Hi Antonio,
Antonio Pereira wrote:
> Hi Tek,
>
> Can you setup the same IP address range on the same linux box with squid?
>
> Example
>
> Nic1 192.168.0.2 this will connect to firewall
> Nic2 192.168.0.3 this will connect to backbone switch
>
Yes you can use the same IP address network range on the Linux Squid box.
But since you will be operating Squid in bridging mode, you don't need
to configure the network interfaces of Eth0 and Eth1.
You just need the "bridge-utils" package which contains the tools to
perform bridging.
Thanks to Ariel Molina Rueda for his tutorial at
http://freshmeat.net/articles/view/1433/
I just used the following shell script to setup the bridge:
#!/bin/sh
###Start of bridging script###
# Bring both NICs up without an IP address; they only carry frames for the bridge
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
# Create bridge br0 with eth0 (firewall side) and eth1 (backbone switch side) as ports
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
#Set IP 192.168.0.2 to br0 for SSH access to the squid box
#192.168.0.1 should match the IP of your Gateway (Firewall)
ifconfig br0 192.168.0.2 netmask 255.255.255.0 up
route add default gw 192.168.0.1 dev br0
#Redirect packets on port 80 to Squid's 3128 port on transparent bridge
# ebtables rewrites the destination MAC of TCP/80 frames to the bridge's own
# address so the local IP stack picks them up instead of plainly bridging them...
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
# ...and iptables then redirects those connections to the local Squid port
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
###End of Bridging script###
Run this script and add it to your boot/startup run directory.
Plug 1 cable from your backbone switch to the Squid box and another
cable to your Firewall.
If everything goes well, then you have your transparent squid bridge!!
And of course, Squid needs to be configured in transparent mode too.
Happy Proxying....
Thanking you...
>
>
>
> Antonio Pereira
> National IT Coordinator
> Coordinateur National de Technologies de l'Information
> Tél./Tel. : (514) 341-8181, ext./poste 267
> Téléc./Fax. : (514) 341-1253
> Cell: (514) 514-444-6086
> Sans Frais/Toll Free: (888) 338-6266 ext./poste 267
> Courriel / E-mail. : apereira@duocom.ca
>
> Duocom Canada Inc.
> 10000, Cavendish Blvd.
> Ville St. Laurent (Québec) H4M 2V1
> www.duocom.ca
>
>
> -----Original Message-----
> From: Tek Bahadur Limbu [mailto:teklimbu@wlink.com.np]
> Sent: Wednesday, September 19, 2007 2:21 AM
> To: Antonio Pereira
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid setup questions
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Antonio,
>
>
> On Tue, 18 Sep 2007 17:00:25 -0400
> "Antonio Pereira" <apereira@duocom.ca> wrote:
>
>> Ok Great.
>>
>> I have a hardware based firewall.
>>
>> What setup in the way of the squid box is best physically take the cable
>> from the firewall and put 2 nics on the squid box and plug 1 nic to the
>> firewall and the other to the backbone switch. Or just use 1 nic on the
>> squid box and put a rule in the firewall to allow only outbound http
>> traffic from the squid box.
>> Right now everyone defaults to the firewall and all http traffic goes
>> out to the internet. We also have VPN and web and ssl traffic coming in
>> from inbound http.
>
>
> I think the best layout would be to put 2 NIC cards on the Squid box. Like you said, plug the 1st cable to the firewall and the 2nd cable to your backbone switch where the 4 other sites connect.
>
> The following diagram may represent the simple layout.
>
>
>
> Internet
> |
> |
> |
> Transparent Squid Bridge Box
> |
> |
> Backbone Switch
> |
> |
> -------------------------------------------------
>     |           |           |           |
>     |           |           |           |
>   Site1       Site2       Site3       Site4
>
>
> I would like the Squid box to run in transparent bridging mode. This way, you don't have to change anything on your network. Furthermore if your Squid box should go down, which is unlikely, you just reconnect the cable from your backbone switch to your firewall and everything becomes normal again!
>
> Since we won't be running any firewall except for intercepting web requests to Squid's port, your VPN and SSL traffic should not get hampered.
>
> In fact, I am using this setup on a Debian shaper box and so far it is working great.
>
> Hope it helps.
>
>
> Thanking you...
>
>
>> Thanks again
>>
>> -----Original Message-----
>> From: Tek Bahadur Limbu [mailto:teklimbu@wlink.com.np]
>> Sent: Tuesday, September 18, 2007 4:13 PM
>> To: Antonio Pereira
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Squid setup questions
>>
>> Hi Antonio,
>>
>> Antonio Pereira wrote:
>>> Hello,
>>>
>>> I have pretty much redundant question but I would like some opinions
>>> before I venture into this possible solution.
>>>
>>> I have 4 sites on an MPLS network that access the internet via 1
>>> location, at this 1 location there is already a firewall. What I would
>>> like to do is start blocking web sites and start block web traffic.
>>>
>>> What is the best setup with squid for this type of setup? What
>> documents
>>> should I read for this type of setup?
>> Not sure about MPLS networking. However, in your case, it should be
>> simple. Just run Squid transparently on the gateway (firewall) from
>> where all 4 sites get access to the internet.
>>
>> Adding SquidGuard or DansGuardian or even custom ACLs will provide you
>> with all the web blocking functionalities.
>>
>> Thanking you...
>>
>>
>>> Thanks in advance
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>> --
>>
>> With best regards and good wishes,
>>
>> Yours sincerely,
>>
>> Tek Bahadur Limbu
>>
>> System Administrator
>>
>> (TAG/TDG Group)
>> Jwl Systems Department
>>
>> Worldlink Communications Pvt. Ltd.
>>
>> Jawalakhel, Nepal
>>
>> http://www.wlink.com.np
>>
>>
>>
>
>
> - --
>
> With best regards and good wishes,
>
> Yours sincerely,
>
> Tek Bahadur Limbu
>
> System Administrator
>
> (TAG/TDG Group)
> Jwl Systems Department
>
> Worldlink Communications Pvt. Ltd.
>
> Jawalakhel, Nepal
> http://wlink.com.np/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (FreeBSD)
>
> iD8DBQFG8L+zfpE0pz+xqQQRAg/rAJ4sgpGJzJr+snPl3H7CAleqqWE7nwCgq+g4
> 0MkQ4qe+lfsTRoAMKwIITio=
> =Sobk
> -----END PGP SIGNATURE-----
>
>
>
>
>
--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
Received on Wed Sep 19 2007 - 13:28:56 MDT
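A small check script to go with the bridging script above. This is an added example, not code from the original mail or from the Squid project: it reads the kernel's view of the bridge from sysfs, confirms that something is actually listening on Squid's port, and only then prints (or, with DRY_RUN=0, applies) the two redirect rules. The point is the failure mode the thread glosses over: if Squid dies, the ebtables/iptables redirect keeps steering every port-80 connection into a closed port, so VPN and SSL still bridge through but web access for all four sites fails. The bridge name br0, ports eth0/eth1 and port 3128 are taken from the script above; SYS_ROOT is an assumption added so the checks can be exercised against a constructed sysfs tree without root.

```sh
#!/bin/sh
# bridge-check.sh: added example, not from the original mail. Verifies the
# transparent Squid bridge state before installing the port-80 redirect.
# Assumptions: bridge br0 with ports eth0/eth1 and Squid on 3128, as in the
# mail's script; SYS_ROOT only exists so the checks can run against a
# constructed sysfs tree without root.

SYS_ROOT="${SYS_ROOT:-/sys}"
BRIDGE="${BRIDGE:-br0}"
PORTS="${PORTS:-eth0 eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# 0 if the bridge exists and each interface in PORTS is enslaved to it.
# The kernel lists a bridge's ports as entries under /sys/class/net/<br>/brif/.
bridge_ok() {
    brif="$SYS_ROOT/class/net/$BRIDGE/brif"
    [ -d "$brif" ] || { echo "bridge $BRIDGE not present" >&2; return 1; }
    for p in $PORTS; do
        [ -e "$brif/$p" ] || { echo "$p is not a port of $BRIDGE" >&2; return 1; }
    done
    return 0
}

# 0 if a TCP socket is in LISTEN state (st == 0A) on SQUID_PORT in a
# /proc/net/tcp-format table ($1, default /proc/net/tcp). Ports are hex there.
squid_listening() {
    table="${1:-/proc/net/tcp}"
    want=$(printf '%04X' "$SQUID_PORT")
    awk -v want="$want" '
        NR > 1 { split($2, a, ":"); if (a[2] == want && $4 == "0A") found = 1 }
        END { exit found ? 0 : 1 }' "$table"
}

# The two rules from the bridging script, in the order they must be applied.
redirect_rules() {
    cat <<EOF
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

# Install the redirect only when the bridge is up and Squid is listening.
# With Squid down the rules would still push every port-80 connection into a
# closed port: the bridge keeps forwarding VPN/SSL, but all web access fails.
# Leaving the rules out lets port 80 simply bridge through to the firewall.
# DRY_RUN=1 (the default) prints the rules instead of running them.
enable_intercept() {
    bridge_ok || return 1
    squid_listening "$1" || { echo "nothing listening on $SQUID_PORT; not redirecting" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then redirect_rules; else redirect_rules | sh -e; fi
}

# Usage on the bridge box (as root): DRY_RUN=0 sh bridge-check.sh check
case "${1:-}" in check) enable_intercept ;; esac
```

Run it from the same startup hook as the bridging script, after Squid has started, so the redirect is never installed ahead of the proxy. On the Squid side, the "transparent mode" the mail refers to is the http_port directive: Squid 2.6/2.7 and 3.0 spell it `http_port 3128 transparent`, and 3.1 and later spell the same thing `http_port 3128 intercept`.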