On Fri, January 4, 2008 11:03 pm, Michael Watterson wrote:
> Francis Daly wrote:
>> On 04/01/2008, Darragh <lists at digitaldarragh.com> wrote:
>> On a philosophical note, I'd say trying to do transparent proxying is
>> bad, and then transparently filtering stuff is worse. Of course, the
>> network manager gets to choose what happens on the network; but I'd be
>> slow to try anything other than telling people to use the proxy server
>> if they want web access. Depending on the clients used and the rest of
>> the network environment, it might just be a config change or two on a
>> master server. And it'll remove the element of surprise when they get
>> a message from their proxy admin saying why this particular web access
>> attempt failed.
Very valid point, but the idea is to make it easier to move clients in
and out of this network with absolutely no network configuration required
while keeping a high level of control on what it's used for.
>>> I wanted to test it to make sure that there wasn't something wrong with
>>> squid's logging and it was definitely not working correctly, but it
>>> definitely seems like squid just is not getting any traffic.
Yes, it doesn't look like the transparent proxy side of things is
working. I determined this using the netcat commands provided.
>> As in the earlier reply, I'd look closely at the tcpdump output to see
>> whether the traffic was even getting to the squid server.
>> If your client is 192.168.1.6, and is told that its default gateway is
>> 192.168.1.5, while the machine that is 192.168.1.5 knows that its
>> default gateway is 192.168.1.1 (all on the same subnet), then when the
>> .6 machine tries to talk to something remote via .5, .5 will forward
>> the traffic to .1 and send an icmp redirect to .6, telling it that for
>> this remote host (or possibly a bigger network), .6 should go straight
>> via .1 rather than .5. So any future requests, while .6 honours that
>> redirect, won't go near .5 and your filtering attempt breaks down.
>> I suspect that something like that might be happening.
>> f
Yes, I think I'll need to do something with that. I had planned to put
the router onto a different subnet in work; however, I thought I'd get away
with it here, as my main reason for doing that at work was security.
> Your squid wants to have two network cards on different subnets. Then
> the Internet/Router is on a separate network to the clients and only
> traffic via squid works.
On this machine, I have only one network card but if needs be, I'll grab
another one. I am not really seeing why it couldn't work though.
The server acts as DHCP server and gateway.
Routing is set up to relay all connections to that server from port 80 to
port 3128.
Squid takes over and forwards the allowed traffic off to the router.
iptables blocks other non-HTTP or bad connections when configured.
I appreciate that will possibly put a lot of work onto that one network
card but there's generally only two of us using the connection at any one
time so it shouldn't be unmanageable.
In the office, it's a reasonably small test network with usually around 8
PCs at maximum connected to it, so in that scenario the lower-spec machine
with two network cards should do the job. Of course, I'm basing this
speculation on what I'd consider to be reasonably limited knowledge of
what's happening here, so I'm certainly willing to be proven wrong.
> Mike
Thanks again for the valuable feedback. I was getting slightly stuck but
I have some more ammunition to keep going now.
Darragh
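As an added illustration (not part of the thread above), a small Python model of the ICMP-redirect failure mode Francis describes: a Linux gateway with a single NIC forwards the client's packet back out the interface it arrived on and, because the upstream router sits on the same subnet as the client, sends the client an ICMP redirect, after which the client bypasses the proxy box. The helper names, the interface name `eth0` and the `192.168.2.0/24` second subnet are assumptions; the iptables rule reproduces the port 80 to 3128 redirect from the thread.

```python
import ipaddress


def gateway_will_redirect(client_ip, gw_client_if_addr, gw_next_hop,
                          send_redirects=True):
    """Return True if a Linux gateway would emit an ICMP redirect to client_ip.

    The kernel sends a redirect when it forwards a packet out the same
    interface it came in on and the next hop is directly reachable by the
    sender, i.e. the next hop lies in the client-facing subnet.
    send_redirects models net.ipv4.conf.<if>.send_redirects (default 1).
    (Simplified model; assumes the default gateway is the only route.)
    """
    client_net = ipaddress.ip_network(gw_client_if_addr, strict=False)
    client = ipaddress.ip_address(client_ip)
    next_hop = ipaddress.ip_address(gw_next_hop)
    if client not in client_net:
        raise ValueError("client is not on the gateway's client-facing subnet")
    return send_redirects and next_hop in client_net


def proxy_box_commands(client_if="eth0", proxy_port=3128):
    """Commands for the gateway so clients cannot be steered around squid.

    The sysctl stops the gateway from telling clients to bypass it; the
    iptables rule is the port 80 -> 3128 relay described in the thread.
    """
    return [
        "sysctl -w net.ipv4.conf.all.send_redirects=0",
        f"iptables -t nat -A PREROUTING -i {client_if} -p tcp --dport 80 "
        f"-j REDIRECT --to-port {proxy_port}",
    ]


if __name__ == "__main__":
    # Constructed topology from the thread: client .6, proxy box .5, router .1
    print("single NIC, same subnet:",
          gateway_will_redirect("192.168.1.6", "192.168.1.5/24", "192.168.1.1"))
    # Two NICs: clients on a second subnet (assumed 192.168.2.0/24)
    print("two NICs, separate subnets:",
          gateway_will_redirect("192.168.2.6", "192.168.2.1/24", "192.168.1.1"))
    for cmd in proxy_box_commands():
        print(cmd)
```

Even with redirects suppressed on the gateway, a client that has already cached a redirect keeps using it until the route entry expires, so verify with tcpdump on the proxy box rather than trusting the config alone.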