03-03-2005, 11:40 PM   #1
alvi2 (Member, registered Feb 2005, 77 posts)

problem in nat table + squid


I have problems with Squid as well as with using the netfilter nat table.

Actually I am trying to understand the procedure of netfilter with Squid.

I am using the transparent proxy, and in my rc.local ( /etc/rc.d/rc.local ) I used these parameters:

1) echo '1' > /proc/sys/net/ipv4/ip_forward
2) /sbin/iptables -P FORWARD ACCEPT
3) /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
4) /sbin/iptables -t nat -A POSTROUTING -p all -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE

At the first line I am enabling forwarding.

What is the meaning of the second line? I can't understand it (maybe accepting all packets from the forwarding chain).

At the third line I am entering a rule in the nat table as: if the packets come from interface eth0 and have protocol tcp with port 80, then send these packets to 3128. (I am using DNAT here.)
Now what is happening here at this line? Are all packets that come from eth0 going to the Squid port? (Am I right or not?)

At the fourth line I am changing the source address of outgoing packets. If all is done here, then what is happening in Squid? What is Squid doing with these packets?

( important )
Another problem I am facing is that I created a file in Squid that rejects all machines that I don't want to use the Internet.
When I was not using Squid as a proxy it (a file that contains deny IPs) was working well, but now after changing Squid to transparent, anyone who has the DNS and gateway can access the Internet, meaning I can't stop people from using the Internet.

What can I do now to stop those people who know the DNS and gateway, and why is my file in Squid that stops machines from using the net not working?
Actually I have confusion in mixing both NAT and Squid.
Tell me in detail or refer me to some useful sites (except netfilter.org) through which I can understand the complete procedure.

Reply to me at this address:
m_alvi82@hotmail.com
 
03-04-2005, 07:46 AM   #2
zsoltrenyi (Member, registered May 2004, 103 posts; distribution: redhat, trustix, debian)

hi

Practically, the 4th line changes the source address to your external address, and Squid thinks that the requests are coming from your external interface.
Change the 4th line to look like this:
/sbin/iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0 --dport !80 -j MASQUERADE
Then put in another line to masquerade for udp and icmp:
/sbin/iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE
and
/sbin/iptables -t nat -A POSTROUTING -p icmp -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE

Or try to block your external address in Squid.
I'm not 100% sure about this stuff, but you can try.
 
03-04-2005, 12:17 PM   #3
alvi2 (Original Poster)

Dear, actually I can't understand what you want to say.
Line 4 is
/sbin/iptables -t nat -A POSTROUTING -p all -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE
Here
-p all means all protocols.

The main part of my question was how I can block users/machines if I use a transparent proxy.
I created a file in Squid in which I wrote all the IP addresses that I don't want to use it. Now it is working well under simple proxy Squid,
but the problem is that when I use Squid as a transparent proxy,
the users/machines that know the gateway and DNS can easily cross my Squid deny file and can use the Internet. How can I block these machines?
Please reply to me at this address: m_alvi82@hotmail.com
 
03-05-2005, 05:18 AM   #4
zsoltrenyi

When you are using a transparent proxy everything is redirected from dest port 80 to port 3128, but I think that the IP packets still traverse the POSTROUTING chain and they appear to Squid to be originating from the MASQUERADE-d IP.
So my suggestion was to masquerade everything but tcp port 80.
But as I mentioned before, I'm not 100% sure, but you could try to put those 3 lines in your firewall script and find out if it works or not.
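The following script is an added example, not code posted by either participant. It rebuilds the first post's four rc.local lines as a dry-run firewall script with a comment on what each rule does (including the `-P FORWARD ACCEPT` line the first post asks about), and adds a default-deny FORWARD policy as an alternative to that line, which speaks to the bypass question: a client that points at the gateway by hand can then only route what FORWARD explicitly permits, while TCP/80 from the LAN is still redirected to Squid, where the deny list is enforced. The LAN interface, the 192.168.0.0/24 network and port 3128 come from the thread; the WAN interface name (eth1) and the allowance for forwarded DNS are assumptions. Commands are only printed unless the script is run with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): the poster's four rc.local lines rebuilt
# as a reviewable firewall script, plus a default-deny FORWARD variant.
# Assumptions (not stated in the thread): the WAN interface is eth1 and
# clients use a DNS server beyond the gateway, so UDP/53 must be forwarded.

LAN_IF="${LAN_IF:-eth0}"                 # from the thread
WAN_IF="${WAN_IF:-eth1}"                 # assumption
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # from the thread (same as /255.255.255.0)
SQUID_PORT="${SQUID_PORT:-3128}"         # from the thread

# Dry-run by default: print the iptables commands instead of executing them,
# so the ruleset can be checked before it touches the kernel.
if [ "${APPLY:-0}" = "1" ]; then
    IPT=/sbin/iptables
else
    IPT="echo /sbin/iptables"
fi

# Line 1 of the post: enable IPv4 forwarding so the box routes at all.
enable_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# Line 2 of the post: -P sets a chain's default policy. FORWARD is the filter
# chain every routed (not locally delivered) packet passes through, so ACCEPT
# means "route anything no rule rejected". That is what lets a client who sets
# the gateway by hand reach the Internet on every port that is not redirected.
permissive_forward_policy() {
    $IPT -P FORWARD ACCEPT
}

# Line 3 of the post: in the nat table, before routing, TCP/80 arriving on the
# LAN interface is rewritten to the address of that interface (REDIRECT is a
# DNAT to the incoming interface) and Squid's port, so it is delivered locally.
redirect_web_to_squid() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Line 4 of the post: after routing, packets from the LAN that leave through
# the WAN interface get the WAN address as source so replies return here.
# "-p all" and "-d 0.0.0.0/0" are the defaults and are omitted; restricting
# to -o WAN_IF keeps LAN-to-LAN traffic from being rewritten.
masquerade_lan() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Alternative to line 2: drop forwarded traffic unless explicitly allowed.
# Port 80 never reaches this chain (it was redirected to Squid in PREROUTING),
# so web access still goes through Squid and its deny list; anything else a
# client tries to route directly is dropped instead of silently accepted.
restrictive_forward_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

main() {
    enable_forwarding
    restrictive_forward_policy
    redirect_web_to_squid
    masquerade_lan
}

main
```

Run it once without APPLY to read the rules it would install; with the restrictive policy, any further protocol the LAN is meant to use directly (HTTPS, mail, and so on) needs its own explicit ACCEPT in FORWARD, which is the point: the allowed paths are listed, and the bypass path is not one of them.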
 
  

