On 1/01/2012 12:00 a.m., Markus Thüs wrote:
> Some Facts:
> - Using Squid 2.7 on Debian Linux
> - Dell Machine with one internal ETH (eth0) =>  disabled, 2x D-Link DFE-530TX
> ETH Cards (Eth1, Eth2)
> - Squid Proxying only
>
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Question:
>
>
> Hi there,
>
> regarding the following scenario:
>
> Internal Network via ETH1 (192.168.0.0/24) =>  Squid Server (eth0 down /
> eth1: 192.168.0.6 / eth2: 10.0.0.7) =>  Routing Network (10.0.0.0/28) via
> ETH2 =>  Router (10.0.0.1) =>  Internet
>
> How can I force Squid to use exactly this kind of scenario? That means:
> open a port and accept proxying requests from the internal network; no port /
> deny requests from the external, AND keep this direction so that traffic from or
> to the internet is exclusively routed through the external interface.
>
>
> Any Ideas ?
Firstly; forget the interfaces. They are part of the systems down at
layer 1-3 (the hardware levels). Squid operates only at level 4-7 and
the closest it gets to interfaces is knowing what an IP address is.

In squid.conf the http_access directive determines what requests are
permitted to happen and what are rejected up front. The default
configuration contains an ACL called "localnet" or "our_networks"
depending on your squid version. The network LAN subnet(s) which you
configure in there are permitted to make requests through Squid, others
are not.

Preventing LAN clients visiting LAN servers through Squid is a different
prospect. You need to add a "dst" type ACL with the LAN range and an
http_access deny line before the "http_access allow localnet" line.

However; you may not want to actually do that. Since clients will be
passing Squid the domain names they want to contact, Squid will be
checking the DNS for those domains. It's not normal or good for the
public DNS system to contain 192.168.0.0/16 or 10.0.0.0/8 range IPs and
you would have had to create a local DNS view for them to be visible.
Both those cases seem to be ones where you are actually wanting Squid to
resolve the domains to LAN IPs and pass traffic there.

If you need Squid to not even listen on public facing port 3128 (or
whatever) configure the http_port as the hostname:port or ip:port which
it *is* allowed to listen on.
Amos
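A squid.conf fragment that puts the three points of the reply above together for the addresses Markus describes, as an added example that is not part of the thread. The ACL names, the optional tcp_outgoing_address line, and the assumption that the stock 2.7 `acl all src all` line is still present are my own.

```conf
# Added example for the thread's scenario (not from the original mail).
# Addresses are the ones Markus gave; ACL names are my choice. Assumes
# the default Squid 2.7 config still defines:  acl all src all

# Listen only on the LAN-facing address, not on 10.0.0.7 or 0.0.0.0,
# so nothing on the 10.0.0.0/28 side can even open the proxy port.
http_port 192.168.0.6:3128

# Clients allowed to use the proxy: the internal LAN only.
acl localnet src 192.168.0.0/24

# Destinations inside the two private ranges. Optional: as the reply
# notes, "dst" makes Squid resolve the requested hostname first, so only
# add this if you really do not want LAN-to-LAN traffic via the proxy.
acl lan_dst dst 192.168.0.0/24 10.0.0.0/28

# http_access lines are evaluated top to bottom, first match wins, so
# the deny must sit above the allow that would otherwise match.
http_access deny lan_dst
http_access allow localnet
http_access deny all

# Source IP for Squid's own outbound connections. The kernel routing
# table, not Squid, picks the interface; this only fixes the source.
tcp_outgoing_address 10.0.0.7
```

Check the result with `squid -k parse` before reloading, and test from both a 192.168.0.x and a 10.0.0.x host that only the former can reach port 3128.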
Received on Sat Dec 31 2011 - 11:36:04 MST
This archive was generated by hypermail 2.2.0 : Sat Dec 31 2011 - 12:00:02 MST