Re: [squid-users] squid transparent proxy

From: Wennie V. Lagmay <[email protected]>
Date: Thu, 3 Apr 2008 11:24:28 +0300 (AST)

Hi,

You are right, I am using port 8080. As I mentioned, I have 2 machines; the 1st machine is my Firewall/NAT server, where the iptables configuration already states that it should redirect port 80 to 8080:

iptables -t nat -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

For the 2nd machine, which is the squid proxy, I accepted everything:

# Generated by iptables-save v1.3.8 on Wed Apr 2 10:15:54 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:1152]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr 2 10:15:54 2008

But the transparent proxy is still not working.

----- Original Message -----
From: "Indunil Jayasooriya" <indunil75@gmail.com>
To: "Wennie V. Lagmay" <wlagmay@yanbulink.net>
Sent: Thursday, April 3, 2008 10:48:31 AM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid transparent proxy

There are a whole lot of firewall settings.

I think you are running squid on port 8080 (NOT 3128). Since you
have the rule below

iptables -A INPUT DROP

you will have to accept port 8080 as below.

 #Redirecting traffic destined to port 80 to port 8080
 iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 8080

 #For squid traffic to Accept
 iptables -A INPUT -i eth1 -d 192.168.101.254 -p tcp -m state --state NEW -m tcp -s 192.168.101.0/24 --dport 8080 -j ACCEPT

In the above 2 rules, eth1 is the interface that is connected to the LAN and
the IP address 192.168.101.254
is the IP of the squid proxy server. It should be the gateway of the
client PCs. And I think clients should have DNS servers.

another URL

http://www.mail-archive.com/squid-users@squid-cache.org/msg52744.html

Pls try. Good luck

On Thu, Apr 3, 2008 at 12:21 PM, Wennie V. Lagmay <wlagmay@yanbulink.net> wrote:
> Dear all,
>
> I am trying to activate a transparent proxy on my setup but I cannot get it running. With the standard setup (configuring the client PC with a browser proxy configuration) everything is working well: squid is responding and the client can browse the internet. Now we are trying to implement a setup wherein the client has the option to put or not to put a configuration in the browser.
>
> I have separate machines: the 1st machine is the firewall/NAT server running Fedora Core 4 64 bit (with a public IP on the interface) and the 2nd machine is the squid server running Fedora Core 8 64 bit (also with a public IP address). Although all the clients use a private IP, squid can still serve them pretty well.
>
> Now I have configured my squid (squid-2.6stable19) to accept transparent connections, and it seems to be working, because cache.log says "accepting transparently proxied http connection at 0.0.0.0, port 8080, FD 11".
>
> But when I configure the client browser without a proxy configuration I cannot browse the internet.
>
> I am attaching below my firewall/NAT iptables configuration. Can you please check it for me and let me know if I am missing something? Also, if you can, please provide me a step-by-step configuration of a transparent proxy setup.
>
>
> # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> # -A INPUT -j ACCEPT
> -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
> #
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.12.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.12.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.14.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.14.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.15.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.15.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.16.0/255.255.255.0 -j ACCEPT
> -A FORWARD -d 192.168.16.0/255.255.255.0 -j ACCEPT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.24.0/255.255.248.0 -j ACCEPT
> -A FORWARD -d 192.168.24.0/255.255.248.0 -j ACCEPT
> #
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.64.0/255.255.224.0 -j ACCEPT
> -A FORWARD -d 192.168.64.0/255.255.224.0 -j ACCEPT
> #
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
> -A FORWARD -s 192.168.96.0/255.255.224.0 -j ACCEPT
> -A FORWARD -d 192.168.96.0/255.255.224.0 -j ACCEPT
> #
> -A FORWARD -s xx.xx.184.32/255.255.255.224 -j ACCEPT
> -A FORWARD -d xx.xx.184.32/255.255.255.224 -j ACCEPT
> -A FORWARD -s xx.xx.184.64/255.255.255.224 -j ACCEPT
> -A FORWARD -d xx.xx.184.64/255.255.255.224 -j ACCEPT
> -A FORWARD -s xx.xx.184.120/255.255.255.248 -j ACCEPT
> -A FORWARD -d xx.xx.184.120/255.255.255.248 -j ACCEPT
> -A FORWARD -s xx.xx.184.128/255.255.255.248 -j ACCEPT
> -A FORWARD -d xx.xx.184.128/255.255.255.248 -j ACCEPT
> -A FORWARD -s xx.xx.184.0/255.255.255.240 -j ACCEPT
> -A FORWARD -d xx.xx.184.0/255.255.255.240 -j ACCEPT
> -A FORWARD -s xx.xx.184.144/255.255.255.240 -j ACCEPT
> -A FORWARD -d xx.xx.184.144/255.255.255.240 -j ACCEPT
> #
> # -A OUTPUT -j ACCEPT
> -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 1863 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 1863 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> #
> COMMIT
> # Completed on Thu Dec 23 08:44:33 2004
> # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
> *nat
> :PREROUTING ACCEPT [77:4447]
> :POSTROUTING ACCEPT [85:7701]
> :OUTPUT ACCEPT [85:7701]
> #
> -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> #
> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.65-xx.xx.184.66
> -A POSTROUTING -s 192.168.11.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.67-xx.xx.184.68
> -A POSTROUTING -s 192.168.12.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.69-xx.xx.184.70
> -A POSTROUTING -s 192.168.14.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.71-xx.xx.184.72
> -A POSTROUTING -s 192.168.15.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.73-xx.xx.184.74
> -A POSTROUTING -s 192.168.16.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.75-xx.xx.184.76
> -A POSTROUTING -s 192.168.24.0/255.255.248.0 -j SAME --nodst --to xx.xx.184.77-xx.xx.184.80
> -A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.1-xx.xx.184.6
> -A POSTROUTING -s 192.168.96.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.145-xx.xx.184.150
> COMMIT
> # Completed on Thu Dec 23 08:44:33 2004
>
> Thank you very much,
>
> Wennie
>
>
>

-- 
Thank you
Indunil Jayasooriya
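As an added example, not part of the thread and not the posters' own configuration: a small Python audit that parses an iptables-save dump like the two posted above and reports every nat PREROUTING REDIRECT whose target port the same host's filter INPUT chain would not accept. REDIRECT always delivers to an address of the machine running the rule, so redirected packets are then subject to that machine's INPUT chain; this is the check that separates "the redirect fires but the proxy port is filtered locally" from "the proxy lives on another box, which REDIRECT cannot reach at all". The sample dumps are trimmed copies of the two configurations posted in this thread; the FIXED_DUMP variant, which accepts port 8080 ahead of the catch-all REJECT, is a hypothetical change added here for contrast.

```python
"""Audit an iptables-save dump: nat REDIRECTs vs. the local filter INPUT chain.

REDIRECT rewrites the destination to an address of the host running the rule,
so the redirected packets are then filtered by that host's own INPUT chain.
"""
import shlex
from collections import defaultdict

# Trimmed copy of the firewall/NAT dump posted in the thread (INPUT policy DROP,
# catch-all TCP REJECT, no ACCEPT for the REDIRECT target port 8080).
FIREWALL_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

# Hypothetical fix (added here, not from the thread): accept the proxy port
# before the catch-all REJECT.
FIXED_DUMP = FIREWALL_DUMP.replace(
    "-A INPUT -p tcp -j REJECT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT\n"
    "-A INPUT -p tcp -j REJECT")

# Trimmed copy of the squid box dump posted above (ACCEPT lives in a user chain).
SQUID_BOX_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [argv, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # policy is "-" for user chains
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            tables[table]["rules"][argv[1]].append(argv[2:])
    return tables


def _opt(argv, name):
    """Value following option `name`, or None when the rule does not use it."""
    return argv[argv.index(name) + 1] if name in argv else None


def input_verdict(filt, port, chain="INPUT", depth=0):
    """Walk `chain` for a new TCP connection to `port` arriving on a non-lo interface.

    Returns ACCEPT, DROP or REJECT; None means a user chain fell through (RETURN).
    Source-address matches are ignored on purpose: the question is whether any
    client could reach the port at all.
    """
    if depth > 8:
        return "DROP"                                   # guard against chain loops
    for argv in filt["rules"].get(chain, []):
        if _opt(argv, "-p") not in (None, "tcp"):
            continue                                    # matches another protocol
        if _opt(argv, "--dport") not in (None, str(port)):
            continue                                    # matches another port
        state = _opt(argv, "--state")
        if state is not None and "NEW" not in state:
            continue                                    # e.g. RELATED,ESTABLISHED only
        if _opt(argv, "-i") == "lo":
            continue                                    # client packets never arrive on lo
        target = _opt(argv, "-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in filt["rules"]:                     # jump into a user-defined chain
            verdict = input_verdict(filt, port, target, depth + 1)
            if verdict is not None:
                return verdict
    policy = filt["policy"].get(chain)
    return None if policy in (None, "-") else policy


def audit_redirects(text):
    """Return [(rule, to_port, verdict)] for PREROUTING REDIRECTs the local INPUT chain blocks."""
    tables = parse_iptables_save(text)
    nat, filt = tables.get("nat", {"rules": {}}), tables.get("filter")
    findings = []
    for argv in nat["rules"].get("PREROUTING", []):
        if _opt(argv, "-j") != "REDIRECT":
            continue
        port = (_opt(argv, "--to-ports") or _opt(argv, "--to-port") or "").split("-")[0]
        verdict = input_verdict(filt, port) if filt else "ACCEPT"  # no filter table: nothing blocks
        if verdict != "ACCEPT":
            findings.append((" ".join(argv), port, verdict))
    return findings


if __name__ == "__main__":
    for name, dump in (("firewall", FIREWALL_DUMP), ("fixed", FIXED_DUMP)):
        for rule, port, verdict in audit_redirects(dump):
            print(f"{name}: REDIRECT to local port {port}, but INPUT verdict is {verdict}: {rule}")
```

Run against the posted firewall dump the audit reports the single REDIRECT to 8080 with verdict REJECT (the `-p tcp -j REJECT --reject-with tcp-reset` rule is hit before anything accepts 8080); against the squid box dump it finds nothing to flag because that host has no REDIRECT, while `input_verdict` confirms its user chain does accept 8080. A clean audit only proves that a proxy listening on the firewall itself would be reachable; when squid runs on a different host, as in this thread, the nat rule has to be a DNAT to that host's address and the traffic is then governed by FORWARD rather than INPUT, which this script does not model.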
Received on Thu Apr 03 2008 - 02:16:17 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT