LinuxQuestions.org
Linux - Networking
Old 01-16-2008, 09:11 PM   #1
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

transparent squid proxy not working


Dear friends,

I am trying to implement a transparent proxy with my squid proxy server and iptables on the same machine, but somehow it doesn't work, although it looks relatively easy from what I have googled.

From what I read, I simply need the following configurations to build a transparent proxy.

ON squid:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

ON IPTABLES:
note: eth3 = internal interface

$IPT -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 3128


But it doesn't work...
It seems like it just doesn't detect the squid proxy when I do not set it manually.

Below is the complete iptables if useful:

note: eth3 = internal interface
IPT=/sbin/iptables   # assumed path to the iptables binary; the variable was not defined in the posted script
for table in mangle filter nat
do
$IPT -t $table -F
$IPT -t $table -X
$IPT -t $table -Z
done

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F
$IPT -X

$IPT -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 3128

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 23 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p udp --dport 21 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p udp --dport 20 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -m state --state NEW -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -j DROP

$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 23 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p udp --dport 21 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p udp --dport 20 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPT -A OUTPUT -j DROP

$IPT -A FORWARD -o lo -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j DROP



Thanks for taking the time to help!
 
Old 01-16-2008, 09:26 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

What version of Squid are you running and have you looked through the Squid FAQ on this at http://wiki.squid-cache.org/SquidFaq/InterceptionProxy?

Firstly you need a compiled version of Squid that supports this. Also, if you're using version 2.6 or 3.0 you only need the following in the .conf file:
Code:
http_port 3128 transparent
For previous versions you need:
Code:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy  on
httpd_accel_uses_host_header on
As far as iptables goes, something like the following is recommended:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
NOTE, that's --to-port, not --to-ports as you have listed.
 
Old 01-16-2008, 09:52 PM   #3
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Hi gilead,

thanks for your reply.
I am running squid-2.5.STABLE14-1.RHEL4.
so I use:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


and I have also corrected --to-ports to --to-port, but still no luck...
 
Old 01-16-2008, 10:11 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Does the Squid process start? You can check this with:
Code:
netstat -tanp | grep 3128
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN     14654/(squid)
tcp        0      0 192.168.1.10:3128       0.0.0.0:*               LISTEN     14654/(squid)
You can confirm this by checking the Squid log (usually) in /var/log/squid/cache.log
If it started correctly, then you can check whether connections are reaching it by looking in /var/log/squid/access.log
 
Old 01-17-2008, 12:53 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by gilead
NOTE, that's --to-port, not --to-ports as you have listed.
If you check the iptables manual you'll see it's supposed to be --to-ports (with an "s"), but I wouldn't be surprised if they made it work without the "s" also.

Niceman2005, in addition to the log file information, please post the output of these three commands:
Code:
squid -v
Code:
cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$
Code:
cat /proc/sys/net/ipv4/ip_forward
NOTE: I've moved this to Networking, as it's not a security issue.

Last edited by win32sux; 01-17-2008 at 12:55 AM.
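The checks gilead and win32sux ask for (squid -v, the stripped squid.conf, the netstat listen sockets and ip_forward) gathered into one diagnostic, as an added example that is not from any poster. It also checks the point REDIRECT hinges on: the target rewrites the destination to the address of the interface the packet arrived on, so Squid must be bound there. The sample outputs are constructed from the thread, and the internal interface address 192.168.1.10 is an assumption.

```python
import re

def squid_version(squid_v):
    """(major, minor) from the 'Squid Cache: Version x.y...' line of squid -v output."""
    m = re.search(r"Version (\d+)\.(\d+)", squid_v)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def listening_addrs(netstat, port):
    """Local addresses holding a LISTEN socket on tcp/<port> in netstat -tanp output."""
    addrs = set()
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN" and f[3].endswith(":%d" % port):
            addrs.add(f[3].rsplit(":", 1)[0])
    return addrs

ACCEL_DIRECTIVES = (("httpd_accel_host", "virtual"), ("httpd_accel_port", "80"),
                    ("httpd_accel_with_proxy", "on"), ("httpd_accel_uses_host_header", "on"))

def check_transparent_squid(squid_v, squid_conf, netstat, ip_forward, internal_ip, port=3128):
    """Return the problems found; an empty list means the basics line up."""
    problems = []
    if squid_version(squid_v) < (2, 6):
        # Squid 2.5 needs netfilter interception compiled in (visible in squid -v) ...
        if "--enable-linux-netfilter" not in squid_v:
            problems.append("squid was not built with --enable-linux-netfilter")
        # ... plus the four httpd_accel_* directives quoted in the thread
        for key, val in ACCEL_DIRECTIVES:
            if not re.search(r"^\s*%s\s+%s\s*$" % (key, val), squid_conf, re.M):
                problems.append("squid.conf lacks '%s %s'" % (key, val))
    elif not re.search(r"^\s*http_port\s+(\S+:)?%d\s+transparent\b" % port, squid_conf, re.M):
        problems.append("squid.conf lacks 'http_port %d transparent'" % port)
    # REDIRECT rewrites the destination to the address of the interface the packet
    # arrived on, so Squid must be bound to that address (or to 0.0.0.0).
    addrs = listening_addrs(netstat, port)
    if not addrs:
        problems.append("nothing is listening on tcp/%d; read cache.log" % port)
    elif not addrs & {internal_ip, "0.0.0.0"}:
        problems.append("squid listens on %s but REDIRECTed clients connect to %s"
                        % (sorted(addrs), internal_ip))
    if ip_forward.strip() != "1":
        problems.append("ip_forward is not 1: clients' non-port-80 traffic will not be routed")
    return problems

# Constructed sample inputs modelled on the thread: Squid 2.5 with the httpd_accel
# directives, listening only on loopback; eth3 is assumed to be 192.168.1.10.
SAMPLE_SQUID_V = "Squid Cache: Version 2.5.STABLE14\nconfigure options: --enable-linux-netfilter\n"
SAMPLE_CONF = ("http_port 3128\nhttpd_accel_host virtual\nhttpd_accel_port 80\n"
               "httpd_accel_with_proxy on\nhttpd_accel_uses_host_header on\n")
SAMPLE_NETSTAT = "tcp   0   0 127.0.0.1:3128   0.0.0.0:*   LISTEN   14654/(squid)\n"
if __name__ == "__main__":
    print(check_transparent_squid(SAMPLE_SQUID_V, SAMPLE_CONF, SAMPLE_NETSTAT, "1", "192.168.1.10"))
```

With the loopback-only listen socket the script reports the one finding that would make a correct REDIRECT rule look like "it doesn't detect the proxy"; once Squid also listens on the internal address, the list comes back empty.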
 
Old 01-17-2008, 05:10 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Quote:
Originally Posted by win32sux
If you check the iptables manual you'll see it's supposed to be --to-ports (with an "s"), but I wouldn't be surprised if they made it work without the "s" also.
Thanks for pointing out the changed syntax win32sux. My firewall scripts (and the Squid FAQ) haven't been updated in a long time. I don't know when it was changed to --to-ports but the old syntax still works.
 