LinuxQuestions.org
Old 10-04-2010, 06:56 AM   #1
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Rep: Reputation: 135Reputation: 135
adding firewalls nat rules


I have a CentOS 5.3 server. I want to configure it as a transparent Squid proxy server. The Internet is connected to eth0 (192.168.0.100) and the LAN is connected to eth1 (192.168.200.0/24); the eth1 IP is 192.168.200.1.


I have configured it as DHCP and Squid, and it's working fine.

Now I want to configure it as transparent, so that no one has to configure it manually in the browser.


I just added a line

Code:
http_port 3128 transparent

to make it transparent.

Now while adding nat rules,

Quote:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Quote:
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
Quote:
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
Quote:
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
Quote:
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80

Code:
iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.200.1  -p tcp --dport 80 -j DNAT --to 192.168.200.1:3128

Code:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.200.0/24  -d 192.168.200.1 -j SNAT --to 192.168.200.1

Code:
iptables -A FORWARD -s 192.168.200.0/24 -d 192.168.200.1 -i eth1 -o eth1 -m state  --state NEW,ESTABLISHED,RELATED  -p tcp --dport 3128 -j ACCEPT

Code:
iptables -A FORWARD -d 192.168.200.0/24 -s 192.168.200.1 -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED -p tcp --sport 3128 -j ACCEPT

Internet is totally blocked on eth1.

And after stopping the firewall, the internet comes back.

Last edited by divyashree; 10-04-2010 at 07:22 AM.
 
Old 10-04-2010, 07:11 AM   #2
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Hi,

Hope this helps you

Code:
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
 
Old 10-04-2010, 07:15 AM   #3
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Add a redirect rule and check.

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Regards,
 
Old 10-04-2010, 07:44 AM   #4
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Original Poster
Rep: Reputation: 135Reputation: 135
Now packets are coming to 192.168.0.100, but without specifying the port (3128) and IP (192.168.200.1) in the client systems, no packets are coming.
 
Old 10-04-2010, 07:45 AM   #5
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Didn't get, what are you trying to say?
 
Old 10-04-2010, 08:10 AM   #6
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Original Poster
Rep: Reputation: 135Reputation: 135
Quote:
Originally Posted by prayag_pjs View Post
Didn't get, what are you trying to say?
I am trying to say that only when I add the port and IP in the client's browser do internet packets come to the client, which can be done without adding any rules to iptables.

I want the packets to come to the client machine without mentioning the port (3128) and IP (192.168.200.1) in the client's browser.
 
Old 10-04-2010, 08:16 AM   #7
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Hi divyashree,

Take look

Setup a transparent proxy with Squid in three easy steps

Regards,
 
Old 10-04-2010, 08:40 AM   #8
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Original Poster
Rep: Reputation: 135Reputation: 135
Quote:
Originally Posted by sem007 View Post
I have already checked this and it's not working at all.
 
Old 10-04-2010, 08:56 AM   #9
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
What is your client's default gateway?

Also post the squid config and iptables:

Code:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
# iptables -t nat -L
Regards,

Last edited by sem007; 10-04-2010 at 08:58 AM. Reason: add command
 
Old 10-04-2010, 09:04 AM   #10
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Original Poster
Rep: Reputation: 135Reputation: 135
Quote:
Originally Posted by sem007 View Post
what is your client's default gateway ?

also post squid config and iptables

Code:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
# iptables -t nat -L
Regards,
1st
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl viznet src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow viznet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
2nd
Code:
target     prot opt source               destination         

DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192.168.0.100:3128 
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Old 10-04-2010, 09:06 AM   #11
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, PCLinuxOS
Posts: 153

Rep: Reputation: 9
Are you able to ping any server( ping google.com) from your client?
 
Old 10-04-2010, 09:09 AM   #12
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Original Poster
Rep: Reputation: 135Reputation: 135
Quote:
Originally Posted by kaushalpatel1982 View Post
Are you able to ping any server( ping google.com) from your client?
No,
 
Old 10-04-2010, 09:13 AM   #13
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Where is the acl rule and http_access rule for the 192.168.200.0 network?

Quote:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
Why did you create multiple acls with the same name?

Regards,
 
Old 10-04-2010, 09:43 AM   #14
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Original Poster
Rep: Reputation: 135Reputation: 135
Quote:
Originally Posted by sem007 View Post
where is acl rule and http_access rule for 192.168.200.0 network?


Why you create multiple acl with same name?

Regards,
Sorry, that was the output of another Linux box.

Quote:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager

acl mylan src 192.168.200.0/24
http_access allow mylan


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
And I am using Squid version 3, in which these entries are there by default.

Last edited by divyashree; 10-04-2010 at 09:45 AM.
 
Old 10-04-2010, 10:29 AM   #15
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Add both IPs in the acl rule in squid.conf.

Code:
acl mylan src 192.168.0.100 192.168.200.0/24
Enable IP forwarding.

Code:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
Flush the existing firewall and apply the new rules.
Code:
#iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -A FORWARD -i eth1 -j ACCEPT
#iptables -A INPUT -i eth1 -j ACCEPT
#iptables -A OUTPUT -o eth1 -j ACCEPT
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.100:3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Regards,
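As an added example, not code from the thread or from any of the posters, here is a small script that generates a reviewable rule set for the topology in this thread and checks the http_access ordering of a squid.conf. The variable and function names are this example's own; the defaults mirror the original poster's setup (eth0 towards the Internet, eth1 towards 192.168.200.0/24, Squid on port 3128). Three points from the thread shape it. First, after REDIRECT the packet is destined to the local box, so it traverses INPUT and never FORWARD; that is why the original FORWARD rules with "-i eth1 -o eth1" matched nothing, and why INPUT must accept port 3128 from the LAN. Second, only port-80 traffic arriving on the LAN interface from the LAN network is redirected; the extra REDIRECT on the Internet interface suggested in post #15 is deliberately left out, since it would hand traffic from the outside to the proxy. Third, Squid evaluates http_access lines first-match, so "http_access allow mylan" placed before "http_access deny !Safe_ports", as in the config in post #14, lets LAN clients use the proxy to reach any port; the checker below flags that ordering.

```shell
#!/bin/sh
# Added example (not from the thread): generate, review and optionally apply
# a transparent-Squid rule set, and sanity-check squid.conf ordering.
# Variable and function names are this example's own; the defaults are the
# poster's interfaces, LAN network and Squid port.

WAN_IF="${WAN_IF:-eth0}"               # interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"               # interface facing the clients
LAN_NET="${LAN_NET:-192.168.200.0/24}" # client network
SQUID_PORT="${SQUID_PORT:-3128}"       # port of "http_port 3128 transparent"

# Print the complete rule set, one full iptables command per line, so it can
# be read, diffed or piped into "sh -e".  Comment lines are ignored by sh.
proxy_rules() {
    cat <<EOF
# start from a clean table with a closed default policy
iptables -t nat -F
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
# local traffic and replies to what the box itself initiated
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services the box offers to the LAN only: ssh, dhcp (no source yet), dns
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
# redirected web traffic ends up here (INPUT, not FORWARD) on the Squid port
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
# the transparent proxy hook: LAN interface AND LAN source only
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# everything else from the LAN is routed and masqueraded out of the WAN side
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# How many generated rules send traffic arriving on interface $1 into Squid.
# Expected: 1 for the LAN interface, 0 for the WAN interface.
redirects_on() {
    proxy_rules | grep -c -- "-i $1 .*-j REDIRECT"
}

# Squid evaluates http_access first-match.  Reads a squid.conf on stdin and
# succeeds only if every http_access allow (other than the manager line)
# comes after "http_access deny !Safe_ports".
squid_access_order_ok() {
    awk '
        /^http_access[ \t]+deny[ \t]+!Safe_ports/ { seen_safe = 1 }
        /^http_access[ \t]+allow/ && $3 != "manager" && !seen_safe { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Turn on forwarding (same effect as net.ipv4.ip_forward = 1 in sysctl.conf)
# and load the generated rules.  Needs root.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    proxy_rules | sh -e
}

case "${1:-show}" in
    show)  proxy_rules ;;
    apply) apply_rules ;;
esac
```

Run it with no argument to print the rules for review, or as root with "apply" to load them; feed a squid.conf to squid_access_order_ok (for example "squid_access_order_ok < /etc/squid/squid.conf") before restarting Squid to catch the allow-before-Safe_ports ordering.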
 
  

