iptables question (was Re: Squid question)
Tim Wunder
tim
Mon May 17 11:57:44 PDT 2004
On Thursday 01 January 2004 3:20 pm, someone claiming to be Matthew Carpenter
wrote:
> Two things:
>
> 1) Why are you all spinning your wheels on getting the firewall to work as
> a client when there doesn't seem much value forcing the firewall through
> its own proxy? Test from another machine that goes THROUGH the firewall.
> If you want to test from the firewall, make another system the proxy...
> that doesn't sound like a bad idea anyway...
>
My unique (I guess) situation is that my client and my firewall are on the
same machine and I don't, as of now, have any other connected machines going
through the proxy.
> 2) Does this work yet? I haven't seen anything on this topic since
> Christmas a week ago. I do remember going through this painful
> troubleshooting a year ago and it had to do with a setting in Squid. There
> is a Port setting which either was 80 and needed to be 0 or was 0 and
> needed to be 80. I believe it needed to be 80. I'll look into it if this
> is still being worked on.
>
It's working now, yes.
To use squid, squidguard and dansguardian all transparently, the following
iptables rules are required in addition to configuring squid for transparent
proxy:
# iptables -t nat -I OUTPUT -o lo -m owner --gid-owner $GID -p tcp --dport 3128 -j REDIRECT --to-ports 3129
# iptables -t nat -I OUTPUT -o eth0 -m owner --gid-owner $GID -p tcp --dport 80 -j REDIRECT --to-ports 3129
Where $GID is the group ID of the users for which transparent proxying is
enabled, squid is configured to listen on 3128 and dansguardian is
configured to listen on 3129.
<snip>
Tim
--
Fedora Core 1, Kernel 2.4.22-1.2129.nptl, KDE 3.1.4, Xfree86 4.3.0
07:20:00 up 24 days, 10:03, 0 users, load average: 0.00, 0.00, 0.00
It's what you learn after you know it all that counts
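The two REDIRECT rules from the message above, wrapped in a small script that resolves the group name to a GID, inserts each rule only if it is not already in the nat OUTPUT chain, and lists the chain afterwards for verification. This is an added example, not code from the original post; it assumes a hypothetical group named "proxied", squid on 3128, dansguardian on 3129, outbound interface eth0, and an iptables new enough to support the -C check option (newer than the Fedora Core 1 box in the thread).

```shell
#!/bin/sh
# Added example (not from the original post): apply the transparent-proxy
# redirects idempotently. Assumptions: group "proxied" (hypothetical),
# squid on 3128, dansguardian on 3129, outbound interface eth0,
# iptables with -C support.

GROUP="${PROXY_GROUP:-proxied}"
IFACE="${PROXY_IFACE:-eth0}"
SQUID_PORT=3128
DG_PORT=3129

# Resolve a group name to its numeric GID; empty output means "not found".
resolve_gid() {
    getent group "$1" | cut -d: -f3
}

# Build the rule spec (everything after "-t nat") for one interface and
# destination port, so the same text is used for -C, -I and -D.
# $1=gid $2=interface $3=destination port
rule_spec() {
    echo "OUTPUT -o $2 -m owner --gid-owner $1 -p tcp --dport $3 -j REDIRECT --to-ports $DG_PORT"
}

# Both rules from the thread. The lo rule matters for enforcement: without it
# a group member could point a browser straight at 127.0.0.1:3128 and reach
# squid without passing through dansguardian.
all_specs() {
    rule_spec "$1" lo "$SQUID_PORT"
    rule_spec "$1" "$IFACE" 80
}

# Insert a rule only when -C reports it absent (-C exits 0 if it exists).
# $1 is intentionally unquoted so the spec splits into separate arguments.
ensure_rule() {
    if iptables -t nat -C $1 2>/dev/null; then
        echo "present: $1"
    else
        iptables -t nat -I $1 && echo "added:   $1"
    fi
}

main() {
    gid=$(resolve_gid "$GROUP")
    [ -n "$gid" ] || { echo "group $GROUP not found" >&2; exit 1; }
    all_specs "$gid" | while read -r spec; do ensure_rule "$spec"; done
    # Show the resulting chain so the insert order can be checked by eye.
    iptables -t nat -L OUTPUT -n --line-numbers
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run as root with `sh transparent-proxy.sh apply`; to remove the rules later, replace `-I` with `-D` in ensure_rule and reuse the same specs.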