LinuxQuestions.org

Linux - Security: iptables - forward traffic through squid when connected via openvpn (https://www.linuxquestions.org/questions/linux-security-4/iptables-forward-traffic-through-squid-when-connected-via-openvpn-4175511172/)

NotTheBoyIUsedToBe 07-15-2014 11:52 AM

iptables - forward traffic through squid when connected via openvpn
 
Hi everybody,

I recently set up a server at home that has a squid proxy and also managed to connect clients via openvpn.

Both work well for themselves, but it seems whenever I connect through the VPN, the http traffic does not get forwarded to squid (no entries in access.log, blocked sites accessible).

I do not know my way around iptables too much and was glad that I managed to redirect the non-VPN traffic through squid. But here at this combination, I am lost. Tried my best finding the solution but iptables itself is a beast already and in combination with squid and openvpn it does not get easier.

eth0 is my "normal" network interface, tun is the openvpn one. For the tests, I deactivated the general drop rules:

Code:

*nat
:PREROUTING ACCEPT [40:1842]
:INPUT ACCEPT [3:467]
:OUTPUT ACCEPT [3:191]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.178.0/24 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [4:507]
:FORWARD ACCEPT [33:1116]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

*mangle
:PREROUTING ACCEPT [9281:9023546]
:INPUT ACCEPT [8467:8721936]
:FORWARD ACCEPT [814:301610]
:OUTPUT ACCEPT [9176:8879121]
:POSTROUTING ACCEPT [9989:9180651]
COMMIT

All those rules were created with some guides I found, so some things here might be too much but apart from the problem mentioned, it works for me.

I tried copying the PREROUTING rule with -i tun+, but it does not work.

Can anyone please help me here?

Thanks.

padeen 07-16-2014 01:05 AM

What does ifconfig show?

NotTheBoyIUsedToBe 07-16-2014 01:24 AM

Quote:

Originally Posted by padeen (Post 5204548)
What does ifconfig show?

Hi padeen,

this is the output of ifconfig:

Code:

eth0      Link encap:Ethernet  HWaddr b8:27:eb:3f:f2:db
          inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36004734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39207423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:824273146 (786.0 MiB)  TX bytes:2269254070 (2.1 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:19678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19678 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4613451 (4.3 MiB)  TX bytes:4613451 (4.3 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:236981 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313612 errors:0 dropped:629 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:33536965 (31.9 MiB)  TX bytes:297336893 (283.5 MiB)


NotTheBoyIUsedToBe 07-17-2014 04:54 AM

figured that one out myself, finally :)

PREROUTING the port 80 tun+ traffic to the IP and port of my squid (which implies eth0), and masquerading:
Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 -i tun+ -j DNAT --to 192.168.1.20:3128
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

squid.conf needs an additional localnet:
Code:

acl localnet src 10.0.0.0/8

After reloading squid, it works as intended.

padeen 07-17-2014 06:35 AM

Are you sure you want 10.0.0.0/8? Seems pretty wide, when your tun is 10.8.0.0. I'd be interested if it works ok with 'acl localnet src 10.8.0.0/16' or even 10.8.0.0/24.
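The rules and the ACL discussed in this thread lend themselves to an automated check. The Python script below is an added example, not code posted in the thread. It parses a constructed copy of the nat table from the first post (with the DNAT and MASQUERADE rules from the solved post appended, rewritten in iptables-save form), the ifconfig output from the second post, and the localnet line added to squid.conf, and reports three things: which inbound interfaces have TCP port 80 intercepted in nat/PREROUTING and where it goes; whether every DNAT destination is an address of this box (Squid runs here, so a DNAT to a non-local host sends the client elsewhere; the address as written in the solved post, 192.168.1.20, is not among the posted ifconfig addresses, so the check flags it); and whether the localnet ACL covers the 10.8.0.0/24 VPN range from the POSTROUTING rule and by how many prefix bits it is wider than needed, which is padeen's point about 10.0.0.0/8. All function and constant names are this example's own, and the parser models only the iptables options these checks need.

```python
"""Audit transparent-Squid coverage from an iptables-save dump, ifconfig
output and Squid ACL lines.  Added example for the thread above, not code
posted in it; inputs are constructed copies of what was posted."""
import ipaddress
import shlex

# nat table from the first post plus the DNAT rule from the "solved" post in
# iptables-save form; the DNAT address is kept exactly as that post wrote it.
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [40:1842]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i tun+ -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:3128
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr b8:27:eb:3f:f2:db
          inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
tun0      Link encap:UNSPEC
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
"""
SQUID_ACLS = ["acl localnet src 10.0.0.0/8"]  # the line the solved post added
VPN_SUBNET = "10.8.0.0/24"                     # VPN range from the POSTROUTING rule
OPTS = {"-A": "chain", "-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto",
        "--dport": "dport", "-j": "target", "--to-ports": "to", "--to-destination": "to", "--to": "to"}

def parse_rules(dump):
    """Parse the '-A' lines of an iptables-save dump into dicts keyed by table.
    Unmodelled options (-m tcp, --state ...) are skipped; '!' negation is recorded."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A "):
            tok, rule, negate, i = shlex.split(line), {"negated": set()}, False, 0
            while i < len(tok):
                if tok[i] == "!":
                    negate = True
                elif tok[i] in OPTS:
                    rule[OPTS[tok[i]]] = tok[i + 1]
                    if negate:
                        rule["negated"].add(OPTS[tok[i]])
                    negate, i = False, i + 1
                else:
                    negate = False
                i += 1
            tables[table].append(rule)
    return tables

def iface_matches(pattern, name):
    """iptables '+' wildcard: 'tun+' matches tun0, tun1, ..."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def interception(tables, iface, port=80):
    """(target, destination) of the first nat/PREROUTING rule catching TCP traffic to
    `port` arriving on `iface`, or None when that traffic bypasses Squid.  A negated
    -i is conservatively treated as no match."""
    for r in tables.get("nat", []):
        if r.get("chain") != "PREROUTING" or r.get("proto") != "tcp" or r.get("dport") != str(port):
            continue
        if "in" in r and ("in" in r["negated"] or not iface_matches(r["in"], iface)):
            continue
        return r["target"], r.get("to")
    return None

def local_addresses(ifconfig):
    """Set of 'inet addr:' values, i.e. addresses Squid could be bound to on this box."""
    return {f[5:] for line in ifconfig.splitlines() for f in line.split() if f.startswith("addr:")}

def dnat_targets_local(tables, addrs):
    """[(host, is_local)] per DNAT rule; a non-local host means clients are sent elsewhere."""
    out = []
    for r in tables.get("nat", []):
        if r.get("target") == "DNAT" and "to" in r:
            host = r["to"].rsplit(":", 1)[0]
            out.append((host, host in addrs))
    return out

def parse_acl(acl_lines, name="localnet"):
    """Networks listed on 'acl <name> src ...' lines of squid.conf."""
    nets = []
    for line in acl_lines:
        f = line.split()
        if len(f) > 3 and f[:3] == ["acl", name, "src"]:
            nets += [ipaddress.ip_network(n, strict=False) for n in f[3:]]
    return nets

def acl_coverage(nets, subnet):
    """(covered, excess_bits): how many prefix bits wider the tightest covering ACL
    entry is than `subnet` (0 = exact fit, 16 = a /8 covering a /24)."""
    subnet = ipaddress.ip_network(subnet, strict=False)
    fits = [n for n in nets if n.version == subnet.version and subnet.subnet_of(n)]
    if not fits:
        return False, None
    return True, subnet.prefixlen - max(n.prefixlen for n in fits)

if __name__ == "__main__":
    t = parse_rules(NAT_DUMP)
    print("eth0:", interception(t, "eth0"), " tun0:", interception(t, "tun0"))
    print("DNAT local?", dnat_targets_local(t, local_addresses(IFCONFIG)))
    print("localnet covers VPN, excess bits:", acl_coverage(parse_acl(SQUID_ACLS), VPN_SUBNET))
```

To run it against a live box, feed it the output of `iptables-save -t nat`, `ifconfig` and the `acl localnet` lines from squid.conf instead of the embedded strings. With the thread's data it reports port 80 intercepted on both eth0 and tun0, flags the DNAT host as not local, and shows the /8 ACL covering the VPN /24 with 16 bits to spare; replacing the ACL with 10.8.0.0/24 brings the excess to 0.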

