[squid-users] change packet flow to have transparent squid proxy

Eliezer Croitoru eliezer at ngtech.co.il
Sat Sep 15 18:44:33 UTC 2018


Hey,

What exactly are you trying to do?
HTTP proxies have their own ACL rules like in a firewall.
If you need to block specific traffic then you should enforce the ACL 
inside the proxy and not rely on the FW.
Adding an external ACL helper that will do the same thing as iptables is 
only a matter of minutes of coding.
If you have one example I believe I can try to write some helper that 
will do what you need.

All The Bests,
Eliezer

On 2018-09-15 08:23, morteza omidian wrote:
> Hi
> I am in dire need of using squid in my Linux iptables firewall as
> a transparent proxy.
> In my Linux iptables firewall I want to do iptables rules and controls
> in the forward chain and after that do HTTP filtering with squid; because
> of that I need to change the netfilter packet flow and send packets to
> squid (app layer, user space) after the forward chain, and then get them
> back to kernel space to continue their way in the forward chain and then
> go out, SOMETHING LIKE OTHER FIREWALLS AND UTMs (like pfSense or
> OPNsense and ....) do.
> In my situation, I want squid to be placed AFTER my FORWARD iptables
> rules; by default squid listens on an input port of the machine, but that's not
> what I want, and redirecting packets to the input chain does not work for
> me.
> I think NFQUEUE is a good solution for my problem, but I don't know
> whether it is possible to change the squid source code to get packets from
> nfqueue, or whether nfqueue can keep the packet state and handle TCP
> connections.
> I want to change my packet flow like this: client-request >>>
> prerouting > Nat > forward > squid-cache > post-routing >>>>
> HTTP(s)-server
> The IMPORTANT part is that forward rules must be checked before packets
> are forwarded to squid. I don't want packets destined for the input chain of
> the firewall. I thought maybe it's possible to use DAQ, like the way snort
> uses, or nfqueue in iptables. I need some help with that; please help
> me if it's possible or if THERE ARE ANY OTHER WAYS TO SOLVE IT.
> 
> Thanks a lot
> Morteza Omidian
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
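The kind of external ACL helper Eliezer suggests, as an added example that is not part of this thread and not Eliezer's code: a small Python helper that walks a constructed, iptables-style rule table (source network, destination port, verdict; first match wins, default deny) and answers Squid's `OK`/`ERR` protocol. The `squid.conf` lines in the docstring, the helper path `/usr/local/bin/fw_acl.py`, the networks and the ports are all assumptions made for the example; the `%DST` host is received but not used by these rules, since iptables cannot match on hostnames either.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper mirroring a small iptables-style rule table.

Added example (not from the squid-users thread). Assumed squid.conf wiring:

  external_acl_type fwrules ttl=60 concurrency=10 %SRC %DST %PORT /usr/local/bin/fw_acl.py
  acl fw_allowed external fwrules
  http_access deny !fw_allowed

With concurrency=N Squid writes one request per line
("<channel-id> <src-ip> <dst-host> <port>") and expects
"<channel-id> OK" or "<channel-id> ERR" back on stdout.
"""
import ipaddress
import sys

# Constructed rule table; first match wins, like a FORWARD chain walked top to bottom.
# Each entry: (source network, destination port or None for any port, verdict)
RULES = [
    (ipaddress.ip_network("10.0.5.0/24"), 443, "ERR"),   # guest LAN: no HTTPS
    (ipaddress.ip_network("10.0.5.0/24"), None, "OK"),   # guest LAN: everything else
    (ipaddress.ip_network("10.0.1.0/24"), None, "OK"),   # office LAN: all ports
]
DEFAULT_VERDICT = "ERR"  # equivalent of a DROP policy on the chain


def decide(src_ip: str, dst_port: int) -> str:
    """Return the verdict ('OK' or 'ERR') for a client address and destination port."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "ERR"  # malformed input from Squid never yields an allow
    for net, port, verdict in RULES:
        if src in net and (port is None or port == dst_port):
            return verdict
    return DEFAULT_VERDICT


def handle_line(line: str) -> str:
    """Parse one request line from Squid and build the reply line."""
    parts = line.split()
    # The first token is the channel id; it must be echoed back unchanged.
    if len(parts) != 4:
        channel = parts[0] if parts else "0"
        return f"{channel} ERR message=malformed"
    channel, src_ip, _dst_host, port_str = parts
    try:
        dst_port = int(port_str)
    except ValueError:
        return f"{channel} ERR message=badport"
    return f"{channel} {decide(src_ip, dst_port)}"


def main() -> None:
    # Squid waits for each reply, so flush after every line.
    for raw in sys.stdin:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because Squid caches helper answers for `ttl` seconds per distinct input line, a rule change only takes effect for new cache entries or after a reconfigure; keep the format keys limited to what the rules actually match on so the cache stays useful.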

