On 1 Jun 00, at 12:29, Stephen Shirley wrote:
> Mornin' all,
> Right. We have a linux router which takes care of our internet
> access. What we want to do is prevent people from accessing the web
> directly, rather redirect all http/ftp packets to the squid proxy server,
> which is another linux box. Is there any way to do this? It looks like it
> involves sniffing the packets or something. Not essential, but would be
> nice if it was possible.
You need the following in your squid.conf:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

and a rule something like this for ipchains:

    ipchains -A input -j REDIRECT 3128 -s 192.168.x.0/24 -d any/0 80 -p tcp

(replace 192.168.x.0/24 with a valid internal network).
I was having problems getting this to work for a while - my mistake was to
put this rule after the -j ACCEPT for all internal networks so it never
hit the redirect rule. Oh well, at least it's working now.
You'll also have to recompile the kernel with CONFIG_IP_TRANSPARENT_PROXY
on. This requires turning on the experimental switch.
Martin.
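
The ordering mistake described in the message above (an ACCEPT for the internal network placed ahead of the REDIRECT rule, so the redirect is never reached) can be checked for in a rule script before it is loaded. This is an added example, not part of the original message: the function name, the 192.168.1.0/24 network and both sample rule sets are constructed, and the check is a heuristic that only looks at `-A input` rules and flags any earlier ACCEPT for that source, whatever its protocol or port.

```shell
#!/bin/sh
# Added example: heuristic ordering check for an ipchains rule script.
# Reads the script on stdin; $1 is the internal network as written after -s.
# Prints "ok", "shadowed" or "no-redirect"; exit status is 0 only for "ok".
check_redirect_order() {
    awk -v net="$1" '
        # Only rules appended to the input chain are considered; -I inserts
        # and user-defined chains are outside this simplified check.
        $1 == "ipchains" && $2 == "-A" && $3 == "input" {
            src = ""; target = ""
            for (i = 4; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # A rule with no -s matches every source, so it still counts.
            if (src != "" && src != net) next
            # ipchains stops at the first matching rule: an ACCEPT seen
            # before the REDIRECT means the REDIRECT is never reached.
            if (target == "ACCEPT" && !redirect_line) accept_line = NR
            if (target == "REDIRECT" && !redirect_line) redirect_line = NR
        }
        END {
            if (!redirect_line) { print "no-redirect"; exit 2 }
            if (accept_line)    { print "shadowed"; exit 1 }
            print "ok"
        }
    '
}

# Constructed sample rule sets (192.168.1.0/24 is a placeholder network).
BROKEN_RULES='ipchains -A input -s 192.168.1.0/24 -j ACCEPT
ipchains -A input -j REDIRECT 3128 -s 192.168.1.0/24 -d any/0 80 -p tcp'

FIXED_RULES='ipchains -A input -j REDIRECT 3128 -s 192.168.1.0/24 -d any/0 80 -p tcp
ipchains -A input -s 192.168.1.0/24 -j ACCEPT'

printf '%s\n' "$BROKEN_RULES" | check_redirect_order 192.168.1.0/24 || true  # shadowed
printf '%s\n' "$FIXED_RULES"  | check_redirect_order 192.168.1.0/24 || true  # ok
```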