[squid-users] redirect all ports to squid

Oleg Motienko motienko at gmail.com
Sat Oct 4 19:26:23 UTC 2014


Hello,

AFAIK it is possible to use redsocks software ( http://darkk.net.ru/redsocks/ ) with squid.

On Wed, Oct 1, 2014 at 1:49 AM, James Harper <james at ejbdigital.com.au> wrote:
>>
>> It's possible to redirect all ports to squid ? thru iptables ?
>> For example port 25 smtp,143 imap, etc...
>> Can squid handle that. In transparent mode.
>
> Yes. Kind of. You need:
> . An appropriate rule in iptables nat table that ends with -j REDIRECT --to-ports 3129 (or whatever port you are listening on for this traffic)
> . A https_port definition in squid.conf on that port with ssl-bump and a certificate (certificate doesn't get used unless you are doing actual https but the syntax requires it) and a port name
> . an acl attached to the name of the listeners myportname
> . an ssl_bump none that matches the traffic you are interested in (all if you aren't doing https interception)
>
> Now that you know you can do it, consider:
> . I've asked this question on the list and the response from people who really do know what they are talking about is that squid is not designed as a general tcp proxy and there are probably other solutions that work better
> . squid currently doesn't allow a sensible termination of the connection if it isn't allowed, or if there is nothing listening at the other end. Your smtp/pop3/imap/etc application won't like that.
> . you have to do authentication out-of-band (eg ident), but that's the same with transparent http anyway
>
> To do this really nicely, squid would need:
> . a "tcp_port" instead of "http_port" designed for exactly this sort of thing
> . a way to call out to the destination before accepting the connection so that a 'connection refused' could be given if there is nothing listening
> . a way to simply drop the connection if it doesn't succeed rather than the default response squid gives
> . a way to redirect traffic to a helper (eg SMTP/IMAP/POP3 filter to scan for viruses, etc) (maybe this already exists via other means?)
>
> So in short it works, but not as well as it could, and you might be better off finding another solution. The main reason I was interested is that Squid already has a very nice acl implementation, and there are already a number of good log analysis tools for it.
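The four items James lists, as an added example that is not from the thread: a POSIX shell script that generates a matching iptables-restore fragment and squid.conf fragment from one set of variables, so the port and listener name cannot drift apart. The interface name, certificate path and listener name are assumed placeholders; the `intercept` flag is what tells Squid that the port receives NAT-redirected connections.

```shell
#!/bin/sh
# Added example (not from the thread): emit the two config fragments James
# describes, an iptables nat REDIRECT rule set and the matching Squid listener,
# from one set of variables so the port and listener name stay consistent.
# Placeholders (assumed, not from the thread): LAN_IF, CERT, PORT_NAME.
set -eu

LAN_IF="${LAN_IF:-eth1}"              # interface the clients sit behind
SQUID_PORT="${SQUID_PORT:-3129}"      # port used in the thread
PORT_NAME="${PORT_NAME:-tcpredir}"    # listener name, reused by the acl
CERT="${CERT:-/etc/squid/bump.pem}"   # required by the https_port syntax

# iptables-restore fragment: one PREROUTING REDIRECT per destination port.
gen_nat_rules() {
    printf '*nat\n'
    for port in "$@"; do
        printf '%s -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "-A PREROUTING" "$LAN_IF" "$port" "$SQUID_PORT"
    done
    printf 'COMMIT\n'
}

# squid.conf fragment: intercept listener, acl on its name, no TLS bumping.
gen_squid_conf() {
    # "intercept" marks the port as receiving NAT-redirected connections.
    printf 'https_port %s intercept ssl-bump cert=%s name=%s\n' \
        "$SQUID_PORT" "$CERT" "$PORT_NAME"
    printf 'acl %s myportname %s\n' "$PORT_NAME" "$PORT_NAME"
    printf 'ssl_bump none %s\n' "$PORT_NAME"
    # Assumption: this line must sit ahead of the default deny rules, since
    # the redirected ports (25, 143, ...) are not in Safe_ports/SSL_ports.
    printf 'http_access allow %s\n' "$PORT_NAME"
}

# Write both fragments into DIR for review before loading them.
write_fragments() {
    dir=$1; shift
    mkdir -p "$dir"
    gen_nat_rules "$@" > "$dir/squid-redirect.nat"
    gen_squid_conf > "$dir/squid-redirect.conf"
    printf '%s\n' "$dir/squid-redirect.nat" "$dir/squid-redirect.conf"
}

# Usage: sh redirect-gen.sh OUTDIR 25 143 [more ports...]
[ "$#" -lt 2 ] || write_fragments "$@"
```

Load the nat fragment with `iptables-restore -n` and include the conf fragment from squid.conf; the `ssl_bump none` line keeps the bytes untouched, which is the non-HTTPS case James describes.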