Thank you! I will try them this evening again.

On 20/2/2014 11:58 a.m., Amos Jeffries wrote:
> On 20/02/2014 9:59 a.m., Spyros Vlachos wrote:
>> Hello again! Thank you for your support. I am a little bit frustrated
>> but I managed to test it again.
>> Long story short, I tried every combination from the suggested links to
>> no avail.
>>
>> For the router I did the following as suggested:
>> ( I tried using lan, br-lan, eth0, eth0.1 as the nic's name because it
>> is not obvious to me which one is the correct one.)
>> ################################################################
>> # permit Squid box out to the Internet
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT
>>
>>
>> # mark everything else on port 80 to be routed to the Squid box
>> iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
>>
>>
>> # NP: Ensure that traffic from inside the network is allowed to loop
>> # back inside again.
>> iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT
>>
>>
>> echo "201 proxy" >> /etc/iproute2/rt_tables
>> ip rule add fwmark 2 table proxy
>> ip route add default via 192.168.1.20 table proxy
>> #################################################################
>>
>> For the squid server I did both of the following ( with a service
>> networking restart between them )
>>
>> #################################################################
>>
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>>
>> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> #################################################################
>>
>> And the next trial
>>
>> #################################################################
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>>
>> sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>> sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>> sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> # Controls IP packet forwarding
>> net.ipv4.ip_forward = 1
>>
>> # Controls source route verification
>> net.ipv4.conf.default.rp_filter = 0
>>
>> # Do not accept source routing
>> net.ipv4.conf.default.accept_source_route = 0
>
> These sysctl settings should be in *both* DNAT and REDIRECT setups of Squid.
>
> Also if you have a recent kernel check that forwarding setting is being
> applied. I found my 3.9+ kernels ignoring or somehow overriding the
> sysctl config file value.
>
>> #################################################################
>>
>>
>> I kept getting connection refused ( no squid message) on the browser and
>> I had nothing in the access logs.
>> tcpdump on port 3128 showed nothing.
>
> Of course. The port 3128 is an internal mapping in the squid box NAT
> system. There are no packets going over the network anywhere with that
> port in them so tcpdump has nothing to show.
>
> What you should expect is to see packets destined to some
> non-192.168.1.20 machine on the Internet on port _80_ arriving and leaving
> the Squid box.
>
> Amos
>
>>
>> Thank you again!
>> Spyros
>>
>>
>>
>> On 18/2/2014 10:30 p.m., Niki Gorchilov wrote:
>>> Second NIC is unnecessary.
>>>
>>> Better go the way Amos suggested - do a policy based routing on
>>> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
>>> and traffic interception on Linux
>>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>>>
>>> Best,
>>> Niki
>>>

-- 
*Spyros Vlachos*
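The thread turns on two checks that are easy to get wrong: whether the Squid box really has the three NAT/mangle rules from the LinuxRedirect/LinuxDnat examples plus a forwarding kernel, and where to look with tcpdump (port 3128 never appears on the wire, as Amos explains). The script below is an added example, not code from the thread, the Squid wiki or either poster. It checks saved state instead of the wire: it takes the text of `iptables-save` and `sysctl` output (constructed samples here, so it runs offline), reports which of the expected rules are missing, reads the running kernel's `ip_forward` value when `/proc` is readable, and builds the tcpdump filter matching Amos's description. The IP, port and rule shapes come from the thread; the function names, the sample text and the `<nic>` placeholder are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Squid interception setup
# from saved state. Values from the thread: 192.168.1.20, port 3128.

SQUIDIP=192.168.1.20
SQUIDPORT=3128

# Constructed sample of `iptables-save` output for the REDIRECT variant.
# iptables-save normalises `-s 192.168.1.20` to `/32`, adds `-m tcp`
# and prints `--to-ports` for REDIRECT.
SAMPLE_RULES='*nat
-A PREROUTING -s 192.168.1.20/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j MASQUERADE
COMMIT
*mangle
-A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
COMMIT'

# Constructed sample of `sysctl net.ipv4.ip_forward net.ipv4.conf.default.rp_filter`.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0'

# has_line TEXT PATTERN: succeed if some line of TEXT matches the basic regex.
has_line() {
    printf '%s\n' "$1" | grep -q -e "$2"
}

# check_squid_box RULES: report rules missing from iptables-save text.
# Returns the number of missing rules, so 0 means all three are present.
check_squid_box() {
    missing=0
    # 1. Squid's own outbound port-80 traffic must bypass the redirect,
    #    otherwise the proxy loops back onto itself.
    has_line "$1" "^-A PREROUTING -s $SQUIDIP/32 .*--dport 80 -j ACCEPT" \
        || { echo "missing: nat PREROUTING exemption for $SQUIDIP"; missing=$((missing + 1)); }
    # 2. Everything else on port 80 must be REDIRECTed or DNATed to Squid.
    has_line "$1" "^-A PREROUTING .*--dport 80 -j REDIRECT --to-ports $SQUIDPORT" \
        || has_line "$1" "^-A PREROUTING .*--dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT" \
        || { echo "missing: port 80 -> $SQUIDPORT REDIRECT/DNAT"; missing=$((missing + 1)); }
    # 3. Direct connections to the intercept port are dropped; only
    #    NAT-mapped traffic should ever reach it.
    has_line "$1" "^-A PREROUTING .*--dport $SQUIDPORT -j DROP" \
        || { echo "missing: DROP of direct traffic to port $SQUIDPORT"; missing=$((missing + 1)); }
    return $missing
}

# check_sysctl TEXT: verify the two settings the thread's config sets.
# Returns the number of settings that are absent or have the wrong value.
check_sysctl() {
    bad=0
    has_line "$1" "^net\.ipv4\.ip_forward = 1$" \
        || { echo "net.ipv4.ip_forward is not 1: intercepted traffic will not be forwarded"; bad=$((bad + 1)); }
    has_line "$1" "^net\.ipv4\.conf\.default\.rp_filter = 0$" \
        || { echo "net.ipv4.conf.default.rp_filter is not 0"; bad=$((bad + 1)); }
    return $bad
}

# live_forwarding: the running kernel's value, which is what counts when a
# sysctl file is ignored (Amos's 3.9+ observation). Prints the value, or
# "unavailable" where /proc is not readable (e.g. in a sandbox).
live_forwarding() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unavailable
    fi
}

# tcpdump_filter: intercepted flows as seen on the Squid box are port-80
# packets whose destination is some host other than the Squid box itself.
tcpdump_filter() {
    echo "tcp dst port 80 and not dst host $SQUIDIP"
}

echo "== Squid box NAT/mangle rules"
check_squid_box "$SAMPLE_RULES" && echo "all interception rules present"
echo "== sysctl"
check_sysctl "$SAMPLE_SYSCTL" && echo "sysctl values as expected"
echo "== running kernel ip_forward: $(live_forwarding)"
echo "== capture intercepted traffic with: tcpdump -ni <nic> '$(tcpdump_filter)'"
```

On a real box, feed it live state instead of the samples: `check_squid_box "$(iptables-save)"` and `check_sysctl "$(sysctl net.ipv4.ip_forward net.ipv4.conf.default.rp_filter)"`. The DNAT variant from the thread passes the same rule check, since rule 2 accepts either a REDIRECT or a DNAT to `$SQUIDIP:$SQUIDPORT`.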