On 1/04/2013 2:10 p.m., Ethan H wrote:
I now have my router set up to send packets to the proxy using the
following script:
# permit Squid box out to the Internet
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.0.10 -j ACCEPT
# mark everything else on port 80 to be routed to the Squid box
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
(used script from the link you gave me)
I set up the following script on my proxy server to redirect port 80 to
the interception port 3127:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3127
(you said that I need to do the NAT setup on the proxy server and that
I needed to do policy routing on the router)
With this setup I am able to access the internet but I am not going
through the proxy. It seems as if the router isn't even sending the
packets to the proxy at all, there are no lines in the access.log or
the cache.log. I then noticed that the iptables script I got from the
wiki isn't redirecting the packets at all, just marking them. How
would I redirect them to the proxy server modifying the iptables
script (I am new to iptables)?
The kernel routing layer does the routing based on the firewall markings:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#Routing_Setup
On Sat, Mar 30, 2013 at 7:23 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 31/03/2013 2:27 p.m., Ethan H wrote:
Hi,
I am having trouble setting up a Squid Interception/transparent proxy
server. I am using Ubuntu Server Edition 12.10, Squid 3.3 and a DD-WRT
Router to redirect traffic to the proxy. The script I am using I got
at this link: http://www.dd-wrt.ca/wiki/index.php/Squid_Transparent_Proxy
That wiki is wrong. The NAT step *must* be done on the Squid box. The WRT
device needs to be using policy-routing to send packets to the Squid box.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
It *seems* to work on older Squid in that they accept the connections
despite the missing IP address information. But that allowed clients to send
arbitrary HTTP headers to bypass any firewall security you had in place. The
log information recorded by Squid was also full of lies about the connection
IP addresses and ports as a result. Squid is now more secure by making use
of the destination IP address as the location it will deliver the traffic to,
and can only do so when the server IP:port is identifiable.
My exact iptables script is (from that link):
#!/bin/sh
PROXY_IP=192.168.0.10
PROXY_PORT=3127
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
# LAN-to-LAN web traffic is left alone
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# everything else on port 80 (except from the proxy itself) is DNATed to the proxy on the router
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# source is rewritten to the router so the proxy's replies come back through it
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
I have also tried to use PROXY_PORT 3128 (not 3127). I can
successfully edit the PROXY_PORT to 80 (local Apache web server) and
it works, no problem.
Apache is a web server, it will supply whatever domains it is configured to
respond for regardless of what IP addresses the client is using to contact
it on.
The error message I am getting in /var/log/squid/cache.log is:
TIME HERE kid1| NF getsockopt(SO_ORIGINAL_DST) failed on local=SERVER_IP:3127 remote=ROUTER_IP:62479 FD 20 flags=33: (92) Protocol not available
This is how it shows up. The Squid box NAT table does not contain the NAT
entries for this connection -> destination server IP address does not exist
-> FAIL.
Amos
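The two-box layout Amos describes, written out as one script, is added below as an example; it is not code from the thread, from the Squid wiki or from the DD-WRT wiki. The router half only marks and policy-routes (no NAT, so the packet reaches the Squid box with its original destination), and the Squid-box half does the REDIRECT that gives SO_ORIGINAL_DST something to find. The Squid box's LAN interface name (eth0), the routing table number (2) and the DRY_RUN/"run" wrapper are assumptions; the addresses, interface br0, port 3127 and mark 2 are taken from the thread.

```shell
#!/bin/sh
# Added example: interception via policy routing, no NAT on the router.
# Assumed values (not from the thread): SQUID_IF, TABLE, the DRY_RUN switch.
LAN_IF=br0              # DD-WRT LAN bridge (as in the thread)
SQUID_IP=192.168.0.10   # Squid box address (as in the thread)
SQUID_IF=eth0           # assumed: LAN-facing interface on the Squid box
SQUID_PORT=3127         # intercept port; squid.conf needs "http_port 3127 intercept"
MARK=2                  # fwmark used on the router (as in the thread)
TABLE=2                 # assumed: spare policy-routing table number

# run: execute a command, or print it when DRY_RUN=1 so the rules can be
# reviewed before touching a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# router_rules: run on the DD-WRT router. Marking and policy routing only;
# the packet must reach the Squid box with its original destination intact.
router_rules() {
    # Traffic from the Squid box itself goes straight out (no loop back to Squid).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    # Mark everyone else's port-80 traffic...
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # ...and route marked packets through a table whose default gateway is Squid.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
    run ip route flush cache
}

# proxy_rules: run on the Squid box. REDIRECT is a NAT target, so conntrack on
# this host records the original server IP:port and Squid can read it back with
# getsockopt(SO_ORIGINAL_DST). A DNAT done on the router leaves no such entry here,
# which is exactly the "(92) Protocol not available" failure in the thread.
proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$SQUID_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # Let the redirected connections in on the LAN side only.
    run iptables -A INPUT -i "$SQUID_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# check_*: show live rules with packet counters. A REDIRECT rule whose count
# stays at zero after a client fetch means the router is not delivering traffic.
check_router() { ip rule show; iptables -t mangle -L PREROUTING -v -n; }
check_proxy()  { iptables -t nat -L PREROUTING -v -n; }

main() {
    case "$1" in
        router)       router_rules ;;
        proxy)        proxy_rules ;;
        check-router) check_router ;;
        check-proxy)  check_proxy ;;
        *) echo "usage: $0 {router|proxy|check-router|check-proxy}  (DRY_RUN=1 prints the rules)" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run "DRY_RUN=1 sh intercept.sh router" on the router and "DRY_RUN=1 sh intercept.sh proxy" on the Squid box first and read the output; then run without DRY_RUN as root. The rules are appended, so running a half twice duplicates them. On the Squid box the matching squid.conf line is "http_port 3127 intercept". Squid's own connections to origin servers leave from the Squid box's address, which is why the router's first mangle rule must exclude that address before marking.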