[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(FWD) Re: [seul-edu] (FWD) IP chains / transparent proxy

----- Forwarded message from owner-seul-edu@seul.org -----

Date: Wed, 21 Jun 2000 00:39:38 -0700
From: "Daniel P. Kionka" <dan@kionka.org>
To: seul-edu@seul.org
Subject: Re: [seul-edu] (FWD) IP chains / transparent proxy

I tried the ipchains command below (to force all web traffic through
squid), but it did not work!  I finally got it going, so I thought I
should share what I found out.  (The goal is to configure the browser as
having a direct connection, but have everything go through squid so you
can add filtering.)

Configuring ipchains is not enough.  squid does not automatically take
these redirected packets.  You have to add a few lines to

	httpd_accel_host virtual
	httpd_accel_port 80
	httpd_accel_with_proxy  on
	httpd_accel_uses_host_header on

I got this directly from http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

That FAQ page does not have the right info for ipchains, though.

Speaking of setting up ipchains, I think I discovered the "right" way to
do it on RedHat 6.2.  It comes with a startup script:


To configure it, you manually run the ipchains commands you need
(interactively), and then run:

	/etc/rc.d/init.d/ipchains save

That creates the file /etc/sysconfig/ipchains which is used when you

I have given up using linuxconf to configure ipchains -- it always
brings down the network.


Roger Dingledine wrote:
> ----- Forwarded message from Andy Hall <ahall@mail.lexington.k12.mo.us> -----
> Date: Tue, 13 Jun 2000 08:45:42 -0500
> To: arma@MIT.EDU
> From: Andy Hall <ahall@mail.lexington.k12.mo.us>
> Subject: IP chains / transparent proxy
> The previous post basically said how we do it as well.  The ipchains
> command in our /etc/rc.d/rc.local file is:
> /sbin/ipchains -A input -p tcp -s -d 0/0 80 -j REDIRECT 3128
> This redirects everything from the internal network that goes out port 80
> to port 3128....
> We run our web server outside of our firewall for now, so I'm not sure I
> know the answer to your question.  If it is just an intranet and everyone
> is on the same subnet, then there is a setting to allow internal requests
> to bypass squid.
> If you're running your internet web server inside the firewall, e-mail and
> let me know how you're doing it.  We've figured it out, but it seems like a
> difficult process to me.
> Andy
> Andy Hall, Technology Director
> Lexington R-5 School District
> 100 South 13th Street                                           (660) 259-6571
> Lexington, MO  64067                                            ahall@mail.lexington.k12.mo.us
> ----- End forwarded message -----

----- End forwarded message -----