Hi!

I want to redirect all http and https traffic from my LAN to squid in DMZ - transparent proxy.
How do I do that?

Regards,
Sasa
sasa wrote on 12/05/2005 14:20:16:

> Hi!
>
> I want to redirect all http and https traffic from my LAN to squid in DMZ -
> transparent proxy.
> How do I do that?
>
> Regards,
> Sasa

oh man, let me be the first to say: read the FAQ! read the documentation!

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
In rules, you should be able to do something similar to the following, provided your "zones" and "interfaces" are set up correctly:

    #ACTION  SOURCE  DEST               PROTO  DEST        SOURCE   ORIGINAL
    #                                          PORT        PORT(S)  DEST
    DNAT     loc     dmz:<ip of proxy>  tcp    http,https

Change loc to your LAN zone, and dmz to your DMZ zone. Provide the IP address of the proxy server.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Sasa Stupar
Sent: Thursday, May 12, 2005 12:20 PM
To: Shorewall ML
Subject: [Shorewall-users] Redirect question

Hi!

I want to redirect all http and https traffic from my LAN to squid in DMZ - transparent proxy.
How do I do that?

Regards,
Sasa
Sasa Stupar wrote:

> Hi!
>
> I want to redirect all http and https traffic from my LAN to squid in
> DMZ - transparent proxy.
> How do I do that?

1) Go to http://shorewall.net

2) In the left frame, you will see an index. Please click on the link labeled "Documentation"

3) You will now be looking at a page that contains lots of links. Before the days of Web Search Engines, anyone in grammar school could recognize this page as an example of an _Alphabetical Index_. Alphabetical Indexes are very useful for finding things because the entries in the index are in a logical (alphabetical) order.

4) In your case, you are trying to find out information about "Squid" so you need to go down to the "S" entries. There you will find a link labeled "Squid with Shorewall".

5) Click on that link.

6) You may want to pause and read the paragraph marked "Important" under "Squid as a Transparent Proxy". There you will learn that HTTPS cannot be transparently proxied. You are also invited to think about why if HTTPS could be transparently proxied then it would be absolutely useless as a security mechanism (Squid is effectively a "man in the middle"). The remainder of this section is also important because it describes how you must configure Squid properly if transparent proxy is to work.

7) Once you have digested that information, please click on "Squid (transparent) Running in the DMZ" at the top of the page. There you will find the instructions you are looking for.

If you are hopelessly addicted to Google, then you can also try entering "Squid" or "Transparent Proxy" in the search form at the top of the page at http://shorewall.net. The first hit will take you to the same page as does step 5 above.

I hope this tutorial has been useful to you and that you will be able to find information in the Shorewall documentation more easily in the future.

Sincerely,
-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
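An added illustration of step 6 in the message above (not part of the original thread): an intercepting proxy has to rebuild the URL from the cleartext request line and Host header, and a connection redirected from port 443 opens with a TLS handshake record instead. The function name and both sample byte strings are constructed for this example.

```python
"""Added illustration: first bytes an intercepting proxy receives."""

# Constructed sample: what a browser sends on port 80 (plain HTTP).
HTTP_SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"User-Agent: demo\r\n\r\n")

# Constructed sample: start of a connection to port 443.
# Record header: type 0x16 (handshake), version 3.1, length 0x002f,
# then a handshake header (type 0x01, length 0x2b) and placeholder body.
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x2F,
                    0x01, 0x00, 0x00, 0x2B]) + bytes(43)

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def inspect_first_bytes(data: bytes) -> dict:
    """Classify the opening bytes of a redirected client connection
    (hypothetical helper, not Squid or Shorewall code)."""
    # TLS record: content type 0x16 = handshake, major version 3.
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        length = int.from_bytes(data[3:5], "big")
        # No request line or Host header is available in cleartext.
        return {"kind": "tls", "record_length": length, "url": None}
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[0] in METHODS and parts[2].startswith(b"HTTP/"):
        host = None
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
        path = parts[1].decode("ascii", "replace")
        # The proxy can only rebuild the URL when a Host header is present.
        url = f"http://{host}{path}" if host else None
        return {"kind": "http", "method": parts[0].decode(), "url": url}
    return {"kind": "unknown", "url": None}


if __name__ == "__main__":
    for label, sample in (("port 80", HTTP_SAMPLE), ("port 443", TLS_SAMPLE)):
        print(label, inspect_first_bytes(sample))
```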
>Sasa Stupar wrote:
>> Hi!
>>
>> I want to redirect all http and https traffic from my LAN to squid in
>> DMZ - transparent proxy.
>> How do I do that?
>
>1) Go to http://shorewall.net
>2) In the left frame, you will see an index. Please click on the link
>labeled "Documentation"

<< snip >>

>Sincerely,
>-Tom
>

Ha ha ha!

I absolutely love you Tom! I always enjoy reading my Shorewall threads at times before logging off. You can be furious at times, but after some time on this mailing list I think we can all taste the subtleties that have grown into your reactions, although not apparent to the first time subscriber. Still a great laugh at times, though.

BTW, I am upgrading my workstation within a couple of weeks - any hardware you might need? I think I will be handing out some hardware from the Athlon XP+ 2400+ era anyway and if you're interested I'll ship them to you from Holland on my account as soon as they're obsolete for my new system. Just send me an email if you're interested.

Best wishes,
Sander Bontje
Sander Bontje wrote:

>
> I absolutely love you Tom! I always enjoy reading my Shorewall threads at
> times before logging off. You can be furious at times, but after some time
> on this mailing list I think we can all taste the subtleties that have grown
> into your reactions, although not apparent to the first time subscriber.
> Still a great laugh at times, though.

At least a couple of days away from the list has restored me to form :-)

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key