Gentoo Forums
simple squid + shorewall question
albright
Advocate

Joined: 16 Nov 2003
Posts: 2548
Location: Near Toronto

Posted: Fri Mar 07, 2014 7:17 pm    Post subject: simple squid + shorewall question

I've got shorewall and squid (transparent) running on my desktop.

This works fine for computers on the lan. They all use the squid
proxy.

My question is: is it possible for my desktop to also
use squid proxy?

relevant rules in /etc/shorewall/rules

Code:
# for squid
REDIRECT        loc     3128    tcp     www # redirect to Squid on port 3128
ACCEPT          $FW     net     tcp     www # allow Squid to fetch the www content


Obviously, if I try to redirect fw through 3128 there is a loop.

So is there any way to configure shorewall so the computer running squid (and
shorewall) can use the squid proxy?

Sorry if this isn't very clear ...
_________________
.... there is nothing - absolutely nothing - half so much worth
doing as simply messing about with Linux ...
(apologies to Kenneth Graeme)
666threesixes666
Veteran

Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Fri Mar 07, 2014 7:51 pm

Can you set your browser to 127.0.0.1:3128 in proxy settings and get sites? I.e., use the proxy in non-transparent mode.
albright
Advocate

Joined: 16 Nov 2003
Posts: 2548
Location: Near Toronto

Posted: Fri Mar 07, 2014 8:44 pm

Thanks, but no dice; if I set the proxy in a browser manually, I get

Code:

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.xxx/

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.


Generated Fri, 07 Mar 2014 20:42:03 GMT by xxx (squid/3.4.3)

666threesixes666
Veteran

Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Fri Mar 07, 2014 9:03 pm

http://ubuntuforums.org/archive/index.php/t-1685730.html

From the output of the local box, you're clearly reaching squid. I think that post might help you. If it doesn't, googling your error might help.
albright
Advocate

Joined: 16 Nov 2003
Posts: 2548
Location: Near Toronto

Posted: Fri Mar 07, 2014 9:36 pm

Thanks again ... I have tried googling to little avail.

my problem is not a general problem of access; all computers
on the lan *except* localhost access the net via squid
perfectly.

only localhost gets the error if I set the proxy manually, or,
if no proxy set, localhost retrieves directly from the net
ignoring squid's proxy

I think the problem is that shorewall cannot redirect
traffic from the net to localhost via proxy because the
proxy is running on localhost, so redirects would loop
and squid couldn't get to the net. To put it another way,
localhost has to have access to the net for squid to
get content, but I want localhost to query squid for
content which entails a redirect of localhost away
from the net (if you see what I mean :) )

This looks impossible but I suspect there is
a way to do it somehow ...????
666threesixes666
Veteran

Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Fri Mar 07, 2014 10:08 pm

In browser proxy settings, try keeping the port the same, but try 0.0.0.0, localhost, 127.0.0.1, and finally the box's internal LAN IP address (i.e. 10.0.0.2, 192.168.0.2).
albright
Advocate

Joined: 16 Nov 2003
Posts: 2548
Location: Near Toronto

Posted: Sat Mar 08, 2014 3:32 pm

Further research into squid, shorewall and iptables suggests this answer:

1. turn off shorewall's redirection rules
2. add these iptables commands after shorewall starts:

Code:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 31 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination mycomputerslocalIP:3128


(mycomputerslocalIP is the local address of the computer running shorewall and squid; the gid-owner is
the squid user's group id)

I now see both the lan clients and my desktop using the squid cache ...

Of course, being pretty deeply ignorant about iptables I'm a little worried about whether
I've done something Officially Bad ... any advice would be welcome
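As an added example (not code from the thread), a small POSIX shell script that generates the two bypass rules from the last post, looking up squid's gid with getent instead of hard-coding 31, and a check that an existing `iptables -t nat -S OUTPUT` listing has the owner-match ACCEPT ahead of the DNAT, which is the ordering that prevents the loop. The group name `squid` and the added `! -o lo` match are assumptions.

```shell
#!/bin/sh
# Added example: emit the local-traffic bypass rules described in the thread.
# Assumes squid runs under a group named "squid"; $1 is a fallback gid.

squid_gid() {
    # Numeric gid of the squid group, or the fallback given as $1
    # (the thread used 31) when getent is missing or the group is absent.
    gid=$(getent group squid 2>/dev/null | cut -d: -f3)
    if [ -n "$gid" ]; then printf '%s\n' "$gid"; else printf '%s\n' "$1"; fi
}

bypass_rules() {
    # $1 = LAN IP of the squid/shorewall box, $2 = squid gid.
    # Order matters: the ACCEPT for squid's own gid must precede the DNAT,
    # otherwise squid's outbound port-80 fetches are sent back to squid and
    # loop. "! -o lo" (an addition) keeps loopback-bound connections out of
    # the redirect; everything else is the thread's rule set.
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner %s -j ACCEPT\n' "$2"
    printf 'iptables -t nat -A OUTPUT ! -o lo -p tcp --dport 80 -j DNAT --to-destination %s:3128\n' "$1"
}

rules_ok() {
    # Reads a rule listing on stdin (e.g. "iptables -t nat -S OUTPUT").
    # Returns 0 when an owner-match ACCEPT comes before the first DNAT to
    # port 3128, 1 otherwise (missing bypass or wrong order = loop risk).
    awk '/gid-owner/ && /ACCEPT/ { acc = NR }
         /DNAT/ && /:3128/ { dnat = NR; exit }
         END { exit !(acc && dnat && acc < dnat) }'
}
```

The script only prints the commands, so it is safe to run anywhere; apply them with `bypass_rules 192.168.0.2 "$(squid_gid 31)" | sh` after shorewall has started, and verify with `iptables -t nat -S OUTPUT | rules_ok`.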