[ILUG] either transparent proxy or iptables problem.
lists at digitaldarragh.com
Fri Jan 4 23:45:39 GMT 2008
On Fri, January 4, 2008 11:03 pm, Michael Watterson wrote:
> Francis Daly wrote:
>> On 04/01/2008, Darragh <lists at digitaldarragh.com> wrote:
>> On a philosophical note, I'd say trying to do transparent proxying is
>> bad, and then transparently filtering stuff is worse. Of course, the
>> network manager gets to choose what happens on the network; but I'd be
>> slow to try anything other than telling people to use the proxy server
>> if they want web access. Depending on the clients used and the rest of
>> the network environment, it might just be a config change or two on a
>> master server. And it'll remove the element of surprise when they get
>> a message from their proxy admin saying why this particular web access
>> attempt failed.
Very valid point, but the idea is to make it easier to move clients in
and out of this network with absolutely no network configuration required
while keeping a high level of control on what it's used for.
>>> I wanted to test it to make sure that there wasn't something wrong with
>>> squid's logging and it was definitely not working correctly but it
>>> seems like squid just is not getting any traffic.
Yes, it doesn't look like the transparent proxy side of things is
working. I determined this using the netcat commands provided.
>> As in the earlier reply, I'd look closely at the tcpdump output to see
>> whether the traffic was even getting to the squid server.
>> If your client is 192.168.1.6, and is told that its default gateway is
>> 192.168.1.5, while the machine that is 192.168.1.5 knows that its
>> default gateway is 192.168.1.1 (all on the same subnet), then when the
>> .6 machine tries to talk to something remote via .5, .5 will forward
>> the traffic to .1 and send an icmp redirect to .6, telling it that for
>> this remote host (or possibly a bigger network), .6 should go straight
>> via .1 rather than .5. So any future requests, while .6 honours that
>> redirect, won't go near .5 and your filtering attempt breaks down.
>> I suspect that something like that might be happening.
Yes, I think I'll need to do something with that. I had planned to put
the router onto a different subnet in work, however I thought I'd get away
with it here as my main reason for doing that at work was security.
> Your squid wants to have two network cards on different subnets. Then
> the Internet/Router is on a separate network to the clients and only
> traffic via squid works.
On this machine, I have only one network card but if needs be, I'll grab
another one. I am not really seeing why it couldn't work though.
Server acts as DHCP server and gateway.
Routing is set up to relay all connections to that server from port 80 to
squid takes over and forwards the allowed traffic off to the router.
iptables blocks other non-http or bad connections when configured.
I appreciate that will possibly put a lot of work onto that one network
card but there's generally only two of us using the connection at any one
time so it shouldn't be unmanageable.
In the office, it's a reasonably small test network with usually around 8
PCs at maximum connected to it so in that scenario, the lower spec machine
with two network cards should do the job. Of course, I'm basing this
speculation on what I'd consider to be reasonably limited knowledge of
what's happening here so I'm certainly willing to be proven wrong.
Thanks again for the valuable feedback. I was getting slightly stuck but
I have some more ammunition to keep going now.
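The ICMP-redirect failure mode Francis describes, as an added worked check (not code from anyone in the thread): one function predicts from the addressing whether the filtering box will redirect the client past it, and another scans tcpdump's text output for redirects that actually happened. The capture lines, the 203.0.113.10 destination and the /24 netmask are constructed for the example.

```python
"""Check for the ICMP-redirect bypass described in the thread."""
import ipaddress
import re

# tcpdump prints a host redirect as "ICMP redirect <dst> to host <gw>, length N"
REDIRECT_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP redirect (?P<target>[\d.]+) "
    r"to host (?P<newgw>[\d.]+)"
)


def redirect_expected(client, filter_box, upstream, netmask="255.255.255.0"):
    """True when a Linux router with send_redirects=1 will tell the client to
    bypass the filtering box.  That happens when the packet would be forwarded
    back out the interface it arrived on, i.e. the client and the upstream
    gateway both sit on the filtering box's own subnet (netmask is assumed)."""
    net = ipaddress.ip_network(f"{filter_box}/{netmask}", strict=False)
    return (ipaddress.ip_address(client) in net
            and ipaddress.ip_address(upstream) in net)


def find_redirects(tcpdump_lines):
    """Yield (redirecting_router, client, new_gateway) for every ICMP host
    redirect found in tcpdump text output; other lines are ignored."""
    for line in tcpdump_lines:
        m = REDIRECT_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("newgw")


# Constructed sample capture, modelled on the addressing used in the thread:
# the .6 client sends a SYN via .5, and .5 tells it to use .1 directly.
SAMPLE_CAPTURE = """\
23:41:02.101 IP 192.168.1.6.51234 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0
23:41:02.102 IP 192.168.1.5 > 192.168.1.6: ICMP redirect 203.0.113.10 to host 192.168.1.1, length 36
23:41:02.103 IP 192.168.1.6.51234 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0
""".splitlines()

if __name__ == "__main__":
    print("redirect expected:",
          redirect_expected("192.168.1.6", "192.168.1.5", "192.168.1.1"))
    for router, client, gw in find_redirects(SAMPLE_CAPTURE):
        print(f"{router} told {client} to reach the outside via {gw} instead")
```

With the router on its own subnet behind a second card, as Michael suggests, `redirect_expected` returns False and the second function finds nothing in the capture.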