
rollymittal 12-21-2009 09:53 AM

Fedora Linux Transparent Proxy with Squid - pop/smtp/ftp issues
Hi Guys, I am a relative newbie, so I'll try my best to explain the setup and problem in detail; and am sorry if it gets a bit long to read. Any help will be highly appreciated.

My setup and problem
1. Few workstations, all connected in a LAN ( via a switch. A broadband router(, also connected to the same LAN via same switch.
So, in principle, my broadband router is my internet gateway.
I cannot change LAN cables, so I treated one workstation ( with Fedora 4 as Gateway Router and then under TCP/IP properties on all other workstations(Windows XP/Server 2003) I changed gateway address from to
And since new Gateway Router has its gateway address as, so it basically behaves as a bridge.

2. I installed squid on Fedora 4 machine and configured iptables+squid to make new Gateway Router work as a Transparent Proxy. I did this only for http traffic.

3. Everything works fine while browsing http websites, which is confirmed via access/cache log of squid. And obviously, since I didn't open/configure ports for SMTP/POP/FTP etc, workstations are not able to access these services hosted on servers outside the network.

4. The problem is - I have enabled ip_forward, added rules to allow forward packets directed to SMTP/POP etc, but workstations are still unable to access these services. I just want my Gateway Router to forward requests for these services, originating from my network, straight to the next router node i.e. Broadband Router ( - which I guess it should be doing IF my packet forward rules are correct.
I tried to log firewall info on Gateway Router, but log file doesn't show anything related to it. I am posting here relevant parts of my iptables file -

#squid http traffic [THIS WORKS]
# --to-ports must be the port Squid listens on (3128, as in the full iptables-save dump later in the thread)
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# FORWARD rules for POP3 (110) and SMTP (25).
# ACCEPT is a terminating target: a LOG rule placed after an ACCEPT with the same
# match is never reached, which is why nothing for these ports shows up in the log.
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j LOG
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j LOG

Once again, any help will be highly appreciated.

GlennsPref 12-22-2009 07:18 PM

Hi, I don't use M$ products through my squid/iptables gateway, but I found this and it may help you....


From: Muthukumar <>
Date: Fri, 30 Jul 2004 16:20:22 +0530

> My configuration:
> eth0: (My Public IP)
> eth1: (My Lan IP)
> I have declared 25 and 110 as the safe ports also but still :((
> Based on a thread I saw at linux solve, I tried to do
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s -j MASQUERADE

Your iptables setting is making the problem here. If you are using MASQUERADE with POSTROUTING chains on nat table you have to
specify the --to-ports option.

Set your ip-tables as,

# SMTP Requests (port 25, "smtp" in /etc/services)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport smtp -s -j MASQUERADE

# POP Requests (port 110)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 110 -s -j MASQUERADE

Check /etc/services file as,
smtp 25/tcp # Simple Mail Transfer Protocol
pop3 110/tcp pop-3 # Post Office Protocol - Version 3

See more here at, and iptables manpage (MASQUERADE part)

> But this also having no effect.
> plz guide me to make my pop3 and smtp connections as transparent.
> I am attaching my squid.conf file with the mail.

No attachment of squid.conf file with this mail :)

some other pages I have found helpful...

cheers, Glenn

rollymittal 12-29-2009 08:11 AM

None of the links help. The problem is straight - A fedora box is working as internet gateway for a LAN. Workstations on LAN need to access smtp, pop, ftp etc services hosted over servers outside the LAN (on public internet). So ports 25, 110, 21 etc on the gateway need to be forwarded. I have added FORWARD rules in iptables, but still workstation machines are unable to connect to the servers (hosted on public internet) on the mentioned ports. (http request redirection rules for squid proxy work though)

Here is my current iptables file:


# Generated by iptables-save v1.2.11 on Tue Dec 29 19:09:29 2009
# (the *nat table header and the :PREROUTING/:POSTROUTING policy lines were lost in the paste)
*nat
:OUTPUT ACCEPT [2450:177758]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Tue Dec 29 19:09:30 2009
# Generated by iptables-save v1.2.11 on Tue Dec 29 19:09:30 2009
# (the *filter table header and the :INPUT/:FORWARD policy lines were lost in the paste)
*filter
:OUTPUT ACCEPT [155625:87069180]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# FORWARD is sent through the same chain as INPUT. That chain has no rule for
# ports 21/25/110 and ends in REJECT, so forwarded mail/ftp connections are refused.
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
# (the mDNS destination address after -d was lost in the paste)
-A RH-Firewall-1-INPUT -d -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Dec 29 19:09:30 2009

rollymittal 01-21-2010 01:53 PM

So finally, no takers? :(

GlennsPref 01-22-2010 01:30 AM

Hi, do you have 2 nics on the GNU/Linux pc?

if so, do you have IP packet forwarding enabled in

/etc/sysctl.conf: net.ipv4.ip_forward = 1


Just a thought.

Regards Glenn

rollymittal 01-23-2010 12:34 PM

Glenn, thanks for response. To answer your questions -
1. No, there is only one network card on that machine.
2. Yes, packet forwarding is on.

For a note - when I disable RH-Firewall (Red Hat Firewall from GUI), and then manually enter my iptables rules in the iptables file and start the iptables service (but keeping RH-Firewall stopped) - then everything works fine.
Problem comes just when RH-Firewall is on. I have on my end, tried to enter proper rules to allow traffic through it, but it doesn't seem to work. Any pointers will be appreciated.

GlennsPref 01-23-2010 10:52 PM

leave it off, and make your own script

Mandriva has "shorewall"

I turn off the service shorewall firewall. It's just a gui for iptables.

I turn off the services for iptables and ipv6,

although the libs and packages are required to be installed for iptables

write your iptables rules in a text file and make a shell script
(first line ... #!/bin/sh) from it.

copy it to /etc/init.d (you need root access to do this)

make it executable, in a gui just right click and select properties, as root.

make sure you have a backup of it,

and execute it at boot-time with its name and address in the /etc/rc.d/rc.local

like this....

# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed *after* all the other init scripts.
#              You can put your own initialization stuff in here if you don't
#              want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
ifdown eth0 && ifup eth0
service squid start

The order of the rules is important, in both squid and iptables.

test it with Gibson Research's "Shields Up" online.

Personally, I do not know enough about iptables to tell you more.

I can post my firewall script here if it helps, it was not written by me. But I modified it to do what I want. and it's secure.

hope this helps
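A complete stand-alone script for the setup in the opening post, written the way Glenn suggests (plain iptables commands in a shell script instead of the RH-Firewall GUI rules), with FORWARD kept separate from the INPUT chain, LOG placed before ACCEPT so forwarded connections actually show up in the log, and MASQUERADE for the one-NIC case. It is an added example, not code from this thread or any poster; the LAN 192.168.1.0/24, interface eth0 and Squid port 3128 are assumptions (the thread's own addresses did not survive), and setting IPT=echo prints the rule set instead of loading it.

```shell
#!/bin/sh
# One-NIC gateway: LAN clients use this box as default gateway, Squid on
# SQUID_PORT proxies HTTP transparently, everything else (SMTP/POP3/FTP)
# is forwarded on to the broadband router on the same segment.
# Assumed values (not taken from the thread): LAN 192.168.1.0/24 on eth0.
IPT=${IPT:-/sbin/iptables}          # IPT=echo prints rules instead of loading them
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
FWD_PORTS="21 25 110"               # services workstations may reach outside

setup_firewall() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # INPUT: traffic addressed to the gateway itself (ssh and Squid only).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    # Redirected HTTP is delivered locally, so Squid's port must be open here.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited

    # nat: transparent proxy for LAN clients only. Squid's own fetches leave
    # via OUTPUT, which PREROUTING never sees, so there is no redirect loop.
    $IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 \
        -j REDIRECT --to-ports $SQUID_PORT

    # FORWARD gets its own rules. Jumping FORWARD into an INPUT chain that
    # ends in REJECT refuses every forwarded connection that chain does not name.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $FWD_PORTS; do
        # LOG is non-terminating, so the packet continues to the ACCEPT below;
        # placed after the ACCEPT it would never be reached and log nothing.
        $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport $port \
            -m state --state NEW -j LOG --log-prefix "FWD-$port: "
        $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport $port -j ACCEPT
    done
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "   # then policy DROP

    # With a single NIC the broadband router would otherwise send its replies
    # straight to the workstation; masquerading keeps both directions on this box.
    $IPT -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -j MASQUERADE
}

enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

if [ "${1:-}" = "apply" ]; then enable_forwarding; setup_firewall; fi
```

Run it as root with `sh firewall.sh apply` (e.g. from rc.local as Glenn describes); `IPT=echo sh firewall.sh apply` lets you review the rule order first without touching the live tables.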
