I mean

http://users.gurulink.com/drk/transproxy/TransparentProxy.html on

"6. Transparent Proxy to a Remote Box."

Thanks

-------- Original Message --------
Subject: Squid on remote Box
Date: Wed, 16 Mar 2005 17:16:35 +0700
From: Royke K <royke4k@cbn.net.id>
To: shorewall-users@lists.shorewall.net

How do I configure port forwarding/IP forwarding on Shorewall to squid on the remote box?

My problem is similar to the one described at: http://users.gurulink.com/drk/transproxy/TransparentProxy.html

I've read all of http://www.shorewall.net/Shorewall_Squid_Usage.html and a little of http://www.shorewall.net/FAQ.htm.

Please forgive me if I miss a(ny) clue here .. I'm a total newbie.

Thanks.

Regards

--
- What's your Windows version?
- 6.8.1!
- ???????

On Wed, 16 Mar 2005 17:19:40 +0700, Royke K <royke4k@cbn.net.id> wrote:
> I mean
>
> http://users.gurulink.com/drk/transproxy/TransparentProxy.html on
>
> "6. Transparent Proxy to a Remote Box."
>
> Thanks
>

Your question is covered on http://www.shorewall.net/Shorewall_Squid_Usage.html, section: Squid (transparent) Running in the local network

Royke K wrote:
> I mean
>
> http://users.gurulink.com/drk/transproxy/TransparentProxy.html on
>
> "6. Transparent Proxy to a Remote Box."
>

The solution that is described in that article sucks -- it makes all connections to the proxy look like they came from the firewall.

The documentation at http://www.shorewall.net/Shorewall_Squid_Usage.html covers everything you need to know. If your Squid Proxy is in your 'net' zone then use the DMZ instructions replacing 'dmz' with 'net' (you don't of course need a 'net'->'net' ACCEPT rule for HTTP though).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Royke K wrote:
>
>>I mean
>>
>>http://users.gurulink.com/drk/transproxy/TransparentProxy.html on
>>
>>"6. Transparent Proxy to a Remote Box."
>>
>
> The solution that is described in that article sucks -- it makes all
> connections to the proxy look like they came from the firewall.
>
> The documentation at http://www.shorewall.net/Shorewall_Squid_Usage.html
> covers everything you need to know. If your Squid Proxy is in your 'net'
> zone then use the DMZ instructions replacing 'dmz' with 'net' (you don't
> of course need a 'net'->'net' ACCEPT rule for HTTP though).
>

Although, if you are using masquerade/SNAT you may as well just use straight port forwarding for a proxy in the 'net' zone since all of the traffic is going to look like it came from your firewall anyway:

    DNAT    loc    net:<proxy ip>:3128    tcp    80

-Tom

I think you could do this with policy routing - MARK packets for the squid and "route" them via the squid box... I can't think of any other solution, and this is the reason I run squid on my firewall :)

Jan

Tom Eastep wrote:
>Royke K wrote:
>
>>I mean
>>
>>http://users.gurulink.com/drk/transproxy/TransparentProxy.html on
>>
>>"6. Transparent Proxy to a Remote Box."
>>
>
>The solution that is described in that article sucks -- it makes all
>connections to the proxy look like they came from the firewall.
>
>The documentation at http://www.shorewall.net/Shorewall_Squid_Usage.html
>covers everything you need to know. If your Squid Proxy is in your 'net'
>zone then use the DMZ instructions replacing 'dmz' with 'net' (you don't
>of course need a 'net'->'net' ACCEPT rule for HTTP though).
>
>-Tom

Oh sorry, I didn't look at the link - the thing in "Squid (transparent) Running in the DMZ" chapter is exactly it.

Tom Eastep wrote:
>Royke K wrote:
>
>>I mean
>>
>>http://users.gurulink.com/drk/transproxy/TransparentProxy.html on
>>
>>"6. Transparent Proxy to a Remote Box."
>>
>
>The solution that is described in that article sucks -- it makes all
>connections to the proxy look like they came from the firewall.
>
>The documentation at http://www.shorewall.net/Shorewall_Squid_Usage.html
>covers everything you need to know. If your Squid Proxy is in your 'net'
>zone then use the DMZ instructions replacing 'dmz' with 'net' (you don't
>of course need a 'net'->'net' ACCEPT rule for HTTP though).
>
>-Tom