squid

grzechoo · 09-27-2008, 06:20 PM

hello everybody

i recently added a transparent proxy server in my local network (running on a separate box, freebsd);
all the traffic is redirected by router to this machine;
some users have the browser manually configured (pointed to the proxy), others do not;

everything works fine except for one thing;

i can see (in squid access.log) only the ip addresses of those hosts that have the browsers manuallu configured, the rest i see with the address of the router (192.168.1.1);

now i suppose that the problem is in the iptables rules (have to admit i'm not best in thi field)

here is my firewall

router - 192.168.1.1
squid - 192.168.1.245

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -F -t filter
/sbin/iptables -X -t filter
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/16 -d 0/0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/16 -s 0/0 -j ACCEPT
/sbin/iptables -t filter -A INPUT -j ACCEPT
##tutaj jestprzekierowanie calego ruchu na squida
/sbin/iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.1.245 -p tcp --dport 80 -j DNAT --to 192.168.1.245:3128
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/16 -d 192.168.1.245 -j SNAT --to 192.168.1.1
/sbin/iptables -A FORWARD -s 192.168.1.0/16 -d 192.168.1.245 -i eth1 -o eth1 -p tcp --dport 8080 -j ACCEPT
##
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT -s 192.168.1.0/16 -d 0/0 --to $MY_IP

access.log

Code:

1222405889.735    131 192.168.1.1 TCP_MISS/200 2614 GET http://www.kolo.com.pl/_files/polityka_jakosci_i_srodowiskowa_2006.jpg - DIRECT/217.17$
1222405889.751    132 192.168.1.1 TCP_MISS/200 1863 GET http://www.kolo.com.pl/_files/_atest_higieniczny_0497_01_1998.jpg - DIRECT/217.17.42.6$
1222405889.758   5174 192.168.1.250 TCP_REFRESH_MISS/200 8246 GET http://www.gazeta.pl/pub/rss/wiadomosci.xml - DIRECT/80.252.0.145 text/xml
1222405890.271   1336 192.168.1.1 TCP_MISS/200 1708 GET http://www.kolo.com.pl/_files/deklaracja_zgodnosci_ec_3.jpg - DIRECT/217.17.42.67 imag$
1222405890.749    486 192.168.1.1 TCP_MISS/200 8750 GET http://www.kolo.com.pl/_files/certyfikat_iso14001_1996_2004_pl.pdf - DIRECT/217.17.42.$
1222405893.198   2472 192.168.1.1 TCP_MISS/206 224342 GET http://www.kolo.com.pl/_files/certyfikat_iso14001_1996_2004_pl.pdf - DIRECT/217.17.4$
1222405909.916    274 192.168.1.1 TCP_MISS/200 3398 GET http://www.google.pl/ - DIRECT/66.249.91.103 text/html
1222405910.890    420 192.168.1.1 TCP_MISS/200 396 HEAD http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? - DIRECT/87.$
1222405911.532    496 192.168.1.1 TCP_MISS/200 383 HEAD http://update.microsoft.com/v8/windowsupdate/selfupdate/wuident.cab? - DIRECT/65.55.13$
1222405911.651     77 192.168.1.1 TCP_MISS/200 396 HEAD http://download.windowsupdate.com/v8/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3s$
1222405911.944    289 192.168.1.1 TCP_MISS/200 25479 GET http://download.windowsupdate.com/v8/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3$
1222405912.815      4 192.168.1.1 TCP_MEM_HIT/200 395 HEAD http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? - NONE/- $
1222405918.268    112 192.168.1.1 TCP_MISS/301 590 GET http://www.poczta.interia.pl/ - DIRECT/217.74.64.236 text/html
1222405918.575    303 192.168.1.1 TCP_MISS/200 11434 GET http://poczta.interia.pl/ - DIRECT/217.74.64.236 text/html
1222405919.413    493 192.168.1.1 TCP_MISS/200 7537 GET http://o.interia.pl/i/sg/sg.80326.css - DIRECT/217.74.64.230 text/css
1222405919.639    226 192.168.1.1 TCP_MISS/200 5386 GET http://o.interia.pl/i/js/sg.80812.js - DIRECT/217.74.64.230 application/x-javascript
1222405919.838    197 192.168.1.1 TCP_MISS/200 2131 GET http://o.interia.pl/i/sg/interia-przyjazny_portal.gif - DIRECT/217.74.64.230 image/gif
1222405919.866    617 192.168.1.141 TCP_MISS/200 3537 GET http://inwestycje.kolo.com.pl/katalog_toaleta_bez_barier.html - DIRECT/217.17.42.67 $
1222405920.128      0 192.168.1.1 TCP_DENIED/403 1444 GET http://hub.com.pl/_1222408254296/int.js? - NONE/- text/html

you can see:
- 192.168.1.250 and 192.168.1.141 - direct connection;
- 192.168.1.1 - others (through router);

i'd appreciate any help;

thanks

GlennsPref · 09-27-2008, 11:57 PM

It maybe a combination of both, I use squid and iptables to control my network.

I have found these pages invaluable...

http://www.linuxhomenetworking.com/

in particular, squid...

http://www.linuxhomenetworking.com/w...ess_with_Squid

and iptables...

http://www.linuxhomenetworking.com/w...Using_iptables

The only machine i have with a "browser" setting "to proxy" is the firewalled-gateway (fwgw). The others are just "connected directly to the internet"

My fwgw sys, ppp0=ext eth0=int

cheers, Glenn