LinuxQuestions.org
Old 10-26-2007, 05:36 AM   #1
kool_kid
Member
 
Registered: Sep 2004
Location: Dubai, UAE
Distribution: RHL
Posts: 350

Rep: Reputation: 30
IPTABLES for squid (Transparent proxy)


I have a Linux machine which has internet failover + load balancing along with Squid. Now the client machines have 2 options to access the internet: either directly (w/o Squid) or indirectly (with Squid). When using it indirectly, i.e. with Squid, the client machines need to configure their browsers to access Squid. I know that I can automate this task with iptables, but I WANT TO ONLY ALLOW A FEW IPs TO PASS THROUGH SQUID AND THE REST SHOULD HAVE A DIRECT INTERNET CONNECTION. Can this be done using iptables?
 
Old 10-26-2007, 07:26 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Sure, just specify the IPs you want the rule to apply to. Example:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.112-192.168.1.156 \
-j REDIRECT --to-ports 3128
In this example, only the IPs in the 192.168.1.112-192.168.1.156 range would be transparently proxied.
 
Old 10-26-2007, 07:39 AM   #3
kool_kid
Thank you very much, will try it.
 
Old 10-26-2007, 07:41 AM   #4
kool_kid
Okay, 1 question: I have 3 NICs (say eth0, eth1, eth2) in my system. 2 of them (i.e. eth0, eth1) have direct ISP access, and the third NIC (i.e. eth2) is used by my internal LAN to access the internet; Squid is also configured on this 3rd NIC. So do I have to change that eth1 to eth2?
 
Old 10-26-2007, 09:55 AM   #5
win32sux
Yeah, the interface you'd specify in this rule would be the LAN interface where Squid is listening.
 
Old 10-26-2007, 10:59 AM   #6
kool_kid
OK, thank you.
 
Old 10-26-2007, 12:52 PM   #7
kool_kid
That worked very fine, thanks again.
 
Old 10-29-2007, 08:09 AM   #8
kool_kid
If I want to use some IPs and some ranges, how do I issue the command? For example, I want to only pass these IPs through Squid: 192.168.1.55, 192.168.1.57, 192.168.1.59, the range 192.168.1.60-192.168.10.70 and another range 192.168.1.110-192.168.1.115, and give the rest of the IPs direct access to the internet.

Would the commands be
for a range of IPs:
Quote:
iptables -t nat -A PREROUTING -p TCP -i eth1 \
-m iprange --src-range 192.168.1.60-192.168.1.70 192.168.1.110-192.168.1.115 \
-j REDIRECT --to-ports 3128
for individual IPs:
Quote:
iptables -t nat -A PREROUTING -p TCP -i eth1 \
-s 192.168.1.55 192.168.1.57 192.168.1.59 \
-j REDIRECT --to-ports 3128
Is it correct?
 
Old 10-29-2007, 08:16 AM   #9
win32sux
Quote:
Originally Posted by kool_kid
If I want to use some IPs and some ranges, how do I issue the command? For example, I want to only pass these IPs through Squid: 192.168.1.55, 192.168.1.57, 192.168.1.59, the range 192.168.1.60-192.168.10.70 and another range 192.168.1.110-192.168.1.115, and give the rest of the IPs direct access to the internet.
I would do it like this:
Code:
# One rule per range (iprange takes a single first-last pair) and one rule
# per single host. Only TCP/80 arriving on the LAN interface is examined;
# every other client falls through and is routed directly.
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.60-192.168.10.70 \
-j REDIRECT --to-ports 3128
# NOTE: the range above runs from 192.168.1.60 all the way up to
# 192.168.10.70, i.e. far more than the 192.168.1.x hosts named in the
# question; if only 192.168.1.60 through .70 was meant, use
# --src-range 192.168.1.60-192.168.1.70 (as in the command you tried).

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.110-192.168.1.115 \
-j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.55 -j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.57 -j REDIRECT --to-ports 3128

iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.59 -j REDIRECT --to-ports 3128

Last edited by win32sux; 10-29-2007 at 08:18 AM.
 
Old 10-29-2007, 08:18 AM   #10
kool_kid
Okay, thanks, I will try it out the same way as you did.
 
Old 10-29-2007, 08:19 AM   #11
kool_kid
If I don't mention --dport 80, will it redirect all the ports to my Linux machine?
 
Old 10-29-2007, 08:54 AM   #12
win32sux
Quote:
Originally Posted by kool_kid
If I don't mention --dport 80, will it redirect all the ports to my Linux machine?
Yes (TCP ports).
 
Old 10-29-2007, 09:01 AM   #13
kool_kid
So if I also want to redirect the UDP ports, what should be the command?
 
Old 10-29-2007, 09:59 AM   #14
win32sux
Quote:
Originally Posted by kool_kid
So if I also want to redirect the UDP ports, what should be the command?
You could eliminate the "-p TCP" match - that would catch all protocols (you'll need to have removed the --dport match for that to work). Or you could just add a set of almost-identical rules with the only difference being that they use "-p UDP" instead. Keep in mind that a great deal of non-HTTP traffic won't be able to be transparently proxied by Squid, so sending all packets to REDIRECT is just wishful thinking. If your goal is to get a tight grip on all the outgoing connections from these IPs, you need to step in with your firewall rules.

Last edited by win32sux; 10-29-2007 at 10:07 AM.
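The two halves of this thread, the selective REDIRECT rules from post #9 and the "step in with your firewall rules" advice from post #14, put together as one script. This is an added example and not code from the thread or from either poster: it assumes eth2 as the LAN interface (post #4), Squid on port 3128, the hypothetical chain names SQUID_REDIRECT and SQUID_ENFORCE, and the client list from post #8 with 192.168.10.70 taken as a typo for 192.168.1.70. The nat chain does what the individual rules in post #9 do; the filter rules keep port 3128 off the ISP-facing NICs and stop the proxied clients from being forwarded directly (DNS excepted), so they cannot sidestep Squid by using a port other than 80, which is the part REDIRECT alone cannot give you. Unlisted clients are untouched and keep their direct route.

```shell
#!/bin/sh
# Added example, not from the thread. Selective transparent proxying for
# Squid: listed clients are REDIRECTed to Squid, everyone else routes
# directly. Interface, port, chain names and client list are assumptions.
# Usage: sh squid-redirect.sh preview   (print the iptables commands)
#        sh squid-redirect.sh apply     (run them; needs root)

LAN_IF="${LAN_IF:-eth2}"                  # LAN NIC where Squid listens
SQUID_PORT="${SQUID_PORT:-3128}"
NAT_CHAIN="${NAT_CHAIN:-SQUID_REDIRECT}"  # hypothetical chain names
FWD_CHAIN="${FWD_CHAIN:-SQUID_ENFORCE}"
IPTABLES="${IPTABLES:-iptables}"          # IPTABLES=echo gives a dry run

# Clients to send through Squid: single hosts or first-last ranges.
# (The thread's 192.168.10.70 is taken as a typo for 192.168.1.70.)
PROXIED_CLIENTS="${PROXIED_CLIENTS:-192.168.1.55 192.168.1.57 192.168.1.59 192.168.1.60-192.168.1.70 192.168.1.110-192.168.1.115}"

# Match clause for one entry: -s for a host, -m iprange for a range
# (iprange accepts exactly one first-last pair per rule).
src_match() {
    case "$1" in
        *-*) printf '%s %s' '-m iprange --src-range' "$1" ;;
        *)   printf '%s %s' '-s' "$1" ;;
    esac
}

# (Re)create chain $3 in table $1 and re-point the jump from $2 at it.
# Delete-then-insert keeps re-runs from stacking duplicate jumps.
reset_chain() {
    table=$1; parent=$2; chain=$3; shift 3
    $IPTABLES -t "$table" -N "$chain" 2>/dev/null || $IPTABLES -t "$table" -F "$chain"
    $IPTABLES -t "$table" -D "$parent" "$@" -j "$chain" 2>/dev/null
    $IPTABLES -t "$table" -I "$parent" "$@" -j "$chain"
}

# nat side: only LAN-side TCP/80 from listed clients is redirected to Squid.
# Anyone else falls off the end of the chain and is routed directly.
apply_redirect() {
    reset_chain nat PREROUTING "$NAT_CHAIN" -i "$LAN_IF" -p tcp --dport 80
    for entry in $PROXIED_CLIENTS; do
        $IPTABLES -t nat -A "$NAT_CHAIN" $(src_match "$entry") \
            -j REDIRECT --to-ports "$SQUID_PORT"
    done
}

# filter side: redirected packets arrive on INPUT with dport 3128, so accept
# that on the LAN NIC only and drop it on the ISP-facing NICs (no open
# proxy). Proxied clients are not forwarded directly except for DNS, so a
# non-80 port does not bypass Squid; their port-80 traffic never reaches
# FORWARD because REDIRECT already turned it into local INPUT traffic.
apply_enforce() {
    $IPTABLES -D INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT 2>/dev/null
    $IPTABLES -I INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPTABLES -D INPUT ! -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP 2>/dev/null
    $IPTABLES -I INPUT ! -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP
    reset_chain filter FORWARD "$FWD_CHAIN" -i "$LAN_IF"
    for entry in $PROXIED_CLIENTS; do
        $IPTABLES -A "$FWD_CHAIN" $(src_match "$entry") -p udp --dport 53 -j RETURN
        $IPTABLES -A "$FWD_CHAIN" $(src_match "$entry") -j DROP
    done
}

apply_all() { apply_redirect; apply_enforce; }

case "${1:-}" in
    preview) IPTABLES=echo; apply_all ;;
    apply)   apply_all ;;
esac
```

Run `sh squid-redirect.sh preview` first and read the printed rules; the `-D` lines failing on a fresh box are expected. Squid must still be listening on 3128 in transparent (newer versions: intercept) mode for the redirected requests to be understood, and HTTPS is deliberately not redirected here since plain REDIRECT to an http_port cannot proxy it.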
 
Old 10-29-2007, 10:45 AM   #15
kool_kid
Okay, I got it, thank you very much for all your help.
 