LinuxQuestions.org
Old 04-13-2015, 02:03 PM   #1
FireforLinux
LQ Newbie
 
Registered: Apr 2015
Distribution: OpenSuse 13.2
Posts: 6

Rep: Reputation: Disabled
OpenSuse - transparent squid proxy - possible???


Hello to all!

FYI I'm running OpenSuse version 13.2

I've got squid setup as a local proxy (local as in only one computer and not the LAN) with which I can control internet access for different users, bandwidth etc... It works great when I point my browser to localhost:3128 but my goal is to make it transparent so that no matter whether proxy settings are entered or blank, port 80 and 443 will be directed to Squid. After some research supposedly there's a way to forward ports 80 & 443 to 3128 using Iptables but I can't seem to get it to work. Is there a special trick to port-forwarding with Iptables on an OpenSuse machine? In summary, how do I forward at least port 80 to 3128? Maybe there's a better way to do it than to use Iptables?

Thanks for your help in advance!

Last edited by FireforLinux; 04-14-2015 at 10:12 AM. Reason: Not detailed enough
 
Old 04-13-2015, 02:43 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
A number of questions:
  • Why do you want a proxy (ie, what do you hope it will do for you)?
  • You have tried something with iptables, but what exactly? And what happened (not the right thing, but what wrong thing)?

Now, it seems to me there are a couple of ways of doing this. One is iptables (directly). The slight trouble here is that yast also thinks that it is managing the iptables firewall, and it may well have overwritten your iptables rules in order to restore the 'right' set of rules, which is probably not what you want (unless you tried to modify the firewall ruleset via Yast, when this wouldn't apply, although I'm not sure that you can do something this 'fiddly' via yast, although I'm no expert).

Another is that there is a squid setting called, I think, 'listen on port'; if you can set this to several ports, you can probably get around it that way.
 
1 members found this post helpful.
Old 04-13-2015, 03:07 PM   #3
FireforLinux
LQ Newbie
 
Registered: Apr 2015
Distribution: OpenSuse 13.2
Posts: 6

Original Poster
Rep: Reputation: Disabled
No problem!

1. Why do you want a proxy (ie, what do you hope it will do for you)?

I use it to limit internet access, some would call it a whitelist. (It works great when I point my browser to it. Users only access what they're supposed to.)

2. You have tried something with iptables, but what exactly? And what happened (not the right thing, but what wrong thing)?

I ran this in the command line as su:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Anymore ideas on getting squid to listen on specific ports?

I do appreciate it!
 
Old 04-14-2015, 02:56 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
...sorry this is a hurried partial answer, but I'll get back to you later:

Quote:
I use it to limit internet access, some would call it a whitelist. (It works great when I point my browser to it. Users only access what they're supposed to.)
OK, that part seems legitimate; had you been doing it to speed up internet access, that would have been less likely to be successful.

I had hoped (should have been explicit) that you would have listed the entire iptables rule set (iptables -L?). Maybe you can do that. In the interim, I'll have to think about whether 'prerouting' is the place to put this.
 
1 members found this post helpful.
Old 04-14-2015, 10:07 AM   #5
FireforLinux
LQ Newbie
 
Registered: Apr 2015
Distribution: OpenSuse 13.2
Posts: 6

Original Poster
Rep: Reputation: Disabled
No problem about the hurried post.

Quote:
I had hoped (should have been explicit) that you would have listed the entire iptables rule set (iptables -L?). maybe you can do that. In the interim, I'll have to think about whether 'prerouting' is the place to put this.
Here's what I ran in the terminal as su or root:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128

From the little I know that should redirect requests on port 80 to port 3128??? Also, is this supposed to be run in the terminal or is there some text file I'm supposed to put these in?

Wish I knew more... :/
 
Old 04-14-2015, 04:36 PM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Except if you already have something in the pre-routing chain that accepts everything, then the instructions that you have added will do nothing. That would have been apparent from the listing of all the iptables rules, and won't be apparent from just the commands that you have typed (and, it won't make any difference if you put them into a script).

Of course, all things iptables are documented here. This isn't a five minute read, but it is good, particularly if you are interested in learning.

I'm sure that there is some facility in Yast for adding the odd manual command, but I'm afraid that I don't remember the details. I'd hope if you have a poke around in Yast it would all suddenly become apparent, but I'm probably being over-optimistic.
 
1 members found this post helpful.
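A worked version of the redirect discussed above, added here as an example and not something either poster ran: in the single-machine setup FireforLinux describes, the browser's packets are locally generated, so they never pass through PREROUTING and the REDIRECT has to sit in the nat OUTPUT chain, and the script lists that chain before and after so a rule earlier in the chain that already matches the traffic (salasi's point) is visible. It assumes Squid runs as the system user "squid" and has "http_port 3128 intercept" in squid.conf (required by Squid 3.1 and later for redirected connections), and it handles port 80 only, since a browser speaks TLS on 443 and a plain http_port cannot accept that.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's own commands).
# Assumptions: Squid runs as user "squid", listens on 3128 with
# "http_port 3128 intercept" in squid.conf; only port 80 is handled.
set -eu

SQUID_USER="${SQUID_USER:-squid}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Build the rule for one destination port. On a single machine the browser's
# packets are locally generated, so they never traverse PREROUTING (which only
# sees packets arriving on an interface); the nat OUTPUT chain is the hook
# that sees them. The owner match leaves Squid's own outbound connections
# alone, otherwise they would be redirected back into Squid in a loop.
redirect_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -m owner ! --uid-owner %s -j REDIRECT --to-ports %s\n' \
        "$1" "$SQUID_USER" "$SQUID_PORT"
}

# Show what is already in the chain: a terminating rule earlier in the chain
# that matches the same traffic (for example a blanket ACCEPT) ends traversal
# for that connection, and a rule appended after it never fires. Packet and
# byte counters (-v) show whether the new rule is actually being hit.
show_chain() {
    iptables -t nat -L OUTPUT -n -v --line-numbers
}

# Only touch the firewall when explicitly asked to, and only as root.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    show_chain
    eval "$(redirect_rule 80)"
    show_chain
else
    echo "Rule that would be installed (run with 'apply' as root to install it):"
    redirect_rule 80
fi
```

Rules entered by hand are dropped whenever SuSEfirewall2 (the firewall YaST manages on openSUSE 13.2) reloads its ruleset, so to keep the rule, put the iptables line in its custom-rules script /etc/sysconfig/scripts/SuSEfirewall2-custom, enabled through FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2.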
Old 04-15-2015, 09:02 AM   #7
FireforLinux
LQ Newbie
 
Registered: Apr 2015
Distribution: OpenSuse 13.2
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thank-you salasi!!!

I will definitely check it as soon as I get the time and chance.

Thanks again for your help.

Last edited by FireforLinux; 04-15-2015 at 09:03 AM.
 
Old 04-16-2015, 12:33 PM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
If you didn't know (and you probably did), there is a 'sort of' answer to your question here.

One defect with that answer is that no one has pointed out to you that playing with DNS resolution (eg, via Dnsmasq), while a simple thing to do, is not a high security solution to the problem. Now, there are circumstances in which this wouldn't be the biggest of problems, but there are others in which it would, and no one has tried to find out which you are in, so be careful (that said, Dnsmasq is quite an impressive piece of kit, so, if you were going that way, then Dnsmasq would be a quite good way of doing it....also note that a service like OpenDNS, which has, for example, family-friendly options, and that might be worth considering too (but it is still, a relatively low security solution, but it depends what threats you are trying to guard against)).

And, to answer the question about Dnsmasq, it is a combined DNS cache/client and DHCP server. It is versatile, lightweight and relatively easy to configure (you may not appreciate quite how bad that could be, unless you have tried to configure Bind - that's something that may be OK once you know how to do it, but you don't want to do it for the first time, because that can be a struggle).

Edit

I keep forgetting stuff that I meant to comment on:

You should read this.

It is still possible that the biggest problem that you have is that you think that you are exclusively managing something that Yast also thinks that it is exclusively managing (and, if nothing else, I would have expected that to be caught on the OpenSuse website, where they really ought to be aware of that issue...but, so far, at least, it hasn't been). Anyway, the ruleset listing, when you post that (depending on when you capture it) ought to clarify that, a little.

Last edited by salasi; 04-16-2015 at 12:42 PM. Reason: stupidity? declining mental powers? maybe, it is karma?
 
Old 04-17-2015, 08:23 AM   #9
FireforLinux
LQ Newbie
 
Registered: Apr 2015
Distribution: OpenSuse 13.2
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hummm... I actually saw that article in the OpenSuse forums.

You are right, DNS is tricky to mess with, etc... To me it seems kinda like a complicated answer to my need.

Why? Because all I need to do is forward requests on port 80 and 443 to 3128. I am convinced it can be done because a lot of greater things have been done with Linux before...

I'm still tinkering with it and haven't had any success yet but hopefully shortly sometime...

Thanks for your help!
 
Old 04-18-2015, 03:35 AM   #10
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by FireforLinux View Post
You are right, DNS is tricky to mess with, etc... To me it seems kinda like a complicated answer to my need
To me, that's not the biggest problem; if you are prepared to use, eg, OpenDNS it is easy to set up (provided that their security settings are exactly what you want). The biggest problem though is that it only stops DNS lookups.

Imagine that there is a site 'www.badsite.com' (I'll assume that is w.x.y.z as an ipv4 address, but it doesn't matter what it is, provided that they can find out what it is and write it down on a piece of paper) that you don't want people to access. When they try to browse to www.badsite.com they won't get an answer. So that seems good, but if the person to be blocked happens to know w.x.y.z and is prepared to put that into the browser, then they are no longer blocked. Now, that might be tolerable in some circumstances, but far from all. And if, for example, you were trying to block school-age kids, in a couple of years, their peer group will be telling them exactly how to get around this kind of thing...assuming that it is the kind of site that kids want to access, of course.

The other aspect is, of course, that some sites will be blocked that you actually feel are legitimate to access. Now, it is clear that you could feel that what is legitimate for you to access is a wider list than from others on your network, but you'll probably have to put up with the more restrictive list. And when the external provider makes a mistake and decides that, say, the web site for the county of Sussex is obviously a sex site, you'll have to put up with that, too (although they are probably prepared to fix that eventually, but that may or may not be very helpful to you, depending on how urgently you need information from Sussex).
 