Wennie V. Lagmay wrote:
Hi all,
I am reading the procedure for transparent proxy but I am hesitant to implement it because I am not sure what will be the impact to my system. Ok I am looking at 2 options,
Which procedure where?
option 1:
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
option 2:
* iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
* iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
* ip rule add fwmark 3 table 2
* ip route add default via squid-box dev eth1 table 2
For squid box
* iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
As I mentioned I have a separate boxes for firewall and squid. My firewall is a Fedora core 4 and my squid-2.6-Stable19 is running on Fedora Core 8. My Firewall has 2 interfaces eth0=xxx.xxx.184.33/27 which connects to my local network and eth1=xxx.xxx.184.18/28 which connects to the internet. the firewall also act as the NAT server which actually the gateway of all traffics except 80/8080. The firewall and squid communicates via internet connection which is the eth0 for firewall
In option2 I am worried that If I implement the rule all traffic will be forwarded to squid, Also I am not sure what is line #2 and #3. Another thing how can I make sure if the following requirements are already ready to my system:
What it does is:
option 1:
line #1) does the interception. NAT traffic from local network
(exclude squid-box) to port 80 over to the squid-box
line #3) just allows packets to flow through the iptables-box from
local-network to squid-box.
line #2) some NAT magic to make squid send responses to the above
NAT'd packets requests go back through the iptables-box so that it can
un-NAT them back into the original local-network client.
NP: I think its missing a MASQUERADE to do all the magic un-NAT'ing when
it needs to. That may already be in your POSTROUTING rules. It should be
after these new ones.
option 2:
line #1) allows traffic out of the squid box to go anywhere.
line #2) sets a flag/mark '3' on the rest of the port-80 traffic as
it comes into iptables-box
line #3) updates the routing table rules so they can identify the new
'3' marked packets
line #4) route all '3' marked traffic over to squid-box for handling.
* P: advanced router
* IP: policy routing
* IP: use netfilter MARK value as routing key
* IP: Netfilter Configuration -> Packet mangling
* IP: Netfilter Configuration -> MARK target support
and iproute2 tools.
Can you please help me, which options is best for me and how can I do it smoothly. If you need more information about my setup or if you want see any of my configuration please let me know
Those requirements are met by having recent releases of the 'iptables'
and 'iproute2' binaries on your system. See their documentation on how
to lookup specific targets.
Option-2 is considered the better by most people, since its essentially
simpler and easier to debug if anything goes wrong. NAT is limited to
IPv4 traffic and will hopefully be dead in 1-4 years anyway.
The 'smoothest' approach would be to perform the integration in reverse,
starting with the squid config. Moving on to the squid-box iptables
config. Then the iptables-box.
If you have a lot of machines behind that /27 you can start by marking
only a small segment of the network machines for interception. Fix any
problems encountered. Then expanding the interception area. Repeating
until its all done.
Amos
Thank you very,
Wennie
----- Original Message -----
From: "Wennie V. Lagmay" <wlagmay@xxxxxxxxxxxxx>
To: wennielagmay@xxxxxxxxx
Sent: Thursday, April 3, 2008 2:36:42 PM (GMT+0300) Asia/Kuwait
Subject: Fwd: squid transparent proxy
----- Forwarded Message -----
From: "Indunil Jayasooriya" <indunil75@xxxxxxxxx>
To: "Wennie V. Lagmay" <wlagmay@xxxxxxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxx>
Sent: Thursday, April 3, 2008 12:58:27 PM (GMT+0300) Asia/Kuwait
Subject: Re: squid transparent proxy
You are right I am using port 8080. As I mentioned I have 2 machine the 1st machine is my Firewall/NAT server wherein the iptables configuration already stated that it should redirect port 80 to 8080
Oh , Squid is Not running on this box. then, REDIRECT will not work.
What Your firewall can do is MARK port 80 traffic and route it via
squid box. that is Known As Transparent Proxy to a Remote Box
you need both iptables and ip route2 pkgs.
Okay, below are the rules, you need to add.
On your firewall, pls add below rules
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s
ipaddressofsquid-box
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via ipaddressofsquid-box dev eth1 table 2
dev eth1 is connected to squidbox. pls change it accodingly.
On your squid Box, Pls add beow rules.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
this is where REDIRECT takes place.
In addition to that, you will have to make sure, port 8080 is open on
this squid box , since squid is running on port 8080.
I thinkeverything is open on squid box.
Now, clients gateway is the ip of the firewall/NAT box. and also check
Dns in clients.
here's another useful urls
http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg53662.html
http://tldp.org/HOWTO/TransparentProxy-6.html
Good luck
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
