LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-10-2011, 06:02 AM   #1
Capellous
LQ Newbie
 
Registered: May 2006
Posts: 4

Rep: Reputation: 0
Transparent Squid, iptables syntax and SMTP/POP3


I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box.

Here's the set up:

A single NIC (eth0) on 172.19.0.250 / 16 (static)
ADSL router ("real" DG) on 172.19.0.1
I executed iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

My squid.conf:

Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl mynet src 172.19.0.0/16
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl SSL_ports port 443		# https
acl SSL_ports port 563		# snews
acl SSL_ports port 873		# rsync
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 631		# cups
acl Safe_ports port 873		# rsync
acl Safe_ports port 901		# SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynet 
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Package(.gz)*)$	0	20%	2880
refresh_pattern .		0	20%	4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
I've read MANY articles which seem to guide me in the right direction, but nothing works. Some mention that I must enable IP forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward) whilst others say it's not necessary. I just wonder if I need to change anything in my squid.conf file?

I'm pulling my hair out trying to get this to work ... can anyone help please?

Thank you for your time (and patience!).
 
Old 02-10-2011, 10:37 AM   #2
rafatmb
LQ Newbie
 
Registered: Feb 2011
Posts: 27

Rep: Reputation: 3
The first (and most easy) option to solve that:

Configure the gateway of your client machines (XP) pointing to your ADSL modem. Then configure the browser of your clients (XP) to SQUID on the server.

This will work if you want to only test proxy settings.

But, if you want to use the linux firewall, you'll need to do some nat configs, because everything is on the same subnet and you have only on interface on Linux Server.

Think on that, if you need to config linux firewall, print your iptables rules here.
 
1 members found this post helpful.
Old 02-10-2011, 12:29 PM   #3
Capellous
LQ Newbie
 
Registered: May 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Thank you rafatmb for the prompt response. I can see the logic in your suggestion and I could do that easily in the lab that I have (one client and one Linux). However, I would like to implement this eventually in a larger organisation and would prefer to have DHCP configure the DG (as the Squid/iptables computer). I know that I could use Group Policy to enter the client proxy configuration then disallow uses from changing it but I figured it would be fairly simple to have some iptables rules to forward the relevant packets (destination ports 25 and 110) to the ADSL router. As there's only one NIC in the Squid computer, I guess that the Squid/iptables computer wouldn't have to apply NAT, otherwise the returning packets wouldn't know where to go.

The only iptables configuration that I have applied at present is:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

As I said, I've tried applying many other rules and none of them works.

I saw the post here and got excited, but that scenario has 2 NICs in the Squid/iptables computer.

I'd be grateful for help with the rule(s) that I would need to send the SMTP/POP3 packets to the ADSL router (172.19.0.1). If I understand this correctly, that should allow me to access e-mail via Outlook.

Last edited by Capellous; 02-10-2011 at 12:31 PM.
 
Old 02-11-2011, 05:59 AM   #4
rafatmb
LQ Newbie
 
Registered: Feb 2011
Posts: 27

Rep: Reputation: 3
Hi,

Because you have only one NIC, and the machines are on same subnet, you MUST use a particular kind of NAT.

Do this:

Quote:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW,ESTABLISHED ACCEPT
iptables -A FORWARD -p tcp --dport 25 -m state --state NEW,ESTABLISHED ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 110 -d 172.19.0.1 -j MASQUERADE
Good luck.

[]'s

Rafa
Linux, Linux and Linux! Suporte Linux

Last edited by rafatmb; 02-11-2011 at 10:54 AM.
 
Old 02-12-2011, 09:44 AM   #5
Capellous
LQ Newbie
 
Registered: May 2006
Posts: 4

Original Poster
Rep: Reputation: 0
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.

I'm sure that I would never have stumbled upon these rules ... I just hope that they work!
 
Old 05-02-2011, 01:06 AM   #6
h.haider
LQ Newbie
 
Registered: Apr 2011
Location: Pakistan
Distribution: Centos, Fedora, Redhat, ubuntu, debian
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by Capellous View Post
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.

I'm sure that I would never have stumbled upon these rules ... I just hope that they work!


Dear Visit This link its works for me 100%


http://freelinuxtutorial.blogspot.co...ind-squid.html

---------- Post added 05-02-11 at 01:06 AM ----------

[/COLOR]
Quote:
Originally Posted by Capellous View Post
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.

I'm sure that I would never have stumbled upon these rules ... I just hope that they work!

Last edited by h.haider; 05-02-2011 at 01:08 AM.
 
Old 05-02-2011, 01:26 AM   #7
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
First things first. Its not the squid that is stopping your POP and SMTP traffic. Squid essentially is a HTTP proxy and it has nothing to do with SMTP or POP. So do not expect it to work as a proxy for other protocols.
Just making it transparent with forwarding 80 port requests will not enable pop and smtp for your clients. You will need to masquerade the outgoing requests, in short internet sharing using iptables.
I learnt this a hard way too.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SMTP/POP3 problems with squid/iptables dragonleech Linux - Security 8 09-23-2010 04:57 AM
squid proxy + pop3/smtp + iptables shahsaifi Linux - Server 10 11-16-2008 11:05 AM
SMTP AND POP3 through iptables vedang Linux - Server 5 01-30-2008 11:47 PM
pop3 and smtp ports on squid smoky_flame Linux - Networking 1 03-03-2006 07:18 AM
Does squid supports SMTP and POP3? yenonn Linux - Newbie 5 03-15-2003 01:43 AM


All times are GMT -5. The time now is 07:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration