LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Password
Fedora This forum is for the discussion of the Fedora Project.

Notices

Reply
 
Search this Thread
Old 01-05-2008, 03:58 PM   #1
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Rep: Reputation: 15
Transparent squid works as normal proxy - help please


First of all hello to all of you out there, its been a while since my last post.

I'm here again to ask for help on a transparent proxy in Fedora Core 8,Squid 2.6 stable 17.

I have recently installed Fedora 8 and update whit yum. After it finish i begin to configure all. So lest go to the details

have a LAN network 192.168.1.0/24, a internet connection whit a public IP. The idea is to make a server for the LAN, transparent squid to serve internet to the LAN. This server have also to work as a http, mail, ftp, dns... and more service that are used today, but as a start just that

So, i got a AMD athlon 64x 3.0Ghz whit 2Gb of RAM and a HD of 120 GB. Two nicks to connect the lan an internet.

I have configured the lan, all works from the lan clients to the server, and from the server to the lan clients. set up the squid as a transparent proxy and set the rules in iptables for the redirection and the use for http, dns, etc..

The problem is that the server have correct connection to the internet, but the clients don't. Fisrt of all, the squid isn't working as a transparent proxy. So i have put manually the proxy in the firefox of hte clients. Then it works for some pages and service but not for all. Example: it opens hotmail,google,yahoo, but not gmail, messenger and others. Also from the LAN clients i can ping to the server, the ext_dev an the int_dev and the gateway of the server to the internet, but not to some page like google.com

So please, if someone can help me to make it work as transparent proxy and for all traffic (messenger, gmail..) my config so far are this:
Squid.conf File
Code:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 53          #dns
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl INT_NET src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow INT_NET
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow INT_NET
http_port 192.168.1.254:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 800 32 512
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
error_directory /usr/share/squid/errors/Spanish
always_direct allow all
coredump_dir /var/spool/squid
iptables rules
Code:
#!/bin/bash
#### Firewall para servicios HTTP, DNS, FTP, Mail, Squid transparente. ####

#Definiciones de Entrada
EXT_DEV="eth1"
EXT_NET="172.18.3.28/30"
EXT_IP="172.18.3.30/30"
echo "eth1"
#Definiciones de LAN Interna
INT_DEV="eth0"
INT_NET="192.168.1.0/24"
INT_IP="192.168.1.254/24"
echo "eth0"
#Forward de paquetes
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
#Squid Transparent
iptables -t nat -A PREROUTING -i $INT_DEV -s $INT_NET -p tcp --dport 80 -j REDIRECT --to-port 3128
#Mascaraed of packets
iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j SNAT --to-source 172.18.3.30
iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 636 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT
Also i have done nothing yet to configure the server for apache, named, and mail. that i will do after this problem is solve

Thanks in advanced

Last edited by Ronin_tekorei; 01-05-2008 at 04:47 PM.
 
Old 01-06-2008, 09:09 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967
generally looks ok there, what does wireshark or tcpdump say about the packets? you should be able to see the packet twice, once before redirection, once after (i think). I would wonder though about the fact that squid is only listening on the external ip address, not loopback too. that could be causing an issue in terms of where the redirect sends it to.
 
Old 01-07-2008, 12:12 AM   #3
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Original Poster
Rep: Reputation: 15
acid_kewpie, thanks, problem solve. the error was that i forguet to change the config of the file named.conf after the installation. In the instalation i put the ip 192.168.1.1, so the named.conf was listening on that ip, but after some consideration i change it to 192.168.1.254. sorry for my stupidity
Quote:
what does wireshark or tcpdump say about the packets?
i have no idea what programs are you talking about 0.o but i will google it immediately

Last edited by Ronin_tekorei; 01-07-2008 at 12:13 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid Transparent Proxy SBN Linux - Server 6 07-11-2007 04:54 AM
Squid as a transparent proxy kemplej Linux - Software 2 12-08-2004 06:00 PM
Squid Transparent Proxy 1jamie Linux - Security 7 09-26-2003 07:09 AM
Squid with Transparent Proxy MarleyGPN Linux - Networking 1 08-28-2003 03:51 PM
squid transparent proxy...... hitesh_linux Linux - Networking 1 06-13-2003 04:24 AM


All times are GMT -5. The time now is 07:25 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration