 From:  "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Settings For Squid Transparent Proxy
 Date:  Mon, 6 Feb 2006 23:42:09 -0500
I'm at the point where I need somebody with good FreeBSD / m0n0wall
experience to help me out. The rule from below isn't redirecting traffic
to the squid server correctly. I'm not sure what's wrong with it. I set
the gateway on my machine to point to the squid server and used iptables
to route port 80 to 3128 and squid works transparently as it should.
Setting it back to the m0n0wall gateway with the routing rule and
nothing happens. I have to set my browser proxy to the squid server in
order to connect to the m0n0wall GUI. Seems to me m0n0wall is dropping
the packets but I can't tell where. I even went as far as to set up a
firewall rule on the LAN page that allows from source * to all
destinations thinking that might work, nope, nothing. Anybody know what's
going on here?
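The rule quoted further down in this thread ("rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp") fixes the loop that the earlier rule without the "! from" exception produced: without it, squid's own outbound port-80 connections are redirected back to squid. The following is an added illustration, not part of this thread and not m0n0wall or ipnat code: a small Python model of how ipnat rdr matching treats the two rule shapes. The client address 10.10.1.50 and the external address 203.0.113.10 (TEST-NET-3) are constructed, and first-match-wins ordering is an assumption of the model rather than something the thread states.

```python
"""Tiny model of IPFilter ipnat 'rdr' rule matching.

Constructed example for illustration only: it never calls ipnat and is
not m0n0wall code. It accepts the two rule shapes posted in the thread:
  rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
  rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule sets as posted in the thread (joined onto one line each).
NAIVE_RULESET = [
    "rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp",
]
FIXED_RULESET = [
    "rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp",
]

RULE_RE = re.compile(
    r"""^rdr\s+(?P<iface>\S+)\s+
        (?:(?P<neg>!)?\s*from\s+(?P<src>\S+)\s+to\s+)?   # optional source clause
        (?P<dst>\S+)\s+port\s+(?:=\s+)?(?P<dport>\d+)\s+->\s+
        (?P<target>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>\w+)\s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    negate_src: bool                      # True when written "! from X"
    src: Optional[ipaddress.IPv4Network]  # None when no "from" clause
    dst: ipaddress.IPv4Network
    dport: int
    target: str
    tport: int
    proto: str


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_rule(line: str) -> RdrRule:
    """Parse one rdr line; raises ValueError on anything the model does not cover."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rdr rule: {line!r}")
    src = ipaddress.ip_network(m["src"], strict=False) if m["src"] else None
    return RdrRule(
        iface=m["iface"],
        negate_src=m["neg"] is not None,
        src=src,
        dst=ipaddress.ip_network(m["dst"], strict=False),
        dport=int(m["dport"]),
        target=m["target"],
        tport=int(m["tport"]),
        proto=m["proto"],
    )


def rule_matches(rule: RdrRule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface or rule.proto != pkt.proto or rule.dport != pkt.dport:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.src is not None:
        in_src = ipaddress.ip_address(pkt.src) in rule.src
        # "! from X" matches only when the source is NOT inside X.
        if in_src == rule.negate_src:
            return False
    return True


def apply_rdr(rules: List[RdrRule], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return (new_dst, new_port) from the first matching rule, or None.
    First-match-wins is an assumption of this model."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return (rule.target, rule.tport)
    return None


def proxy_loops(rule_lines: List[str], squid_ip: str, squid_port: int,
                iface: str = "xl0") -> bool:
    """True if squid's own outbound port-80 traffic would be sent back to squid."""
    rules = [parse_rule(line) for line in rule_lines]
    outbound = Packet(iface, squid_ip, "203.0.113.10", 80)  # constructed external host
    return apply_rdr(rules, outbound) == (squid_ip, squid_port)


if __name__ == "__main__":
    print("naive ruleset loops:", proxy_loops(NAIVE_RULESET, "10.10.1.6", 3128))
    print("fixed ruleset loops:", proxy_loops(FIXED_RULESET, "10.10.1.6", 3128))
```

The check a practitioner wants before loading a redirect rule is exactly `proxy_loops`: feed it the rule set and the proxy's address and confirm the proxy's own traffic is exempt, while an ordinary LAN client on port 80 still gets sent to the proxy and other ports are untouched.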

-----Original Message-----
From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com] 
Sent: Monday, February 06, 2006 10:46 PM
To: Ivan Blanco
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy

Well, I'm a lot closer than I was. Here's the correct rdr rule. Only thing
is I can't get the transparent proxy to work right yet, but if I exec
the rdr rule no traffic is accepted unless I tell the browser to use the
proxy. Guess you could say I'm halfway there.

To run the rule go to http://monowall/exec.php and put in the following.

echo 'rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp' | ipnat -f-

To remove the rule just add a -r

echo 'rdr xl0 ! from 10.10.1.6/32 to 0.0.0.0/0 port = 80 -> 10.10.1.6 port 3128 tcp' | ipnat -r -f-

The rule basically says on LAN interface (xl0) not from squid
(10.10.1.6) to any address of port 80 redirect it to squid (10.10.1.6)
on port 3128.

I think I will be able to hack this into the m0n0wall config.xml. I was
looking at what Edward Mzj did with 1.2b9 and his custom pages. 

http://m0n0.ch/wall/list/showmsg.php?id=194/53
http://m0n0.ch/wall/list/showmsg.php?id=186/63

If the config.xml hack doesn't work then I might try and get his pages
to work with the 1.21 version as they add a lot of functionality. I'm
actually surprised they weren't included with m0n0wall.

Ryan Wagoner


-----Original Message-----
From: Ivan Blanco [mailto:ivanwhite at gmail dot com]
Sent: Monday, February 06, 2006 9:25 PM
To: Ryan Wagoner
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy

Well man, I keep reading it. I would like to know if it worked for you,
and how you finally did it?

2006/2/6, Ryan Wagoner <Ryan at wgnrs dot dynu dot com>:
> Alright so I can't figure out how to add the rdr rule manually. You
> normally have to add it to the ipnat file and then reload the ipnat
> config which flushes everything out.
>
> The following will give me this rdr rule, but now squid is being
looped back to itself.
>
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
>
>  <rule>
>   <protocol>tcp</protocol>
>   <external-port>3128</external-port>
>   <target>10.10.1.6</target>
>   <local-port>80</local-port>
>   <interface>lan</interface>
>   <descr>HTTP to Squid</descr>
>  </rule>
>
> m0n0wall looks to take whatever interface you specify and throw the
adapter name and 0.0.0.0/0 in for the rdr rule. So there looks to be no
way to make the 2nd rdr rule.
>
> rdr xl0 10.10.1.6/32 port 80 -> 127.0.0.1 port 80 tcp
>
> -----Original Message-----
> From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com]
> Sent: Mon 2/6/2006 12:50 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> Okay so I figured out the rdr rules. I found an example on a website
and it seems to make sense. They should be the following.
>
> rdr xl0 10.10.1.6/32 port 80 -> 127.0.0.1 port 80 tcp
> rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3128 tcp
>
> So this would do what I want and allow squid traffic out through the
> localhost and the rest gets directed through squid. Now I doubt there's
> any way to retrofit this into a nat rule for the config.xml file. When I
> get home I should be able to use exec.php and run the commands. If so, is
> there a way I can execute these commands at each reboot? Or am I looking
> at having to make a custom image for the router?
>
> Thanks,
> Ryan Wagoner
>
> ________________________________
>
> From: Jason Brunk [mailto:jbrunk at wthosting dot com]
> Sent: Mon 2/6/2006 12:40 PM
> To: Ryan Wagoner; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
>
>
> If I remember correctly you can add a rule like
>
> no rdr
>
> And that will say do not redirect for this, however, I have not had 
> much luck with getting this to work on one of my bsd boxes.
>
> Jason
>
> -----Original Message-----
> From: Ryan Wagoner [mailto:Ryan at wgnrs dot dynu dot com]
> Sent: Monday, February 06, 2006 12:36 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Settings For Squid Transparent Proxy
>
> I've done some reading on FreeBSD and squid and it looks like I need
> to use rdr rules to route the traffic. It seems to me that m0n0wall
> takes the nat section of the config.xml file and generates the rdr
> rules from it.
>
> It looks like the rdr rule needs to look like something below. This
> would take all the traffic coming to m0n0wall on port 80 on the LAN interface
> (xl0) and direct it to my squid machine.
>
>         # Redirect everything else to squid on port 3127
>         rdr xl0 0.0.0.0/0 port 80 -> 10.10.1.6 port 3127 tcp
>
> However, it is going to form a continuous loop redirecting squid
> traffic back to squid. So it looks like I need another rule added
> above the rule above.
> This way squid traffic could go out but all other traffic would go to
> squid.
>
>         # Redirect direct proxy traffic to internet.
>         rdr xl0 10.10.1.6/32 port 80 -> ????? port 80 tcp
>
> The problem lies where the ??? marks are as I don't know what to put 
> for the destination ip.
>
> From here how do I get this in the format below. I'm having problems 
> figuring out how I specify 10.10.16/32.
>
>  <nat>
>  <rule>
>   <protocol>tcp</protocol>
>   <external-port>25</external-port>
>   <target>192.168.1.5</target>
>   <local-port>25</local-port>
>   <interface>lan</interface>
>   <descr>redirect SMTP to LAN SMTP server</descr>
>  </rule>
>  </nat>
>
> Any help on this would be greatly appreciated.
>
> ________________________________
>
> From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
> Sent: Thu 2/2/2006 2:45 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Settings For Squid Transparent Proxy
>
>
>
> From: "Ryan Wagoner" <Ryan at wgnrs dot dynu dot com>
>
> > I have m0n0wall set up between my DSL modem and home network.
> > Its IP is 10.10.1.1. I have a Fedora squid server running at
> > 10.10.1.6. What I want to do is set up a rule so that any outbound
> > traffic on port 80 not coming from squid 10.10.1.6 gets redirected
> > to squid. That way I can have a transparent proxy for port 80. How
> > do I go about doing this?
> > I know I need the rule on the LAN side, but can the rules page
> > redirect traffic?? I thought this was only possible from NAT. I just
> > don't want to put in some random rules and upset the network.
>
> Chris posted this a while back...
>
>                             Lee
>
> I recall something in the archives about somebody doing something 
> similar using a hacked NAT rule.
>
> Like manually put something like this in your config.xml backup and 
> restore it.
>
>  <nat>
>  <rule>
>   <protocol>tcp</protocol>
>   <external-port>25</external-port>
>   <target>192.168.1.5</target>
>   <local-port>25</local-port>
>   <interface>lan</interface>
>   <descr>redirect SMTP to LAN SMTP server</descr>
>  </rule>
>  </nat>
>
> where 192.168.1.5 is your SMTP server.
>
> That might really screw stuff up though, so test it thoroughly first 
> to make sure it has no unintended consequences (if it works at all).
>
> If someone tries it, please let me know if it works.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch