[SOLVED] How to set up IPTABLES rules for a Squid proxy/gateway?

anon112 · 12-01-2017, 06:15 PM

I've decided to set up Arch Linux as a network gateway providing a firewall and DHCP server to my network switch. Since I have about 20 or so Arch Linux computers, I want to set up a squid transparent proxy to (among other things) reduce the download bandwidth associated with updates. I've got squid configured, but I can't figure out how to get IPTables to forward to squid.

Currently in my persistent IPTables config, I have the following rules defined (trimmed to only what I've changed from the defaults)

Code:

*mangle
-A PREROUTING -p tcp --dport 3129 -j DROP
[...]
*nat
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j REDIRECT --to-ports 3129 #Squid is set to intercept port 3129
-A POSTROUTING -o enp5s0 -j MASQUERADE
[...]

NOTE: enp5s0 is my "outside world" interface and enp0s29f7u1 is my local local network

IPTables isn't complaining about anything in the config, but for some reason none of my local HTTP traffic is being sent to squid. How do I fix this?

lazydog · 12-02-2017, 05:41 PM

First you need to remove the your drop and accept from you preroute rules. Drop and Accept should only be applied to the filter rules.
Is the proxy server running on the same system as your firewall? If it is than maybe you should be doing this:

Code:

iptables -t nat -A PREROUTING -i enp0s29f7u1 -p tcp -m multiport --destination-port 80,443 -j REDIRECT --to-ports 3129

If it is not on the same system then you should be looking at DNAT.

anon112 · 12-03-2017, 06:09 AM

I've done that, but then no http pages load (https still works, but I'm only forwarding port 80). So when I set up the redirect to 3129 none of the http requests get through.

This is running on the same system as the firewall.

lazydog · 12-06-2017, 03:59 PM

Would it be possible to see all your firewall rules? There might be something else interfering with this.

anon112 · 12-07-2017, 04:15 PM

It's been modified a few times as I set stuff up on the local network, so it's a bit different from the original. This is what I'm working with right now.

Code:

# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
# Completed on Sun Dec  3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
*mangle
:PREROUTING ACCEPT [909:450265]
:INPUT ACCEPT [183:13040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70:8968]
:POSTROUTING ACCEPT [796:446193]
COMMIT
# Completed on Sun Dec  3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
*raw
:PREROUTING ACCEPT [909:450265]
:OUTPUT ACCEPT [70:8968]
COMMIT
# Completed on Sun Dec  3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
*nat
:PREROUTING ACCEPT [25:1639]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 443 -j ACCEPT
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 8080 -j ACCEPT
###The following relates to SQUID proxy:
-A PREROUTING -i enp0s29f7u1 -p tcp --destination-port 80 -j REDIRECT --to-ports 3129
###
-A POSTROUTING -o enp5s0 -j MASQUERADE
-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129
COMMIT
# Completed on Sun Dec  3 13:03:03 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [70:8968]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp0s29f7u1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#PORT FORWARDING
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
##
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u1 -j ACCEPT
-A FORWARD -o enp0s29f7u1 -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp5s0 -j ACCEPT
-A FORWARD -i enp5s0 -o enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp5s0 -j ACCEPT
COMMIT

lazydog · 12-09-2017, 11:56 PM

OK, lets fix your rules so you are using STATEFUL and not mixed.

What is this used for?

Code:

-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129

New Rules;

Code:

## CLEARING FIREWALL
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

## POLICY SETUP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP


## PREROUTE SETUP
iptables -A PREROUTING -i enp0s29f7u1 -p tcp --destination-port 80 -j REDIRECT --to-ports 3129

## POSTROUTE SETUP
iptables -A POSTROUTING -o enp5s0 -j MASQUERADE

## INPUT SETUP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP

## OUTPUT SETUP
# Not surte about this rule and why you are using it
#iptables -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129

## FORWARD SETUP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s29f7u1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j DROP

If you are only allowing access on the INPUT from your inside interface we can change the INPUT rules to reflect this;

Code:

## INPUT SETUP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP

FORWARD rules are only used when going in one interface and leaving another. Going in and out the same interface is only going to be looked at with INPUT and OUTPUT.

Test these rules and see if they do what you are looking for. You can always reload your original rules by restarting iptables if something doesn't work. Should something not work take note of what you were doing and what you expected to happen.

anon112 · 12-11-2017, 06:10 AM

I believe that output rule was a result of me tinkering with squid. It was supposed to be commented out at some point.

I've tried running the script you posted (as well as a couple of variations to be more permissive on traffic) and it seems to block all traffic going through the gateway.

After running script:

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  10.11.0.0/24         anywhere             udp dpt:netbios-ns
ACCEPT     udp  --  10.11.0.0/24         anywhere             udp dpt:netbios-dgm
ACCEPT     udp  --  10.11.0.0/24         anywhere             udp dpt:netbios-ssn
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:netbios-ns
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:netbios-dgm
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate NEW
DROP       all  --  anywhere             anywhere

Some variations included removing any "DROP" rule just to see if it would work and accepting traffic on all ports from any interface.

I'm wondering if squid might be dropping the connection somewhere, but the access log doesn't even show a connection as having been attempted. I tested it out by trying to load puppylinux.org (an http-based site) as well as refreshing my package cache (pacman -Syy) and they both timed out once the script was run.

lazydog · 12-13-2017, 08:49 PM

Have you checked to ensure that the proxy is running?
If it is running then tail the log file and see if anything is being writen to the log file when you try to browse to a site.

anon112 · 12-18-2017, 03:02 PM

Figured it out -- Looks like it was forwarding the port, but port 3129 wasn't being accepted from the internal IP addresses. Either that, or it could be the fact that the squid.conf didn't actually have my cache set to initialize.

Seems to be functional now. Thanks.

lazydog · 12-18-2017, 08:57 PM

Glad you got it figured out.