LinuxQuestions.org > Linux - Networking > IPTABLES for squid (Transparent proxy)
(http://www.linuxquestions.org/questions/linux-networking-3/iptables-for-squid-transparent-proxy-594739/)

kool_kid 10-26-2007 05:36 AM

IPTABLES for squid (Transparent proxy)
 
I have a Linux machine which has Internet failover + load balancing along with Squid. The client machines have two options to access the Internet: either directly (without Squid) or indirectly (with Squid). When going indirectly, i.e. with Squid, the client machines need to configure their browsers to use Squid. I know that I can automate this task with iptables, but I WANT TO ONLY ALLOW A FEW IPs TO PASS THROUGH SQUID AND THE REST SHOULD HAVE A DIRECT INTERNET CONNECTION. Can this be done using iptables?

win32sux 10-26-2007 07:26 AM

Sure, just specify the IPs you want the rule to apply to. Example:
Code:

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.112-192.168.1.156 \
-j REDIRECT --to-ports 3128

In this example, only the IPs in the 192.168.1.112-192.168.1.156 range would be transparently proxied.

kool_kid 10-26-2007 07:39 AM

Thank you very much, I will try it.

kool_kid 10-26-2007 07:41 AM

OK, one question. I have 3 NICs (say eth0, eth1, eth2) in my system. Two of them (i.e. eth0 and eth1) have direct ISP access, and the third NIC (i.e. eth2) is used by my internal LAN to access the Internet; Squid is also configured on this third NIC. So do I have to change that eth1 to eth2?

win32sux 10-26-2007 09:55 AM

Yeah, the interface you'd specify in this rule would be the LAN interface where Squid is listening.

kool_kid 10-26-2007 10:59 AM

OK, thank you.

kool_kid 10-26-2007 12:52 PM

That worked very well, thanks again.

kool_kid 10-29-2007 08:09 AM

If I want to use some IPs and some ranges, how do I issue the command? For example, I want to pass only these IPs through Squid: 192.168.1.55, 192.168.1.57, 192.168.1.59, the range 192.168.1.60-192.168.10.70 and another range 192.168.1.110-192.168.1.115, and give the rest of the IPs direct access to the Internet.

Would the commands be
for a range of IPs:
Quote:

iptables -t nat -A PREROUTING -p TCP -i eth1 \
-m iprange --src-range 192.168.1.60-192.168.1.70 192.168.1.110-192.168.1.115 \
-j REDIRECT --to-ports 3128
for individual IPs:
Quote:

iptables -t nat -A PREROUTING -p TCP -i eth1 \
-s 192.168.1.55 192.168.1.57 192.168.1.59 \
-j REDIRECT --to-ports 3128
Is it correct?

win32sux 10-29-2007 08:16 AM

Quote:

Originally Posted by kool_kid (Post 2940844)
If I want to use some IPs and some ranges, how do I issue the command? For example, I want to pass only these IPs through Squid: 192.168.1.55, 192.168.1.57, 192.168.1.59, the range 192.168.1.60-192.168.10.70 and another range 192.168.1.110-192.168.1.115, and give the rest of the IPs direct access to the Internet.

I would do it like this:
Code:

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.60-192.168.10.70 \
-j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.110-192.168.1.115 \
-j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.55 -j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.57 -j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.59 -j REDIRECT --to-ports 3128


kool_kid 10-29-2007 08:18 AM

OK, thanks. I will try it out the same way as you did :)

kool_kid 10-29-2007 08:19 AM

If I don't mention that --dport 80, will it redirect all the ports to my Linux machine?

win32sux 10-29-2007 08:54 AM

Quote:

Originally Posted by kool_kid (Post 2940860)
If I don't mention that --dport 80, will it redirect all the ports to my Linux machine?

Yes (TCP ports).

kool_kid 10-29-2007 09:01 AM

So if I also want to redirect the UDP ports, what should the command be?

win32sux 10-29-2007 09:59 AM

Quote:

Originally Posted by kool_kid (Post 2940921)
So if I also want to redirect the UDP ports, what should the command be?

You could eliminate the "-p TCP" match; that would catch all protocols (you'll need to have removed the --dport match for that to work). Or you could just add a set of almost-identical rules with the only difference being that they use "-p UDP" instead. Keep in mind that a great deal of non-HTTP traffic can't be transparently proxied by Squid, so sending all packets to REDIRECT is just wishful thinking. If your goal is to get a tight grip on all the outgoing connections from these IPs, you need to step in with your firewall rules.
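
Added example, not code from the thread or either participant: a POSIX sh script that turns the mixed host/range list from the question above into a single nat chain, following the same one-REDIRECT-per-entry pattern win32sux gave, and adds the filter-side rules the last reply hints at so that the listed clients cannot go around Squid for traffic it cannot proxy. Assumptions not stated in the thread: the LAN interface is eth2 (the asker's third NIC), Squid listens on 3128, the chain names SQUID_REDIRECT and SQUID_ONLY, the listed clients resolve DNS through the gateway (so port 53 is allowed), and the script only prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread: build the nat REDIRECT rules
# for a mixed list of single hosts and ranges, plus the filter rules that
# stop those clients from bypassing Squid for traffic it cannot proxy.
# Assumptions (not from the thread): LAN interface eth2, Squid on 3128,
# the chain names below, and that clients resolve DNS themselves.
# Rules are only printed unless APPLY=1 is set, so they can be reviewed first.

LAN_IF="${LAN_IF:-eth2}"
SQUID_PORT="${SQUID_PORT:-3128}"
NAT_CHAIN="SQUID_REDIRECT"     # hypothetical chain names
FWD_CHAIN="SQUID_ONLY"
IPT="${IPT:-iptables}"

# Clients that must go through Squid (addresses from the thread, one per
# line; ranges use a dash). Every other LAN host keeps its direct route.
PROXIED_CLIENTS="
192.168.1.55
192.168.1.57
192.168.1.59
192.168.1.60-192.168.1.70
192.168.1.110-192.168.1.115
"

# Execute a rule when APPLY=1, otherwise print the command line.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

# Source match for one entry: a dash means an iprange match, otherwise a
# plain -s (which also accepts CIDR notation such as 192.168.1.0/24).
src_match() {
    case "$1" in
        *-*) printf '%s' "-m iprange --src-range $1" ;;
        *)   printf '%s' "-s $1" ;;
    esac
}

# nat side: one REDIRECT per entry, TCP port 80 only. Dropping --dport would
# send every TCP port to Squid, which cannot proxy most of that traffic.
build_nat_rules() {
    ipt -t nat -N "$NAT_CHAIN" 2>/dev/null || true   # create once,
    ipt -t nat -F "$NAT_CHAIN"                        # then flush: rerun-safe
    for entry in $PROXIED_CLIENTS; do
        # word splitting of src_match output into two/three args is intended
        ipt -t nat -A "$NAT_CHAIN" -p tcp --dport 80 $(src_match "$entry") \
            -j REDIRECT --to-ports "$SQUID_PORT"
    done
    # Hook the chain into PREROUTING exactly once (remove an older copy first).
    ipt -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$NAT_CHAIN" 2>/dev/null || true
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$NAT_CHAIN"
}

# filter side: packets REDIRECTed to Squid are delivered locally (INPUT) and
# never reach FORWARD, so rejecting the proxied clients in FORWARD closes
# every direct path out. DNS stays open because an intercepted client still
# resolves names itself before connecting (assumes an off-LAN resolver).
build_filter_rules() {
    ipt -N "$FWD_CHAIN" 2>/dev/null || true
    ipt -F "$FWD_CHAIN"
    for entry in $PROXIED_CLIENTS; do
        ipt -A "$FWD_CHAIN" $(src_match "$entry") -p udp --dport 53 -j ACCEPT
        ipt -A "$FWD_CHAIN" $(src_match "$entry") -p tcp --dport 53 -j ACCEPT
        ipt -A "$FWD_CHAIN" $(src_match "$entry") -j REJECT
    done
    ipt -D FORWARD -i "$LAN_IF" -j "$FWD_CHAIN" 2>/dev/null || true
    ipt -I FORWARD 1 -i "$LAN_IF" -j "$FWD_CHAIN"
}

# Sanity checks for the printed rule set: per-client rules each side emits.
count_redirects() { build_nat_rules | grep -c -- '-j REDIRECT'; }
count_rejects()   { build_filter_rules | grep -c -- '-j REJECT'; }

build_nat_rules
build_filter_rules
```

Run it as-is to review the generated iptables commands, then rerun with APPLY=1 as root to install them. Because each run flushes its own chains and re-adds the single PREROUTING and FORWARD hooks, rebuilding never leaves duplicate rules behind, which repeatedly appending the flat rules above would.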

kool_kid 10-29-2007 10:45 AM

OK, I got it. Thank you very much for all your help.

