Well I'm a lot closer than I was. Here's the correct rdr rule. Only thing is I
can't get the transparent proxy to work right yet, but if I exec the rdr rule
no traffic is accepted unless I tell the browser to use the proxy. Guess you
could say I'm halfway there.

To run the rule go to http://monowall/exec.php and put in the following.

echo 'rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp' | ipnat -f-

To remove the rule just add a -r

echo 'rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp' | ipnat -r -f-

The rule basically says on LAN interface (xl0) not from squid (10.10.1.6) to
any address of port 80 redirect it to squid (10.10.1.6) on port 3128.

I think I will be able to hack this into the m0n0wall config.xml. I was
looking at what Edward Mzj did with 1.2b9 and his custom pages.

http://m0n0.ch/wall/list/showmsg.php?id=194/53
http://m0n0.ch/wall/list/showmsg.php?id=186/63

If the hack config.xml doesn't work then I might try and get his pages to work
with the 1.21 version as they add a lot of functionality. I'm actually
surprised they weren't included with m0n0wall.

Ryan Wagoner

-----Original Message-----
From: Ivan Blanco [mailto:ivanwhite at gmail dot com]
Sent: Monday, February 06, 2006 9:25 PM
To: Ryan Wagoner
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy

Well man, I keep reading it. I would like to know if it works for you, and
how you finally did it?

2006/2/6, Ryan Wagoner <Ryan at wgnrs dot dynu dot com>:
> Alright so I can't figure out how to add the rdr rule manually. You normally
> have to add it to the ipnat file and then reload the ipnat config which
> flushes everything out.
>
> The following will give me this rdr rule, but now squid is being looped back
> to itself.
>
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
>
> <rule>
>   <protocol>tcp</protocol>
>   <external-port>3128</external-port>
>   <target>10.10.1.6</target>
>   <local-port>80</local-port>
>   <interface>lan</interface>
>   <descr>HTTP to Squid</descr>
> </rule>
>
> m0n0wall looks to take whatever interface you specify and throw the adapter
> name and 0.0.0.0/0 in for the rdr rule. So there looks to be no way to make
> the 2nd rdr rule.
>
> rdr xl0 10.10.1.6/32 port 80 -> 127.0.0.1 port 80 tcp
>
> -----Original Message-----
> From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com]
> Sent: Mon 2/6/2006 12:50 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> Okay so I figured out the rdr rules. I found an example on a website and it
> seems to make sense. They should be the following.
>
> rdr xl0 10.10.1.6/32 port 80 -> 127.0.0.1 port 80 tcp
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
>
> So this would do what I want and allow squid traffic out through the
> localhost and the rest gets directed through squid. Now I doubt there's any
> way to retrofit this into a nat rule for the config.xml file. When I get
> home I should be able to use exec.php and run the commands. If so is there a
> way I can execute these commands at each reboot? Or am I looking at having
> to make a custom image for the router.
>
> Thanks,
> Ryan Wagoner
>
> ________________________________
>
> From: Jason Brunk [mailto:jbrunk at wthosting dot com]
> Sent: Mon 2/6/2006 12:40 PM
> To: Ryan Wagoner; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> If I remember correctly you can add a rule like
>
> no rdr
>
> And that will say do not redirect for this, however, I have not had much
> luck with getting this to work on one of my bsd boxes.
>
> Jason
>
> -----Original Message-----
> From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com]
> Sent: Monday, February 06, 2006 12:36 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> I've done some reading on FreeBSD and squid and it looks like I need to use
> rdr rules to route the traffic. It seems to me that m0n0wall takes the nat
> section of the config.xml file and generates the rdr rules from it.
>
> It looks like the rdr rule needs to look like something below. This would
> take all the traffic coming to m0n0wall on port 80 lan interface (xl0) and
> direct it to my squid machine.
>
> # Redirect everything else to squid on port 3127
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3127 tcp
>
> However it is going to form a continuous loop redirecting squid traffic back
> to squid. So it looks like I need another rule added above the rule above.
> This way squid traffic could go out but all other traffic would go to squid.
>
> # Redirect direct proxy traffic to internet.
> rdr xl0 10.10.1.6/32 port 80 -> ????? port 80 tcp
>
> The problem lies where the ??? marks are as I don't know what to put for
> the destination ip.
>
> From here how do I get this in the format below. I'm having problems
> figuring out how I specify 10.10.16/32.
>
> <nat>
>   <rule>
>     <protocol>tcp</protocol>
>     <external-port>25</external-port>
>     <target>192.168.1.5</target>
>     <local-port>25</local-port>
>     <interface>lan</interface>
>     <descr>redirect SMTP to LAN SMTP server</descr>
>   </rule>
> </nat>
>
> Any help on this would be greatly appreciated.
>
> ________________________________
>
> From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
> Sent: Thu 2/2/2006 2:45 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy
>
> From: "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>
>
> > I have m0n0wall setup between my DSL modem and home network. Its IP is
> > 10.10.1.1. I have a Fedora squid server running at 10.10.1.6. What I want
> > to do is setup a rule so that any outbound traffic on port 80 not coming
> > from squid 10.10.1.6 gets redirected to squid. That way I can have a
> > transparent proxy for port 80. How do I go about doing this?
> >
> > I know I need the rule on the LAN side, but can the rules page redirect
> > traffic?? I thought this was only possible from NAT. I just don't want to
> > put in some random rules and upset the network.
>
> Chris posted this a while back...
>
> Lee
>
> I recall something in the archives about somebody doing something similar
> using a hacked NAT rule.
>
> Like manually put something like this in your config.xml backup and restore
> it.
>
> <nat>
>   <rule>
>     <protocol>tcp</protocol>
>     <external-port>25</external-port>
>     <target>192.168.1.5</target>
>     <local-port>25</local-port>
>     <interface>lan</interface>
>     <descr>redirect SMTP to LAN SMTP server</descr>
>   </rule>
> </nat>
>
> where 192.168.1.5 is your SMTP server.
>
> That might really screw stuff up though, so test it thoroughly first to
> make sure it has no unintended consequences (if it works at all).
>
> If someone tries it, please let me know if it works.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
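The two rdr forms that come up in this thread (the short form m0n0wall generates from a `<nat>` rule, and the `! from` form Ryan ends up with) differ in exactly one way: whether the proxy's own outbound port-80 traffic is matched. The following Python is an added example written for this page; it is not code from the thread, from m0n0wall or from IPFilter. It parses both rule forms and simulates the match decision for a LAN client and for the squid host, so the redirect loop the thread describes can be checked before a rule is loaded with `ipnat -f-`. Assumptions: only the two rule grammars quoted in the thread are recognised, the simulation uses first-match order (an assumption of the simulation, not a claim about IPFilter), and the LAN client 10.10.1.20 and destination 198.51.100.10 (TEST-NET-2) are constructed sample addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule strings, in the two forms quoted in the thread.
RULE_LOOPING = "rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp"
RULE_EXCLUDING_PROXY = (
    "rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp"
)

# Long form: rdr IF [!] from SRC to DST port = N -> TARGET port M PROTO
_LONG = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<neg>!\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+port\s*=\s*(?P<dport>\d+)\s+->\s+(?P<target>\S+)\s+port\s+(?P<tport>\d+)"
    r"\s+(?P<proto>\w+)$"
)
# Short form (what m0n0wall emits from <nat>): rdr IF DST port N -> TARGET port M PROTO
_SHORT = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+->\s+"
    r"(?P<target>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    src: ipaddress.IPv4Network      # source match; 0.0.0.0/0 when the rule has no "from"
    negate_src: bool                # True for "! from": match everything EXCEPT src
    dst: ipaddress.IPv4Network
    dport: int
    target: ipaddress.IPv4Address
    tport: int
    proto: str

    def matches(self, src_ip: str, dst_ip: str, dport: int, proto: str) -> bool:
        src_hit = ipaddress.ip_address(src_ip) in self.src
        if self.negate_src:
            src_hit = not src_hit
        return (src_hit
                and ipaddress.ip_address(dst_ip) in self.dst
                and dport == self.dport
                and proto == self.proto)


def parse_rdr(line: str) -> RdrRule:
    """Parse one ipnat rdr line in either of the two forms seen in the thread."""
    m = _LONG.match(line.strip())
    if m:
        src, neg = m["src"], m["neg"] is not None
    else:
        m = _SHORT.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rdr rule: {line!r}")
        src, neg = "0.0.0.0/0", False     # short form matches any source
    return RdrRule(
        iface=m["iface"],
        src=ipaddress.ip_network(src, strict=False),
        negate_src=neg,
        dst=ipaddress.ip_network(m["dst"], strict=False),
        dport=int(m["dport"]),
        target=ipaddress.ip_address(m["target"]),
        tport=int(m["tport"]),
        proto=m["proto"],
    )


def redirect_for(rules: List[RdrRule], src_ip: str, dst_ip: str,
                 dport: int = 80, proto: str = "tcp") -> Optional[Tuple[str, int]]:
    """(target, port) of the first matching rule, or None if nothing redirects.
    First-match order is an assumption of this simulation."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport, proto):
            return str(rule.target), rule.tport
    return None


def proxy_loops(rules: List[RdrRule], proxy_ip: str,
                dst_ip: str = "198.51.100.10") -> bool:
    """True when the proxy's own outbound port-80 traffic would be sent back to
    itself, which is the loop the thread describes. dst_ip is constructed."""
    hit = redirect_for(rules, proxy_ip, dst_ip)
    return hit is not None and hit[0] == proxy_ip


if __name__ == "__main__":
    for text in (RULE_LOOPING, RULE_EXCLUDING_PROXY):
        rule = parse_rdr(text)
        print(text)
        print("  LAN client 10.10.1.20 ->", redirect_for([rule], "10.10.1.20", "198.51.100.10"))
        print("  squid 10.10.1.6       ->", redirect_for([rule], "10.10.1.6", "198.51.100.10"))
        print("  loops back to proxy:", proxy_loops([rule], "10.10.1.6"))
```

Running it shows the short-form rule sending the squid host's own port-80 connections back to 10.10.1.6:3128, while the `! from 10.10.1.6/32` rule leaves them alone and still redirects every other LAN client. The same `proxy_loops` check is worth running against any rule set before it is loaded on the firewall, since a looping redirect takes the proxy, and with it all web access behind it, offline.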