LinuxQuestions.org

Linux - Newbie: Transparent proxy squid 3.1 (https://www.linuxquestions.org/questions/linux-newbie-8/transparent-proxy-squid-3-1-a-4175414439/)

uk.engr 07-02-2012 07:33 AM

Transparent proxy squid 3.1
 
Peace be upon you!

I have this configuration:

PC1: eth0 192.168.1.18
     eth1 192.168.2.18

PC2: eth1 192.168.2.111

PC1 (squid server):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.18:3128

OK, the problem is that when I do not set a proxy setting in the browser of PC2 (since it is a transparent proxy), PC1's eth1 does not receive any packet (when browsing). I have analysed this via tcpdump and Wireshark. PC2's eth1 does not even receive any packet when browsing websites on PC2. But when I set the proxy setting in the browser, both interfaces receive packets, but then it is not a transparent proxy. I have attached squid.conf. Kindly help, thanks.

acid_kewpie 07-02-2012 07:38 AM

Well, if the issue is when you aren't setting a proxy redirect on the server and no port 80 traffic even leaves the client, then you should realize that this couldn't possibly be anything to do with Squid at all. The main difference is that the client system would be doing the DNS resolution instead of the server, so maybe it's a DNS issue.

uk.engr 07-02-2012 08:15 AM

Thanks for your reply. OK, if this is a DNS issue at the client side, how should I resolve this issue?

acid_kewpie 07-02-2012 08:16 AM

It totally depends on what the clients are and how your internal DNS setup works. At the most basic level, you use valid DNS servers on the clients.

uk.engr 07-02-2012 08:41 AM

Yes, I think I am near to a solution now, but it is still not resolved. What I did: I defined the client's gateway as 192.168.2.18 (squid server's eth1 on the internal network). My DNS is on the external network with IP 192.168.1.1, so I defined the client's DNS IP as 192.168.1.1. On the squid server side I enabled IP forwarding.

Now Wireshark receives packets on those interfaces, unlike before. But when I browse, the browser shows "server not found" on the client side.

uk.engr 07-03-2012 12:42 AM

Now the problem is that the DNS request reaches the internal network's gateway 192.168.2.18, but does not reach the DNS server 192.168.1.1 (the DNS server is actually the DSL router on the external network). My web request is unable to reach the DNS server. When I enter Google's IP (173.194.35.183) it opens the Google website, but when I enter www.google.com, then server not found. Kindly help, thanks.

acid_kewpie 07-03-2012 01:50 AM

Well, you need to look at the network routes then. What is the architecture between your two endpoints? Are they both hanging off of the same upstream device? Can you ping the DNS server? When you say it's not reaching it, do you really mean that, or do you just know there is no *reply*? With these hokey little LANs a common issue is that there are no return routes back to the internal network, often requiring static internal routes to be added to the DSL router's routing table. This doesn't sit very well with being able to reach Google itself though, unless that is due to the squid proxy getting involved and not requiring the routing to work there. Can you ping the Google IP?

uk.engr 07-03-2012 02:23 AM

No, I can't ping the DNS server 192.168.1.1 or Google's IP from client 192.168.2.111 with gateway 192.168.2.18. The network route between these endpoints is as below:

DSL router-----> PC1 eth0:192.168.1.18-----eth1:192.168.2.18------>PC2: 192.168.2.111

PC2 can ping both interfaces of PC1 but can't ping the DNS router.

I have also tried adding a route on PC2: route add -net 192.168.1.0/24 gw 192.168.2.18

But I still can't ping the DNS server or Google's IP. PC1, however, can ping Google's IP and the DNS server.

I also connected another PC on the 192.168.1.0 network, gave it IP 192.168.1.252, then pinged from client 192.168.2.111 to 192.168.1.252. Initially it was unable to ping, but after I added routes on both endpoints I was able to receive a ping reply from 192.168.1.252 to 192.168.2.111.

But I have no access/permission to the DSL router. I want to use the squid proxy to redirect my web requests to the DSL router (is it possible in my scenario?)

acid_kewpie 07-03-2012 02:33 AM

I'll say it's the return route then. The DSL router is on 192.168.1.0/24, so all hosts on that network work fine. But PC2 is on a network that the DSL router has no knowledge of. So you need to either put a route in the DSL router saying that 192.168.2.0/24 is reached via 192.168.1.18, or perform NAT on PC1 so that traffic looks like it is coming from PC1 in the first place.

Mind you though... this is presuming you've enabled IP forwarding (routing) on PC1 in the first place... have you?? If not, there's not going to be any traffic moving *through* PC1, only to it and from it (which is fine for proxying). Given that your goal was transparent proxying and not routing anyway, I would probably suggest you just add a simple DNS server to PC1. dnsmasq is very simple to set up, and will pick up the DNS servers already used by PC1 upstream. Then PC2 can query PC1 for DNS on its local subnet and job's done.

uk.engr 07-03-2012 03:14 AM

I have enabled IP forwarding on PC1. I also flushed all iptables rules, then added the iptables rules for NAT again:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

Now I can successfully ping www.google.com and the DNS server from PC2. Web browsing also works. But HTTP traffic does not pass through the squid proxy. What should I edit/add in the above iptables lines so that I am unable to pass web traffic through the squid proxy?

acid_kewpie 07-03-2012 03:19 AM

Can you show the full NAT table now? As the redirect is on PREROUTING it should always get there first, and the POSTROUTING entry shouldn't matter.

uk.engr 07-03-2012 04:26 AM

[root@localhost demo_2]# iptables --flush
[root@localhost demo_2]# iptables --table nat --flush
[root@localhost demo_2]# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
[root@localhost demo_2]# iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost demo_2]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

uk.engr 07-03-2012 06:49 AM

The following iptables rules work perfectly for me:

[root@localhost demo_2]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.18:3128
[root@localhost demo_2]# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

Now I can browse webs through squid via transparent proxy.

Thanks a lot acid_kewpie.

acid_kewpie 07-03-2012 07:42 AM

Be aware now though, that that internal machine can reach ANY external service not on port 80, e.g. a remote web proxy on port 3128, and bypass your proxy in a second.
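As an added example (not code from the thread or either poster), here is the pair of rules that finally worked for uk.engr, combined with a FORWARD policy that closes the bypass acid_kewpie points out in the last reply. It assumes PC1's layout from the thread: eth0 = 192.168.1.18 on the external side, eth1 on 192.168.2.0/24, Squid listening on 3128 in intercept mode; IPT defaults to echo so the script only previews the commands.

```shell
#!/bin/sh
# Added example, not from the thread: the two rules that worked for uk.engr,
# plus a FORWARD policy that closes the port-3128 bypass acid_kewpie warns about.
# Assumed from the thread: PC1 has eth0 = 192.168.1.18 (external), eth1 on
# 192.168.2.0/24 (internal), and Squid listens on 3128 in intercept mode.
# IPT defaults to "echo" so the script only previews the commands; run it as
# root with IPT=iptables to apply them for real.
IPT="${IPT:-echo}"
EXT_IF=eth0
INT_IF=eth1
PROXY_IP=192.168.1.18
PROXY_PORT=3128
INT_NET=192.168.2.0/24

apply_rules() {
    # Start from a clean slate, as uk.engr did before the working run.
    $IPT -t nat -F
    $IPT -F FORWARD

    # Forwarding must be on, or nothing moves *through* PC1 (skipped in preview).
    [ "$IPT" = echo ] || sysctl -w net.ipv4.ip_forward=1

    # Client HTTP arriving on eth1 is steered to Squid (the rule from the thread).
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"

    # The DSL router has no route back to 192.168.2.0/24, so hide the
    # internal hosts behind PC1's external address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Forward only what the proxy design needs: DNS out, and replies to it.
    # Everything else from eth1 (a remote proxy on 3128, HTTPS, tunnels) is
    # logged and dropped instead of walking straight past Squid.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$INT_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$INT_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -j LOG --log-prefix "proxy-bypass: "
}

apply_rules
```

With this policy ICMP and HTTPS from PC2 are dropped as well, so add explicit ACCEPT rules in FORWARD for whatever else the internal hosts genuinely need, and watch the kernel log for the "proxy-bypass:" prefix to see what they attempt.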

