transparent proxy with squid and iptables won't log correct IPs from lan

kabuki · 08-25-2010, 06:07 AM

Hi there,

i just finished setup a proxy machine that runs in a separate box from gw.
the adresses i use in firewall are
squid box = 10.5.5.121
gw = 10.5.5.1
lan = 10.5.5.0/24

i have the following iptables rules

on squid box

Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

on gw
Code:

Code:

iptables -t nat -A PREROUTING -i eth1 -s ! 10.5.5.121 -p tcp --dport 80 -j DNAT --to 10.5.5.121:3128
iptables -t nat -A POSTROUTING -o eth1 -s 10.5.5.0/24 -d 10.5.5.121 -j SNAT --to 10.5.5.1
iptables -A FORWARD -s 10.5.5.0/24 -d 10.5.5.121 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT

everything appears to function right, except the fact that all the logs in squid log appear as if they're coming from gw IP 10.5.5.1, no matter from what machine they were initiated.

here's an example

Code:

1282549242.411  74219 10.5.5.1 TCP_MISS/200 285 GET some_http_address - DIRECT/208.43.202.34 text/html

my question is how can i modify the iptables rules so it will forward the real ip's where the requests are originated from.

thanks in advance.

linuxlover.chaitanya · 08-26-2010, 01:07 AM

Have you checked x_forwarded_for option in squid? Not the same exact issue, but I had this when I put Dans with squid and this is what happened with squid logs. Allow x_forwarded_for for certain source addresses solved the issue.

SuperJediWombat! · 08-26-2010, 09:16 AM

Quote:

Originally Posted by kabuki

...

Code:

iptables -t nat -A POSTROUTING -o eth1 -s 10.5.5.0/24 -d 10.5.5.121 -j SNAT --to 10.5.5.1

...
my question is how can i modify the iptables rules so it will forward the real ip's where the requests are originated from.

It is not possible to use iptables to do this. Squid makes these logs based on the packet header which is rewritten by the SNAT rule above.

If you were to put the squid box on a dedicated interface from the gateway you could remove the SNAT rule.