 From:  "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>
 To:  "Ivan Blanco" <ivanwhite at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Settings For Squid Transparent Proxy
 Date:  Mon, 6 Feb 2006 22:45:45 -0500
Well I'm a lot closer than I was. Here's the correct rdr rule. The only
thing is I can't get the transparent proxy to work right yet, but if I
exec the rdr rule no traffic is accepted unless I tell the browser to use
the proxy. Guess you could say I'm halfway there.

To run the rule go to http://monowall/exec.php and put in the following.

echo 'rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp' | ipnat -f-

To remove the rule just add a -r

echo 'rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp' | ipnat -r -f-

The rule basically says: on the LAN interface (xl0), anything not from
squid (10.10.1.6) going to any address on port 80 gets redirected to squid
(10.10.1.6) on port 3128.

I think I will be able to hack this into the m0n0wall config.xml. I was
looking at what Edward Mzj did with 1.2b9 and his custom pages. 

http://m0n0.ch/wall/list/showmsg.php?id=194/53
http://m0n0.ch/wall/list/showmsg.php?id=186/63

If the config.xml hack doesn't work then I might try and get his pages
to work with the 1.21 version as they add a lot of functionality. I'm
actually surprised they weren't included with m0n0wall.

Ryan Wagoner

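The following Python is an added example, not code from this thread, from m0n0wall or from ipnat. It models first-match rdr processing for the two rule shapes quoted in the thread (the plain "rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp" and the "! from 10.10.1.6/32" form above) and runs constructed packets through both, so you can see why the plain rule sends Squid's own outbound port-80 fetches back into Squid on 3128 and why the source exclusion stops that. It assumes ipnat's first-matching-rule-wins behaviour, parses only the syntax subset that appears in the thread, and uses constructed addresses (10.10.1.20 as a LAN client, 203.0.113.10 as a web server).

```python
"""
Simulate first-match ipnat 'rdr' processing for the transparent Squid setup
discussed in this thread. Added example, not code from the thread, from
m0n0wall or from ipnat. Parses only the rdr shapes that appear in the thread
and assumes the first matching rdr rule wins. Addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SQUID = "10.10.1.6"   # the thread's Squid box
LAN_IF = "xl0"        # the thread's LAN interface

# Grammar subset: rdr IF [! from SRC to] DST port [=] N -> TARGET port M PROTO
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+"
    r"(?:(?P<neg>!)\s+)?"
    r"(?:from\s+(?P<src>\S+)\s+to\s+)?"
    r"(?P<dst>\S+)\s+port\s*=?\s*(?P<dport>\d+)\s+"
    r"->\s+(?P<tgt>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class RdrRule:
    iface: str
    src_net: Optional[ipaddress.IPv4Network]  # None = any source
    negate_src: bool                          # the '! from' exclusion
    dst_net: ipaddress.IPv4Network
    dport: int
    target: str
    tport: int
    proto: str

    def matches(self, pkt: Packet) -> bool:
        if (pkt.iface, pkt.proto, pkt.dport) != (self.iface, self.proto, self.dport):
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst_net:
            return False
        if self.src_net is None:
            return True
        in_src = ipaddress.ip_address(pkt.src) in self.src_net
        return not in_src if self.negate_src else in_src


def parse_rdr(line: str) -> RdrRule:
    """Parse one rdr line of the shape used in the thread."""
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rdr syntax: {line!r}")
    src = m.group("src")
    return RdrRule(
        iface=m.group("iface"),
        src_net=ipaddress.ip_network(src, strict=False) if src else None,
        negate_src=m.group("neg") is not None,
        dst_net=ipaddress.ip_network(m.group("dst"), strict=False),
        dport=int(m.group("dport")),
        target=m.group("tgt"),
        tport=int(m.group("tport")),
        proto=m.group("proto"),
    )


def redirect(rules, pkt: Packet) -> Optional[Tuple[str, int]]:
    """First matching rdr rule decides; None means the packet is left alone."""
    for rule in rules:
        if rule.matches(pkt):
            return (rule.target, rule.tport)
    return None


def loops_back_to_squid(rules, squid_ip: str = SQUID) -> bool:
    """The failure mode from the thread: Squid's own outbound port-80 fetch
    being redirected back into Squid on 3128 (constructed web server address)."""
    probe = Packet(LAN_IF, squid_ip, "203.0.113.10", 80)
    return redirect(rules, probe) == (squid_ip, 3128)


# The plain rule that loops, and the fixed rule with the source exclusion.
NAIVE_RULES = [parse_rdr("rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp")]
FIXED_RULES = [parse_rdr(
    "rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp")]

if __name__ == "__main__":
    client = Packet(LAN_IF, "10.10.1.20", "203.0.113.10", 80)
    squid = Packet(LAN_IF, SQUID, "203.0.113.10", 80)
    https = Packet(LAN_IF, "10.10.1.20", "203.0.113.10", 443)
    for name, rules in (("naive", NAIVE_RULES), ("fixed", FIXED_RULES)):
        print(name, "client->web:80 ", redirect(rules, client))
        print(name, "squid->web:80  ", redirect(rules, squid))
        print(name, "client->web:443", redirect(rules, https))
        print(name, "loops back to squid:", loops_back_to_squid(rules))
```

Run it and the naive rule set reports the loop while the fixed set leaves Squid's own fetches alone; the port-443 probe shows that the redirect only intercepts plain HTTP, so HTTPS from LAN clients still bypasses the proxy either way.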

-----Original Message-----
From: Ivan Blanco [mailto:ivanwhite at gmail dot com] 
Sent: Monday, February 06, 2006 9:25 PM
To: Ryan Wagoner
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy

Well man, I keep reading it. I would like to know if it worked for you,
and how you finally did it?

2006/2/6, Ryan Wagoner <Ryan at wgnrs dot dynu dot com>:
> Alright so I can't figure out how to add the rdr rule manually. You
> normally have to add it to the ipnat file and then reload the ipnat
> config which flushes everything out.
>
> The following will give me this rdr rule, but now squid is being
> looped back to itself.
>
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
>
>  <rule>
>   <protocol>tcp</protocol>
>   <external-port>3128</external-port>
>   <target>10.10.1.6</target>
>   <local-port>80</local-port>
>   <interface>lan</interface>
>   <descr>HTTP to Squid</descr>
>  </rule>
>
> m0n0wall looks to take whatever interface you specify and throw the
> adapter name and 0.0.0.0/0 in for the rdr rule. So there looks to be no
> way to make the 2nd rdr rule.
>
> rdr xl0 10.10.1.6/32 port 80 -> 127.0.0.1 port 80 tcp
>
> -----Original Message-----
> From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com]
> Sent: Mon 2/6/2006 12:50 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> Okay so I figured out the rdr rules. I found an example on a website
> and it seems to make sense. They should be the following.
>
> rdr xl0 10.10.1.6/32 port 80 -> 127.0.0.1 port 80 tcp
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
>
> So this would do what I want and allow squid traffic out through the
> localhost and the rest gets directed through squid. Now I doubt there's
> any way to retrofit this into a nat rule for the config.xml file. When I
> get home I should be able to use exec.php and run the commands. If so is
> there a way I can execute these commands at each reboot? Or am I looking
> at having to make a custom image for the router?
>
> Thanks,
> Ryan Wagoner
>
> ________________________________
>
> From: Jason Brunk [mailto:jbrunk at wthosting dot com]
> Sent: Mon 2/6/2006 12:40 PM
> To: Ryan Wagoner; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
>
>
> If I remember correctly you can add a rule like
>
> no rdr
>
> And that will say do not redirect for this, however, I have not had 
> much luck with getting this to work on one of my bsd boxes.
>
> Jason
>
> -----Original Message-----
> From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com]
> Sent: Monday, February 06, 2006 12:36 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> I've done some reading on FreeBSD and squid and it looks like I need
> to use rdr rules to route the traffic. It seems to me that m0n0wall
> takes the nat section of the config.xml file and generates the rdr
> rules from it.
>
> It looks like the rdr rule needs to look like something below. This
> would take all the traffic coming to m0n0wall on port 80 lan interface
> (xl0) and direct it to my squid machine.
>
>         # Redirect everything else to squid on port 3127
>         rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3127 tcp
>
> However it is going to form a continuous loop redirecting squid
> traffic back to squid. So it looks like I need another rule added
> above the rule above.
> This way squid traffic could go out but all other traffic would go to
> squid.
>
>         # Redirect direct proxy traffic to internet.
>         rdr xl0 10.10.1.6/32 port 80 -> ????? port 80 tcp
>
> The problem lies where the ??? marks are as I don't know what to put 
> for the destination ip.
>
> From here how do I get this in the format below. I'm having problems 
> figuring out how I specify 10.10.16/32.
>
>  <nat>
>  <rule>
>   <protocol>tcp</protocol>
>   <external-port>25</external-port>
>   <target>192.168.1.5</target>
>   <local-port>25</local-port>
>   <interface>lan</interface>
>   <descr>redirect SMTP to LAN SMTP server</descr>
>  </rule>
>  </nat>
>
> Any help on this would be greatly appreciated.
>
> ________________________________
>
> From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
> Sent: Thu 2/2/2006 2:45 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy
>
>
>
> From: "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>
>
> > I have m0n0wall setup between my DSL modem and home network.
> > Its IP is 10.10.1.1. I have a Fedora squid server running at
> > 10.10.1.6. What I want to do is setup a rule so that any outbound
> > traffic on port 80 not coming from squid 10.10.1.6 gets redirected
> > to squid. That way I can have a transparent proxy for port 80. How
> > do I go about doing this?
> > I know I need the rule on the LAN side, but can the rules page
> > redirect traffic?? I thought this was only possible from NAT. I just
> > don't want to put in some random rules and upset the network.
>
> Chris posted this a while back...
>
>                             Lee
>
> I recall something in the archives about somebody doing something 
> similar using a hacked NAT rule.
>
> Like manually put something like this in your config.xml backup and 
> restore it.
>
>  <nat>
>  <rule>
>   <protocol>tcp</protocol>
>   <external-port>25</external-port>
>   <target>192.168.1.5</target>
>   <local-port>25</local-port>
>   <interface>lan</interface>
>   <descr>redirect SMTP to LAN SMTP server</descr>
>  </rule>
>  </nat>
>
> where 192.168.1.5 is your SMTP server.
>
> That might really screw stuff up though, so test it thoroughly first 
> to make sure it has no unintended consequences (if it works at all).
>
> If someone tries it, please let me know if it works.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch