LinuxQuestions.org
Old 07-15-2014, 11:52 AM   #1
NotTheBoyIUsedToBe
LQ Newbie
 
Registered: Jul 2014
Posts: 3

iptables - forward traffic through squid when connected via openvpn


Hi everybody,

I recently set up a server at home that has a squid proxy, and I also managed to connect clients via openvpn.

Both work well on their own, but it seems that whenever I connect through the VPN, the HTTP traffic does not get forwarded to squid (no entries in access.log, blocked sites accessible).

I do not know my way around iptables very well and was glad that I managed to redirect the non-VPN traffic through squid. But with this combination, I am lost. I tried my best to find a solution, but iptables itself is a beast already, and in combination with squid and openvpn it does not get easier.

eth0 is my "normal" network interface, tun is the openvpn one. For the tests, I deactivated the general drop rules:

Code:
*nat
:PREROUTING ACCEPT [40:1842]
:INPUT ACCEPT [3:467]
:OUTPUT ACCEPT [3:191]
:POSTROUTING ACCEPT [0:0]
# transparent intercept of port 80, but only for traffic arriving on eth0
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.178.0/24 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [4:507]
:FORWARD ACCEPT [33:1116]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

*mangle
:PREROUTING ACCEPT [9281:9023546]
:INPUT ACCEPT [8467:8721936]
:FORWARD ACCEPT [814:301610]
:OUTPUT ACCEPT [9176:8879121]
:POSTROUTING ACCEPT [9989:9180651]
COMMIT
All those rules were created with some guides I found, so some things here might be too much, but apart from the problem mentioned it works for me.

I tried copying the PREROUTING rule with -i tun+, but it does not work.

Can anyone please help me here?

Thanks.
 
Old 07-16-2014, 01:05 AM   #2
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware 14, Debian 7, FreeBSD, OpenBSD
Posts: 177

What does ifconfig show?
 
Old 07-16-2014, 01:24 AM   #3
NotTheBoyIUsedToBe
LQ Newbie
 
Registered: Jul 2014
Posts: 3

Original Poster
Quote:
Originally Posted by padeen
What does ifconfig show?
Hi padeen,

this is the output of ifconfig:

Code:
eth0      Link encap:Ethernet  HWaddr b8:27:eb:3f:f2:db
          inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36004734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39207423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:824273146 (786.0 MiB)  TX bytes:2269254070 (2.1 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:19678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19678 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4613451 (4.3 MiB)  TX bytes:4613451 (4.3 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:236981 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313612 errors:0 dropped:629 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:33536965 (31.9 MiB)  TX bytes:297336893 (283.5 MiB)
 
Old 07-17-2014, 04:54 AM   #4
NotTheBoyIUsedToBe
LQ Newbie
 
Registered: Jul 2014
Posts: 3

Original Poster
Figured that one out myself, finally.

PREROUTING port-80 tun+ traffic to the IP and port of my squid (which implies eth0), and masquerading:
Code:
# TCP/80 arriving from VPN clients (tun+) is DNATed to squid's listening address and port.
# Note: the ifconfig output above shows eth0 as 192.168.178.20; adjust the address if that is where squid listens.
iptables -t nat -A PREROUTING -p tcp --dport 80 -i tun+ -j DNAT --to 192.168.1.20:3128
# Packets leaving over the tunnel get the server's tun address as source.
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
squid.conf needs an additional localnet entry:
Code:
acl localnet src 10.0.0.0/8
After reloading squid, it works as intended.
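The difference between the ruleset in post #1 and the fix in post #4 is easy to miss by eye: the nat PREROUTING intercept is bound to -i eth0, so nothing arriving on tun0 is ever sent to squid. The following is an added example, not code from the thread or from the squid/iptables projects: a small parser for iptables-save output that reports, per interface, where new TCP/80 connections are sent by the nat PREROUTING chain, using the same "+" interface wildcard semantics as iptables. The two dumps embedded in it are constructed from the rules posted here; the DNAT target uses the eth0 address from the ifconfig output (192.168.178.20), which is an assumption, since post #4 writes 192.168.1.20. The thread does not say why the REDIRECT attempt on tun+ failed; one general caveat worth knowing is that REDIRECT rewrites the destination to the primary address of the incoming interface (10.8.0.1 on tun0), so squid must be listening on that address too, whereas DNAT lets you name the listening address explicitly.

```python
"""Added example (not from the thread): report per-interface port-80
intercept targets from an iptables-save dump."""
import shlex
from typing import Dict, List, Optional

# Constructed from post #1: only eth0 has a port-80 intercept rule.
ORIGINAL_NAT = """
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.178.0/24 -j MASQUERADE
COMMIT
"""

# Constructed: the same table plus the DNAT/MASQUERADE rules from post #4.
# 192.168.178.20 is the eth0 address from the ifconfig output (assumption).
FIXED_NAT = """
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i tun+ -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.178.20:3128
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.178.0/24 -j MASQUERADE
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
"""


def iface_matches(pattern: str, name: str) -> bool:
    """iptables interface wildcard: a trailing '+' matches any suffix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def parse_rules(dump: str, table: str) -> List[dict]:
    """Return the '-A' rules of one table as {chain, opts, flags} dicts."""
    rules, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *nat
            current = line[1:]
            continue
        if line == "COMMIT":
            current = None
            continue
        if current != table or not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        rule = {"chain": tok[1], "opts": {}, "flags": set()}
        i = 2
        while i < len(tok):
            key = tok[i]
            if key == "!":                # negated match, e.g. "! -i lo"
                i += 1
                key = "!" + tok[i]
            if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                rule["opts"][key] = tok[i + 1]
                i += 2
            else:
                rule["flags"].add(key)
                i += 1
        rules.append(rule)
    return rules


def port80_intercept(dump: str, iface: str) -> Optional[str]:
    """Endpoint that new TCP/80 traffic arriving on `iface` is sent to by
    nat PREROUTING: 'local:PORT' for REDIRECT, 'IP:PORT' for DNAT, or None.
    The first matching rule wins, as in iptables."""
    for rule in parse_rules(dump, "nat"):
        if rule["chain"] != "PREROUTING":
            continue
        o = rule["opts"]
        if o.get("-p") != "tcp" or o.get("--dport") != "80":
            continue
        if "-i" in o and not iface_matches(o["-i"], iface):
            continue
        target = o.get("-j")
        if target == "REDIRECT":
            return "local:" + o.get("--to-ports", "80")
        if target == "DNAT":              # iptables-save writes --to-destination
            return o.get("--to-destination", o.get("--to"))
        return None
    return None


def intercept_report(dump: str, ifaces: List[str]) -> Dict[str, Optional[str]]:
    """Map each interface name to its port-80 intercept endpoint (or None)."""
    return {name: port80_intercept(dump, name) for name in ifaces}


if __name__ == "__main__":
    for label, dump in (("post #1", ORIGINAL_NAT), ("post #4", FIXED_NAT)):
        print(label, intercept_report(dump, ["eth0", "tun0"]))
```

Run against a live box with `iptables-save | python3 check.py` style input, and the report shows at a glance which client-facing interfaces still reach the internet on port 80 without passing squid.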
 
Old 07-17-2014, 06:35 AM   #5
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware 14, Debian 7, FreeBSD, OpenBSD
Posts: 177

Are you sure you want 10.0.0.0/8? Seems pretty wide, when your tun is 10.8.0.0. I'd be interested if it works ok with 'acl localnet src 10.8.0.0/16' or even 10.8.0.0/24.
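padeen's point is a scoping one: `acl localnet src 10.0.0.0/8` tells squid to serve any client whose source address is anywhere in 10/8, not just the OpenVPN pool, which the MASQUERADE rule in post #1 and the tun0 address show is 10.8.0.0/24. The following is an added example, not code from the thread or from the squid project: a minimal evaluator for squid's `acl NAME src CIDR` and `http_access allow|deny NAME` lines, applying squid's first-match rule (and its rule that a request matching no line gets the opposite of the last line's verdict), used to compare the /8 from post #4 with the /24 suggested here. The config snippets are constructed; the surrounding `http_access allow localnet` and `http_access deny all` lines are assumed, as in the stock squid.conf.

```python
"""Added example (not from the thread): evaluate squid src ACLs and
http_access lines for a client address, and measure how many addresses
a localnet ACL admits beyond the VPN client pool."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from post #4; the http_access lines are an assumption.
SQUID_WIDE = """
acl localnet src 192.168.178.0/24
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""

# Constructed: the same config with padeen's tighter /24 from post #5.
SQUID_TIGHT = SQUID_WIDE.replace("10.0.0.0/8", "10.8.0.0/24")


def parse_access_config(conf: str) -> Tuple[Dict[str, list], List[Tuple[str, List[str]]]]:
    """Collect 'acl NAME src ...' networks and the ordered http_access lines.
    Other ACL types are ignored; this is enough for the localnet question."""
    acls: Dict[str, list] = {}
    access: List[Tuple[str, List[str]]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(cidr, strict=False) for cidr in parts[3:]
            )
        elif parts[0] == "http_access" and len(parts) >= 3:
            access.append((parts[1], parts[2:]))
    return acls, access


def _acl_matches(name: str, addr, acls: Dict[str, list]) -> bool:
    """One ACL term; a leading '!' negates, 'all' is squid's built-in match-all."""
    negate = name.startswith("!")
    if negate:
        name = name[1:]
    if name == "all":
        hit = True
    else:
        hit = any(addr in net for net in acls.get(name, []))
    return (not hit) if negate else hit


def is_allowed(conf: str, client: str) -> bool:
    """squid http_access semantics: the first line whose ACL terms all
    match decides; if none matches, the opposite of the last line applies."""
    acls, access = parse_access_config(conf)
    addr = ipaddress.ip_address(client)
    for verdict, names in access:
        if all(_acl_matches(n, addr, acls) for n in names):
            return verdict == "allow"
    if not access:
        return False
    return access[-1][0] != "allow"


def extra_addresses(acl_cidr: str, vpn_pool: str) -> int:
    """Addresses an ACL network admits beyond the VPN client pool."""
    acl = ipaddress.ip_network(acl_cidr, strict=False)
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    if not pool.subnet_of(acl):
        raise ValueError(f"{pool} is not covered by {acl}")
    return acl.num_addresses - pool.num_addresses


if __name__ == "__main__":
    for client in ("10.8.0.6", "10.200.1.1", "192.168.178.30", "203.0.113.9"):
        print(client, "wide:", is_allowed(SQUID_WIDE, client),
              "tight:", is_allowed(SQUID_TIGHT, client))
    for cidr in ("10.0.0.0/8", "10.8.0.0/16", "10.8.0.0/24"):
        print(cidr, "admits", extra_addresses(cidr, "10.8.0.0/24"), "extra addresses")
```

A VPN client at 10.8.0.6 is served under both configs; a host at 10.200.1.1 that can reach the proxy through any other route is served only under the /8. With iptables in front of squid the practical exposure depends on what else can reach port 3128, but the ACL is the place to say exactly which clients the proxy is meant for.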
 