
Re: Squid 3.3 Interception Proxy

On 31/03/2013 2:27 p.m., Ethan H wrote:
Hi,

I am having trouble setting up a Squid Interception/transparent proxy
server. I am using Ubuntu Server Edition 12.10, Squid 3.3 and a DD-WRT
Router to redirect traffic to the proxy. The script I am using I got
at this link: http://www.dd-wrt.ca/wiki/index.php/Squid_Transparent_Proxy

That wiki is wrong. The NAT step *must* be done on the Squid box. The WRT device needs to be using policy-routing to send packets to the Squid box.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute


It *seems* to work on older Squid in that they accept the connections despite the missing IP address information. But that allowed clients to send arbitrary HTTP headers to bypass any firewall security you had in place. The log information recorded by Squid was also full of lies about the connection IP addresses and ports as a result. Squid is now more secure by making use of the destination IP address as the location it will deliver the traffic to and can only do so when the server IP:port is identifiable.


My exact iptables script is (from that link):

#!/bin/sh
# Runs on the DD-WRT router; nvram holds the LAN address and netmask.
PROXY_IP=192.168.0.10
PROXY_PORT=3127
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# Leave LAN-to-LAN port 80 traffic alone.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp \
    --dport 80 -j ACCEPT
# DNAT everyone else's port 80 to the proxy (negation written as "! -s",
# the form current iptables requires; older builds also accepted "-s !").
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 \
    -j DNAT --to $PROXY_IP:$PROXY_PORT
# SNAT the redirected packets to the router's LAN address so the proxy's
# replies come back through the router (the proxy sees the router as peer).
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp \
    -j SNAT --to $LAN_IP
# Allow the forwarded LAN-to-proxy traffic through.
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp \
    --dport $PROXY_PORT -j ACCEPT


I have also tried to use PROXY_PORT 3128 (not 3127) also. I can
successfully edit the PROXY_PORT to 80 (local Apache web server) and
it works, no problem.

Apache is a web server, it will supply whatever domains it is configured to respond for regardless of what IP addresses the client is using to contact it on.

My error message I am getting in /var/log/squid/cache.log is:

TIME HERE kid1|  NF getsockopt(SO_ORIGINAL_DST) failed on
local=SERVER_IP:3127 remote=ROUTER_IP:62479 FD 20 flags=33: (92)
Protocol not available

This is how it shows up. The Squid box NAT table does not contain the NAT entries for this connection -> destination server IP address does not exist -> FAIL.

Amos
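The getsockopt(SO_ORIGINAL_DST) call that fails in the cache.log line above can be reproduced outside Squid. The following is an added Python diagnostic, not Squid's code nor anything posted in this thread: run it on the proxy box on the intercept port (3127 in Ethan's setup), send one redirected connection at it, and it reports whether this host's conntrack table can recover the client's real destination or fails with errno 92 as Squid did. The function names and the 192.0.2.10 sample address are constructed for the example.

```python
import errno
import socket
import struct

SOL_IP = getattr(socket, "SOL_IP", 0)  # IPPROTO_IP level (0 on Linux)
SO_ORIGINAL_DST = 80                     # optname from <linux/netfilter_ipv4.h>

def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in SO_ORIGINAL_DST fills in: sa_family (u16,
    host order), sin_port (u16, network order), sin_addr (4 bytes), padding."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port

def original_destination(conn):
    """Return the (ip, port) the client really dialled, or None when getsockopt
    fails with ENOPROTOOPT (errno 92, "Protocol not available"): this host's
    conntrack table has no NAT mapping for the flow, which is what happens when
    the DNAT was done on the router instead of on the proxy box itself."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError as exc:
        if exc.errno == errno.ENOPROTOOPT:
            return None
        raise
    return parse_sockaddr_in(raw)

def verdict(result):
    # Operator-facing reading of original_destination()'s result.
    if result is None:
        return "no NAT entry on this host: put the DNAT/REDIRECT rule on the proxy box"
    return "intercepted connection was bound for %s:%d" % result

def check_one(port, bind_addr="0.0.0.0"):
    """Accept one redirected TCP connection on `port` and return the verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            return "remote=%s:%d %s" % (peer[0], peer[1],
                                        verdict(original_destination(conn)))

# Constructed sample: the kernel's answer for a flow DNATed on this host from
# 192.0.2.10:80 (a TEST-NET address, not a real server).
SAMPLE_REDIRECTED = (struct.pack("=H", int(socket.AF_INET)) + struct.pack("!H", 80)
                     + socket.inet_aton("192.0.2.10") + bytes(8))
```

Call `print(check_one(3127))` on the proxy box while a LAN client browses to any port-80 site; a "no NAT entry on this host" verdict means the DNAT happened upstream, which is exactly the failure Amos describes.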