Hello! I repeat my exact configuration:

OpenWrt router (192.168.1.1)
##############################################################
# permit Squid box out to the Internet
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT

# mark everything else on port 80 to be routed to the Squid box
iptables -t mangle -A PREROUTING -i br-lan -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

# NP: Ensure that traffic from inside the network is allowed to loop back inside again.
iptables -t filter -A FORWARD -i br-lan -o br-lan -p tcp --dport 80 -j ACCEPT

# interface facing clients
CLIENTIFACE=br-lan

# arbitrary mark used to route packets by the firewall. May be anything from 1 to 64.
FWMARK=2

cat /etc/iproute2/rt_tables
echo "201 proxy" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table proxy
ip route add default via 192.168.1.20 table proxy
##############################################################

ubuntu - squid server
##############################################################
sudo iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

****sysctl.conf*****
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
**********************

****squid.conf*****
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny squid-prime
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.20:3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
dns_nameservers 8.8.8.8
**********************
##############################################################

I have even reinstalled OpenWrt because I had a feeling that it had something to do with the version I had, but nothing changed.

When I do

ip rule add fwmark 2 table proxy
ip route add default via 192.168.1.20 table proxy

no connection to any websites can be made. The squid access.log is empty.

If I do a DNAT only, sending everything going to port 80 (except from 192.168.1.20) to the squid server, the access log fills up.

If I follow the steps that I describe in the OpenWrt configuration above, nothing happens, as I said.

I am thinking of reverting back to Ubuntu 12.04. I understand the rules that I apply, they seem logical to me, but for some reason they don't work as expected.

Do you have any other clues?

Thank you!

On 20/2/2014 11:58 AM, Amos Jeffries wrote:
> On 20/02/2014 9:59 a.m., Spyros Vlachos wrote:
>> Hello again! Thank you for your support. I am a little bit frustrated
>> but I managed to test it again.
>> Long story short, I tried every combination from the suggested links to
>> no avail.
>>
>> For the router I did the following as suggested:
>> (I tried using lan, br-lan, eth0, eth0.1 as the NIC's name because it
>> is not obvious to me which one is the correct.)
>> ################################################################
>> # permit Squid box out to the Internet
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT
>>
>> # mark everything else on port 80 to be routed to the Squid box
>> iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
>>
>> # NP: Ensure that traffic from inside the network is allowed to loop back inside again.
>> iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT
>>
>> echo "201 proxy" >> /etc/iproute2/rt_tables
>> ip rule add fwmark 2 table proxy
>> ip route add default via 192.168.1.20 table proxy
>> #################################################################
>>
>> For the squid server I did both of the following (with a service
>> networking restart between them)
>>
>> #################################################################
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>> #################################################################
>>
>> And the next trial
>>
>> #################################################################
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>> sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>> sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>> sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> # Controls IP packet forwarding
>> net.ipv4.ip_forward = 1
>>
>> # Controls source route verification
>> net.ipv4.conf.default.rp_filter = 0
>>
>> # Do not accept source routing
>> net.ipv4.conf.default.accept_source_route = 0
>
> These sysctl settings should be in *both* DNAT and REDIRECT setups of Squid.
>
> Also if you have a recent kernel check that forwarding setting is being
> applied. I found my 3.9+ kernels ignoring or somehow overriding the
> sysctl config file value.
>
>> #################################################################
>>
>> I kept getting connection refused (no squid message) on the browser and
>> I had nothing in the access logs.
>> tcpdump on port 3128 showed nothing.
>
> Of course. The port 3128 is an internal mapping in the squid box NAT
> system. There are no packets going over the network anywhere with that
> port in them so tcpdump has nothing to show.
>
> What you should expect is to see packets destined to some
> non-192.168.1.20 machine on the Internet on port _80_ arriving and leaving
> the Squid box.
>
> Amos
>
>> Thank you again!
>> Spyros
>>
>> On 18/2/2014 10:30 PM, Niki Gorchilov wrote:
>>> Second NIC is unnecessary.
>>>
>>> Better go the way Amos suggested - do a policy based routing on
>>> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
>>> and traffic interception on Linux
>>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>>>
>>> Best,
>>> Niki

--
Spyros Vlachos
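The two-hop setup discussed in this thread (router marks and policy-routes port-80 traffic to the Squid box, the Squid box REDIRECTs it to the intercept port) is easier to reason about with a model of the decisions each rule makes. The following Python script is an added illustration, not code from the thread, from OpenWrt or from the Squid project. The addresses, mark and port are the ones from the thread; the connections it traces are constructed samples, and the way it handles a packet the Squid box merely forwards (it goes back out through the router and re-enters the router's rules) is an assumption of the model, not a statement about how the kernel treats such a packet. It shows why the "permit Squid box out to the Internet" rule on the router and the `-s 192.168.1.20 -j ACCEPT` rule on the Squid box exist, why a wrong `-i` interface name silently sends traffic unproxied, and that a client connecting straight to :3128 is dropped by the mangle rule.

```python
"""Model of the two-hop interception path from the thread above.

Added illustration only; not code from the thread, OpenWrt or Squid.
It encodes the decisions the router's mangle/policy-routing rules and the
Squid box's nat/mangle rules make for a new TCP connection, so the effect
of each rule (and of leaving one out) can be traced without a live network.
Addresses, mark and port are taken from the thread; the connections in
the main block are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")
SQUID_IP = "192.168.1.20"   # the Ubuntu Squid box
SQUID_PORT = 3128           # http_port 192.168.1.20:3128 intercept
FWMARK = 2                  # mark set by the router's mangle rule


@dataclass(frozen=True)
class Conn:
    src: str                # client source address
    dst: str                # original destination address
    dport: int              # original destination port
    iface: str = "br-lan"   # interface the router receives the packet on


def router_table(conn, exempt_squid=True):
    """OpenWrt side: which routing table the router consults.
    'proxy' when the mangle PREROUTING rules set fwmark 2 (ip rule add
    fwmark 2 table proxy), otherwise 'main'.  exempt_squid=False models
    omitting the "permit Squid box out to the Internet" rule."""
    if conn.dport != 80:
        return "main"
    if exempt_squid and conn.src == SQUID_IP:
        return "main"   # -s 192.168.1.20 -j ACCEPT: leaves the chain unmarked
    if conn.iface == "br-lan":
        return "proxy"  # -i br-lan --dport 80 -j MARK --set-mark 2
    return "main"       # a wrong -i name means the mark is never set


def squid_box(conn, exempt_squid=True):
    """Ubuntu side: disposition of a packet arriving from the network.
    mangle PREROUTING drops direct use of the intercept port, nat PREROUTING
    REDIRECTs port 80 to Squid (except traffic sourced from the box itself),
    anything else is forwarded per the routing table."""
    if conn.dport == SQUID_PORT:
        return "drop"                       # --dport 3128 -j DROP
    if conn.dport == 80 and not (exempt_squid and conn.src == SQUID_IP):
        return f"redirect:{SQUID_PORT}"     # REDIRECT --to-port 3128
    return "forward"


def trace(conn, router_exempt=True, box_exempt=True, max_hops=4):
    """Follow one connection hop by hop and return the list of decisions.
    Model assumption: a packet the Squid box merely forwards leaves through
    its default gateway, the router, so it re-enters the router's rules;
    after max_hops round trips the trace is labelled 'loop'."""
    hops = []
    if ipaddress.ip_address(conn.dst) in LAN:
        # LAN-to-LAN traffic is switched directly and never hits the router.
        if conn.dst == SQUID_IP:
            hops.append(f"squid-box:{squid_box(conn, box_exempt)}")
        else:
            hops.append("lan:delivered")
        return hops
    for _ in range(max_hops):
        if router_table(conn, router_exempt) == "main":
            hops += ["router:main->default-gw", "internet"]
            return hops
        hops.append(f"router:proxy->{SQUID_IP}")
        disp = squid_box(conn, box_exempt)
        hops.append(f"squid-box:{disp}")
        if disp != "forward":
            return hops
    hops.append("loop")
    return hops


if __name__ == "__main__":
    client = Conn("192.168.1.50", "203.0.113.10", 80)   # constructed client
    squid_out = Conn(SQUID_IP, "203.0.113.10", 80)      # Squid fetching upstream
    print("client http      :", trace(client))
    print("squid upstream   :", trace(squid_out))
    print("no router exempt :", trace(squid_out, router_exempt=False))
    print("wrong -i name    :", trace(Conn("192.168.1.50", "203.0.113.10", 80, iface="eth0")))
    print("direct to :3128  :", trace(Conn("192.168.1.50", SQUID_IP, 3128)))
```

The `iface` field is the interface the router actually receives the packet on; comparing it against the `br-lan` literal in `router_table()` is what makes the "wrong interface name" case fall through to the main table, which is the symptom of an empty access.log with working web access rather than the no-connection symptom described above.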
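Since the thread's author was unsure which interface name (lan, br-lan, eth0, eth0.1) the MARK rule should use, the most direct check on the router side is the packet counter on that rule: if it stays at zero after a client browses to a port-80 site, the rule never matches and nothing is ever sent to the proxy table. The script below is an added example, not code from the thread, from OpenWrt or from Squid. It parses saved output of `iptables -t mangle -L PREROUTING -v -n`, `ip rule show` and `ip route show table proxy`, and reports the mismatches a practitioner would look for. The three samples are constructed to resemble that output (the standard verbose iptables column layout is assumed) and use the `lan` interface name from the quoted attempt; the `check()` function and its helpers are this example's own names.

```python
"""Offline checks over router-side diagnostics for the fwmark policy route.

Added example, not code from the thread, OpenWrt or Squid.  It parses saved
output of three commands run on the OpenWrt router:
    iptables -t mangle -L PREROUTING -v -n
    ip rule show
    ip route show table proxy
and reports what to look at when Squid's access.log stays empty: whether the
MARK rule matches packets at all, whether it names the interface the clients
really sit behind, whether an ip rule sends fwmark 2 to table proxy, and
whether that table's default route points at the Squid box.
The three samples are constructed; they mimic the verbose iptables listing
and iproute2 output and use the 'lan' interface name from the quoted attempt.
"""
import re

SQUID_IP = "192.168.1.20"
FWMARK = 0x2
LAN_IFACE = "br-lan"        # bridge the LAN clients sit behind on OpenWrt

MANGLE_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 8811 packets, 6412K bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  3420 ACCEPT     tcp  --  *      *       192.168.1.20         0.0.0.0/0            tcp dpt:80
    0     0 MARK       tcp  --  lan    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2
"""
RULE_SAMPLE = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x2 lookup proxy
32766:\tfrom all lookup main
"""
ROUTE_SAMPLE = "default via 192.168.1.20 dev br-lan\n"

# The same listing after the rule has been re-added with -i br-lan and a
# client has browsed to a port-80 site (constructed, for contrast).
MANGLE_FIXED = MANGLE_SAMPLE.replace("--  lan    *", "--  br-lan *") \
                            .replace("    0     0 MARK", "   12   720 MARK")


def mark_rule_stats(mangle_output):
    """(in_iface, pkts) of the rule that sets fwmark 2, or None if absent."""
    for line in mangle_output.splitlines():
        cols = line.split()
        if len(cols) > 5 and cols[2] == "MARK" and line.rstrip().endswith(f"MARK set {FWMARK:#x}"):
            return cols[5], int(cols[0])
    return None


def fwmark_rule_present(rule_output, table="proxy"):
    """True if some 'ip rule' line looks up `table` for packets with fwmark 2."""
    pat = re.compile(rf"\bfwmark {FWMARK:#x}(?:/\S+)? lookup {re.escape(table)}\b")
    return any(pat.search(line) for line in rule_output.splitlines())


def proxy_default_via(route_output):
    """Next hop of the default route in the proxy table, or None."""
    m = re.search(r"^default via (\S+)", route_output, re.M)
    return m.group(1) if m else None


def check(mangle_output, rule_output, route_output, lan_iface=LAN_IFACE):
    """Return a list of findings; an empty list means the router side looks right."""
    findings = []
    stats = mark_rule_stats(mangle_output)
    if stats is None:
        findings.append(f"no MARK rule setting {FWMARK:#x} in mangle PREROUTING")
    else:
        iface, pkts = stats
        if iface != lan_iface:
            findings.append(f"MARK rule uses -i {iface}; clients are on {lan_iface}")
        if pkts == 0:
            findings.append("MARK rule has matched 0 packets; browse to a port-80 site from a client and re-check")
    if not fwmark_rule_present(rule_output):
        findings.append(f"no 'ip rule' sending fwmark {FWMARK:#x} to table proxy")
    via = proxy_default_via(route_output)
    if via != SQUID_IP:
        findings.append(f"table proxy default route via {via}; expected {SQUID_IP}")
    return findings


if __name__ == "__main__":
    for name, mangle in (("as quoted", MANGLE_SAMPLE), ("after fix", MANGLE_FIXED)):
        print(name, check(mangle, RULE_SAMPLE, ROUTE_SAMPLE) or ["ok"])
```

On the router itself the three commands can be run and their output saved to files that this script reads; the counters are the key signal, because a rule with a wrong interface name installs without any error and simply never matches.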