LinuxQuestions.org
Old 10-02-2014, 04:12 AM   #1
staticN
Iptables help needed (Squid proxy, backend web-server)


Hello,

I'm new to networking in Linux and don't get along with iptables.

My setup is like this:
Code:
                                                             web/ftp-server
                                                            /
Modem - Gateway/Router - (eth1) Squid proxy (eth0) - Switch - Users
The modem connection has 1 static/public IP address.
I'm running Squid version 3.4.7, static IPs for eth1 and eth0. IP of eth1 is 192.168.1.7, for eth0 it is 192.168.0.9.
I have configured Squid as a non-transparent proxy, i.e. just "http_port 3128". Along with ACLs for inbound connections I have also defined a virtual host (the www server) name.domain.tld like this:
Code:
# accelerator (reverse proxy) listener; defaultsite supplies the host name for requests without one
http_port 80 accel defaultsite=www.domain.tld
# the backend origin server, reached on port 8080
cache_peer IP_OF_BACKENDSERVER parent 8080 0 no-query no-digest originserver name=site_www
# must match the host name clients actually request (a request for www.domain.tld does not match site1.domain.tld)
acl site_www_users dstdomain site1.domain.tld
# the directive is cache_peer_access (one word), not "cache peer_access"
cache_peer_access site_www allow site_www_users
cache_peer_access site_www deny all
What I am totally at a loss of understanding is this:

- How do I configure iptables properly so that the proxy server is reachable from outside and also so that when someone enters site1.domain.tld it will reach the backend server?

- How do I configure iptables so that I ensure that all outbound traffic leaves the correct Ethernet interface?

I have read many iptables examples regarding this, but they have all included transparent proxies. I don't think I want a transparent proxy though, but maybe this would be required when reverse proxying for outbound connections is needed?

Anything/Everything unclear - don't hesitate to ask.
 
Old 10-03-2014, 04:47 AM   #2
staticN
To add,

I have tried with this, so that the following iptables NAT rule is applied:

Code:
# iptables-save format, nat table; as a command: iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 82 -j DNAT --to-destination 192.168.0.99:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 82 -j DNAT --to-destination 192.168.0.99:3128
Squid is running on 192.168.0.99. The reason why it is port 82 is that I do not want to overrule the current live website running at another Windows server at port 80. The gateway/router redirects port 80 traffic to this Windows server, while I have set the gateway/router to redirect port 82 traffic to eth1 of the Squid proxy server (192.168.1.4).

In the example I used the format www.domain.tld as the dstdomain and defaultsite, so when I enter www.domain.tld:82 I would reach IP_OF_BACKENDSERVER at port 8080.
But I don't.

Instead, what I get is a Squid error page:
Code:
The following error was encountered while trying to retrieve the URL: /

    Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:

    Missing or incorrect access protocol (should be "http://" or similar)

    Missing hostname

    Illegal double-escape in the URL-Path

    Illegal character in hostname; underscores are not allowed.
From the LAN side I can access my vhosts without problems. Any hints? Or is this a hint that Squid just can't do what I want it to?
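The error page above is the one Squid returns when a request in origin-form (`GET / HTTP/1.1` with a `Host:` header, which is what a browser sends to `www.domain.tld:82`) arrives on a plain `http_port` such as 3128: a forward-proxy listener expects absolute-form URLs (`GET http://www.domain.tld/ HTTP/1.1`), and only an `accel` or intercept port rebuilds the URL from the `Host` header. The script below is an added example, not from the thread and not Squid's own code: it classifies a request-line by its request-target and, given an IP and port, sends both forms and prints Squid's status line and `X-Squid-Error` header so you can see which mode a listener is in. The host name follows the thread; the script name `squid-probe.sh` is assumed.

```shell
#!/bin/bash
# Added example (not from the thread, not Squid code): tell apart the two request
# shapes a Squid listener can receive, and probe a listener with both of them.

# Classify an HTTP request-line by its request-target (RFC 7230 terms):
#   origin-form    "GET / HTTP/1.1"                      accel/intercept ports + Host header
#   absolute-form  "GET http://www.domain.tld/ HTTP/1.1" what a plain forward-proxy port expects
#   authority-form "CONNECT host:443 HTTP/1.1"           CONNECT tunnels
#   asterisk-form  "OPTIONS * HTTP/1.1"
request_form() {
  local target
  target=$(printf '%s' "$1" | awk '{print $2}')
  case "$target" in
    http://*|https://*|ftp://*) echo absolute-form ;;
    /*)                         echo origin-form ;;
    \*)                         echo asterisk-form ;;
    *)                          echo authority-form ;;
  esac
}

# The raw request a browser sends straight to a site (origin-form), and the one it
# sends when a proxy is configured (absolute-form). Arguments: HOST PATH.
browser_request() {
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}
proxy_request() {
  printf 'GET http://%s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2" "$1"
}

# probe IP PORT origin|absolute HOST PATH
# Sends one request over bash's /dev/tcp and prints the status line plus the
# X-Squid-Error header Squid adds to its error pages. Needs network access.
probe() {
  {
    if [ "$3" = absolute ]; then proxy_request "$4" "$5"; else browser_request "$4" "$5"; fi >&3
    head -n 20 <&3 | tr -d '\r' | grep -E '^(HTTP/|X-Squid-Error:)'
  } 3<>"/dev/tcp/$1/$2"
}

# Usage: ./squid-probe.sh IP PORT www.domain.tld
# On a plain http_port the origin-form request is the one answered with
# "Invalid URL" (X-Squid-Error: ERR_INVALID_URL); on an accel port it is the one that works.
if [ "$#" -eq 3 ]; then
  echo "== origin-form (browser style) to $1:$2";  probe "$1" "$2" origin   "$3" /
  echo "== absolute-form (proxy style) to $1:$2";  probe "$1" "$2" absolute "$3" /
fi
```

Run it once against the DNAT target (`./squid-probe.sh 192.168.0.99 3128 www.domain.tld`) and once against the accel port; the form that each listener accepts tells you which port the router's port 82 should really be forwarded to.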
 
Old 10-27-2014, 04:34 AM   #3
staticN
For someone else looking for a solution, here's what I did:

1) Learn iptables and do some more drawings of what I needed.
2) Use Squid for inbound traffic and Apache vhosts for outbound.

Basically what I did was to leave Squid alone and only listen on port 3128 on eth0, by specifying "http_port <internal_ip>:3128". This makes locally available vhosts possible to reach for inbound/LAN connections.

I installed Apache, and created a bunch of vhosts in Apache listening at port 8030. I preroute traffic from eth1 at port 80 to port 8030.
If anyone has any questions or similar setup issues, just ask in this thread, and maybe I can help.
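For the topology the thread ends up with (Apache vhosts on port 8030 reached from the router via eth1, Squid's forward proxy bound to eth0 only, users behind eth0 going out through this box), here is an added example of a complete iptables-restore ruleset, generated by a shell function so it can be reviewed and checked before it is loaded. It is not from the thread: the interface names, the 192.168.1.x/192.168.0.x addressing and port 8030 follow the posts, while the LAN subnet 192.168.0.0/24, SSH from the LAN and the `conntrack` match are assumptions. The check function covers the point that matters most here: the earlier DNAT of port 82 to 3128 made the forward-proxy port reachable from the internet, leaving Squid's `http_access` rules as the only thing between you and an open proxy; the ruleset below never accepts the proxy port on the WAN interface.

```shell
#!/bin/bash
# Added example (not from the thread): iptables-restore ruleset for a Squid/Apache
# box sitting between the router (eth1) and the LAN (eth0). Generated by a function
# so it can be reviewed and checked before it touches the live tables.
set -eu

WAN_IF=${WAN_IF:-eth1}              # toward the gateway/router, 192.168.1.x (from the thread)
LAN_IF=${LAN_IF:-eth0}              # toward the switch and users, 192.168.0.x (from the thread)
LAN_NET=${LAN_NET:-192.168.0.0/24}  # assumed LAN subnet
VHOST_PORT=${VHOST_PORT:-8030}      # Apache vhosts, as in post #3
SQUID_PORT=${SQUID_PORT:-3128}      # Squid forward proxy, LAN side only

# Print the complete ruleset in iptables-save format (comment lines are ignored by iptables-restore).
ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound web traffic from the router lands on the Apache vhosts on this box,
# so REDIRECT (to a local port) is used rather than DNAT to another host.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $VHOST_PORT
# LAN clients leaving via $WAN_IF get this box's WAN address, so the router
# needs no route back to $LAN_NET.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# From the WAN side only the vhost port is reachable (after the REDIRECT above).
-A INPUT -i $WAN_IF -p tcp --dport $VHOST_PORT -j ACCEPT
# Squid's forward-proxy port is reachable from the LAN only, never from $WAN_IF.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# Assumed: administration over SSH from the LAN, and ping from the LAN.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
# Users may go out through the box; nothing unsolicited is forwarded in from the WAN.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Succeeds only if no rule accepts the Squid port on the WAN interface
# (the open-proxy mistake the port 82 -> 3128 DNAT would have made).
squid_not_exposed() {
  ! ruleset | grep -q -- "-i $WAN_IF .*--dport $SQUID_PORT -j ACCEPT"
}

# Load the rules atomically, replacing the current tables (root required).
apply_ruleset() {
  squid_not_exposed || { echo "refusing to load: Squid port exposed on $WAN_IF" >&2; return 1; }
  ruleset | iptables-restore
}

case "${1:-}" in
  --show)  ruleset ;;
  --apply) apply_ruleset ;;
  "")      ;;   # no argument: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 --show | --apply" >&2; exit 2 ;;
esac
```

Run with `--show` to print the rules and `--apply` as root to load them. Which interface outbound packets leave on is decided by the routing table (a default route via eth1), not by iptables; the MASQUERADE rule only rewrites the source address, and forwarding must be enabled (`sysctl -w net.ipv4.ip_forward=1`) for the users behind eth0 to get out at all.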
 