LinuxQuestions.org
Old 05-25-2012, 01:49 PM   #1
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Rep: Reputation: 58
IPtables for a remote transparent proxy


Hello, I have a strange setup and I'm not getting anywhere with it. I have a DSL router, which is connected to the gateway, which manages the network, dhcp, dns and so on. Now there is a squid server in the network which should be used as a transparent proxy for http (not https).

gateway server ip's:
eth0 (10.0.10.2) internet
eth1 (192.168.10.1) intranet - dhcp server

squid server ip:
eth0 (192.168.10.253)

There are 2 networks, 192.168.10.0/24 (ethernet) and 192.168.2.0/24 (wifi), and both of these networks should use the squid server for http as a transparent proxy.

Here is the iptables setup on the gateway:
Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
-A INPUT -j DROP
COMMIT
Code:
cat /proc/sys/net/ipv4/ip_forward 
1
Can anyone tell me the iptables rules I should add to the gateway so it properly forwards all traffic to the squid proxy server and passes it back properly to the clients?
 
Old 05-25-2012, 03:18 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,010

Rep: Reputation: Disabled
There's no iptables command that will do what you want it to do, at least not directly.

Let's say you entered the following command:
Code:
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
That would redirect all outbound traffic destined for TCP port 80 to port 3128 on the Squid server, but unfortunately the clients would never receive a response. Here's why:
  1. The client sends a packet to a web server (source: local PC, destination: some web server on the Internet)
  2. The gateway receives the packet and replaces the destination IP with that of the proxy (source: local PC, destination: Squid)
  3. The Squid server receives the packet, and since it's the 1st packet of a three-way TCP handshake (SYN), it generates a SYN-ACK packet (source: Squid, destination: local PC)
  4. The Squid server sends the above packet directly to the PC. After all, it's on the same network, so no point in going through the router, right? (Wrong, it's bypassing the entire NAT mechanism.)
  5. The local PC receives the SYN-ACK packet from the Squid server, notices that at no time did it ask to speak to this server, and promptly discards the packet.
  6. Steps 1-5 are repeated a few times until the connection eventually times out.
You could add a second NAT entry, NATing all packets to the Squid server behind eth1 on the firewall:
Code:
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.10.253/32 -j MASQUERADE
...but that qualifies as a really ugly hack that would also invalidate any logs on the Squid server (all traffic would appear to come from 192.168.10.1).

That was the long answer. The short answer: You need to either redesign your network slightly, so that the Squid server ends up on a different subnet, or you could use the Web Proxy Autodiscovery Protocol (WPAD) to serve out a PAC file and force all HTTP traffic through Squid (and then block all other TCP/80 traffic in the firewall).

I would probably go for the redesign.
 
Old 05-25-2012, 03:56 PM   #3
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
Adding the rule:

Code:
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
doesn't work at all; the requests don't even end up at the squid server, but when adding the POSTROUTING one, the requests end up at the squid server but as Access Denied (error 403)

Quote:
1337975555.501 0 192.168.10.1 TCP_MISS/403 2646 GET http://www.osnews.com/ - NONE/- text/html
1337975555.502 2 192.168.10.1 TCP_MISS/403 2798 GET http://www.osnews.com/ - DIRECT/74.86.31.159 text/html
1337975558.805 0 192.168.10.1 TCP_NEGATIVE_HIT/403 2804 GET http://www.osnews.com/ - NONE/- text/html
So basically it just doesn't do it, can't see the web page, just the squid error.

---------- Post added 05-25-12 at 09:56 PM ----------

What do you mean about redesigning the network, what am I doing wrong?
 
Old 05-25-2012, 04:53 PM   #4
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
I forgot to add that using both rules I get an error in squid cache.log:

Quote:
2012/05/25 22:52:01| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
Host: www.osnews.com
 
Old 05-25-2012, 05:10 PM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,010

Rep: Reputation: Disabled
Quote:
Originally Posted by robertjinx
I forgot to add that using both rules I get an error in squid cache.log:
Of course. You need to exclude the Squid server from being redirected to itself. Flush and repopulate the PREROUTING chain as follows:
Code:
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.253/32 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
...and you should have an ugly but probably working hack.
 
Old 05-25-2012, 05:15 PM   #6
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
Ok, I've set it up like this:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -d 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
and nothing, with this setup I don't even reach the squid server.
 
Old 05-25-2012, 05:22 PM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,010

Rep: Reputation: Disabled
Quote:
Originally Posted by robertjinx
Ok, I've set it up like this:

Code:
-A POSTROUTING -o eth1 -d 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
The first rule is in the wrong chain.
 
Old 05-25-2012, 05:31 PM   #8
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
Should be in filter?

---------- Post added 05-25-12 at 11:32 PM ----------

But, you also wrote it in nat chain. Am I missing something?
 
Old 05-25-2012, 05:34 PM   #9
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,010

Rep: Reputation: Disabled
No, it's in the right table, but in the wrong chain (see post #5 above).

The rule is supposed to keep traffic from 192.168.10.253 from being redirected. It should read "-A PREROUTING -i eth1 -d 192.168.10.253/32 -j ACCEPT".
 
Old 05-25-2012, 05:47 PM   #10
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
Well ok, sorry about that, but still nothing, the requests don't even get to the squid server:

Quote:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -d 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
 
Old 05-25-2012, 06:12 PM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,010

Rep: Reputation: Disabled
Quote:
Originally Posted by robertjinx
Well ok, sorry about that, but still nothing, the requests don't even get to the squid server:
You seem to have lost the other POSTROUTING rule (iptables -t nat -A POSTROUTING -o eth1 -d 192.168.10.253/32 -j MASQUERADE).
 
Old 05-26-2012, 04:32 AM   #12
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
Added also those rules and same thing: Access Denied.

I must be missing something, but don't know what.
 
Old 05-26-2012, 02:57 PM   #13
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
Does anyone else have an idea how to set up the iptables rules for this? All the ideas from Ser_Olmy don't seem to help.

Thanks!
 
Old 05-26-2012, 03:43 PM   #14
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,010

Rep: Reputation: Disabled
Quote:
Originally Posted by robertjinx
Does anyone else has an idea how to setup the iptables rules for this? All the ideas from Ser_Olmy dont seem to help.
Just for fun, I installed a squid proxy on a server and attempted to redirect traffic with iptables.

The squid server is 172.22.14.16. The local network is 172.22.14.0/24, and the gateway/firewall is 172.22.14.1 (eth0).

Squid listens on the default port (3128). I added the keyword "transparent" to the "http_port" line in squid.conf:
Code:
http_port 3128 transparent
I also added a "cache_effective_user" directive. Other than that, I made no changes to the default configuration.

I used the following iptables rules:
Code:
iptables -t nat -A PREROUTING -i eth0 -s 172.22.14.16/32 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s 172.22.14.0/24 \
  -p tcp --dport 80 -j DNAT --to-destination 172.22.14.16:3128
iptables -t nat -A POSTROUTING -o eth0 -d 172.22.14.16 \
  -p tcp --dport 80 -j MASQUERADE
# Other NAT rules follow below
Simply put, this works. I can browse web pages on the Internet. If I stop the squid process, there's no web access via HTTP. If I try to reach a valid but currently unavailable web site, I get an error page from squid.

What exactly happens when you attempt this setup? Where does the "access denied" message come from? What's in the logs?

Last edited by Ser Olmy; 05-26-2012 at 03:45 PM.
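To make post #2's step-by-step explanation concrete, here is a small Python model of the gateway's nat table (an added example, not code from the thread or from either poster) showing why DNAT alone leaves the client discarding Squid's SYN-ACK, why adding MASQUERADE makes every request appear to come from 192.168.10.1 (as the access.log lines in post #3 show), and why the PREROUTING exclusion from posts #5 and #14 is what stops the forwarding loop from post #4. It uses the OP's addresses from post #1; the client IP 192.168.10.20, the web server 203.0.113.10 and the masquerade port are constructed placeholders, and the POSTROUTING rule is modelled as post #2's plain "-d squid -j MASQUERADE".

```python
# Model of the gateway's nat table for the thread's setup; added example, not
# code from the thread. Addresses are the OP's (post #1) except CLIENT, WEB and
# MASQ_PORT, which are constructed placeholders.
CLIENT, GW, SQUID, WEB = "192.168.10.20", "192.168.10.1", "192.168.10.253", "203.0.113.10"
MASQ_PORT = 40000  # constructed; the kernel would pick a free source port

def gateway(pkt, exclude_squid, masq_to_squid):
    """Run one LAN packet (src, sport, dst, dport) through the gateway's nat table.
    Returns the packet as forwarded plus the conntrack entry created, if any."""
    src, sport, dst, dport = pkt
    # PREROUTING: posts #5/#14 first ACCEPT the proxy's own traffic so it is never
    # redirected back to itself (the "Forwarding loop detected" warning of post #4)
    if exclude_squid and src == SQUID:
        return pkt, None
    if dport != 80:                      # only plain HTTP is redirected
        return pkt, None
    dst, dport = SQUID, 3128             # -j DNAT --to-destination squid:3128
    if masq_to_squid:                    # POSTROUTING -o eth1 -d squid -j MASQUERADE (post #2)
        src, sport = GW, MASQ_PORT
    natted = (src, sport, dst, dport)
    return natted, {"orig": pkt, "nat": natted}

def client_accepts(sent, reply):
    """A host only accepts a SYN-ACK whose 4-tuple mirrors the SYN it sent (post #2, step 5)."""
    src, sport, dst, dport = sent
    return reply == (dst, dport, src, sport)

def handshake(exclude_squid, masq_to_squid):
    """Simulate post #2's steps 1-5. Returns (client got a usable SYN-ACK, source IP Squid logs)."""
    syn = (CLIENT, 51000, WEB, 80)
    natted, entry = gateway(syn, exclude_squid, masq_to_squid)
    s, sp, d, dp = natted
    synack = (d, dp, s, sp)              # step 3: Squid replies to what it received
    if entry and masq_to_squid:
        # reply is addressed to the gateway, which reverses both NATs via its conntrack entry
        o = entry["orig"]
        synack = (o[2], o[3], o[0], o[1])
    # otherwise Squid sends the SYN-ACK straight to the client (step 4), skipping the gateway
    return client_accepts(syn, synack), s

def proxy_loops_back(exclude_squid):
    """Would Squid's own outbound GET be DNATed back to Squid? (posts #4 and #5)"""
    natted, _ = gateway((SQUID, 52000, WEB, 80), exclude_squid, True)
    return natted[2] == SQUID

if __name__ == "__main__":
    print("DNAT only:            ", handshake(False, False))  # (False, '192.168.10.20')
    print("DNAT + MASQUERADE:    ", handshake(False, True))   # (True, '192.168.10.1')
    print("loop without exclude: ", proxy_loops_back(False))  # True
    print("loop with exclude:    ", proxy_loops_back(True))   # False
```

The second case reproduces what the OP saw in post #3: the connection completes, but Squid logs the gateway's address rather than the client's.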
 
Old 05-26-2012, 04:02 PM   #15
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 585

Original Poster
Rep: Reputation: 58
OK, again I've set up all the rules and here is how it looks:

Quote:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -d 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
-A POSTROUTING -o eth1 -d 192.168.10.253/32 -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
With this exact setup there is nothing happening. The requests don't go to the squid server, there is nothing in the squid logs. Note that I have an extra MASQUERADE rule "-A POSTROUTING -o eth0 -j MASQUERADE" which may screw up the situation, but anyway, the above setup doesn't redirect the requests to the squid server, for whatever reason, which I don't know.

Here is the squid proxy conf:
Quote:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.10.0/24 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_reply_access allow all
dns_nameservers 192.168.10.1 10.0.10.2
cache_swap_low 85
cache_swap_high 95
maximum_object_size_in_memory 4096 KB
cache_mem 1024 MB
memory_pools off
minimum_object_size 0 KB
maximum_object_size 2048 KB
quick_abort_min 0 KB
ipcache_size 1024
ipcache_low 85
ipcache_high 95
positive_dns_ttl 15 minutes
negative_dns_ttl 1 minutes
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
icp_access allow all
http_port 3128 transparent
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
http_reply_access allow all
hierarchy_stoplist cgi-bin ?
cache_dir aufs /array/md4/squid 41960 16 256
cache_swap_log /array/md4/squid/swap.log
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
log_fqdn off
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern -i (.*jpg$|.*gif$) 0 50% 28800
refresh_pattern -i (.*html$|.*htm|.*shtml) 0 20% 1440
refresh_pattern (http://.*/$) 0 20% 1440
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_mgr support@example.lan
httpd_suppress_version_string on
visible_hostname proxy.local.example.lan
icp_port 3130
acl FTP proto FTP
always_direct allow FTP
coredump_dir /array/md4/squid
no_cache deny QUERY
hosts_file /etc/hosts
dead_peer_timeout 5 seconds
client_lifetime 1 day
half_closed_clients on
pipeline_prefetch on
server_persistent_connections off
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
NOTE: with this configuration the squid proxy works if I set it up in firefox.
 
  

