Date: Thu, 21 Jan 2010 21:30:54 -0700
From: Joseph <syscon780@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [SOLVED] squid - allowing only one domain
Message-ID: <20100122043054.GA28268@syscon4.inet>
References: <20100120055305.GJ6352@syscon4.inet>
 <4B56D9D7.9060301@jaftan.com.au>
 <20100120134906.GK6352@syscon4.inet>
 <4B58311D.204@jaftan.com.au>
 <20100121185943.GM6352@syscon4.inet>
 <7A4DF89C-26E9-4098-A447-8D176DD59AD7@stellar.eclipse.co.uk>
 <20100121235253.GN6352@syscon4.inet>
 <D7EA46DA-5B73-4870-8324-9F1E55A3E006@stellar.eclipse.co.uk>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
In-Reply-To: <D7EA46DA-5B73-4870-8324-9F1E55A3E006@stellar.eclipse.co.uk>

On 01/22/10 03:49, Stroller wrote:
>Thanks for posting Joseph.
>
>I would love to understand this better.
>
>
>On 21 Jan 2010, at 23:52, Joseph wrote:
>>On 01/21/10 21:51, Stroller wrote:
>>>>maybe it is not possible with single interface eth0
>>>
>>>I believe that running Squid in conjunction with iptables is 
>>>known as running in "interception" mode.
>>>
>>>It may well indeed not be possible to do this with only one 
>>>interface. How do you ensure that packets reach this machine? I 
>>>think usually ... So I'm not really sure how the machines on your 
>>>LAN know to send web packets to your Squid machine. Perhaps you 
>>>can explain?
>
>^ Could you answer these questions, please?

Simple, it is done by iptables in the kernel.
You are sending the packets to port 80 (http) to go out via eth0, which is the only way out; iptables (your firewall) intercepts the traffic and does whatever
you instruct it to do, in my case below:

Intercept everything to 127.0.0.1 (localhost) and let it go; no need to forward it to squid, harmless traffic :-)
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT

Exempting squid, joseph and root from forwarding to squid and allowing Internet access without filtering; simple and self-explanatory
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT

Everything else passes through squid, which permits or allows the traffic; in my case I only allow access to two domains, everything else is denied (squid
is redirecting the traffic to port 80 on eth0 if permitted)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

It is very simple.

>
>>Yes, it is possible, it took me a day to figure it out as I'm not a 
>>pro with iptables, check my post and follow the instructions:
>>http://forums.gentoo.org/viewtopic-p-6142685.html#6142685
>
>I don't see the explanation in this link.
>
>Stroller.

I don't understand what kind of explanation you expect; just emerge squid iptables (make sure the kernel has the correct entries compiled IN) and type those
commands in at the command line; read the post above, some other users clearly suggested what to type at the command line :-)

It just works! I stated my objectives and I accomplished them.

-- 
Joseph
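The following is an added example, not part of the thread: a first-match model of the six nat OUTPUT rules Joseph posted, so that the ordering can be checked before the rules are loaded on a real box. The Packet and Rule types, the sample user "alice" and the destination address 198.51.100.10 are constructed for the illustration. Two properties worth verifying are built in as functions: the squid uid exemption must sit before the REDIRECT, otherwise squid's own upstream connections to port 80 would be redirected back into squid; and only destination port 80 is caught, so HTTPS on 443 leaves the host unfiltered. Note also that the OUTPUT chain only sees packets generated on the host itself, which is why this setup answers the single-machine case and not the question about other LAN hosts.

```python
# Added example (not from the thread): simulate iptables' first-match
# evaluation of the nat OUTPUT chain from the post. Packet, Rule, the user
# "alice" and the address 198.51.100.10 are constructed for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    uid: str        # owner of the sending socket (what -m owner --uid-owner sees)
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "REDIRECT"
    dport: Optional[int] = None     # --dport
    dst: Optional[str] = None       # -d
    uid: Optional[str] = None       # -m owner --uid-owner
    to_port: Optional[int] = None   # --to-ports (REDIRECT only)

    def matches(self, pkt: Packet) -> bool:
        # every rule in the post carries "-p tcp"
        if pkt.proto != "tcp":
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.uid is not None and pkt.uid != self.uid:
            return False
        return True


# The six rules from the post, in the order they were appended with -A.
NAT_OUTPUT = [
    Rule("ACCEPT", dport=80, dst="127.0.0.1"),
    Rule("ACCEPT", dport=80, uid="squid"),
    Rule("ACCEPT", dport=3128, uid="squid"),
    Rule("ACCEPT", dport=80, uid="root"),
    Rule("ACCEPT", dport=80, uid="joseph"),
    Rule("REDIRECT", dport=80, to_port=3128),
]


def evaluate(pkt: Packet, rules=NAT_OUTPUT):
    """Return (verdict, effective destination port) for a locally generated packet.

    As in the real chain, the first matching rule wins; a packet no rule matches
    falls through to the chain policy, which is ACCEPT for the nat OUTPUT chain.
    """
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "REDIRECT":
                return ("REDIRECT", rule.to_port)
            return ("ACCEPT", pkt.dport)
    return ("POLICY-ACCEPT", pkt.dport)


def squid_is_exempt(rules=NAT_OUTPUT, squid_uid="squid") -> bool:
    """Sanity check before loading the rules: squid's own outbound port-80
    connections must not be redirected back to 3128, or the proxy would be
    handed its own upstream requests in a loop."""
    verdict, _ = evaluate(Packet(squid_uid, "198.51.100.10", 80), rules)
    return verdict != "REDIRECT"


def uncaught_ports(rules=NAT_OUTPUT, ports=(80, 443, 8080)):
    """Ports on which an ordinary, non-exempt user reaches the Internet without
    passing through squid. With the posted rules only port 80 is intercepted."""
    return [p for p in ports
            if evaluate(Packet("alice", "198.51.100.10", p), rules)[0] != "REDIRECT"]


if __name__ == "__main__":
    for pkt in (Packet("alice", "198.51.100.10", 80),
                Packet("joseph", "198.51.100.10", 80),
                Packet("alice", "127.0.0.1", 80),
                Packet("alice", "198.51.100.10", 443)):
        print(pkt, "->", evaluate(pkt))
    print("squid exempt from the redirect:", squid_is_exempt())
    print("ports not intercepted:", uncaught_ports())
```

Running the module prints the verdict for each constructed packet; the two check functions are the ones to run against any edited rule list, since deleting or reordering the uid-owner lines is the easiest way to break this setup silently.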