Setting Up a User Defined Redirect IPtable Chain
 

Hi All,

I have setup my Ubuntu Linux 8.04.1 server to be my gateway router. This server is using public IP addresses on both the WAN and LAN interfaces. This means I AM NOT USING NAT.

Therefore, my question is, how do I redirect http (port 80) traffic from the LAN interface to pass through the Squid port, before going out to the WAN interface since I am not using the NAT IPTable? I am only using the Filter IPTable for my firewall rules.

I have read about creating a user-defined REDIRECT chain. Is that possible to do under the Filter IPTable. If so, how do I do that?

Thanks in advance.

Frank

IIUC, your gateway presumably has two NIC each with a separate public IP. Additionally, all devices on the LAN also have a separate public IP.
Well you are asking for a form of NAT. What I think you mean is that you don’t want the usual IP masquerading (i.e., stateful IP source address translation which is normally used when you have more machines than public addresses). Assuming your WAN interface is eth0 and your LAN interface is eth1, and that you are running squid listening on port 3128 on the gateway machine, all you need to do is:
You may also need to add an ACCEPT rule to your FORWARD chain in the usual filter table, depending on what policies you have in place. It might look like this:
If you need more specific help, I suggest you post your current configuration (i.e., the output of iptables-save and ip route).

Hi Osor,

Thanks for your help so far. I tried the two code statements. Right after running it, it seemed as if it worked because the squid access.log showed some lines as if squid worked for a few moments and then stopped. I noticed that after I ran the two commands, I could not see them in the iptables-save file. Do they get saved somewhere else?

Find below a copy of my iptables-save file. You were right that my eth0 is the WAN interface, and eth1 is the LAN interface and that these two interfaces are on two separate public IP subnets.

# Generated by iptables-save v1.3.8 on Thu May 7 21:53:15 2009
*nat
:PREROUTING ACCEPT [59:5528]
:POSTROUTING ACCEPT [54:5441]
:OUTPUT ACCEPT [7:925]
COMMIT
# Completed on Thu May 7 21:53:15 2009
# Generated by iptables-save v1.3.8 on Thu May 7 21:53:15 2009
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu May 7 21:53:15 2009
# Generated by iptables-save v1.3.8 on Thu May 7 21:53:15 2009
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i selected -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# Allow DNS queries
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
# Completed on Thu May 7 21:53:15 2009

You mean squid stopped working? Or that the output stopped because no one was accessing the web? Or perhaps it was working after the first command and stopped working after the second…
There is a difference between the “iptables-save file” and the output of the program named “iptables-save”. The first is a file used by some distributions to keep a persistent iptables configuration between boots. It is usually saved to on system shutdown and restored from on system startup. The second is the current state of the netfilter system at the moment of execution. This would be more useful since many things could happen to your iptables setup (both intentionally and unintentionally) between when you started your system and now.

Judging by the timestamp of the output you gave me (four days ago), it looks to be just the file (unless your system clock is off). The output of the command might be more accurate.

As for why your setup stopped working, there could be a few reasons. Did you properly configure squid to listen as a transparent proxy? Did you put the correct ip ranges in http_access allow? Maybe ubuntu server has a cronjob which periodically restores the startup iptables (I am unfamiliar with the specifics of ubuntu to know). Did you notice any other new log output (e.g., cache.log or store.log)? Also, judging by the output you gave me, the FORWARD chain already has an ACCEPT policy, but the INPUT chain doesn’t. So you may need to add the following so that squid can accept connections:

Osor,

Thank you. I have entered the iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT line and I have noticed that when I stop Squid, there is no Internet browsing, which confirms that Squid is working.

I now want to show you the active firewall rules, I am just looking for the command.

Frank

Osor,

Thank you. I have entered the iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT line and I have noticed that when I stop Squid, there is no Internet browsing, which confirms that Squid is working.

I now want to show you the active firewall rules, I am just looking for the command.

Frank

Here it is...

> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp multiport dports smtp,submission
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp multiport dports pop3,pop3s
ACCEPT tcp -- anywhere anywhere tcp multiport dports imap2,imap3,imaps
ACCEPT tcp -- anywhere anywhere tcp dpts:webmin:10010
ACCEPT tcp -- anywhere anywhere tcp dpt:20000

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Dear All,

I've just discovered that the Linux Firewall was actually not doing anything on this server. I disabled it to see whether no routing will take place, and even uninstalled zebra, but lo and behold! The server was still routing traffic and the clients have Internet connectivity.

I also removed squid, but still the server is working. Now I'm confused, will I ever be able to use Squid? Find below the current IPtable config...

> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Osor,

I have found out what the problem has been. It looks like using the IPTABLES command is what I am supposed to do, as opposed to using the Linux Firewall from Webmin. I disabled the Linux Firewall and started from scratch to rebuild the firewall rules using the IPTABLES command from the commandline. See below the fact that these two methods of setting up the firewall are slightly different, as reflected by the message I get when I go to the Linux Firewall from webmin, after entering some IPTABLES commands...

"Linux Firewall
Rules file /etc/iptables.up.rules

Webmin has detected 1 IPtables firewall rules currently in use, which are not recorded in the save file /etc/iptables.up.rules. These rules were probably setup from a script, which this module does not know how to read and edit.

If you want to use this module to manage your IPtables firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script."

So when I tried your suggested commands above, Squid started working again. However, this command still enables NAT and starts sharing 1 IP address...

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Is there any other way you can advise to try and enable Squid, without enabling IP masquerading?

I am somewhat confused as to what went wrong. If you use iptables from the commandline (as I had suggested) it will supersede any “firewall wrappers” which allow you to manipulate the iptables configuration.

Can you clarify here? Do you mean that all traffic will “start sharing one IP address”? Or just http traffic? If it’s only http traffic, that is purpose of squid (or any proxy).
Yes. Masquerading means that that the source/destinations headers of appropriate IP packets are rewritten. Squid only requires that it intercept http traffic (although it potentially can work on other ports as well).

If you have real masquerading going on (in addition to a correctly working squid setup), it means that there are other rules at work. To find all the rules (not just in the filter table) in a convenient format do this:

1. Open a terminal (not a webmin interface).
2. Type “iptables-save” and press enter.
3. Copy and paste the output to the forum.

Osor,

I think it is working fine now, thanks to your explanation that to port-redirect to squid, it will do NATing just for tcp traffic.

Regards,

Frank