Old 12-01-2017, 07:15 PM   #1
kev717
How to set up IPTABLES rules for a Squid proxy/gateway?


I've decided to set up Arch Linux as a network gateway providing a firewall and DHCP server to my network switch. Since I have about 20 or so Arch Linux computers, I want to set up a squid transparent proxy to (among other things) reduce the download bandwidth associated with updates. I've got squid configured, but I can't figure out how to get IPTables to forward to squid.

Currently in my persistent IPTables config, I have the following rules defined (trimmed to only what I've changed from the defaults)

Code:
*mangle
-A PREROUTING -p tcp --dport 3129 -j DROP
[...]
*nat
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j REDIRECT --to-ports 3129 #Squid is set to intercept port 3129
-A POSTROUTING -o enp5s0 -j MASQUERADE
[...]
NOTE: enp5s0 is my "outside world" interface and enp0s29f7u1 is my local network

IPTables isn't complaining about anything in the config, but for some reason none of my local HTTP traffic is being sent to squid. How do I fix this?
 
Old 12-02-2017, 06:41 PM   #2
lazydog
First you need to remove your drop and accept from your preroute rules. Drop and Accept should only be applied to the filter rules.
Is the proxy server running on the same system as your firewall? If it is, then maybe you should be doing this:
Code:
iptables -t nat -A PREROUTING -i enp0s29f7u1 -p tcp -m multiport --destination-port 80,443 -j REDIRECT --to-ports 3129
If it is not on the same system then you should be looking at DNAT.
 
Old 12-03-2017, 07:09 AM   #3
kev717
I've done that, but then no http pages load (https still works, but I'm only forwarding port 80). So when I set up the redirect to 3129 none of the http requests get through.

This is running on the same system as the firewall.

 
Old 12-06-2017, 04:59 PM   #4
lazydog
Would it be possible to see all your firewall rules? There might be something else interfering with this.
 
Old 12-07-2017, 05:15 PM   #5
kev717
It's been modified a few times as I set stuff up on the local network, so it's a bit different from the original. This is what I'm working with right now.

Code:
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
# Completed on Sun Dec  3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
*mangle
:PREROUTING ACCEPT [909:450265]
:INPUT ACCEPT [183:13040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70:8968]
:POSTROUTING ACCEPT [796:446193]
COMMIT
# Completed on Sun Dec  3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
*raw
:PREROUTING ACCEPT [909:450265]
:OUTPUT ACCEPT [70:8968]
COMMIT
# Completed on Sun Dec  3 13:03:03 2017
# Generated by iptables-save v1.6.1 on Sun Dec  3 13:03:03 2017
*nat
:PREROUTING ACCEPT [25:1639]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 443 -j ACCEPT
#-A PREROUTING -i enp0s29f7u1 -p tcp --dport 8080 -j ACCEPT
###The following relates to SQUID proxy:
-A PREROUTING -i enp0s29f7u1 -p tcp --destination-port 80 -j REDIRECT --to-ports 3129
###
-A POSTROUTING -o enp5s0 -j MASQUERADE
-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129
COMMIT
# Completed on Sun Dec  3 13:03:03 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [70:8968]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp0s29f7u1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#PORT FORWARDING
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
##
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u1 -j ACCEPT
-A FORWARD -o enp0s29f7u1 -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp5s0 -j ACCEPT
-A FORWARD -i enp5s0 -o enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u1 -o enp5s0 -j ACCEPT
COMMIT
 
Old 12-10-2017, 12:56 AM   #6
lazydog
OK, let's fix your rules so you are using STATEFUL and not mixed.

What is this used for?
Code:
-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129

New Rules:
Code:
## CLEARING FIREWALL
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

## POLICY SETUP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP


## PREROUTE SETUP
# PREROUTING and POSTROUTING live in the nat table; without -t nat these two commands fail,
# so nothing is redirected or masqueraded.
iptables -t nat -A PREROUTING -i enp0s29f7u1 -p tcp --destination-port 80 -j REDIRECT --to-ports 3129

## POSTROUTE SETUP
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE

## INPUT SETUP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Redirected HTTP is delivered locally on port 3129, so INPUT has to accept it from the inside interface.
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3129 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.11.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP

## OUTPUT SETUP
# Not sure about this rule and why you are using it
#iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.11.0.1:3129

## FORWARD SETUP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s29f7u1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j DROP

If you are only allowing access on the INPUT from your inside interface we can change the INPUT rules to reflect this:
Code:
## INPUT SETUP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Redirected HTTP is delivered locally on port 3129, so INPUT has to accept it from the inside interface.
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3129 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i enp0s29f7u1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP
FORWARD rules are only used when going in one interface and leaving another. Going in and out the same interface is only going to be looked at with INPUT and OUTPUT.

Test these rules and see if they do what you are looking for. You can always reload your original rules by restarting iptables if something doesn't work. Should something not work take note of what you were doing and what you expected to happen.

 
Old 12-11-2017, 07:10 AM   #7
kev717
I believe that output rule was a result of me tinkering with squid. It was supposed to be commented out at some point.

I've tried running the script you posted (as well as a couple of variations to be more permissive on traffic) and it seems to block all traffic going through the gateway.

After running script:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  10.11.0.0/24         anywhere             udp dpt:netbios-ns
ACCEPT     udp  --  10.11.0.0/24         anywhere             udp dpt:netbios-dgm
ACCEPT     udp  --  10.11.0.0/24         anywhere             udp dpt:netbios-ssn
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:netbios-ns
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:netbios-dgm
ACCEPT     tcp  --  10.11.0.0/24         anywhere             ctstate NEW tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate NEW
DROP       all  --  anywhere             anywhere
Some variations included removing any "DROP" rule just to see if it would work and accepting traffic on all ports from any interface.

I'm wondering if squid might be dropping the connection somewhere, but the access log doesn't even show a connection as having been attempted. I tested it out by trying to load puppylinux.org (an http-based site) as well as refreshing my package cache (pacman -Syy) and they both timed out once the script was run.

 
Old 12-13-2017, 09:49 PM   #8
lazydog
Have you checked to ensure that the proxy is running?
If it is running then tail the log file and see if anything is being written to the log file when you try to browse to a site.
 
Old 12-18-2017, 04:02 PM   #9
kev717
Figured it out -- Looks like it was forwarding the port, but port 3129 wasn't being accepted from the internal IP addresses. Either that, or it could be the fact that the squid.conf didn't actually have my cache set to initialize.

Seems to be functional now. Thanks.
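The three things this thread tripped over can be checked mechanically against an `iptables-save` dump: filter verdicts (ACCEPT/DROP) sitting in mangle or nat, an earlier rule with the same match shadowing the REDIRECT, and a filter INPUT chain that never opens the intercept port the packets are redirected to. The checker below is an added example, not code posted in the thread; the dump it parses is constructed from the first post's rules, and `lint()` can be run over any saved rule set.

```python
import re
# Constructed dump modelled on the first post of this thread: a DROP in mangle, an ACCEPT
# in nat PREROUTING ahead of the REDIRECT, and a filter INPUT (policy DROP) that never opens 3129.
SAMPLE_DUMP = """\
*mangle
-A PREROUTING -p tcp --dport 3129 -j DROP
COMMIT
*nat
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -i enp0s29f7u1 -p tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_dump(text):
    # Group "-A <chain> ..." lines by table; comments, policy lines and counters are skipped.
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables

def lint(text):
    # Returns a list of findings; an empty list means none of the three pitfalls was seen.
    tables, findings = parse_dump(text), []
    # 1. ACCEPT/DROP are filter verdicts; in mangle/nat they only end the chain early.
    for tbl in ("mangle", "nat"):
        for rule in tables.get(tbl, []):
            if re.search(r"-j (ACCEPT|DROP)\b", rule):
                findings.append(f"{tbl}: filter verdict in '{rule}'")
    nat = tables.get("nat", [])
    inputs = [r for r in tables.get("filter", []) if r.startswith("-A INPUT ")]
    for i, rule in enumerate(nat):
        m = re.search(r"-j REDIRECT --to-ports (\d+)", rule)
        if not m: continue
        # 2. An earlier terminating rule with the identical match hides the REDIRECT.
        match_part = rule.split(" -j ")[0]
        for earlier in nat[:i]:
            if earlier.split(" -j ")[0] == match_part:
                findings.append(f"nat: REDIRECT shadowed by '{earlier}'")
        # 3. Redirected packets are delivered locally, so filter INPUT must accept that port.
        port_re = rf"--(?:dport|destination-port) {m.group(1)}\b.*-j ACCEPT"
        if not any(re.search(port_re, r) for r in inputs):
            findings.append(f"filter: INPUT has no ACCEPT for redirect port {m.group(1)}")
    return findings
```

Feed it the output of `iptables-save` (not `iptables -L`, whose service-name columns the parser does not read); a clean run returns an empty list.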
 
Old 12-18-2017, 09:57 PM   #10
lazydog
Glad you got it figured out.
 