[squid-users] redirect all ports to squid

James Harper james at ejbdigital.com.au
Tue Sep 30 21:49:30 UTC 2014


> 
> It's possible to redirect all ports to squid ? thru iptables ?
> For example port 25 smtp,143 imap, etc...
> Can squid handle that. In transparent mode.

Yes. Kind of. You need:
. An appropriate rule in the iptables nat table that ends with -j REDIRECT --to-ports 3129 (or whatever port you are listening on for this traffic)
. An https_port definition in squid.conf on that port with ssl-bump and a certificate (the certificate doesn't get used unless you are doing actual https, but the syntax requires it) and a port name
. an acl attached to the name of the listener (myportname)
. an ssl_bump none that matches the traffic you are interested in (all of it, if you aren't doing https interception)

Now that you know you can do it, consider:
. I've asked this question on the list, and the response from people who really do know what they are talking about is that squid is not designed as a general tcp proxy and there are probably other solutions that work better
. squid currently doesn't allow a sensible termination of the connection if it isn't allowed, or if there is nothing listening at the other end. Your smtp/pop3/imap/etc application won't like that.
. you have to do authentication out-of-band (e.g. ident), but that's the same with transparent http anyway

To do this really nicely, squid would need:
. a "tcp_port" instead of "http_port" designed for exactly this sort of thing
. a way to call out to the destination before accepting the connection so that a 'connection refused' could be given if there is nothing listening
. a way to simply drop the connection if it doesn't succeed rather than the default response squid gives
. a way to redirect traffic to a helper (e.g. an SMTP/IMAP/POP3 filter to scan for viruses, etc) (maybe this already exists via other means?)

So in short it works, but not as well as it could, and you might be better off finding another solution. The main reason I was interested is that Squid already has a very nice acl implementation, and there are already a number of good log analysis tools for it.

James
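The four pieces James lists (nat REDIRECT rule, named https_port with ssl-bump and a certificate, myportname acl, ssl_bump none) put together as one runnable script. This is an added example, not code from the original post or from the Squid project. The interface eth1, the subnet 192.168.1.0/24, the certificate path, the port name "tcpproxy", the port list 25/110/143 and the http_access line are my assumptions; the post does not give them. The script only generates the rules and the squid.conf fragment as text, and applies the nat rules only if run as root.

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): generate
# the iptables nat REDIRECT rules and the squid.conf fragment for handing
# intercepted plain-TCP ports to Squid. All concrete values below are
# hypothetical assumptions, not taken from the post.
set -eu

PORTS="25 110 143"            # assumed: smtp, pop3, imap
SQUID_PORT=3129               # the listener port used as an example in the post
LAN_IF=eth1                   # assumed LAN-facing interface
LAN_NET=192.168.1.0/24        # assumed LAN subnet
CERT=/etc/squid/bump.pem      # assumed cert; unused unless real https is bumped
PORT_NAME=tcpproxy            # assumed name= for the listener

# One nat PREROUTING rule per port. PREROUTING only sees traffic arriving on
# $LAN_IF, so Squid's own outbound connections (OUTPUT chain) are not sent
# back into the listener. The rules are emitted as text, not applied here.
gen_iptables_rules() {
    for p in $PORTS; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$LAN_IF" "$LAN_NET" "$p" "$SQUID_PORT"
    done
}

# squid.conf fragment: https_port listener with ssl-bump, a certificate and a
# name; a myportname acl bound to that name; ssl_bump none for that traffic so
# Squid tunnels it without TLS interception. "intercept" is what REDIRECTed
# (transparent) traffic needs. The http_access line is my assumption; the post
# does not say whether an access rule is required for this traffic.
gen_squid_conf() {
    cat <<EOF
https_port $SQUID_PORT intercept ssl-bump cert=$CERT name=$PORT_NAME
acl ${PORT_NAME}_traffic myportname $PORT_NAME
acl localnet src $LAN_NET
ssl_bump none ${PORT_NAME}_traffic
http_access allow localnet ${PORT_NAME}_traffic
EOF
}

# Apply the nat rules only when running as root; otherwise print them (dry run).
apply_iptables_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: dry run only" >&2
        gen_iptables_rules
        return 0
    fi
    gen_iptables_rules | while IFS= read -r rule; do
        sh -c "$rule"
    done
}

echo "# iptables rules:"
gen_iptables_rules
echo "# squid.conf fragment:"
gen_squid_conf
```

Restricting the REDIRECT with -s to the LAN subnet keeps the rule from catching traffic you did not mean to proxy; the caveats in the post still apply, in particular that a refused or dead upstream is not reported back to the client as a refused connection.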
