was going to use ACL rules to filter, but I'm planning on making some modifications to squid in the future that wouldn't really work with this approach.

I think in past versions transparent will do (and maybe in the current version), but I think future versions of squid are going to remove "transparent" in favor of "intercept" completely.
 