Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] Transparent proxy ...
  • From: Richard Ems <r.ems.mtg@xxxxxxx>
  • Date: Mon, 05 Feb 2001 12:56:25 +0100
  • Message-id: <3A7E94E9.95AFA6B4@xxxxxxx>
Alexander Noack wrote:

> Hi Richard,
>
> I have a site where Squid is set up as a transparent proxy.
> What you will want to do is set up Squid to run as httpd_accel(erator)
> and to redirect the outgoing traffic on port 80 to Squid using ipchains.
>
> Here's part of the Squid-conf:
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> http_access deny !localdomains (where you set "acl localdomains src
> your.network/requirednetmask")
> proxy_auth /etc/httpd/htpasswd (having all users in /etc/httpd/htpasswd,
> use htpasswd that comes with apache)
>
> and to redirect the traffic execute
> ipchains -A output -i external_device -p TCP -d any/0 80 -j REDIRECT
> your_squid_port
>
> Make sure to have your kernel compiled with "Transparent_Proxy yes"
>
> You should consider not to cache ssl connections.
> Ftp will only work as ftp over http (e.g. the ftp your browser uses)
> I don't know of any NNTP proxy. What you can do is to set up a local
> newsfeed like leafnode and restrict access to it.
>
> You definitely should have a look at the Transparent Proxy mini-HOWTO
> (www.linuxdoc.org)
>
> Regards,
>
> Alex

Hi Alexander,

This solution is OK, I read about it but it's not enough. My kernel is of
course compiled with "Transparent proxy yes" and so on ... Did you read the
previous messages?
The problem is that the squid server is running on another PC (I called it
PC2 in my previous emails) and the packet filtering is happening on PC1 !!!

So I need to redirect to a port on another machine! This is not possible
directly with ipchains, isn't it?
Redirecting to another port on the same machine is not the problem.

Thanks, Richard

--
Richard Ems
... e-mail: r.ems@xxxxxxx
... Fachbereich Informatik, Universität Hamburg

Unix IS user friendly. It's just selective about who its friends are.



