gabrix wrote:
I corrected the iptables, I'm not using torbuttoned clients so direct to port, squid has default configuration, "just" added 'cache_peer localhost parent 8118 7 no-query default' and 'never_direct allow all'.

coderman wrote:
Uahu! I already had this but I love collaboration and thanks! Contact me at skype gabx666 or visit the website I'm building at http://tor.gabrix.ath.cx, please keep in touch ok?

On 11/18/06, gabrix <gabrix@xxxxxxxxxxxxx> wrote:
[my transparent squid proxy isn't working]
try the following:
squid: make sure these elements are in your squid.conf
---cut---
httpd_accel_port 3128
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_peer localhost parent 8118 7 no-query default
header_access Via deny all
header_access From deny all
forwarded_for off
---end-cut---
privoxy: note that the cache_peer in squid config refers to SOCKS proxy in privoxy config.
---cut---
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
---end-cut---
tor: note that 9050 is the SOCKS proxy port for Tor.
iptables:
IPTABLES=/sbin/iptables # path to the iptables binary
INTIF=eth1 # internal network interface
EXTIF=eth0 # external default route / public interface
---cut---
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to 3128
---end-cut---
note that you'll want additional firewall / filter rules, and also that DNS leaks may be present. you will have to transparently proxy DNS via dns-proxy-tor or equivalent to avoid this, and the following filter rules can be used for transparent DNS proxy:
---cut---
$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to 65533
---end-cut---
where 65533 is where dns-proxy-tor is listening.
What I'm trying to do is:
I have tor+privoxy on each lan machine behind the gateway, now, I want lan http requests to go first locally "torbuttoned" and then, before going out to the internet, being proxied again by the gateway squid-tor-privoxy ... am I crazy? It's fun!
I have this iptables:
TOR=9001,9030,9031,9050,9090,9091 SQUID_PORT=3128
#$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s 192.168.1.0/24 -m owner --uid-owner debian-tor --dport 80 -j DNAT --to 192.16$
$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s 192.168.1.0/24 -m multiport --dports $TOR -j REDIRECT --to $SQUID_PORT
Http requests, once they leave my lan machines, don't go to port 80 but to a tor-socks port, so I was trying to get them to go through my squid gateway port one way ( --uid-owner ) or the other.
GGG!
$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to 3128
Squid is doing my head in.
Is squid httpd accelerator for filtering incoming http requests to inside lan's httpd servers? Might it be useless to consider it for clients outgoing to the internet?
SquidLogs:
1163999313.198 1 0.0.0.0 TCP_DENIED/400 1827 GET /safebrowsing/update?client=navclient-auto-ffox2.0&mozver=1.8.1-2006101022&version=goog-white-domain:1:17,goog-white-url:1:371,goog-black-url:1:7093,goog-black-enchash:1:13461 - NONE/- text/html
It looks to me like an ACL decision. I have clients netmask to 0.0.0.0 but it's just stdout for log files ... I will keep on trying different solutions ...
http_access allow all ... as start !
ciao !
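The gateway side of coderman's chain (iptables -> squid 3128 -> privoxy 8118 -> tor 9050, DNS -> dns-proxy-tor 65533), as an added example that is not from this thread: a POSIX sh script that emits the redirects plus the catch-all reject he alludes to with "additional firewall / filter rules", so LAN traffic that is not redirected cannot slip past tor. Variable and function names are my own; setting IPTABLES="echo iptables" previews the rules without touching the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Ports and interfaces follow the
# thread's values; IPTABLES defaults to the real binary, or set it to
# "echo iptables" for a dry run that only prints the rules.
IPTABLES="${IPTABLES:-iptables}"
INTIF="${INTIF:-eth1}"     # LAN side (coderman's INTIF)
EXTIF="${EXTIF:-eth0}"     # public side (coderman's EXTIF)
SQUID_PORT=3128            # squid transparent/accelerator port
DNS_PORT=65533             # dns-proxy-tor listener, as in the thread

tor_gateway_rules() {
    # LAN web traffic is redirected into squid, which hands it to privoxy
    # via cache_peer, and privoxy forwards over socks4a to tor.
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # LAN DNS is redirected into dns-proxy-tor so lookups are not leaked
    # to the ISP resolver.
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    # Replies for flows already accepted may continue (thread's rule).
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # Everything the LAN tries to send straight out that was not redirected
    # above would bypass tor entirely: log it, then reject it.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW \
        -j LOG --log-prefix "tor-bypass: "
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j REJECT
}

# Number of iptables invocations the ruleset performs, computed from a
# dry run in a subshell so the caller's IPTABLES setting is untouched.
tor_gateway_rule_count() {
    ( IPTABLES="echo iptables"; tor_gateway_rules ) | wc -l | tr -d ' '
}

# Apply for real only when asked; otherwise print the rules for review.
if [ "${1:-}" = "--apply" ]; then
    tor_gateway_rules
else
    IPTABLES="echo iptables"
    tor_gateway_rules
fi
```

Run with `--apply` as root on the gateway to load the rules; without it the script only prints them.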