I am trying to set up a Linux bridge/transparent Squid proxy with iptables and ebtables. When I add the proxy configuration in the web browser I am able to access the internet,
but without the proxy configuration in the web browser, using the Linux bridge IP as my gateway, I am unable to access the internet.
my network diagram
internet<----->(eth0)linuxbridge/squid(eth1)<----->my network
To redirect the port I used the following chains
In iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
In ebtables
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
I googled lots of sites but I was unable to find the right solution for this (I am aware that I am making mistakes in this port redirecting; if that is true, please correct me).
Will you please give me an idea of how to correct my mistakes?
Based on your post, it seems like you're a bit unclear on the concept of a 'transparent proxy'.
You say if you enable the proxy, you can "able access internet", and when you don't, you can't.
Yes, that's exactly right. If you have a proxy server in place, and don't use it, you SHOULDN'T be able to get to the internet.
I think you misunderstood my post (I don't know whether my post is unclear). If we want to access the internet through a proxy we should add the (IP address, port number) in the web browser. But when we set up a transparent proxy we can access the internet without client-side configuration (I mean there is no need to add the IP address and port number in the web browser).
You have to do SOMETHING to tell clients to use a proxy server. You can set things up to push the proxy variables down when users log into the network, but "transparent proxy" means that the users don't have to log in or do anything to get access.
Hi;
I want to make my question clear one more time.
The problem.
I set up the transparent proxy/Linux bridge, with iptables & ebtables, on the server, and I could not get internet access without setting up the proxy configuration in my client PC's web browser.
The solution i need.
I don't want to set up the web browser proxy configuration for every user. Instead, I want to set the iptables & ebtables rules on the server so that they redirect all client-side requests coming in on port 80 to port 3128, since the server is listening on port 3128.
The method i used
To redirect the port I used the following chains
In iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
In ebtables
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
But still I could not access the internet without setting up the proxy configuration in my client PC's web browser.
Please advise me and give me the right solution to do it.
Thank you.
And I want to make my answer clear one more time: IF YOU HAVE A PROXY SERVER, YOU WILL HAVE TO SET UP YOUR CLIENTS SOMEHOW.
Either you will have to use a zeroconf type thing to push the proxy configuration to your clients, or you will have to have a system login script set the things up for you. You have to do SOMETHING to get the proxy configuration to the client. Doing a simple redirect with iptables won't work, unless you want to set up so many ports, and be ready to set up more for any non-standard websites/connections, you'll spend all day doing nothing but that, and still have flaky problems.
Also, do not issue demands, such as "give me the right solution to do it". You're not paying attention to the answer...if you don't like the answer you get here, hire someone to do it for you.
Have a look at the Squid FAQ for some information on interception caching (transparent proxying) that may be useful.
If you only need to proxy http (not gopher, ssl, ftp etc.) then you can set up iptables rules and compile Squid to allow this. You won't have to configure clients if this is all you require. I have the following in my iptables rules on one of my boxes:
However, there are limitations (see the link above). As TB0ne pointed out, you will need to manually configure proxy details for the non-supported protocols and you can't use proxy authentication.
Gilead can't be more clear. What you are trying to do is achievable (unlike what TBone is saying). Just sort out your iptables rules properly.
In your case, since your proxy server is also the bridge to the internet, there is nothing more needed. No configs on the clients are needed anyhow (true). However, this setup will not work when accessing HTTPS and FTP sites. Otherwise, if you don't really care about these, then go ahead and tweak your iptables (check http://wiki.squid-cache.org/SquidFaq/InterceptionProxy).
Good luck
Last edited by chitambira; 02-13-2009 at 04:13 AM.
No, what I'm saying is if they want to use a PROXY server, you've got to tell the clients to use it, somehow. What am I saying that's NOT achievable?? And Gilead hits it on the head...to use this as a full proxy for all protocols, you have to configure the clients.
First of all I would like to thank all who gave ideas about transparent proxies. Please excuse me if I misled you in this regard.
Actually my expectation is that I have to have a middle man (transparent server) who is handling all the traffic through him, but without the users' knowledge (I think I didn't give a clear idea about my scenario earlier). Anyhow, I solved my problem by using a transparent Squid proxy & iptables. Now all protocols (net traffic) are going through my transparent server.
I agree that if I set up a transparent proxy it can handle only HTTP traffic, so what I did was bypass all other protocols which are not handled by the transparent proxy.
I used the following iptable rules
Redirect all HTTP traffic to the proxy
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
To handle HTTPS
iptables -t nat -A POSTROUTING -p tcp --dport 443 -j SNAT --to xx.xx.xx.xx (transparent server IP address)
Please advise me if there are any security vulnerabilities or performance issues caused by this setup.
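One working rule set for the bridge plus iptables REDIRECT approach the thread argues over, written as an added example that is not part of any post here. It assumes eth1 is the LAN-facing bridge port and Squid listens on 3128 in intercept mode, and it uses ebtables' --redirect-target DROP (route the frame) where the posted rule used ACCEPT (keep bridging it).

```shell
#!/bin/sh
# Added example, not from the thread: the rule set for intercepting port-80
# traffic on a Linux bridge and handing it to Squid on port 3128.
# Assumptions: eth1 is the LAN-facing bridge port, Squid listens on 3128 in
# intercept mode (http_port 3128 transparent, or intercept on Squid 3.1+).
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the rules, one command per line, without running anything.
gen_rules() {
    # 1. ebtables broute: take TCP/80 frames out of the bridge path and route
    #    them. In the BROUTING chain --redirect-target DROP means "route this
    #    frame"; ACCEPT (as in the thread) means "keep bridging it", so the
    #    iptables REDIRECT below never sees the packet.
    echo "ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target DROP"
    # 2. nat PREROUTING: a brouted packet arrives on the physical LAN port, so
    #    match that interface. Binding to the LAN side keeps hosts on the
    #    internet-facing port from using the box as an open proxy.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # 3. Let the redirected connections reach Squid's listening socket.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT"
    # Anything that is not TCP/80 (HTTPS, FTP, ...) is still bridged untouched.
}

# Number of rules gen_rules emits; used as a self-check.
rule_count() { gen_rules | wc -l | tr -d ' '; }

# Run each rule as root; pass "echo" as the first argument for a dry run.
apply_rules() {
    runner="${1:-}"
    gen_rules | while IFS= read -r cmd; do
        $runner sh -c "$cmd"
    done
}

# Dry run when executed with DRY_RUN set: prints the three commands.
if [ -n "${DRY_RUN:-}" ]; then
    apply_rules echo
fi
```

Run it with DRY_RUN=1 first to inspect the commands, then as root without DRY_RUN to apply them.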