Re: squid transparent proxy

Wennie V. Lagmay wrote:
Hi,

You are right, I am using port 8080. As I mentioned, I have 2 machines: the 1st machine is my Firewall/NAT server, wherein the iptables configuration already states that it should redirect port 80 to 8080:

iptables -t nat -A PREROUTING -s 192.168.10.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat  -A PREROUTING -s 192.168.11.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.12.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.14.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.15.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.16.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.24.0/255.255.248.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.64.0/255.255.224.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.96.0/255.255.224.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080


REDIRECT will only work if squid is running on the router itself. You cannot change the dest IP with REDIRECT.

DNAT is needed if a second machine is involved to change the IP:Port pair.


for the 2nd machine which is the squid proxy I accepted everything.

# Generated by iptables-save v1.3.8 on Wed Apr  2 10:15:54 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:1152]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr  2 10:15:54 2008

But still the transparent proxy is not working.




----- Original Message -----
From: "Indunil Jayasooriya" <indunil75@xxxxxxxxx>
To: "Wennie V. Lagmay" <wlagmay@xxxxxxxxxxxxx>
Sent: Thursday, April 3, 2008 10:48:31 AM (GMT+0300) Asia/Kuwait
Subject: Re:  squid transparent proxy

There are a whole lot of firewall settings.

I think you are running squid on port 8080 (NOT 3128). Since you
have the below rule (the INPUT chain policy is DROP)

iptables -P INPUT DROP

you will have to accept port 8080 as below.

 #Redirecting traffic destined to port 80 to port 8080
 iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 8080

 #For squid traffic to Accept
 iptables -A INPUT -i eth1 -d 192.168.101.254 -p tcp -m state --state NEW -m tcp -s 192.168.101.0/24 --dport 8080 -j ACCEPT

In the above 2 rules, eth1 is the interface that is connected to the LAN, and
the IP address 192.168.101.254 is the IP of the squid proxy server. It should be the gateway of
the client PCs. And I think the clients should have DNS servers.

another URL

http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg52744.html

Pls try. Good luck.



On Thu, Apr 3, 2008 at 12:21 PM, Wennie V. Lagmay <wlagmay@xxxxxxxxxxxxx> wrote:
Dear all,

 I am trying to activate a transparent proxy on my setup, but I cannot get it to run. With the standard setup (configuring the client PC with a browser proxy configuration) everything is working well: squid is responding and the client can browse the internet. Now we are trying to implement a setup wherein the client has the option to put, or not to put, a proxy configuration in the browser.

 I have two separate machines: the 1st machine is the firewall/NAT server running Fedora Core 4 64-bit (with a public IP on the interface), and the 2nd machine is the squid server running Fedora Core 8 64-bit (also with a public IP address). Although all the clients use private IPs, squid can still serve them pretty well.

 Now I have configured my squid (squid-2.6stable19) to accept transparent connections, and it seems to be working, because the cache.log says, "accepting transparently proxied http connection at 0.0.0.0, port 8080, FD 11".

 But when I configure the client browser without a proxy configuration, I cannot browse the internet.

 I am attaching below my firewall/NAT iptables configuration. Can you please check it for me and let me know if I am missing something? Also, if you can, please provide me a step-by-step configuration of a transparent proxy setup.


 # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
 # -A INPUT -j ACCEPT
 -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
 #
 -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
 -A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
 -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
 -A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
 -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.12.0/255.255.255.0 -j ACCEPT
 -A FORWARD -d 192.168.12.0/255.255.255.0 -j ACCEPT
 -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.14.0/255.255.255.0 -j ACCEPT
 -A FORWARD -d 192.168.14.0/255.255.255.0 -j ACCEPT
 -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.15.0/255.255.255.0 -j ACCEPT
 -A FORWARD -d 192.168.15.0/255.255.255.0 -j ACCEPT
 -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.16.0/255.255.255.0 -j ACCEPT
 -A FORWARD -d 192.168.16.0/255.255.255.0 -j ACCEPT
 -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.24.0/255.255.248.0 -j ACCEPT
 -A FORWARD -d 192.168.24.0/255.255.248.0 -j ACCEPT
 #
 -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.64.0/255.255.224.0 -j ACCEPT
 -A FORWARD -d 192.168.64.0/255.255.224.0 -j ACCEPT
 #
 -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
 -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
 -A FORWARD -s 192.168.96.0/255.255.224.0 -j ACCEPT
 -A FORWARD -d 192.168.96.0/255.255.224.0 -j ACCEPT
 #
 -A FORWARD -s xx.xx.184.32/255.255.255.224 -j ACCEPT
 -A FORWARD -d xx.xx.184.32/255.255.255.224 -j ACCEPT
 -A FORWARD -s xx.xx.184.64/255.255.255.224 -j ACCEPT
 -A FORWARD -d xx.xx.184.64/255.255.255.224 -j ACCEPT
 -A FORWARD -s xx.xx.184.120/255.255.255.248 -j ACCEPT
 -A FORWARD -d xx.xx.184.120/255.255.255.248 -j ACCEPT
 -A FORWARD -s xx.xx.184.128/255.255.255.248 -j ACCEPT
 -A FORWARD -d xx.xx.184.128/255.255.255.248 -j ACCEPT
 -A FORWARD -s xx.xx.184.0/255.255.255.240 -j ACCEPT
 -A FORWARD -d xx.xx.184.0/255.255.255.240 -j ACCEPT
 -A FORWARD -s xx.xx.184.144/255.255.255.240 -j ACCEPT
 -A FORWARD -d xx.xx.184.144/255.255.255.240 -j ACCEPT
 #
 #  -A OUTPUT -j ACCEPT
  -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --sport 1863 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --dport 1863 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
  -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
  -A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
  -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
 #
 COMMIT
 # Completed on Thu Dec 23 08:44:33 2004
 # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
 *nat
 :PREROUTING ACCEPT [77:4447]
 :POSTROUTING ACCEPT [85:7701]
 :OUTPUT ACCEPT [85:7701]
 #
 -A PREROUTING -s 192.168.10.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.11.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.12.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.14.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.15.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.16.0/255.255.255.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.24.0/255.255.248.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.64.0/255.255.224.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 -A PREROUTING -s 192.168.96.0/255.255.224.0   -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
 #
 -A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.65-xx.xx.184.66
 -A POSTROUTING -s 192.168.11.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.67-xx.xx.184.68
 -A POSTROUTING -s 192.168.12.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.69-xx.xx.184.70
 -A POSTROUTING -s 192.168.14.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.71-xx.xx.184.72
 -A POSTROUTING -s 192.168.15.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.73-xx.xx.184.74
 -A POSTROUTING -s 192.168.16.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.75-xx.xx.184.76
 -A POSTROUTING -s 192.168.24.0/255.255.248.0 -j SAME --nodst --to xx.xx.184.77-xx.xx.184.80
 -A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.1-xx.xx.184.6
 -A POSTROUTING -s 192.168.96.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.145-xx.xx.184.150
 COMMIT
 # Completed on Thu Dec 23 08:44:33 2004

 Thank you very much,

 Wennie
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
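As an added illustration of the point made above (not code from the thread or from the Squid project): on a two-machine layout the router must DNAT port-80 traffic to the squid box's address instead of using REDIRECT, and the FORWARD chain must let the rewritten packets through. The script below only prints the rule set, so it can be reviewed before anything is applied; the squid address 192.168.101.254 is taken from Indunil's reply and used here as an assumption, the client networks are the ones from Wennie's configuration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates (does not apply)
# router-side and squid-side iptables rules for the two-machine setup.
# Assumptions: SQUID_IP is the squid box as seen from the router (hypothetical
# value from the reply), SQUID_PORT is the squid http_port, and the client
# networks are the ones listed in the original message (masks written as /nn).
SQUID_IP=${SQUID_IP:-192.168.101.254}
SQUID_PORT=${SQUID_PORT:-8080}
CLIENT_NETS="192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.14.0/24 \
192.168.15.0/24 192.168.16.0/24 192.168.24.0/21 192.168.64.0/19 192.168.96.0/19"

# Router (firewall/NAT box): REDIRECT can only hand traffic to the router
# itself, so DNAT to the squid box is used instead. The RETURN rule comes
# first so the squid box's own outbound HTTP is never looped back into it.
router_rules() {
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j RETURN\n' "$SQUID_IP"
    for net in $CLIENT_NETS; do
        printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
            "$net" "$SQUID_IP" "$SQUID_PORT"
    done
    # After DNAT the packet is forwarded, so FORWARD must accept it as well;
    # a FORWARD policy of DROP/REJECT silently kills the intercepted session.
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -j ACCEPT\n' "$SQUID_IP" "$SQUID_PORT"
    printf 'iptables -A FORWARD -s %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$SQUID_IP" "$SQUID_PORT"
    # If the squid box shares a subnet with the clients, its replies would
    # bypass the router; in that case the DNAT'd flows also need source NAT:
    #   iptables -t nat -A POSTROUTING -d $SQUID_IP -p tcp --dport $SQUID_PORT -j MASQUERADE
}

# Squid box: the proxy port must be open for NEW connections from the clients.
squid_rules() {
    printf 'iptables -A INPUT -p tcp -m state --state NEW --dport %s -j ACCEPT\n' "$SQUID_PORT"
}

# Helper used for checking: number of DNAT rules emitted (one per client net).
count_dnat_rules() { router_rules | grep -c -- '-j DNAT'; }

router_rules
squid_rules
```

Because the router rewrites the destination address before the packet reaches the squid box, squid cannot recover the original destination from its local NAT table and has to rely on the HTTP Host header; if that is not acceptable, route the packets to the squid box unchanged (policy routing) and run the REDIRECT rule there.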