# simple squid + shorewall question

## albright

I've got shorewall and squid (transparent) running on my desktop.

This works fine for computers on the LAN. They all use the squid proxy.

My question is: is it possible for my desktop to also use the squid proxy?

Relevant rules in /etc/shorewall/rules:

```
# for squid
REDIRECT        loc     3128    tcp     www # redirect to Squid on port 3128
ACCEPT          $FW     net     tcp     www # allow Squid to fetch the www content
```

Obviously, if I try to redirect fw through 3128 there is a loop.

So is there any way to configure shorewall so the computer running squid (and shorewall) can use the squid proxy?

Sorry if this isn't very clear ...

----------

## 666threesixes666

Can you set your browser to 127.0.0.1:3128 in proxy settings and get sites? I.e. use the proxy in non-transparent mode.

----------

## albright

Thanks, but no dice. If I set the proxy in a browser manually, I get:

```
ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.xxx/

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

Generated Fri, 07 Mar 2014 20:42:03 GMT by xxx (squid/3.4.3)
```

----------

## 666threesixes666

http://ubuntuforums.org/archive/index.php/t-1685730.html

From the output of the local box, you're clearly reaching squid. I think that post might help you. If it doesn't, googling your error might help.

----------

## albright

Thanks again ... I have tried googling to little avail.

My problem is not a general problem of access; all computers on the LAN *except* localhost access the net via squid perfectly.

Only localhost gets the error if I set the proxy manually, or, if no proxy is set, localhost retrieves directly from the net, ignoring squid's proxy.

I think the problem is that shorewall cannot redirect traffic from the net to localhost via the proxy because the proxy is running on localhost, so redirects would loop and squid couldn't get to the net. To put it another way, localhost has to have access to the net for squid to get content, but I want localhost to query squid for content, which entails a redirect of localhost away from the net (if you see what I mean :) )

This looks impossible but I suspect there is a way to do it somehow ...????

----------

## 666threesixes666

In browser proxy settings try keeping the port the same, but try 0.0.0.0, localhost, 127.0.0.1, and finally the box's internal LAN IP address (i.e. 10.0.0.2, 192.168.0.2).

----------

## albright

Further research into squid, shorewall and iptables suggests this answer:

1. Turn off shorewall's redirection rules.

2. Add these iptables commands after shorewall starts:

```
# let packets generated by Squid's own group leave untouched, otherwise the next rule would loop them back into Squid
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 31 -j ACCEPT
# everything else the firewall itself sends to port 80 goes to the local Squid
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination mycomputerslocalIP:3128
```

(mycomputerslocalIP is the local address of the computer running shorewall and squid; the gid-owner is the squid user's group id.)

I now see both the lan clients and my desktop using the squid cache ...

Of course, being pretty deeply ignorant about iptables, I'm a little worried about whether I've done something Officially Bad ... any advice would be welcome.
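The reason the two-rule sequence above works is ordering: in the nat OUTPUT chain, the `owner` match must exempt Squid's own group *before* the catch-all rewrite to port 3128, or Squid's outbound fetches are handed back to Squid and loop. The following script is an added example (not code from this thread or from the Shorewall or Squid projects) that reconstructs the two commands from a gid and a LAN address, and audits a captured `iptables -t nat -S OUTPUT` listing for that ordering. The gid 31, the address 192.168.1.2 and the two rule listings are constructed sample values, not taken from any real host.

```python
"""Audit the nat OUTPUT chain that sends a firewall's own web traffic
through a local Squid, checking that Squid's own group is exempted
before the port-80 rewrite so Squid cannot be redirected onto itself."""
import shlex

# Constructed sample values (not from a real machine).
SAMPLE_GID = 31
SAMPLE_LOCAL_IP = "192.168.1.2"


def build_nat_output_rules(squid_gid, local_ip, proxy_port=3128):
    """Return the two iptables commands in the order they must be appended.
    The owner-exclusion ACCEPT comes first; ACCEPT in the nat table just ends
    NAT processing for that packet, so Squid's fetches leave untouched."""
    return [
        f"iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner "
        f"--gid-owner {squid_gid} -j ACCEPT",
        f"iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT "
        f"--to-destination {local_ip}:{proxy_port}",
    ]


def parse_rule(line):
    """Parse one `iptables -S` line into an {option: value} dict.
    Flags without an argument map to True."""
    toks = shlex.split(line)
    opts, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[tok] = toks[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def _target_port(rule):
    """Port a DNAT/REDIRECT rule rewrites to, as a string, or None."""
    dest = rule.get("--to-destination") or rule.get("--to-ports")
    if not isinstance(dest, str):
        return None
    return dest.rsplit(":", 1)[-1]


def check_loop_guard(listing, squid_gid, proxy_port=3128):
    """Walk `iptables -t nat -S OUTPUT` output top to bottom.
    Returns (ok, reason). ok is True only when a port-80 rewrite to the
    proxy port exists and an owner ACCEPT for squid_gid precedes it."""
    guard_seen = False
    for raw in listing.splitlines():
        line = raw.strip()
        if not line.startswith("-A OUTPUT"):
            continue  # skip policy lines and other chains
        rule = parse_rule(line)
        if rule.get("--dport") != "80":
            continue
        if rule.get("-j") == "ACCEPT" and rule.get("--gid-owner") == str(squid_gid):
            guard_seen = True
            continue
        if rule.get("-j") in ("DNAT", "REDIRECT") and _target_port(rule) == str(proxy_port):
            if guard_seen:
                return True, "owner exclusion precedes the rewrite to Squid"
            return False, "rewrite to Squid precedes owner exclusion: Squid's own fetches would loop"
    return False, "no port-80 rewrite to the proxy port found in nat OUTPUT"


# Constructed listings in `iptables -S` form (iptables normalises --dport to -m tcp).
GOOD_LISTING = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128
"""

LOOPING_LISTING = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 31 -j ACCEPT
"""

if __name__ == "__main__":
    for cmd in build_nat_output_rules(SAMPLE_GID, SAMPLE_LOCAL_IP):
        print(cmd)
    print(check_loop_guard(GOOD_LISTING, SAMPLE_GID))
    print(check_loop_guard(LOOPING_LISTING, SAMPLE_GID))
```

Two points the audit makes visible: the rules live in the nat OUTPUT chain, so they only affect packets the firewall generates itself, and Shorewall's own REDIRECT for the `loc` zone (PREROUTING) is untouched; and because Shorewall flushes and rebuilds the tables on restart, manually appended rules disappear unless they are added from a Shorewall extension script such as /etc/shorewall/started, otherwise the desktop silently falls back to fetching directly.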

----------

