[SOLVED] How to set up IPTABLES rules for a Squid proxy/gateway?
How to set up IPTABLES rules for a Squid proxy/gateway?
I've decided to set up Arch Linux as a network gateway providing a firewall and DHCP server to my network switch. Since I have about 20 or so Arch Linux computers, I want to set up a squid transparent proxy to (among other things) reduce the download bandwidth associated with updates. I've got squid configured, but I can't figure out how to get IPTables to forward to squid.
Currently in my persistent IPTables config, I have the following rules defined (trimmed to only what I've changed from the defaults)
Code:
*mangle
-A PREROUTING -p tcp --dport 3129 -j DROP
[...]
*nat
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j REDIRECT --to-ports 3129 #Squid is set to intercept port 3129
-A POSTROUTING -o enp5s0 -j MASQUERADE
[...]
NOTE: enp5s0 is my "outside world" interface and enp0s29f7u1 is my local local network
IPTables isn't complaining about anything in the config, but for some reason none of my local HTTP traffic is being sent to squid. How do I fix this?
First you need to remove the DROP and ACCEPT from your PREROUTING rules. DROP and ACCEPT should only be applied to the filter rules.
Is the proxy server running on the same system as your firewall? If it is, then maybe you should be doing this:
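As an added illustration of the shadowing point in the reply above (this is not the poster's code): a small linter for iptables-save output that reports a nat REDIRECT/DNAT rule preceded on the same chain by an ACCEPT/DROP that already matches the same packets, so the redirect never fires. The sample dump is constructed from the nat rules quoted in the first post; the matcher only models -i, -p and --dport, not negation or other match modules.

```python
# Added example: flag a nat REDIRECT/DNAT rule that an earlier terminal target on the
# same chain already covers (simplified model of iptables matching: -i, -p, --dport only).
# Constructed sample modelled on the nat rules quoted in the first post.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o enp5s0 -j MASQUERADE
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FLAGS = {"-j": "target", "-i": "iface", "-p": "proto", "--dport": "dport", "--destination-port": "dport"}

def parse_dump(text):
    """Parse iptables-save text into {table: {chain: [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:" or line == "COMMIT":   # comments, chain policies, COMMIT
            continue
        if line.startswith("*"):                               # table header, e.g. *nat
            table = line[1:]
            tables[table] = {}
        elif line.startswith("-A "):                           # append rule to a chain
            parts = line.split()
            rule = {"raw": line, "target": None, "iface": None, "proto": None, "dport": None}
            for i, tok in enumerate(parts[:-1]):
                if tok in FLAGS:
                    rule[FLAGS[tok]] = parts[i + 1]
            tables[table].setdefault(parts[1], []).append(rule)
    return tables

def covers(earlier, later):
    """True when every match the earlier rule sets also holds for the later one (unset = wildcard)."""
    return all(earlier[k] is None or earlier[k] == later[k] for k in ("iface", "proto", "dport"))

def shadowed_redirects(tables):
    """Return (chain, shadowing rule, dead rule) triples for the nat table."""
    findings = []
    for chain, rules in tables.get("nat", {}).items():
        for idx, rule in enumerate(rules):
            if rule["target"] not in ("REDIRECT", "DNAT"):
                continue
            shadow = next((e for e in rules[:idx]
                           if e["target"] in TERMINAL and covers(e, rule)), None)
            if shadow:
                findings.append((chain, shadow["raw"], rule["raw"]))
    return findings
```

Running `shadowed_redirects(parse_dump(SAMPLE_DUMP))` reports the port-80 REDIRECT as dead because of the ACCEPT in front of it; removing that ACCEPT clears the finding.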
I've done that, but then no http pages load (https still works, but I'm only forwarding port 80). So when I set up the redirect to 3129 none of the http requests get through.
This is running on the same system as the firewall.
Last edited by anon112; 12-03-2017 at 06:10 AM.
Reason: clarification
It's been modified a few times as I set stuff up on the local network, so it's a bit different from the original. This is what I'm working with right now.
Code:
# Generated by iptables-save v1.6.1 on Sun Dec 3 13:03:03 2017
# Completed on Sun Dec 3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec 3 13:03:03 2017
*mangle
:PREROUTING ACCEPT [909:450265]
:INPUT ACCEPT [183:13040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70:8968]
:POSTROUTING ACCEPT [796:446193]
COMMIT
# Completed on Sun Dec 3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec 3 13:03:03 2017
*raw
:PREROUTING ACCEPT [909:450265]
:OUTPUT ACCEPT [70:8968]
COMMIT
# Completed on Sun Dec 3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec 3 13:03:03 2017
*nat
:PREROUTING ACCEPT [25:1639]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 443 -j ACCEPT
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 8080 -j ACCEPT
###The following relates to SQUID proxy:
-A PREROUTING -i enp0s29f7u1 -p tcp --destination-port 80 -j REDIRECT --to-ports 3129
###
-A POSTROUTING -o enp5s0 -j MASQUERADE
-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129
COMMIT
# Completed on Sun Dec 3 13:03:03 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [70:8968]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp0s29f7u1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#PORT FORWARDING
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
##
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u1 -j ACCEPT
-A FORWARD -o enp0s29f7u1 -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp5s0 -j ACCEPT
-A FORWARD -i enp5s0 -o enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp5s0 -j ACCEPT
COMMIT
OK, let's fix your rules so you are using STATEFUL and not mixed.
What is this used for?
Code:
-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129
New Rules:
Code:
## CLEARING FIREWALL
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
## POLICY SETUP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
## PREROUTE SETUP
# PREROUTING/POSTROUTING live in the nat table; without -t nat these two rules fail to load
iptables -t nat -A PREROUTING -i enp0s29f7u1 -p tcp --destination-port 80 -j REDIRECT --to-ports 3129
## POSTROUTE SETUP
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
## INPUT SETUP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP
## OUTPUT SETUP
# Not sure about this rule and why you are using it
#iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129
## FORWARD SETUP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s29f7u1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j DROP
If you are only allowing access on the INPUT from your inside interface we can change the INPUT rules to reflect this:
Code:
## INPUT SETUP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP
FORWARD rules are only used when going in one interface and leaving another. Going in and out the same interface is only going to be looked at with INPUT and OUTPUT.
Test these rules and see if they do what you are looking for. You can always reload your original rules by restarting iptables if something doesn't work. Should something not work take note of what you were doing and what you expected to happen.
I believe that output rule was a result of me tinkering with squid. It was supposed to be commented out at some point.
I've tried running the script you posted (as well as a couple of variations to be more permissive on traffic) and it seems to block all traffic going through the gateway.
Some variations included removing any "DROP" rule just to see if it would work and accepting traffic on all ports from any interface.
I'm wondering if squid might be dropping the connection somewhere, but the access log doesn't even show a connection as having been attempted. I tested it out by trying to load puppylinux.org (an http-based site) as well as refreshing my package cache (pacman -Syy) and they both timed out once the script was run.
Last edited by anon112; 12-11-2017 at 06:11 AM.
Reason: Fix output
Have you checked to ensure that the proxy is running?
If it is running then tail the log file and see if anything is being written to the log file when you try to browse to a site.
Figured it out -- Looks like it was forwarding the port, but port 3129 wasn't being accepted from the internal IP addresses. Either that, or it could be the fact that the squid.conf didn't actually have my cache set to initialize.