[squid-users] change packet flow to have transparent squid proxy
morteza omidian
2018-09-15 05:23:19 UTC
Hi
I am in dire need of using Squid in my Linux iptables firewall as a transparent proxy.
In my Linux iptables firewall I want to apply iptables rules and controls in the FORWARD chain and after that do HTTP filtering with Squid. Because of that I need to change the netfilter packet flow and send packets to Squid (application layer, user space) after the FORWARD chain, and then get them back to kernel space to continue their way through the FORWARD chain and then go out, something like other firewalls and UTMs (like pfSense or OPNsense and ...) do. In my situation, I want Squid to be placed after my FORWARD iptables rules; by default Squid listens on an input port of the machine, but that is not what I want, and redirecting packets to the INPUT chain does not work for me.
I think NFQUEUE is a good solution for my problem, but I don't know whether it is possible to change the Squid source code to get packets from NFQUEUE, or whether NFQUEUE can keep the packet state and handle a TCP connection.
I want to change my packet flow like this: client-request >>> PREROUTING > NAT > FORWARD > squid-cache > POSTROUTING >>>> HTTP(S) server
The important part is that the FORWARD rules must be checked before packets are forwarded to Squid. I don't want packets destined for the INPUT chain of the firewall. I thought maybe it is possible to use DAQ, the way Snort does, or NFQUEUE in iptables. I need some help with that; please help me if it is possible or there are any other ways to solve it.

Thanks a lot
Morteza Omidian
Eliezer Croitoru
2018-09-15 18:44:33 UTC
Hey,

What exactly are you trying to do?
HTTP proxies have their own ACL rules like in a firewall.
If you need to block specific traffic then you should enforce the ACL
inside the proxy and not rely on the FW.
Adding an external acl helper that will do the same thing as iptables is
only a matter of minutes of coding.
If you have one example I believe I can try to write some helper that
will do what you need.

All The Bests,
Eliezer
Post by morteza omidian
Hi
I am in dire need of using Squid in my Linux iptables firewall as a transparent proxy.
In my Linux iptables firewall I want to apply iptables rules and controls
in the FORWARD chain and after that do HTTP filtering with Squid. Because
of that I need to change the netfilter packet flow and send packets to
Squid (application layer, user space) after the FORWARD chain, and then
get them back to kernel space to continue their way through the FORWARD
chain and then go out, SOMETHING LIKE OTHER FIREWALLS AND UTMs (like
pfSense or OPNsense and ...) do.
In my situation, I want Squid to be placed AFTER my FORWARD iptables
rules; by default Squid listens on an input port of the machine, but
that is not what I want, and redirecting packets to the INPUT chain does
not work for me.
I think NFQUEUE is a good solution for my problem, but I don't know
whether it is possible to change the Squid source code to get packets
from NFQUEUE, or whether NFQUEUE can keep the packet state and handle a
TCP connection.
I want to change my packet flow like this: client-request >>>
PREROUTING > NAT > FORWARD > squid-cache > POSTROUTING >>>>
HTTP(S) server
The IMPORTANT part is that the FORWARD rules must be checked before
packets are forwarded to Squid. I don't want packets destined for the
INPUT chain of the firewall. I thought maybe it is possible to use DAQ,
the way Snort does, or NFQUEUE in iptables. I need some help with that;
please help me if it is possible or THERE ARE ANY OTHER WAYS TO SOLVE IT.
Thanks a lot
Morteza Omidian
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
--
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il
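As an added illustration of the kind of external ACL helper Eliezer describes (this is example code written for this page, not code from the thread or from the Squid project), here is a minimal helper that evaluates a firewall-style rule table top-down, first match wins, with a default rule acting as the chain policy. It assumes the standard Squid external_acl_type protocol: Squid writes one request line per lookup using the format codes named in the config (here %SRC, %DST and %PORT, with an optional leading channel ID when concurrency=N is set) and expects an "OK" or "ERR" reply line. The rule table, the helper path and the squid.conf snippet in the docstring are constructed for the example.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that mirrors a small firewall rule table.

Assumed squid.conf wiring (illustrative, constructed for this example):

  external_acl_type fwacl ttl=60 concurrency=4 %SRC %DST %PORT /usr/local/bin/fw_acl_helper.py
  acl fw_allowed external fwacl
  http_access deny !fw_allowed
"""
import ipaddress
import sys

# Constructed rule table, evaluated top-down like an iptables chain; the
# first matching rule decides.  Fields: (source network, destination port
# or None for any port, verdict).  The last rule plays the role of the
# chain's default policy.
RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), 443, "OK"),
    (ipaddress.ip_network("10.0.0.0/8"), 80, "OK"),
    (ipaddress.ip_network("192.168.1.0/24"), None, "OK"),
    (ipaddress.ip_network("0.0.0.0/0"), None, "ERR"),
]


def verdict(src, port):
    """Return 'OK' or 'ERR' for a client address and requested destination port."""
    try:
        addr = ipaddress.ip_address(src)
        port = int(port)
    except ValueError:
        return "ERR"  # malformed input fails closed
    for net, rule_port, action in RULES:
        if addr.version != net.version:
            continue  # IPv6 clients never match an IPv4 rule and vice versa
        if addr in net and (rule_port is None or rule_port == port):
            return action
    return "ERR"  # no rule matched: deny


def handle_line(line):
    """Parse one helper request line and build the reply line for Squid."""
    fields = line.split()
    channel = ""
    # With concurrency=N Squid prepends a numeric channel ID that must be
    # echoed back; a client IP always contains dots or colons, so a purely
    # numeric first field can only be the channel ID.
    if fields and fields[0].isdigit():
        channel = fields[0] + " "
        fields = fields[1:]
    if len(fields) < 3:
        return channel + "ERR"
    src, _dst, port = fields[0], fields[1], fields[2]
    return channel + verdict(src, port)


def main():
    for line in sys.stdin:
        line = line.rstrip("\n")
        if not line:
            continue
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    main()
```

The helper keeps the firewall's semantics (ordered rules, explicit default deny) inside the proxy, which is the point of the reply: the decision is made on the HTTP request Squid already has, so no change to the netfilter packet flow is needed. The %DST field is parsed but unused here; a real deployment would typically add hostname or destination-address rules to the same table.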