Fedora Linux Transparent Proxy with Squid - pop/smtp/ftp issues
Hi Guys, I am a relative newbie, so I'll try my best to explain the setup and problem in detail; and am sorry if it gets a bit long to read. Any help will be highly appreciated.
My setup and problem
1. Few workstations, all connected in a LAN (192.168.1.0/24) via a switch. A broadband router (192.168.1.1), also connected to the same LAN via same switch.
So, in principle, my broadband router is my internet gateway.
I cannot change LAN cables, so I treated one workstation (192.168.1.100) with Fedora 4 as Gateway Router and then under TCP/IP properties on all other workstations (Windows XP/Server 2003) I changed gateway address from 192.168.1.1 to 192.168.1.104.
And since new Gateway Router has its gateway address as 192.168.1.1, so it basically behaves as a bridge.
2. I installed squid on Fedora 4 machine and configured iptables+squid to make new Gateway Router work as a Transparent Proxy. I did this only for http traffic.
3. Everything works fine while browsing http websites, which is confirmed via access/cache log of squid. And obviously, since I didn't open/configure ports for SMTP/POP/FTP etc, so workstations are not able to access these services hosted on servers outside the network.
4. The problem is - I have enabled ip_forward, added rules to allow forward packets directed to SMTP/POP etc, but workstations are still unable to access these services. I just want my Gateway Router to forward requests for these services, originated from my network straight to the next router node i.e. Broadband Router (192.168.1.1) - which I guess it should be doing IF my packet forward rules are correct.
I tried to log firewall info on Gateway Router, but log file doesn't show anything related to it. I am posting here relevant parts of my iptables file -
#squid http traffic [THIS WORKS]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
#SMTP/POP [THIS DOES NOT WORK - NEED HELP HERE]
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j LOG
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j LOG
Once again, any help will be highly appreciated.
Hi, I don't use M$ products through my squid/iptables gateway, but I found this and it may help you....
None of the links help. The problem is straight - A fedora box is working as internet gateway for a LAN. Workstations on LAN need to access smtp, pop, ftp etc services hosted over servers outside the LAN (on public internet). So ports 25, 110, 21 etc on the gateway need to be forwarded. I have added FORWARD rules in iptables, but still workstation machines are unable to connect to the servers (hosted on public internet) on the mentioned ports. (http request redirection rules for squid proxy work though)
Here is my current iptables file:
So finally, no takers? :(
Hi, do you have 2 NICs on the GNU/Linux pc?
If so, do you have IP packet forwarding enabled in
/etc/sysctl.conf: net.ipv4.ip_forward = 1
Just a thought.
Glenn, thanks for response. To answer your questions -
1. No, there is only one network card on that machine.
2. Yes, packet forwarding is on.
For a note - when I disable RH-Firewall (Red Hat Firewall from GUI), and then manually enter my iptables rules in iptables file and start the iptables service (but keeping RH-Firewall stopped) - then everything works fine.
Problem comes just when RH-Firewall is on. I have on my end, tried to enter proper rules to allow traffic through it, but it doesn't seem to work. Any pointers will be appreciated.
leave it off, and make your own script
Mandriva has "shorewall"
I turn off the service shorewall firewall. It's just a gui for iptables.
I turn off the services for iptables and ipv6,
although the libs and packages are required to be installed for iptables
write your iptables rules in a text file and make a shell script
(first line ... #!/bin/sh) from it.
copy it to /etc/init.d (you need root access to do this)
make it executable, in a gui just right click and select properties, as root.
make sure you have a backup of it,
and execute it at boot-time with its name and address in the /etc/rc.d/rc.local
The order of the rules is important, in both squid and iptables.
test it with Gibson Research's "Shields Up" online.
Personally, I do not know enough about iptables to tell you more.
I can post my firewall script here if it helps, it was not written by me. But I modified it to do what I want. and it's secure.
hope this helps
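
Added example (not from the thread or any poster's script): a small Python check for the rule-ordering point raised above. It reads iptables-save style `-A` lines and reports rules that can never be reached because an earlier rule in the same chain already decides the packet. `POSTED` is the FORWARD lines quoted in the first post; `CONSTRUCTED`, with its `RH-Firewall-1-INPUT` layout, is an assumption made for illustration, since the poster's full file is not shown.

```python
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # verdict targets; rule traversal stops here

# The four FORWARD lines exactly as posted in the thread.
POSTED = """\
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j LOG
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j LOG
"""
# Constructed sample (assumption, not the poster's file): the same kind of rule
# appended after a catch-all jump into a chain that ends in REJECT.
CONSTRUCTED = """\
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse(text):
    """Return {chain: [(match_tokens, target, raw_line), ...]} for '-A' lines."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "-A" and "-j" in tok[2:-1]:
            j = tok.index("-j")
            chains.setdefault(tok[1], []).append((tuple(tok[2:j]), tok[j + 1], line.strip()))
    return chains

def always_ends(chains, name, seen=()):
    """True if every packet handed to target/chain `name` gets a final verdict."""
    if name in TERMINATING:
        return True
    if name in seen:
        return False
    for match, target, _ in chains.get(name, []):
        if target == "RETURN":
            return False  # packets may go back to the calling chain
        if not match and always_ends(chains, target, seen + (name,)):
            return True
    return False

def shadowed(text):
    """Return (rule, blocker) pairs where `rule` can never be reached."""
    chains, found = parse(text), []
    for rules in chains.values():
        for i, (match, _, raw) in enumerate(rules):
            for prev_match, prev_target, prev_raw in rules[:i]:
                if prev_match in ((), match) and always_ends(chains, prev_target):
                    found.append((raw, prev_raw))
                    break
    return found
```

The check is conservative: it only compares identical match strings and treats ACCEPT, DROP and REJECT as final, so a clean result does not prove the ordering is right.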