Port Redirecting Problem with Transparent Proxy
Dear All,
I have two machines running as transparent proxies at 2 different cyber cafes. Same configuration, same network layout, same ISP. They are running Red Hat and Squid 2.5.STABLE1. Yesterday I had to reinstall one of the machines, so I installed Linux, copied all the configuration files from the other Linux box (list below), and restarted it.

/etc/sysctl.conf (enabled packet forwarding)
/etc/sysconfig/network-scripts/ifcfg-eth0 (dhcp internet)
/etc/sysconfig/network-scripts/ifcfg-eth1 (static network)
/etc/resolv.conf
/etc/rc.d/rc.local
/etc/squid/squid.conf

But now I have a problem: the machine connects to the internet and to the network, but the proxy is now listening on port 3160 only, and not as a transparent proxy as it should. If I configure any of the computers in the network to connect to the proxy on port 3160 it works perfectly. But I need it to work as a transparent proxy, as I have another ISP for online games and it won't work if I change the IE configuration. I tried to redirect port 3160 to 80 (commented line in rc.local) but it didn't work. There must be something I forgot to configure, but I can't find out what it is; I mean, both machines should work as they have the same configuration. In case it helps, here are the contents of the files in the list. I would really appreciate any help.
Thanks, Ezequiel

=========== /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1

=========== /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
USERCTL=no
USERDNS=no
TYPE=Ethernet

=========== /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.0.0.255
IPADDR=192.0.0.254
NETMASK=255.255.255.0
NETWORK=192.0.0.0
ONBOOT=yes

=========== /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 200.49.156.3
nameserver 200.49.159.69
nameserver 200.49.156.4
nameserver 24.232.0.69

=========== /etc/rc.d/rc.local
touch /var/lock/subsys/local
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3160

=========== /etc/squid/squid.conf
http_port 3160
icp_port 3160
acl QUERY urlpath_regex cgi-bin \?
(url goes here but it won't let me post urls)
no_cache deny QUERY
cache_mem 32 MB
cache_dir ufs /var/spool/squid 2000 8 128
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
logfile_rotate 10
#redirect_rewrites_host_header off
#cache_replacement_policy GDSF
acl localnet src 192.0.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 10000 KB
store_avg_object_size 100 KB
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mgr nixo@nixo.com.ar
cachemgr_passwd secret_password all
visible_hostname xago
log_icp_queries off
buffered_logs on
=================
Can you post the output from:
iptables -nL
iptables -nL -t nat
Here they are...
======== iptables -nL ========
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  24.232.0.69          0.0.0.0/0            udp spt:53 dpts:1025:65535
ACCEPT     udp  --  200.49.156.4         0.0.0.0/0            udp spt:53 dpts:1025:65535
ACCEPT     udp  --  200.49.159.69        0.0.0.0/0            udp spt:53 dpts:1025:65535
ACCEPT     udp  --  200.49.156.3         0.0.0.0/0            udp spt:53 dpts:1025:65535
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x16/0x02
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:2049 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

============= iptables -nL -t nat =============
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It looks like your redirect rule didn't work; try it again with:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3160
You may also need to allow incoming connections to port 3160.
I added all the iptables rules in rc.local manually, and it is working now. THANKS A LOT!
Do I always have to add them manually, or is just adding them to rc.local enough?
If you add them to rc.local then they will be run each time the system boots.
What I don't understand is that I added them in rc.local from the beginning, and rebooted several times.
Anyway, I must have done something wrong =S, much to learn yet I guess :p. Again, THANK YOU very much!
Can you post a copy of your rc.local file again.
Here it is
======
touch /var/lock/subsys/local
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3160
Try using the full path to iptables, i.e. /sbin/iptables
I tried changing the path, but nothing changes; it's like rc.local is not being executed. Every time I reboot, the iptables rules are lost. The only thing that works is running each line in the console manually.
Try adding a command like this to rc.local:
date > /tmp/boottime
Do you get the date recorded in that file? If not, then rc.local isn't being executed.
Added the line to /etc/rc.d/rc.local, rebooted, but boottime was not created.
How do I get rc.local to be executed at startup?
OK... I finally found out what the problem was.
When I copied rc.local from the other Linux box, somehow I managed to turn it into a regular file instead of an executable file (don't ask me how =S). Now, how do I turn it into an executable file?

EDIT: Found out how: chmod a=r+w+x file_name .... right? Problem solved for now =) Anyway, how can I copy files between the Linux boxes?
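The thread ends with two separate root causes: a startup script that lost its execute bit during the copy, and a nat table that therefore never received the port-80 REDIRECT. The following script is an added example, not code from the thread or from any of its posters. It packages the checks the replies walked through (is rc.local executable, do the rules use the full /sbin/iptables path, does `iptables -nL -t nat` show the REDIRECT) as functions, and exercises them against a temporary file and constructed listings so it runs without root and never touches the real /etc/rc.d/rc.local. The interface name eth1 and port 3160 are the thread's own; the `make_executable` helper grants execute to the owner only, which is all an init script needs.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the transparent-proxy
# startup script discussed above. Sample listings below are constructed.

LAN_IF=eth1
PROXY_PORT=3160

# Return 0 when the startup script is executable. A copy that drops the mode
# bits (the failure found in the thread) fails this check.
rc_local_is_executable() {
    [ -x "$1" ]
}

# Grant execute to the owner only; world write is not needed on an init script.
make_executable() {
    chmod u+x "$1" && [ -x "$1" ]
}

# Return 0 when no iptables call relies on PATH lookup, since rc.local may run
# with a minimal PATH at boot.
rules_use_full_path() {
    ! grep -Eq '^[[:space:]]*iptables[[:space:]]' "$1"
}

# Read an `iptables -nL -t nat` listing on stdin; return 0 when the port-80
# REDIRECT to the given proxy port is present.
nat_has_redirect() {
    grep -Eq "^REDIRECT[[:space:]]+tcp.*dpt:80.*redir ports ${1}"
}

# The rule set the thread arrived at, written the way rc.local should carry it.
expected_rules() {
    cat <<EOF
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i ${LAN_IF} -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-port ${PROXY_PORT}
EOF
}

# Constructed nat listings: what the poster saw (empty) and what a working box shows.
EMPTY_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination'
GOOD_NAT="$EMPTY_NAT
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports ${PROXY_PORT}"

# Demo on a temporary copy so running this never modifies the real rc.local.
demo() {
    tmp=$(mktemp) || return 1
    expected_rules > "$tmp"
    chmod -x "$tmp"   # reproduce the broken copy
    if rc_local_is_executable "$tmp"; then
        echo "rc.local is executable"
    else
        echo "rc.local is not executable: fixing with chmod u+x"
        make_executable "$tmp"
    fi
    rules_use_full_path "$tmp" && echo "all iptables calls use /sbin/iptables"
    printf '%s\n' "$EMPTY_NAT" | nat_has_redirect "$PROXY_PORT" || echo "no REDIRECT rule: rc.local did not run"
    printf '%s\n' "$GOOD_NAT"  | nat_has_redirect "$PROXY_PORT" && echo "REDIRECT to port ${PROXY_PORT} present"
    rm -f "$tmp"
}
demo
```

Point `nat_has_redirect` at live output with `iptables -nL -t nat | nat_has_redirect 3160` after a reboot; an empty PREROUTING chain, like the listing the poster pasted, is the quickest sign that the startup script never ran.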
Read the man page of chmod to change file/directory permissions:
Code:
man chmod
Code:
man scp