Mikrotik + transparent Squid

Thread in 'WebProxy (WebCaché)' started by erdosain9, 17 May 2016.

  1. erdosain9

    erdosain9 New Member

    Hello
    I have these networks configured on the Mikrotik:
    WAN
    PROXY (10.0.0.2------squid)
    LAN (192.168.99.0/24)

    I redirected port 80 from the LAN interface to port 8080 with a dstnat chain rule.
    I enabled the Mikrotik web proxy and set my Squid (10.0.0.2) as its parent proxy, with Squid's port 3128...

    Actually, I would like to have it working without having to enable the MK web proxy.

    Regards and thanks
  2. MikrotikPeru

    MikrotikPeru Well-Known Member

    Have a look at this Squid configuration. I'm using version 3.1, /etc/squid3/squid.conf:
    Code:
    http_port 8080 transparent

    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

    acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/

    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access allow localnet
    http_access deny all

    access_log /dev/null
    cache_access_log /var/log/squid3/access.log
    cache_log /dev/null
    cache_store_log /dev/null
    We add the following to /etc/rc.local, which ends up looking like this:

    Code:
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    puerto_proxy="8080"
    WAN="eth0"
    LAN="eth0"
    BRIDGE="br0"

    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/ebtables -t broute -F
    /sbin/ebtables -t broute -X
    /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $puerto_proxy
    /sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    exit 0
    Then you no longer use the web proxy or NAT redirection; instead you use Mangle directly, policy-routing port 80:

    Code:
    /ip firewall mangle
    add action=mark-routing chain=prerouting dst-port=80 in-interface=LAN protocol=tcp new-routing-mark=thunder_route
    Code:
    /ip route
    add check-gateway=ping gateway=10.0.0.222 routing-mark=thunder_route
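The http_access list is what decides who the transparent proxy will serve: the REDIRECT rule in the rc.local above matches TCP port 80 on every interface of the Squid box, so a client that is not in localnet is only refused because the rules end in `deny all`. The following is an added example, not code from either post, that reads a squid.conf-style text, collects the acl and http_access lines, and evaluates a request with Squid's first-match semantics. The embedded configuration is a constructed copy of the posted http_access section (Safe_ports collapsed to one line); only the acl types that section uses (src, dst, port, method, url_regex) are implemented, and the request format (a plain dict with src, dst, port, method, url) is this example's own.

```python
"""First-match evaluation of Squid http_access rules (added example)."""
import ipaddress
import re

# Constructed sample: the access-control part of the posted squid.conf.
SQUID_CONF = """
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
"""


def parse_conf(text):
    """Return (acls, rules): acl name -> (type, values) and the ordered http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, atype, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (atype, []))
            if entry[0] != atype:
                raise ValueError(f"acl {name} redefined with type {atype}")
            entry[1].extend(values)  # repeated acl lines accumulate values
        elif parts[0] == "http_access" and len(parts) >= 3:
            terms = [(v.startswith("!"), v.lstrip("!")) for v in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """Does the named acl match the request? 'all' is Squid's implicit catch-all."""
    if name == "all":
        return True
    atype, values = acls[name]
    if atype in ("src", "dst"):
        addr = ipaddress.ip_address(req[atype])
        return any(addr.version == (net := ipaddress.ip_network(v, strict=False)).version
                   and addr in net for v in values)
    if atype == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if atype == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if atype == "url_regex":
        flags = 0  # "-i" makes following patterns case-insensitive, "+i" reverts
        for v in values:
            if v in ("-i", "+i"):
                flags = re.IGNORECASE if v == "-i" else 0
            elif re.search(v, req["url"], flags):
                return True
        return False
    raise ValueError(f"unsupported acl type {atype}")


def evaluate(acls, rules, req):
    """Return (action, index) of the first rule whose terms all match.

    Squid's default when nothing matches is the opposite of the last rule's action.
    """
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action, i
    last = rules[-1][0] if rules else "allow"
    return ("deny" if last == "allow" else "allow"), None


def check_rules(acls, rules):
    """Static findings: references to undefined acls, and a final rule other than 'deny all'."""
    findings = []
    for i, (_, terms) in enumerate(rules):
        for _, name in terms:
            if name != "all" and name not in acls:
                findings.append(f"rule {i}: unknown acl '{name}'")
    if not rules or rules[-1] != ("deny", [(False, "all")]):
        findings.append("last http_access rule is not 'deny all'")
    return findings


def make_request(src, port, method="GET", url="http://example.com/", dst="198.51.100.7"):
    """Build a request dict; 198.51.100.7 is a constructed documentation-range destination."""
    return {"src": src, "dst": dst, "port": port, "method": method, "url": url}


if __name__ == "__main__":
    acls, rules = parse_conf(SQUID_CONF)
    print("findings:", check_rules(acls, rules))
    for label, req in [("LAN client, port 80", make_request("192.168.99.10", 80)),
                       ("WAN client, port 80", make_request("203.0.113.5", 80)),
                       ("LAN client, port 25", make_request("192.168.99.10", 25)),
                       ("LAN CONNECT to 8443", make_request("192.168.99.10", 8443, "CONNECT"))]:
        print(f"{label}: {evaluate(acls, rules, req)}")
```

Feeding it the posted configuration shows that a LAN client is allowed by the `allow localnet` line, a client arriving from the WAN side falls through to `deny all`, and that a LAN request to a non-Safe port or a CONNECT to a non-443 port is stopped by the deny lines before `allow localnet` is ever reached; dropping the final `deny all` is reported as a finding because Squid would then apply the opposite of the last remaining rule to everything unmatched.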
     
