[SC.LUG] transparent proxy with a single box and iptables
robert
sc at mailman.lug.org.uk
Mon Jun 16 06:52:02 2003
On Thu, 12 Jun 2003, Robert Marshall wrote:
>
> I'm using squid and dansguardian which works fine when setting a proxy
> via the browser except that I can't get transparent proxy to work
>
> I think that with a single box I need something like
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> (dansguardian uses port 8080), this works fine and blocks unwanted
> sites.
>
> Unfortunately - of course - if a site isn't blocked - the request gets
> sent round the forwarding loop again and squid kills it
>
> What am I missing? Do I need to do something via iptables so that it
> recognises something emerging from squid, or do I need to change
> squid.conf somehow?
>
To answer my own question - if anyone ever needs to know:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner <squidUID> -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
appears to fix it for me.
R
--
Robert Marshall
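The two-rule fix above as an added, runnable example (not from the original post): it resolves the proxy account to a UID, installs the owner bypass before the REDIRECT, and checks the installed chain to confirm the order, since a REDIRECT listed first reproduces the loop. The account name PROXY_USER is an assumption to substitute; IPTABLES=echo gives a dry run.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes the proxy that
# makes outbound port-80 connections runs as the account in PROXY_USER
# (placeholder; set it to the real squid user) and iptables is in PATH.
PROXY_USER="${PROXY_USER:-proxy}"   # assumed account name, adjust
PROXY_PORT="${PROXY_PORT:-8080}"    # dansguardian listener from the post
IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES=echo for a dry run

# Resolve the account to a numeric UID so the listing is unambiguous.
proxy_uid() { id -u "$PROXY_USER"; }

# Install the rules in the order the fix needs: the proxy's own outbound
# traffic must hit ACCEPT before the REDIRECT, or it loops back into it.
install_rules() {
    uid=$1
    $IPTABLES -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner --uid-owner "$uid" -j ACCEPT
    $IPTABLES -t nat -A OUTPUT -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
}

# Given the text of `iptables -t nat -S OUTPUT` (one rule per line), return
# 0 when the owner ACCEPT precedes the REDIRECT to PROXY_PORT, 1 otherwise.
# Both "--to-port" (as typed) and "--to-ports" (as -S prints it) are accepted.
rules_in_order() {
    printf '%s\n' "$1" | awk -v port="$PROXY_PORT" '
        /--uid-owner/ && /-j ACCEPT/ && !a { a = NR }
        $0 ~ ("--to-ports? " port) && !r { r = NR }
        END { exit !(a && r && a < r) }'
}

# Apply the fix on a live box and verify what actually landed in the chain.
apply() {
    install_rules "$(proxy_uid)" || return 1
    rules_in_order "$($IPTABLES -t nat -S OUTPUT)"
}
```

Run `apply` as root; a non-zero exit means the chain still has the REDIRECT ahead of the bypass and the loop will come back.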