[ILUG] either transparent proxy or iptables problem.
Francis Daly
francisdaly at gmail.com
Fri Jan 4 21:34:53 GMT 2008
On 04/01/2008, Darragh <lists at digitaldarragh.com> wrote:
> I set up squid guard and after getting rid of the initial configuration
> problems, it finally gives me a status of ready to serve in its logs.
>
> I've downloaded a reasonably decent blacklist and it's recognising it
> however when I test squid, it's still not blocking anything.

I'd say leave out squidGuard until you have plain squid working the
way you want it to. Adding squidGuard -- after you've done it a few
times with a few different squid versions -- is relatively
straightforward, once you've got file permissions correct.

On a philosophical note, I'd say trying to do transparent proxying is
bad, and then transparently filtering stuff is worse. Of course, the
network manager gets to choose what happens on the network; but I'd be
slow to try anything other than telling people to use the proxy server
if they want web access. Depending on the clients used and the rest of
the network environment, it might just be a config change or two on a
master server. And it'll remove the element of surprise when they get
a message from their proxy admin saying why this particular web access
attempt failed.

> I wanted to test it to make sure that there wasn't something wrong with
> squid's logging and it was definitely not working correctly but it definitely
> seems like squid just is not getting any traffic.

As in the earlier reply, I'd look closely at the tcpdump output to see
whether the traffic was even getting to the squid server.

If your client is 192.168.1.6, and is told that its default gateway is
192.168.1.5, while the machine that is 192.168.1.5 knows that its
default gateway is 192.168.1.1 (all on the same subnet), then when the
.6 machine tries to talk to something remote via .5, .5 will forward
the traffic to .1 and send an icmp redirect to .6, telling it that for
this remote host (or possibly a bigger network), .6 should go straight
via .1 rather than .5. So any future requests, while .6 honours that
redirect, won't go near .5 and your filtering attempt breaks down.

I suspect that something like that might be happening.
f
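
Added example, not part of the original message: a check for the ICMP redirect scenario described in the reply, run over tcpdump text output captured on the squid box. The /24 prefix, the remote address 203.0.113.10, the function names and the sample capture lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# tcpdump prints redirects as: "ICMP redirect <dest> to host|net <new gateway>"
REDIRECT_RE = re.compile(
    r"IP (?P<sender>[\d.]+) > (?P<client>[\d.]+): ICMP redirect "
    r"(?P<dest>[\d.]+) to (?:host|net) (?P<new_gw>[\d.]+)"
)

def redirect_expected(client, proxy, proxy_gateway, subnet):
    """True when client, proxy box and the proxy's own gateway share one subnet,
    so the proxy forwards out of the interface the packet arrived on."""
    net = ipaddress.ip_network(subnet)
    addrs = [ipaddress.ip_address(a) for a in (client, proxy, proxy_gateway)]
    return len(set(addrs)) == 3 and all(a in net for a in addrs)

def find_redirects(tcpdump_lines):
    """Return (sender, client, remote destination, new gateway) per redirect."""
    hits = []
    for line in tcpdump_lines:
        m = REDIRECT_RE.search(line)
        if m:
            hits.append((m["sender"], m["client"], m["dest"], m["new_gw"]))
    return hits

def bypassing_clients(tcpdump_lines, proxy, proxy_gateway):
    """Clients the proxy box has told to go straight to its own gateway."""
    return {
        client
        for sender, client, _dest, new_gw in find_redirects(tcpdump_lines)
        if sender == proxy and new_gw == proxy_gateway
    }

# Constructed sample of `tcpdump -n` output (not from a real capture).
SAMPLE = [
    "21:30:01.100000 IP 192.168.1.6.51234 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0",
    "21:30:01.100210 IP 192.168.1.5 > 192.168.1.6: ICMP redirect 203.0.113.10 to host 192.168.1.1, length 68",
    "21:30:01.100300 IP 192.168.1.5 > 192.168.1.6: ICMP echo reply, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    if redirect_expected("192.168.1.6", "192.168.1.5", "192.168.1.1", "192.168.1.0/24"):
        print("topology will trigger ICMP redirects")
    for client in sorted(bypassing_clients(SAMPLE, "192.168.1.5", "192.168.1.1")):
        print(f"{client} was redirected past the proxy")
```
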