Code:
eno1: 192.168.1.2/26 - WAN
eno2: 172.23.198.1/24 LAN
Squid block all. I can't see any website on workstation.
When I forward all on squid
Code:
iptables -t nat -A PREROUTING -s 172.23.198.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
then everything work well.
but when I forward all on port 8080 ( Dansguardian) then workstation work bad.
Code:
iptables -t nat -A PREROUTING -s 172.23.198.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 8080
My firewall
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
iptables -t filter -P FORWARD DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -t filter -A FORWARD -s 172.23.198.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.23.198.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.23.198.0/24 -d 0/0 -j MASQUERADE
iptables -A FORWARD -s 172.23.198.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3124 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3127 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3128 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 8080 -j REDIRECT --to-port 8080
iptables -A INPUT -i eno2 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
squid.conf
Code:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl siec src 172.23.198.0/24
acl godziny_pracy time 00:01-21:30
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow siec godziny_pracy
# And finally deny all other access to this proxy
http_access deny all
http_port 172.23.198.1:3128 transparent
dansguardian.conf
Code:
filterip =172.23.198.1
filterport = 8080
proxyip = 172.23.198.1