I have this specific setup that I created to test Squid cache intercept mode.
I created a CentOS 7 Linux VM in VirtualBox on my Mac.
I disabled SELinux (set it to Permissive), disabled the firewall service that comes with it, and installed iptables and docker.
uname -a
Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
I ran Squid on port 3129 in host mode and added this nat rule, as mentioned in the Squid documentation:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 3129 -w
It was something very simple to do, obviously.
But I have no way to test it. I can't curl from inside the VM (because the PREROUTING rules are not honored).
I have two network interfaces on my VM.
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:c0:49:9c brd ff:ff:ff:ff:ff:ff
inet 192.168.1.7/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
valid_lft 75169sec preferred_lft 75169sec
inet6 fe80::a00:27ff:fec0:499c/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:ee:63:05 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.3/24 brd 192.168.56.255 scope global noprefixroute dynamic enp0s8
valid_lft 1051sec preferred_lft 1051sec
inet6 fe80::26b1:aa5:894b:16a2/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Since I can't do curl -I --interface 192.168.1.7 http://www.bbc.com/ -v from the VM (it took me a few days to figure out that this doesn't work),
I'm trying this on my host machine:
curl -I --interface 192.168.1.7 http://www.bbc.com/ -v
and this is what I get:
* Trying 151.101.24.81...
* TCP_NODELAY set
* Local Interface en9 is ip 192.168.1.2 using address family 2
* Local port: 0
* Immediate connect fail for 151.101.24.81: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
I also created these rules to accept dport 80 on the interfaces.
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
I know this is the same as the rule above; I just threw it in there just in case.
These are my filter rules:
Chain INPUT (policy ACCEPT 438 packets, 92242 bytes)
num pkts bytes target prot opt in out source destination
1 215 15576 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-USER all -- any any anywhere anywhere
2 0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
3 0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
4 0 0 DOCKER all -- any docker0 anywhere anywhere
5 0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
6 0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
7 0 0 ACCEPT all -- any br-wifi anywhere anywhere ctstate RELATED,ESTABLISHED
8 0 0 DOCKER all -- any br-wifi anywhere anywhere
9 0 0 ACCEPT all -- br-wifi !br-wifi anywhere anywhere
10 0 0 ACCEPT all -- br-wifi br-wifi anywhere anywhere
Chain OUTPUT (policy ACCEPT 114 packets, 14984 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
2 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-wifi !br-wifi anywhere anywhere
3 0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- any docker0 anywhere anywhere
2 0 0 DROP all -- any br-wifi anywhere anywhere
3 0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- any any anywhere anywhere
and these are my nat rules:
Chain PREROUTING (policy ACCEPT 9 packets, 2073 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REDIRECT tcp -- any any anywhere anywhere tcp dpt:http redir ports 3129
Chain INPUT (policy ACCEPT 9 packets, 2073 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
num pkts bytes target prot opt in out source destination
1 2 168 DOCKER all -- any any anywhere !loopback/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
num pkts bytes target prot opt in out source destination
1 2 168 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
2 0 0 MASQUERADE all -- any !br-wifi 172.18.0.0/16 anywhere
Chain DOCKER (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- docker0 any anywhere anywhere
2 0 0 RETURN all -- br-wifi any anywhere anywhere
I just want to get this working, then I can try to harden these rules. I have no idea whether this curl test is the right way to go.
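As an added example (not code from the original post or from the Squid project), here is a script for the VM that installs the redirect rules and checks interception through the rule packet counters rather than by guessing from curl's exit status. It assumes Squid is configured with `http_port 3129 intercept` and runs as the user `squid`, and that enp0s3 is the interface on which traffic from other machines reaches the VM; all three are assumptions and can be overridden through the environment variables at the top. Two facts about Netfilter drive its shape: packets the VM generates itself (a curl run on the VM) traverse the nat OUTPUT chain and never PREROUTING, so a local curl can only be intercepted by a rule in OUTPUT; and PREROUTING is exercised by packets arriving on an interface, i.e. by another machine that uses 192.168.1.7 as its gateway, which is also why `curl --interface 192.168.1.7` on the Mac cannot reach it (that address belongs to the VM, not to the host, as the `Local Interface en9 is ip 192.168.1.2` line shows).

```shell
#!/bin/bash
# Added example for this question, not code from the original post or from
# the Squid project. Assumptions: Squid is configured with
# "http_port 3129 intercept" and runs as the user "squid"; enp0s3 is the
# interface on which traffic from other machines reaches the VM.

SQUID_PORT=${SQUID_PORT:-3129}
SQUID_USER=${SQUID_USER:-squid}
LAN_IF=${LAN_IF:-enp0s3}

# Install the redirect rules (run as root on the VM).
# PREROUTING only sees packets that arrive on an interface, i.e. requests
# from other hosts that route through the VM, so forwarding must be on.
# Packets the VM generates itself (curl on the VM) traverse OUTPUT, never
# PREROUTING, hence the second rule for local testing. The owner match keeps
# Squid's own upstream fetches (also to port 80) out of the redirect;
# without it they would be sent back into Squid, a forwarding loop.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
    -j REDIRECT --to-ports "$SQUID_PORT"
  iptables -t nat -A OUTPUT -p tcp --dport 80 \
    -m owner ! --uid-owner "$SQUID_USER" \
    -j REDIRECT --to-ports "$SQUID_PORT"
}

# Sum of the packet counters of "REDIRECT ... dpt:80" rules in the output of
# "iptables -t nat -L <chain> -v -n -x" read from stdin; prints 0 when no
# such rule exists. With -n the port shows as dpt:80 rather than dpt:http.
redirect_hits() {
  awk '$3 == "REDIRECT" && $0 ~ /dpt:80( |$)/ { sum += $1 }
       END { print sum + 0 }'
}

# Difference between two counter readings (before, after).
hits_delta() {
  echo $(( $2 - $1 ))
}

# Send one request from the VM and decide from the OUTPUT counter whether
# it was intercepted. Returns 0 if it was, 1 otherwise. Needs root.
# For the PREROUTING rule, read the counter with
# "iptables -t nat -L PREROUTING -v -n -x | redirect_hits" before and
# after making a request from a client that uses the VM as its gateway.
check_local_intercept() {
  url=${1:-http://www.bbc.com/}
  before=$(iptables -t nat -L OUTPUT -v -n -x | redirect_hits)
  curl -s -o /dev/null -m 10 "$url" || true
  after=$(iptables -t nat -L OUTPUT -v -n -x | redirect_hits)
  if [ "$(hits_delta "$before" "$after")" -gt 0 ]; then
    echo "intercepted: OUTPUT REDIRECT counter $before -> $after"
    return 0
  fi
  echo "not intercepted: OUTPUT REDIRECT counter stayed at $after"
  return 1
}
```

Usage, as root on the VM, with the script saved under a name of your choice (here `intercept.sh`, an assumed name): `. ./intercept.sh; apply_rules; check_local_intercept`. A `0 pkts` counter on the nat PREROUTING REDIRECT rule, as in the listing above, means no packet has matched that rule yet, which is expected when every request so far was generated on the VM itself.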