LinuxQuestions.org
Old 05-09-2013, 12:25 PM   #1
Alcyone
Transparent proxy, 2 NICs, forward to internal proxy server

I've been banging my head against the wall on this for about a week and can't seem to get anywhere. Here's what I have:

Ubuntu box with 2 NICs (used as a router)
-eth 0 - connected to internet with IP 192.168.12.253 (WAN)
-eth 1 - LAN with IP 192.168.24.1 - internal network

I want to set up a transparent proxy so that all internal requests from clients on the 192.168.24.0/24 network are routed to 192.168.24.5:8081

I've been able to set up a transparent proxy with squid and get it working, but when I tried to redirect squid to my desired internal proxy server I get access denied on all external websites. But I really could care less about squid. I just need to forward all internet traffic to an internal WebMarshal server (on Windows) using port 8081 (IP address authentication). I want to use the Ubuntu box as a router.

Here's my iptables config file. Please help :-)

Code:

#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-...uid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.24.5"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth2"
# Squid port
SQUID_PORT="8081"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Last edited by Alcyone; 05-09-2013 at 12:44 PM.
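An added example (not the poster's script and not from the nixCraft article): the nat/forward rules for this two-NIC router when the proxy (192.168.24.5:8081) sits on the same LAN segment as the clients, using the interface names the poster confirms later in the thread (eth1 = WAN, eth2 = LAN) and assuming IP forwarding is already enabled as in the posted script. It adds the two rules the posted script lacks: the proxy host is excluded from the DNAT, and DNATed packets leaving through the LAN NIC are SNATed to the router (hairpin NAT), without which the proxy replies to the client directly and the client discards the reply.

```shell
#!/bin/sh
# Added example, not the poster's script: nat/forward rules for the two-NIC
# router in the thread, where the proxy (192.168.24.5:8081) sits on the SAME
# LAN segment as the clients. Interface names follow post #6 (eth1 WAN, eth2 LAN).
# Two rules the posted script lacks:
#   1. the proxy host is excluded from the DNAT, otherwise its own outbound
#      HTTP fetches are looped straight back to it;
#   2. packets DNATed back out of the LAN NIC are SNATed to the router's LAN
#      address (hairpin NAT); without this the proxy answers the client
#      directly and the client discards the reply, which looks like "no internet".
WAN="eth1"
LAN="eth2"
LAN_IP="192.168.24.1"
PROXY="192.168.24.5"
PROXY_PORT="8081"

# DRY_RUN=1 (default here) prints the commands instead of running them, so the
# rule set can be reviewed or tested without root; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

proxy_rules() {
    ipt -t nat -F
    ipt -F FORWARD
    # Default-deny forwarding; only LAN-originated flows and their replies pass.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -j ACCEPT
    # 1. Send LAN port-80 traffic to the proxy, except traffic from the proxy itself.
    ipt -t nat -A PREROUTING -i "$LAN" ! -s "$PROXY" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY:$PROXY_PORT"
    # 2. Hairpin: redirected packets leave via the LAN NIC again; rewrite their
    #    source so the proxy's replies return through the router's conntrack entry.
    ipt -t nat -A POSTROUTING -o "$LAN" -p tcp -d "$PROXY" --dport "$PROXY_PORT" \
        -j SNAT --to-source "$LAN_IP"
    # Everything else from the LAN is masqueraded out the WAN side, as before.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

proxy_rules
```

The hairpin SNAT makes every client appear to the proxy as 192.168.24.1, which defeats the per-client IP address authentication the poster wants on the WebMarshal side. To keep the real client addresses, the proxy has to be reached across a different subnet (a third NIC or VLAN on the router), where the plain DNAT works without the SNAT rule.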
 
Old 05-09-2013, 07:11 PM   #2
GlennsPref
Quote:
Ubuntu box with 2 NICs (used as a router)
-eth 0 - connected to internet with IP 192.168.12.253 (WAN)
-eth 1 - LAN with IP 192.168.24.1 - internal network
Quote:
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth2"
These eth(n) ports need to match, or redirection cannot work.

Oh, and Welcome to LQ!
 
Old 05-10-2013, 02:33 PM   #3
Alcyone
Thanks for the response, but when I set them both to eth1 I get completely open internet (bypassing the proxy server). If I set them both to eth2 I don't get any internet at all. Is there something else I'm missing?
 
Old 05-10-2013, 05:05 PM   #4
GlennsPref
I don't understand.

Type ifconfig and check the device names there; your other scripts need to match them.

What I'm suggesting is that if eth0 is the external connection and eth1 is the internal connection, then the iptables script needs to use the same names.

if this is true...
Quote:
Ubuntu box with 2 NICs (used as a router)
-eth 0 - connected to internet with IP 192.168.12.253 (WAN)
-eth 1 - LAN with IP 192.168.24.1 - internal network
this is wrong.
Quote:
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth2"
then change to
Quote:
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
I have found this site useful: easyfwgen.morizot.net/gen/

cheers, Glenn

Last edited by GlennsPref; 05-10-2013 at 05:05 PM. Reason: spelling
 
Old 05-10-2013, 05:28 PM   #5
GlennsPref
Also, that article is very old.

Squid has evolved. Many things are automatic. Like "httpd_accel_"

If squid fails, after you sort out the eth probs,

type
Code:
squid -z
as root, to initialise the cache. (Tap enter to exit.)

A number of things may stop squid from working; low disk space (no cache) is one.
 
Old 05-14-2013, 02:29 PM   #6
Alcyone
Thanks for the responses. However, I'm running out of time to get this working. To clarify, it is eth1 = WAN and eth2 = LAN. ifconfig brings back lo, eth1 and eth2. But this just plain flat out refuses to work. I can neither forward to another internal proxy using squid.conf in squid 3 nor can I use iptables to forward to another internal server. It just won't work. I'll have to give up and find a Windows solution with Routing and Remote Services. I assume what I'm trying to do in Linux isn't possible. Thanks anyway.

Last edited by Alcyone; 05-14-2013 at 02:32 PM.
 
Old 05-14-2013, 07:15 PM   #7
GlennsPref
Quote:
I assume what I'm trying to do in linux isn't possible.
Of course it's possible, I/we just can't see your machine to fix it for you.

If you really want it you'll find it.

What do you get when you type in
Code:
ifconfig

Last edited by GlennsPref; 05-14-2013 at 07:17 PM. Reason: ifconfig