Amos Jeffries wrote:
> Yan Seiner wrote:
>> Amos Jeffries wrote:
>>> Yan Seiner wrote:
>>>> I have a question about setting up squid in my environment.
>>>>
>>>> My network is fairly generic:
>>>>
>>>> a firewall running openwrt, 4 mb flash and 8 mb ram, providing NAT
>>>> a server providing DNS and DHCP services; this machine is also used
>>>> for terminal services so users are logged in to this machine directly
>>>> assorted clients
>>>>
>>>> I've had squid set up on a 'opt-in' basis. Now I have a request to
>>>> make it transparent for all users with the intent of disabling web
>>>> access during specified hours.
>>>>
>>>> The problem I have is that my firewall is not able to run squid,
>>>> and all the examples assume that the squid box is either the
>>>> firewall or provides NAT.
>>>>
>>>> Is it possible, without a huge amount of complications, to run
>>>> squid on this sort of setup?
>>>>
>>>> If so, does anyone have a recipe for doing so?
>>>>
>>>
>>> Squid box had best be the one doing NAT because all source info is
>>> lost during NAT interception and Squid needs to look it up. Note I
>>> wrote "NAT interception", thats a more correct name for "transparent".
>>>
>>> Squid does not have to be on the firewall or router to do NAT though:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>
>>> the tutorial ironically was written for people using OpenWRT :)
>>>
>>> Amos
>> Hi Amos:
>>
>> Obvously I got something just half right:
>>
>>
>> The requested URL could not be retrieved
>>
>> ------------------------------------------------------------------------
>>
>> While trying to retrieve the URL:
>> http://arstechnica.com/tech-policy/news/2009/05/landmark-study-drm-truly-does-make-pirates-out-of-us-all.ars
>>
>>
>> The following error was encountered:
>>
>> Unable to determine IP address from host name for /arstechnica.com/
>> The dnsserver returned:
>>
>> Server Failure: The name server was unable to process this query.
>> This means that:
>>
>
> Is it actually using the '/' there?
> It looks a lot like the 'transparent' option to http_port is missing
> still.
>
>
>>
>> I've configured this as best as I can following
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>> on the firewall/router
>> and
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect on
>> the squid box.
>>
>> As soon as I enable the iptablesPolicyRoute on the fw my DNS fails....
>>
>> I can't figure out why.... Those rules should only affect tcp packets
>> to port 80.
>>
>> Does anyone have this setup working? Could they please send me some
>> instructions for morons?
>
> That was them ;).
>
> Does the Squid box have normal DNS if its used as a regular proxy
> without the PolicyRouting?
>
> Amos
DUH! OK, my turn to feel stupid....
Turns out my firewall rules were blocking forwarding from internal_if to
internal_if - so the firewall "loopback" to the squid box was getting
dropped.
Now everything is OK; on to the next step - time based web access -
which is why I started this whole thing!
--Yan
Received on Sat May 30 2009 - 14:34:55 MDT
This archive was generated by hypermail 2.2.0 : Sat May 30 2009 - 12:00:02 MDT