First of all, hello to all of you out there; it's been a while since my last post.
I'm here again to ask for help with a transparent proxy on Fedora Core 8, Squid 2.6 STABLE17.
I have recently installed Fedora 8 and updated it with yum. After it finished, I began to configure everything. So let's go to the details.
I have a LAN network, 192.168.1.0/24, and an Internet connection with a public IP. The idea is to make a server for the LAN, with a transparent Squid to serve Internet to the LAN. This server also has to work as an HTTP, mail, FTP, DNS... and more services that are used today, but as a start just that.
So, I got an AMD Athlon 64x 3.0 GHz with 2 GB of RAM and a 120 GB HD. Two NICs to connect the LAN and the Internet.
I have configured the LAN; everything works from the LAN clients to the server and from the server to the LAN clients. I set up Squid as a transparent proxy and set the rules in iptables for the redirection and for the use of HTTP, DNS, etc.
The problem is that the server has a correct connection to the Internet, but the clients don't. First of all, Squid isn't working as a transparent proxy, so I have put the proxy manually in the clients' Firefox. Then it works for some pages and services but not for all. Example: it opens Hotmail, Google, Yahoo, but not Gmail, Messenger and others. Also, from the LAN clients I can ping the server, the ext_dev and the int_dev, and the server's gateway to the Internet, but not some pages like google.com.
So please, if someone can help me make it work as a transparent proxy and for all traffic (Messenger, Gmail...), my config so far is this:
Squid.conf File
Code:
# Basic-auth parameters. They have no effect here: no "auth_param basic program"
# is set and no proxy_auth ACL is used, so nobody is ever asked to authenticate.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# Access control lists
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 53 #dns
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl INT_NET src 192.168.1.0/24 # the LAN behind eth0
# Access rules, evaluated top to bottom; the first match wins
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow INT_NET
http_access allow localhost
http_access deny all
http_reply_access allow all
# ICP (port 3130) is open to anyone who can reach it; harmless only while there are
# no cache peers and the firewall keeps that port closed on the Internet side
icp_access allow all
# Trusting X-Forwarded-For from the LAN lets any client choose the address that ends
# up in access.log; it only makes sense when a trusted proxy sits in front of Squid
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow INT_NET
# Intercepting port. The iptables REDIRECT rewrites the destination to the primary
# address of the interface the packet came in on, so this must be eth0's address and
# the port must match the --to-port of the REDIRECT rule.
http_port 192.168.1.254:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 800 32 512 # 800 MB on-disk cache
access_log /var/log/squid/access.log squid
# Never cache dynamic content
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
error_directory /usr/share/squid/errors/Spanish
# No cache peers: every request is fetched directly from the origin server
always_direct allow all
coredump_dir /var/spool/squid
iptables rules
Code:
#!/bin/bash
#### Firewall for HTTP, DNS, FTP, mail and transparent Squid services. ####
# Definitions for the Internet side
EXT_DEV="eth1"
EXT_NET="172.18.3.28/30"
EXT_IP="172.18.3.30"    # address only; the SNAT target below takes no prefix length
# Definitions for the internal LAN
INT_DEV="eth0"
INT_NET="192.168.1.0/24"
INT_IP="192.168.1.254/24"
# Enable packet forwarding between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start from empty chains in the filter and nat tables (mangle is left untouched)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Default deny in every chain; everything below is an exception to that
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback, but only between 127/8 addresses: local connections to 192.168.1.254 or
# 172.18.3.30 also travel over lo and are not matched by these two rules
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# All ICMP types, on every interface, including the Internet side
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
# LAN <-> server
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
# Server -> Internet, unrestricted (Squid's upstream fetches, the server's own DNS, yum)
iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
# LAN -> Internet: everything that is not intercepted below (HTTPS, IM, DNS, ping)
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
# Transparent Squid: port 80 from the LAN is redirected to Squid on 192.168.1.254:3128.
# The new destination is inside INT_NET, so the INPUT rule above admits it.
iptables -t nat -A PREROUTING -i $INT_DEV -s $INT_NET -p tcp --dport 80 -j REDIRECT --to-port 3128
# Source NAT for LAN packets leaving on the Internet side
iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j SNAT --to-source $EXT_IP
# Replies from the Internet to connections the server or the LAN opened
iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the Internet to the server's own services: DNS, FTP, SSH, SMTP,
# SMTPS, HTTP, HTTPS, LDAPS and IMAPS. These ports are reachable from outside from now
# on, even though none of the services behind them has been installed yet.
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 636 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT
Also, I have done nothing yet to configure the server for Apache, named, and mail; I will do that after this problem is solved.
Thanks in advance.
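The ruleset in the post, rebuilt as an added example with the changes a reviewer would ask for. This is not the poster's script and does not come from the thread; only the interface names and addresses are taken from the post. The dry-run switch, SQUID_PORT, the exclusion of the server's own address from the REDIRECT, the MSS clamping and the decision to expose nothing but SSH on eth1 are assumptions about what the poster wants. Without APPLY=1 it prints the iptables commands instead of executing them, so the rules can be read through on any machine; with APPLY=1 it applies them (root required).

```shell
#!/bin/sh
# Added example, not the original poster's script. Interface names and addresses come
# from the post; SQUID_PORT, the MSS clamping and exposing only SSH on eth1 are
# assumptions. Default is a dry run that prints the rules; APPLY=1 executes them.

EXT_DEV="eth1"
EXT_IP="172.18.3.30"
INT_DEV="eth0"
INT_NET="192.168.1.0/24"
INT_IP="192.168.1.254"
SQUID_PORT="3128"

# Print the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X; ipt -t mangle -F
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP

    # Loopback without address restriction: local clients of 192.168.1.254 use lo too.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful rules first in every chain, so replies never depend on the per-port
    # rules and the Internet side gets nothing but answers to flows opened from inside.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Ping the server from the LAN only; ICMP errors for existing flows are RELATED.
    ipt -A INPUT -i "$INT_DEV" -s "$INT_NET" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT

    # LAN -> server. Intercepted HTTP arrives on SQUID_PORT after the REDIRECT below;
    # DNS and SSH are the only other services the LAN may open to the box for now.
    ipt -A INPUT -i "$INT_DEV" -s "$INT_NET" -m state --state NEW -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$INT_DEV" -s "$INT_NET" -m state --state NEW -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INT_DEV" -s "$INT_NET" -m state --state NEW -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INT_DEV" -s "$INT_NET" -m state --state NEW -p tcp --dport 22 -j ACCEPT

    # Server -> outside: Squid's upstream fetches, the server's own DNS, yum, and
    # Squid's replies back to the LAN clients.
    ipt -A OUTPUT -o "$EXT_DEV" -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$INT_DEV" -d "$INT_NET" -m state --state NEW -j ACCEPT

    # Transparent proxy: LAN traffic to port 80 goes to Squid, except traffic to the
    # server itself, which must reach the local web server once Apache is installed.
    # (Very old iptables releases spell the negation "-d ! $INT_IP".)
    ipt -t nat -A PREROUTING -i "$INT_DEV" -s "$INT_NET" ! -d "$INT_IP" \
        -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # Everything else from the LAN (HTTPS, IM, DNS, ping) is routed and source-NATed.
    ipt -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$INT_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_DEV" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"

    # Assumption: the uplink may have a smaller MTU than the LAN (PPPoE, tunnels).
    # Clamping the MSS on forwarded SYNs avoids sites that hang after the handshake.
    ipt -t mangle -A FORWARD -o "$EXT_DEV" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu

    # Internet -> server: only services that actually run. Add 25/80/443/... later.
    ipt -A INPUT -i "$EXT_DEV" -m state --state NEW -p tcp --syn --dport 22 -j ACCEPT
}

if [ "${APPLY:-0}" = "1" ]; then
    build_firewall             # real run, needs root
else
    DRY_RUN=1 build_firewall   # default: list the rules for review
fi
```

Compared with the posted script, the differences that matter for the symptoms described are the unrestricted loopback rules, the RELATED,ESTABLISHED rules placed before everything else, the REDIRECT that leaves traffic for 192.168.1.254 alone, and the MSS clamp; the rest is about not exposing ports for services that do not exist yet.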