Old 09-27-2008, 07:20 PM   #1
grzechoo
LQ Newbie
 
Registered: Sep 2008
Location: poland
Distribution: slackware, ubuntu, freebsd
Posts: 2
squid - hosts addresses


hello everybody

I recently added a transparent proxy server in my local network (running on a separate box, freebsd);
all the traffic is redirected by the router to this machine;
some users have the browser manually configured (pointed to the proxy), others do not;

everything works fine except for one thing;

I can see (in squid access.log) only the ip addresses of those hosts that have the browsers manually configured; the rest I see with the address of the router (192.168.1.1);

now I suppose that the problem is in the iptables rules (have to admit I'm not the best in this field)

here is my firewall

router - 192.168.1.1
squid - 192.168.1.245
Code:
# enable forwarding and load the filter/NAT/conntrack modules
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# flush both tables and set default policies (eth1 = LAN side, eth0 = WAN side)
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -F -t filter
/sbin/iptables -X -t filter
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/16 -d 0/0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/16 -s 0/0 -j ACCEPT
/sbin/iptables -t filter -A INPUT -j ACCEPT
## here all traffic is redirected to squid
# port-80 traffic from every LAN host except the squid box itself is DNATed to squid:3128
# ("! -s" is the current negation syntax; older iptables wrote "-s !")
/sbin/iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.245 -p tcp --dport 80 -j DNAT --to 192.168.1.245:3128
# the DNATed packets leave eth1 towards squid with their source address rewritten to the router (192.168.1.1),
# so squid receives them from 192.168.1.1 rather than from the original client
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/16 -d 192.168.1.245 -j SNAT --to 192.168.1.1
# note: this rule matches dport 8080, while the DNAT above sends traffic to 3128
/sbin/iptables -A FORWARD -s 192.168.1.0/16 -d 192.168.1.245 -i eth1 -o eth1 -p tcp --dport 8080 -j ACCEPT
##
# LAN -> internet traffic on the WAN interface is SNATed to the public address ($MY_IP is set elsewhere in the script)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT -s 192.168.1.0/16 -d 0/0 --to $MY_IP

access.log

Code:
1222405889.735    131 192.168.1.1 TCP_MISS/200 2614 GET http://www.kolo.com.pl/_files/polityka_jakosci_i_srodowiskowa_2006.jpg - DIRECT/217.17$
1222405889.751    132 192.168.1.1 TCP_MISS/200 1863 GET http://www.kolo.com.pl/_files/_atest_higieniczny_0497_01_1998.jpg - DIRECT/217.17.42.6$
1222405889.758   5174 192.168.1.250 TCP_REFRESH_MISS/200 8246 GET http://www.gazeta.pl/pub/rss/wiadomosci.xml - DIRECT/80.252.0.145 text/xml
1222405890.271   1336 192.168.1.1 TCP_MISS/200 1708 GET http://www.kolo.com.pl/_files/deklaracja_zgodnosci_ec_3.jpg - DIRECT/217.17.42.67 imag$
1222405890.749    486 192.168.1.1 TCP_MISS/200 8750 GET http://www.kolo.com.pl/_files/certyfikat_iso14001_1996_2004_pl.pdf - DIRECT/217.17.42.$
1222405893.198   2472 192.168.1.1 TCP_MISS/206 224342 GET http://www.kolo.com.pl/_files/certyfikat_iso14001_1996_2004_pl.pdf - DIRECT/217.17.4$
1222405909.916    274 192.168.1.1 TCP_MISS/200 3398 GET http://www.google.pl/ - DIRECT/66.249.91.103 text/html
1222405910.890    420 192.168.1.1 TCP_MISS/200 396 HEAD http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? - DIRECT/87.$
1222405911.532    496 192.168.1.1 TCP_MISS/200 383 HEAD http://update.microsoft.com/v8/windowsupdate/selfupdate/wuident.cab? - DIRECT/65.55.13$
1222405911.651     77 192.168.1.1 TCP_MISS/200 396 HEAD http://download.windowsupdate.com/v8/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3s$
1222405911.944    289 192.168.1.1 TCP_MISS/200 25479 GET http://download.windowsupdate.com/v8/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3$
1222405912.815      4 192.168.1.1 TCP_MEM_HIT/200 395 HEAD http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? - NONE/- $
1222405918.268    112 192.168.1.1 TCP_MISS/301 590 GET http://www.poczta.interia.pl/ - DIRECT/217.74.64.236 text/html
1222405918.575    303 192.168.1.1 TCP_MISS/200 11434 GET http://poczta.interia.pl/ - DIRECT/217.74.64.236 text/html
1222405919.413    493 192.168.1.1 TCP_MISS/200 7537 GET http://o.interia.pl/i/sg/sg.80326.css - DIRECT/217.74.64.230 text/css
1222405919.639    226 192.168.1.1 TCP_MISS/200 5386 GET http://o.interia.pl/i/js/sg.80812.js - DIRECT/217.74.64.230 application/x-javascript
1222405919.838    197 192.168.1.1 TCP_MISS/200 2131 GET http://o.interia.pl/i/sg/interia-przyjazny_portal.gif - DIRECT/217.74.64.230 image/gif
1222405919.866    617 192.168.1.141 TCP_MISS/200 3537 GET http://inwestycje.kolo.com.pl/katalog_toaleta_bez_barier.html - DIRECT/217.17.42.67 $
1222405920.128      0 192.168.1.1 TCP_DENIED/403 1444 GET http://hub.com.pl/_1222408254296/int.js? - NONE/- text/html
you can see:
- 192.168.1.250 and 192.168.1.141 - direct connection;
- 192.168.1.1 - the others (through the router);

i'd appreciate any help;

thanks
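The access.log lines above are in squid's native log format (timestamp, elapsed milliseconds, client address, result code, bytes, method, URL, ident, hierarchy/peer, content type). The following Python script is an added example for this thread, not code from the original post: it parses that format and reports how many requests are attributed to the router address instead of a real client, which is a quick way to measure the problem described above before and after changing the firewall rules. The sample lines are constructed, modelled on the ones in the post; the parser also tolerates lines cut off by the terminal (trailing `$`).

```python
"""Parse squid's native access.log and report which client addresses the
proxy actually sees.  Added example for this thread (not code from the
original post); the sample lines below are constructed, modelled on the
ones posted."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

GATEWAY = "192.168.1.1"  # router address from the post


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str               # address squid saw the request come from
    result: str               # e.g. TCP_MISS/200
    size: int
    method: str
    url: str
    hierarchy: Optional[str]  # e.g. DIRECT/217.17.42.67; None when cut off


def parse_line(line: str) -> Optional[AccessEntry]:
    """Parse one native-format line.  Returns None for non-log lines.
    Lines cut off by the terminal (trailing '$', as in the post) are parsed
    as far as they go; a field that was cut mid-way is dropped."""
    line = line.rstrip("\n")
    truncated = line.endswith("$")
    if truncated:
        line = line[:-1]
    # If the '$' followed a space, the last surviving field is complete.
    partial_last = truncated and not line.endswith(" ")
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts, elapsed, size = float(fields[0]), int(fields[1]), int(fields[4])
    except ValueError:
        return None
    hierarchy: Optional[str] = None
    if len(fields) > 9 or (len(fields) == 9 and not partial_last):
        hierarchy = fields[8]
    return AccessEntry(ts, elapsed, fields[2], fields[3], size,
                       fields[5], fields[6], hierarchy)


def client_summary(lines: Iterable[str], gateway: str = GATEWAY) -> Tuple[Counter, int]:
    """Requests per client address, and how many carry the gateway's address
    (i.e. were SNATed by the router before reaching squid)."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[entry.client] += 1
    return counts, counts[gateway]


def masked_fraction(lines: Iterable[str], gateway: str = GATEWAY) -> float:
    """Share of parsed requests whose real client address is lost."""
    counts, masked = client_summary(lines, gateway)
    total = sum(counts.values())
    return masked / total if total else 0.0


# Constructed sample, shaped like the post's log (hosts/URLs are placeholders).
SAMPLE_LOG = """\
1222405889.735    131 192.168.1.1 TCP_MISS/200 2614 GET http://www.example.pl/a.jpg - DIRECT/217.17$
1222405889.758   5174 192.168.1.250 TCP_REFRESH_MISS/200 8246 GET http://www.example.pl/rss.xml - DIRECT/80.252.0.145 text/xml
1222405909.916    274 192.168.1.1 TCP_MISS/200 3398 GET http://www.google.pl/ - DIRECT/66.249.91.103 text/html
1222405919.866    617 192.168.1.141 TCP_MISS/200 3537 GET http://www.example.pl/k.html - DIRECT/217.17.42.67 $
1222405920.128      0 192.168.1.1 TCP_DENIED/403 1444 GET http://hub.example/int.js? - NONE/- text/html
this is not a log line
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, masked = client_summary(lines)
    for client, n in counts.most_common():
        tag = "  <- router address, real client unknown" if client == GATEWAY else ""
        print(f"{client:16} {n}{tag}")
    print(f"{masked_fraction(lines):.0%} of requests lost their client address")
```

Run it against the real file with `python3 squidclients.py < /var/log/squid/access.log` after replacing `SAMPLE_LOG` with `sys.stdin`; a high masked fraction means the proxy's logs cannot be used to attribute browsing to hosts, which matters for both troubleshooting and incident review.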
 
Old 09-28-2008, 12:57 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: pclinuxos slackware64 tails kali
Posts: 3,376
Blog Entries: 33

It may be a combination of both; I use squid and iptables to control my network.

I have found these pages invaluable...

http://www.linuxhomenetworking.com/

in particular, squid...

http://www.linuxhomenetworking.com/w...ess_with_Squid

and iptables...

http://www.linuxhomenetworking.com/w...Using_iptables

The only machine I have with a "browser" setting "to proxy" is the firewalled-gateway (fwgw). The others are just "connected directly to the internet".

My fwgw sys, ppp0=ext eth0=int

cheers, Glenn