    problem in squid

    Hi all,
    I am running the Squid transparent proxy and it is working well.
    My problem is how I can restrict users on this proxy.

    I created the list of users in an ACL and it is working well when the user has the proxy setting.
    A user who has the gateway and DNS can easily bypass this ACL, and the interesting thing is that
    I can watch their IP in the access.log.
    Please reply to me at this address.

    If you run it as a "transparent" proxy, it sounds more like you have an issue on your fw/default router if the user can bypass this proxy.
    As a transparent proxy, you should redirect all concerning http/ftp traffic through the proxy without the users' knowledge or configuration.

    My suggestion for you is to do a typical configuration on your fw as:

    [client host] -- HTTP:80 --> FW --> Squid --> [Webserver]
    [client host] -- HTTP:8080 --> FW --> Squid --> [Webserver]
    [client host] -- FTP:21 --> FW --> Squid --> [Webserver]
    [client host] -- TCPx --> FW --> [Server]

    I can't understand what you want to say?
    I have done these entries:

    # enable routing between the interfaces
    echo '1' > /proc/sys/net/ipv4/ip_forward
    # default policy for forwarded traffic
    /sbin/iptables -P FORWARD ACCEPT
    # NAT for outbound traffic (source/destination arguments as posted)
    /sbin/iptables -t nat -A POSTROUTING -p all -s -d -j MASQUERADE
    # send inbound HTTP from eth0 to Squid on port 3128
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    and in squid.conf I created the list of users (in an ACL) that I don't want to use the internet.
    Now I rejected the users in this ACL list, but they bypass Squid if they enter the DNS and gateway.
    Also tell me why DNS is needed at the client side in the case of a transparent proxy.
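    The post above does not show the ACL itself, so here is an added squid.conf fragment (not the poster's configuration; the addresses, file path and ACL names are assumptions) that denies a list of client addresses by source IP. A src ACL keeps working for intercepted traffic because Squid still sees the client's address; a proxy_auth ACL would not, since browsers only send Proxy-Authorization when they are explicitly configured to use a proxy.

```conf
# Added example squid.conf fragment (not from the thread).
# Clients listed in /etc/squid/blocked_clients (one address per line,
# assumed path) are denied before any other http_access rule.
acl blocked_clients src "/etc/squid/blocked_clients"
acl localnet src 192.168.1.0/24          # assumed internal LAN
http_access deny blocked_clients
http_access allow localnet
http_access deny all

# Intercepted traffic arrives on 3128 after the iptables REDIRECT; Squid must
# be told so it rebuilds the URL from the Host header. The keyword is
# "transparent" on Squid 2.6/3.0 and "intercept" on 3.1 and later; Squid 2.5
# used the httpd_accel_* directives instead.
http_port 3128 transparent
```

    Check the result with squid -k parse before reloading, and remember that the ACL only sees what reaches Squid: a client routed straight to the Internet never hits it.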

    In a transparent proxy, DNS is needed due to the fact that the client does not know anything about the proxy. That is for the client IP.

    When you say that the user enters its gateway by itself, does that mean that your box here is not the filtering/end firewall of your network?
    I mean, do you have yet another way to get to the Internet?
    If so, then you have to re-consider your configuration yet again. Because if you really wish the user to be passed through your proxy, the firewall (i.e. this same Linux box now) has to be the end-point for your users on your internal network. Otherwise, there will always be users who know how to bypass the security system.
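    The two replies above make the same point: the box that runs Squid must be the only gateway, and it must forward nothing it does not intend to. The ruleset posted earlier sets FORWARD to ACCEPT and masquerades everything, so a client that sets this box as gateway gets routed out for every port the REDIRECT rule does not catch. As an added example (not the poster's or a reply's own script), the shell function below writes an iptables-restore file with a default-deny FORWARD chain; the interface names, LAN subnet and Squid port are parameters, so it fits both the eth0/ppp0 and eth1/eth0 layouts.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a Linux box that is
# both the LAN's default gateway and a transparent Squid proxy.
# Arguments (all assumptions, not values from the thread):
#   $1 internal interface (eth0 or eth1), $2 Internet interface (ppp0 or eth0),
#   $3 LAN subnet in CIDR form, $4 Squid's listening port.
gen_rules() {
    lan_if="$1"
    wan_if="$2"
    lan_net="$3"
    squid_port="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Intercept outbound HTTP from the LAN and hand it to Squid on this box.
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
# Masquerade only LAN traffic leaving on the Internet side; what actually
# gets out is decided by the FORWARD chain below, not here.
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Default-deny forwarding. A client that points its gateway here cannot route
# port 80 around Squid (REDIRECT already took it), and nothing else is
# forwarded unless listed explicitly.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 53 -j ACCEPT
# Direct port 80 never reaches FORWARD because REDIRECT runs first; keep an
# explicit drop anyway so a later nat change cannot silently open it.
-A FORWARD -i $lan_if -o $wan_if -p tcp --dport 80 -j DROP
# HTTPS (443) is not intercepted by the port-80 REDIRECT, so it is dropped
# here too. Uncomment the next line to let it bypass Squid deliberately:
#-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Usage (as root): write the rules, then load them and enable forwarding.
#   gen_rules eth1 ppp0 192.168.1.0/24 3128 > /etc/squid-fw.rules
#   iptables-restore < /etc/squid-fw.rules
#   echo 1 > /proc/sys/net/ipv4/ip_forward
```

    Generating a file and loading it with iptables-restore replaces the whole ruleset atomically, so there is no window where FORWARD is still ACCEPT. Anything the LAN needs beyond DNS and HTTP (the poster's chat and voice applications, for instance) has to be added as an explicit FORWARD rule; that is the trade-off of closing the bypass.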

    I have two examples:

    1st ==== eth0 for the internal network and dial-up ppp0 for the internet, both on the same machine
    2nd ==== eth1 for the internal network and eth0 for the DSL router for the internet, same, on one machine

    Another related question: suppose I want to use only Squid (not transparent). Now I have the problem that no
    Paltalk, Yahoo voice chat or web-based SMS
    services are available through that proxy. How can I enable these (forwarding?)
    I don't want a transparent proxy because I read on some sites that a transparent proxy can be the reason for slowing down the internet traffic.

