Squid with transparent proxy - firewall rules bypassed
-
Hi,
I read that since 2.0 firewall rules are applied before squid transparent proxy mechanism. Or I have the following problem:
- squid is setup in transparent mode
- for some reasons, I need to add some specific rules for some HTTP destinations
It worked some beta versions ago, but now when transparent proxy is activated, firewall is bypassed on port 80.
When I swith transparent proxy mode off, firewall rules are then applied again.Any help ?
BTW I use i386
-
No idea ?
Ok let me try to explain better.
I have a permanent openvpn connexion to an external ISP which is my default route. So all my traffic is sent to OPT1.
But I need to access some websites trough the WAN interface (not via the VPN).This works perfectly when I add specific rules in firewall without using squid.
But now I want to add a transparent proxy.
The problem is squid doesn't take care of firewall rules. So when transparent proxy is activated, all my http trafic is sent to OPT1.
I found a way to make it work by adding static routes, but I don't like it for 2 reasons:- I'd prefer to use firewall rules instead of static routes
- Static routes are sometimes reseted, I don't know exactly when for now, I suspect it happens when openvpn connexion is re-established. In this case, I have to reload routing configuration manually.
So is there any way to apply firewall rules before squid ?
I really hope for an answer!
Thanks by advance.
-
Just put rules on port forward for the subnets/interfaces you do not want to go to squid as NO port forward from this subnet to any.
-
Thanks for your answer.
What do you mean exactly ?
I don't want to exclude a LAN network from squid, I just want squid to reach some websites on another route than the default gateway.
I tried to add the IP addresses or networks of these websites on the "Firewall: NAT: Outbound" page, but same thing, it seems squid doesn't take care of it.And I'd like to log all http traffic, so I don't want to bypass squid for some websites, once again here is what I'd like:
- all http traffic goes transparently through squid
- based on firewall rules, squid then may have different gateway(s) for some addresses
Is it possible, and how ?
Thanks a lot!
-
It should be possible with Floating rules.
Create a rule with source address the wan address and destination the remote sites and gateway the one they should go.
-
That's the same thing, squid intercepts http traffic before the firewall, so even with floating rules, it doesn't work.
-
Ok if you say so. ;D
But the rule on the floating tab should have direction out and no interface selected.
-
Ok I just tried. The problem when I check firewall logs is my source address is the one assigned by the openvpn connexion.
If I put Wan address as source address, rule is not applied.
If I put "any" as source address, then rule seems to applied according to log, but when I check my IP address on an online website, it's still the openvpn one.So it seems squid intercepts traffic (because webpage is loaded), through default gateway, and firewall can't do anything even if it appears in logs.
Sorry for my english :)
-
Well page was loaded from squid cache. But here is the final result:
The firewall tries to send packets from openvpn wan IP to real Wan gateway. It can't work, and squid just says network timeout.
-
You have to draw a scheme/diagram on what you want to do otherwise i am blind on your request.
-
LOL you're right :)
Let's try a diagram:
Also here is the last configuration I tried:
-
Show me even the interface configuration.
-
For sure!
