Re: [squid-users] squid transparent proxy

From: Amos Jeffries
Date: Thu, 03 Apr 2008 21:36:59 +1300

Wennie V. Lagmay wrote:
> Hi,
>
> You are right, I am using port 8080. As I mentioned, I have 2 machines; the 1st machine is my Firewall/NAT server, where the iptables configuration already states that it should redirect port 80 to 8080:
>
> iptables -t nat -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>

REDIRECT will only work if squid is running on the router itself. You
cannot change the dest IP with REDIRECT.

DNAT is needed if a second machine is involved to change the IP:Port pair.

>
> for the 2nd machine which is the squid proxy I accepted everything.
>
> # Generated by iptables-save v1.3.8 on Wed Apr 2 10:15:54 2008
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2:1152]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Wed Apr 2 10:15:54 2008
>
> But the transparent proxy is still not working.
>
>
>
>
> ----- Original Message -----
> From: "Indunil Jayasooriya" <indunil75@gmail.com>
> To: "Wennie V. Lagmay" <wlagmay@yanbulink.net>
> Sent: Thursday, April 3, 2008 10:48:31 AM (GMT+0300) Asia/Kuwait
> Subject: Re: [squid-users] squid transparent proxy
>
> There are whole a lot of firewall settings.
>
> I think you are running squid on port 8080 (NOT 3128). Since you
> have the rule below
>
> iptables -P INPUT DROP
>
> you will have to accept port 8080 as below.
>
> #Redirecting traffic destined to port 80 to port 8080
> iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 8080
>
> #For squid traffic to Accept
> iptables -A INPUT -i eth1 -d 192.168.101.254 -p tcp -m state --state NEW -m tcp -s 192.168.101.0/24 --dport 8080 -j ACCEPT
>
> In the above 2 rules, eth1 is the interface that is connected to the LAN and
> the IP address 192.168.101.254
> is the IP of the squid proxy server. It should be the gateway of the
> client PCs. And I think clients should have DNS servers.
>
> another URL
>
> http://www.mail-archive.com/squid-users@squid-cache.org/msg52744.html
>
> Pls try. Good luck
>
>
>
> On Thu, Apr 3, 2008 at 12:21 PM, Wennie V. Lagmay <wlagmay@yanbulink.net> wrote:
>> Dear all,
>>
>> I am trying to activate transparent proxy on my setup but I cannot get it running. With the standard setup (configuring the client PC with a browser proxy configuration) everything is working well: squid is responding and the client can browse the internet. Now we are trying to implement a setup where the client has the option to put or not put a proxy configuration in the browser.
>>
>> I have separate machines: the 1st machine is the firewall/NAT server running Fedora Core 4 64 bit (with a public IP on the interface) and the 2nd machine is the squid server running Fedora Core 8 64 bit (also with a public IP address). Although all the clients use private IPs, squid can still serve them pretty well.
>>
>> Now I have configured my squid (squid-2.6stable19) to accept transparent connections, and it seems to be working, because cache.log says: "accepting transparently proxied http connection at 0.0.0.0, port 8080, FD 11".
>>
>> But when I configure the client browser without a proxy configuration, I cannot browse the internet.
>>
>> I am attaching below my firewall/NAT iptables configuration. Can you please check it for me and let me know if I am missing something? Also, if you can, please provide me a step-by-step configuration of a transparent proxy setup.
>>
>>
>> # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT DROP [0:0]
>> # -A INPUT -j ACCEPT
>> -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
>> -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
>> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>> -A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
>> #
>> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.12.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -d 192.168.12.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.14.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -d 192.168.14.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.15.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -d 192.168.15.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.16.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -d 192.168.16.0/255.255.255.0 -j ACCEPT
>> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.24.0/255.255.248.0 -j ACCEPT
>> -A FORWARD -d 192.168.24.0/255.255.248.0 -j ACCEPT
>> #
>> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.64.0/255.255.224.0 -j ACCEPT
>> -A FORWARD -d 192.168.64.0/255.255.224.0 -j ACCEPT
>> #
>> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
>> -A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
>> -A FORWARD -s 192.168.96.0/255.255.224.0 -j ACCEPT
>> -A FORWARD -d 192.168.96.0/255.255.224.0 -j ACCEPT
>> #
>> -A FORWARD -s xx.xx.184.32/255.255.255.224 -j ACCEPT
>> -A FORWARD -d xx.xx.184.32/255.255.255.224 -j ACCEPT
>> -A FORWARD -s xx.xx.184.64/255.255.255.224 -j ACCEPT
>> -A FORWARD -d xx.xx.184.64/255.255.255.224 -j ACCEPT
>> -A FORWARD -s xx.xx.184.120/255.255.255.248 -j ACCEPT
>> -A FORWARD -d xx.xx.184.120/255.255.255.248 -j ACCEPT
>> -A FORWARD -s xx.xx.184.128/255.255.255.248 -j ACCEPT
>> -A FORWARD -d xx.xx.184.128/255.255.255.248 -j ACCEPT
>> -A FORWARD -s xx.xx.184.0/255.255.255.240 -j ACCEPT
>> -A FORWARD -d xx.xx.184.0/255.255.255.240 -j ACCEPT
>> -A FORWARD -s xx.xx.184.144/255.255.255.240 -j ACCEPT
>> -A FORWARD -d xx.xx.184.144/255.255.255.240 -j ACCEPT
>> #
>> # -A OUTPUT -j ACCEPT
>> -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --sport 1863 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --dport 1863 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
>> -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
>> -A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
>> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
>> #
>> COMMIT
>> # Completed on Thu Dec 23 08:44:33 2004
>> # Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
>> *nat
>> :PREROUTING ACCEPT [77:4447]
>> :POSTROUTING ACCEPT [85:7701]
>> :OUTPUT ACCEPT [85:7701]
>> #
>> -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> -A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>> #
>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.65-xx.xx.184.66
>> -A POSTROUTING -s 192.168.11.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.67-xx.xx.184.68
>> -A POSTROUTING -s 192.168.12.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.69-xx.xx.184.70
>> -A POSTROUTING -s 192.168.14.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.71-xx.xx.184.72
>> -A POSTROUTING -s 192.168.15.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.73-xx.xx.184.74
>> -A POSTROUTING -s 192.168.16.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.75-xx.xx.184.76
>> -A POSTROUTING -s 192.168.24.0/255.255.248.0 -j SAME --nodst --to xx.xx.184.77-xx.xx.184.80
>> -A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.1-xx.xx.184.6
>> -A POSTROUTING -s 192.168.96.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.145-xx.xx.184.150
>> COMMIT
>> # Completed on Thu Dec 23 08:44:33 2004
>>
>> Thank you very much,
>>
>> Wennie
>>

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Received on Thu Apr 03 2008 - 02:36:51 MDT
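The two-host layout Amos describes (DNAT on the gateway instead of REDIRECT, because REDIRECT can only deliver to a port on the router itself), as an added example that is not part of this thread and is not Squid project code. It assumes hypothetical addresses: a Squid host at 192.168.10.2 on its interface eth0, the router's LAN-facing interface eth1, two of the thread's client networks, and Squid 2.6's "http_port 8080 transparent". The functions print the iptables commands rather than applying them, so they can be reviewed and then piped to sh on the right host.

```shell
#!/bin/sh
# Added example, not from the original thread: generates iptables rules for
# the two-host layout discussed above (gateway/NAT router on one machine,
# Squid on another). Nothing here runs iptables directly; the functions
# print the commands so they can be reviewed before being applied.
#
# All addresses and interface names below are assumptions chosen for
# illustration; substitute the real ones.
GW_LAN_IF="eth1"                    # router interface facing the client LANs
SQUID_IP="192.168.10.2"             # Squid host, reachable from the router
SQUID_PORT="8080"                   # Squid 2.6: "http_port 8080 transparent"
SQUID_LAN_IF="eth0"                 # Squid host interface facing the router/clients
LAN_NETS="192.168.10.0/24 192.168.11.0/24"   # client networks (two of the thread's nine)

# Rules for the ROUTER. REDIRECT can only steer a packet to a port on the
# router itself, so DNAT is used instead: it rewrites the destination
# IP:port to the Squid host. The client source IP is left intact, so Squid
# still sees (and can apply http_access ACLs to) the real client address.
router_rules() {
    # Squid's own outbound port-80 fetches must NOT be intercepted, or every
    # request would loop back to the proxy. ACCEPT in the nat table means
    # "do not NAT this packet"; it must come before the DNAT rules.
    echo "iptables -t nat -A PREROUTING -i $GW_LAN_IF -s $SQUID_IP -p tcp --dport 80 -j ACCEPT"
    for net in $LAN_NETS; do
        echo "iptables -t nat -A PREROUTING -i $GW_LAN_IF -s $net -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT"
        # After DNAT the packet is forwarded, not delivered locally, so the
        # FORWARD chain must allow it (the thread's router defaults FORWARD to DROP).
        echo "iptables -A FORWARD -i $GW_LAN_IF -s $net -d $SQUID_IP -p tcp --dport $SQUID_PORT -j ACCEPT"
    done
    # Replies from Squid back to the clients.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Only if the Squid host sits on the same L2 segment as the clients: its
# replies would otherwise go straight to the client from SQUID_IP:8080 and be
# reset, because the client's socket expects origin:80. Source-NATing the
# intercepted flows forces the reply back through the router. Trade-off:
# Squid then sees the router's address as the client, so per-client ACLs and
# logs lose the real source IP; policy routing on the Squid host avoids that.
router_snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $GW_LAN_IF -d $SQUID_IP -p tcp --dport $SQUID_PORT -j MASQUERADE"
}

# Rules for the SQUID HOST. It receives ordinary TCP to SQUID_IP:8080, so no
# nat-table rules are needed there; only INPUT must admit it, and only from
# the client networks. The thread's Squid box has a public address and
# accepts 8080 from any source, so whether it is an open proxy rests solely
# on http_access in squid.conf; the source match here adds a second layer.
squid_host_rules() {
    for net in $LAN_NETS; do
        echo "iptables -A INPUT -i $SQUID_LAN_IF -s $net -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $SQUID_PORT -j REJECT --reject-with tcp-reset"
}

# Counters are the quickest check that traffic is actually hitting the rules.
verify_commands() {
    echo "iptables -t nat -L PREROUTING -n -v"               # on the router: DNAT pkts column should rise
    echo "iptables -L FORWARD -n -v"                         # on the router
    echo "tcpdump -ni $SQUID_LAN_IF tcp port $SQUID_PORT"    # on the Squid host
}

case "${1:-}" in
    router)      router_rules ;;
    router-snat) router_rules; router_snat_rule ;;
    squid)       squid_host_rules ;;
    verify)      verify_commands ;;
esac
```

Run "sh two-box-intercept.sh router | sh" on the gateway and "sh two-box-intercept.sh squid | sh" on the Squid host, then load a page from a client with no browser proxy setting while watching the DNAT rule's pkts counter. A counter that stays at zero means the traffic never reaches the PREROUTING rule (wrong interface or source network); a rising counter with no page means the FORWARD rule, the Squid-side INPUT rule, or a reply path that bypasses the router is the problem, and the tcpdump on the Squid host shows which. Squid still decides what is allowed via http_access; the INPUT source match is a second layer, not a substitute.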