LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-23-2004, 03:57 PM   #1
azfar
LQ Newbie
 
Registered: Nov 2004
Posts: 16

Rep: Reputation: 0
Squid with NAT


I am getting strange problem in squid with NAT.
Squid running on 8080

I have a port redirection i-e 80 to 8080 rule in iptables and NAT is also enabled for except http.

Now I saw that even my squid service not started but browsing is working. I checked access.log while browsing from a client but no new entries created. But when I use manual proxy setting new logs created and performance is also boost.

I tried port 80 in squid.conf but same.

Thats mean all traffic including http goes through NAT and squid have no part in it.

How can I run Squid (Transparent mode) and NAT at same time.

Here is my rc.local output.

touch /var/lock/subsys/local
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F -t mangle
iptables -Z -t mangle
iptables -F -t nat
iptables -Z -t nat
iptables -F
iptables -Z
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t mangle -A FORWARD -p tcp --dport 1863 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp --dport 5000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp --dport 5050 -j TOS --set-tos Minimize-Delay

Is there something wrong.
 
Old 11-24-2004, 12:03 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Looks like your transparent settings are incorrect..

As a minimum you need..

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_single_host off
httpd_accel_uses_host_header on

Make squid listen to only 127.0.0.1 port 80
eg http_port 127.0.0.1:80
and change your REDIRECT for port 80
eg iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT

Last edited by peter_robb; 11-24-2004 at 12:07 PM.
 
Old 11-24-2004, 01:48 PM   #3
bdogg
Member
 
Registered: Sep 2004
Location: Salt Lake City, UT
Distribution: Debian Sarge
Posts: 93

Rep: Reputation: 15
From personal experience:

Restrict squid in some way or another. In it's defaults it can be used to send spam email. I have squid redirecting for only two sites behind the NAT on an internal network, and so I set some acl's like this:

acl safetraffic dst 192.168.0.0/255.255.255.0
http_access allow safetraffic
http_access deny all

Of course your setup could be different than mine, but it is always good to tie it down to what you want it to do. If you are unsure as to if it is being used as a relay, just run iptraf or netstat and you will see connections to port25 of a bunch of machines, then you know it is not secure enough, shut it down and secure it even more.

If you have any questions about how to secure it let us know your setup and we'll see what we can come up with.
 
Old 11-24-2004, 02:49 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
That's the reasoning behind having it only listen to the loopback 127.0.0.1

Only the traffic you direct to it gets to it..

Of course it can be abused by the internal machines, but that's a whole new subject..
 
Old 11-24-2004, 03:20 PM   #5
bdogg
Member
 
Registered: Sep 2004
Location: Salt Lake City, UT
Distribution: Debian Sarge
Posts: 93

Rep: Reputation: 15
I had mine listening on 192.168.0.1:4000, still was being used as an open relay.

If you set your rules to redirect from port 80 to the squid, then any port scanner searching port80 will find it because your rules will send them to it. So you could run it on your loopback, but you then need to secure your rules to only redirect safe traffic from port 80 to the loopbackort where it is listening.
 
Old 11-24-2004, 09:54 PM   #6
azfar
LQ Newbie
 
Registered: Nov 2004
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by peter_robb
Looks like your transparent settings are incorrect..

As a minimum you need..

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_single_host off
httpd_accel_uses_host_header on

Make squid listen to only 127.0.0.1 port 80
eg http_port 127.0.0.1:80
and change your REDIRECT for port 80
eg iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT

Well I already have these lines in my squid.conf

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_single_host off
httpd_accel_uses_host_header on

I will try your following tips then let you know.

Make squid listen to only 127.0.0.1 port 80
eg http_port 127.0.0.1:80
and change your REDIRECT for port 80
eg iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid behind a NAT/FW colonyofcrumbs Linux - Networking 3 05-17-2005 11:18 PM
problem in nat table + squid alvi2 Linux - Networking 3 03-05-2005 06:18 AM
Squid NAT logging problem ncorreia Linux - Software 0 09-23-2004 06:52 AM
Help With Bind,squid,nat And Proxy debloxie Linux - Networking 0 01-20-2004 06:43 AM
problem about NAT and squid Warchief Linux - Networking 3 07-21-2003 07:48 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration