[squid-users] Transparent proxy with squid and Dansguardian
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 1 11:10:32 UTC 2014
Please post a new thread email to the list instead of replying to an
existing topic. This has nothing to do with YouTube access control.
On 1/10/2014 11:23 p.m., Darren B. wrote:
>
> Hi
>
> I am trying to set up a router that allows a group of devices on a
> network to access the internet via Dansguardian and squid.
>
> I am setting it up as a transparent proxy and locking down the
> ports with IPtables.
>
> I am using IPtables to redirect connections on port 80 from the
> client and remap them to 8080 for dansguardian, dans is then set up
> to talk to squid on 127.0.0.1:3128
>
> the iptables rules are
>
> iptables -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
> iptables -A POSTROUTING -j MASQUERADE
>
> if I set the rule above to REDIRECT to 3128, the cache works as
> expected. If I set it above, I can see traffic in DG and in the
> cache log of squid but the target IF address is stripped out and I
> seem to be getting a forwarding loop.
>
> I am not sure what is going on but it seems that Dansguardian is
> rewriting the target address and getting squid to loop back on
> itself.
DG is opening a regular TCP connection from itself (127.0.0.1:*) to
Squid (127.0.0.1:3128). Nothing Special.
>
> All the various versions are current to ubuntu 14.04 although the
> dansguardian is a little old in this distro.
>
> Any pointers would be greatly appreciated.
Okay, some pointers...
* REDIRECT is NAT interception.
* You have DG configured to use Squid port 3128 *without* NAT between
them.
* You configured Squid to receive NAT traffic on port 3128.
* You configured Squid to receive explicitly configured clients (like
DG) on port 3129.
* You must only send the configured type of traffic to a Squid port.
Amos
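The port-type rule from the reply above, as an added example that is not part of the original thread or of the Squid project: a small checker that reads squid.conf and dansguardian.conf text and flags a sender pointed at the wrong kind of Squid port. The sample configs are constructed to mirror the setup described; `http_port ... intercept`, `proxyport` and `filterport` are the real directive names, while the function names are hypothetical.

```python
import re

# Constructed sample configs mirroring the setup described in the thread.
SQUID_CONF = """\
http_port 3128 intercept   # NAT (REDIRECT) traffic only
http_port 3129             # explicitly configured clients, e.g. DansGuardian
"""
DG_CONF = """\
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""

def squid_ports(conf):
    """Map each http_port to 'intercept' or 'forward'."""
    ports = {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "http_port":
            port = int(words[1].rsplit(":", 1)[-1])   # accepts "ip:port" too
            # "transparent" is the older spelling of "intercept"
            nat = {"intercept", "transparent"} & set(words[2:])
            ports[port] = "intercept" if nat else "forward"
    return ports

def dg_setting(conf, key):
    """Read an integer 'key = value' setting from dansguardian.conf text."""
    m = re.search(rf"^\s*{key}\s*=\s*(\d+)", conf, re.M)
    return int(m.group(1)) if m else None

def check(squid_conf, dg_conf, redirect_port):
    """Return a list of port-type mismatches; an empty list means consistent."""
    ports = squid_ports(squid_conf)
    problems = []
    proxyport = dg_setting(dg_conf, "proxyport")
    # DG opens a plain TCP connection to Squid, so it needs a forward-proxy port.
    if ports.get(proxyport) != "forward":
        problems.append(f"DansGuardian proxyport {proxyport} is not a forward-proxy port")
    # The iptables REDIRECT target must be DG's filterport or a Squid intercept port.
    if redirect_port != dg_setting(dg_conf, "filterport") and ports.get(redirect_port) != "intercept":
        problems.append(f"REDIRECT target {redirect_port} is not an intercept port")
    return problems

if __name__ == "__main__":
    for p in check(SQUID_CONF, DG_CONF, 8080):
        print("MISMATCH:", p)
```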