LinuxQuestions.org
Forums > Linux Forums > Linux - Newbie
Old 07-02-2012, 07:33 AM   #1
uk.engr
Member
Registered: Apr 2012
Posts: 131
Transparent proxy squid 3.1


Assalam o Alaikum!

I have this configuration:

PC1: eth0 192.168.1.18
     eth1 192.168.2.18

PC2: eth1 192.168.2.111

PC1 (squid server):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.18:3128

OK, the problem is that when I do not set the proxy setting in the browser of PC2 (since it is a transparent proxy), PC1's eth1 does not receive any packet when browsing. I have analysed this via tcpdump and wireshark. PC2's eth1 does not receive any packet either when browsing websites on PC2. But when I set the proxy setting in the browser, both interfaces receive packets, but then it is not a transparent proxy. I have attached squid.conf. Kindly help, thanks.

Attached Files: squid.txt (2.8 KB)
 
Old 07-02-2012, 07:38 AM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Well, if the issue is when you aren't setting a proxy redirect on the server and no port 80 traffic even leaves the client, then you should realize that this couldn't possibly be anything to do with Squid at all. The main difference is that the client system would be doing the DNS resolution instead of the server, so maybe it's a DNS issue.
 
Old 07-02-2012, 08:15 AM   #3
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
Thanks for your reply. OK, if this is a DNS issue at the client side, how should I resolve this issue?
 
Old 07-02-2012, 08:16 AM   #4
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
It totally depends on what the clients are and how your internal DNS setup works. At the most basic level, you use valid DNS servers on the clients.
 
Old 07-02-2012, 08:41 AM   #5
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
Yes, I think I am near to a solution now, but it is still not resolved. What I did: I defined the client's gateway as 192.168.2.18 (the squid server's eth1 on the internal network). My DNS is on the external network with IP 192.168.1.1, so I defined the client's DNS IP as 192.168.1.1. On the squid server side I enabled IP forwarding.

Now wireshark receives packets on those interfaces, unlike before. But when I browse, the browser shows "server not found" on the client side.
 
Old 07-03-2012, 12:42 AM   #6
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
Now the problem is that the DNS request reaches the internal network's gateway 192.168.2.18, but does not reach the DNS server 192.168.1.1 (the DNS server is actually the DSL router on the external network). My web request is unable to reach the DNS server. When I enter Google's IP (173.194.35.183) it opens the Google website, but when I enter www.google.com, then "server not found". Kindly help, thanks.

Last edited by uk.engr; 07-03-2012 at 01:04 AM.
 
Old 07-03-2012, 01:50 AM   #7
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Well, you need to look at the network routes then. What is the architecture between your two endpoints? Are they both hanging off of the same upstream device? Can you ping the DNS server? When you say it's not reaching it, do you really mean that, or do you just know there is no *reply*? With these hokey little LANs a common issue is that there are no return routes back to the internal network, often requiring static internal routes to be added to the DSL router's routing table. This doesn't sit very well with being able to reach Google itself though, unless that is due to the squid proxy getting involved and not requiring the routing to work there. Can you ping the Google IP?
 
Old 07-03-2012, 02:23 AM   #8
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
No, I can't ping the DNS server 192.168.1.1 or Google's IP from the client 192.168.2.111 with gateway 192.168.2.18. The network route between these endpoints is like below:

DSL router-----> PC1 eth0:192.168.1.18-----eth1:192.168.2.18------>PC2: 192.168.2.111

PC2 can ping both interfaces of PC1 but can't ping the DNS router.

I have also tried adding a route on PC2: route add -net 192.168.1.0/24 gw 192.168.2.18

But it still can't ping the DNS server or Google's IP. But PC1 can ping Google's IP and the DNS server.

I have connected another PC on the 192.168.1.0 network and given it IP 192.168.1.252, then pinged from the client 192.168.2.111 to 192.168.1.252. Initially it was unable to ping, but I added routes on both endpoints and then I was able to receive ping replies from 192.168.1.252 on 192.168.2.111.

But I have no access/permission to the DSL router. I want to use the squid proxy to redirect my web requests to the DSL router (is it possible in my scenario?)

Last edited by uk.engr; 07-03-2012 at 02:37 AM.
 
Old 07-03-2012, 02:33 AM   #9
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
I'll say it's the return route then. The DSL router is on 192.168.1.0/24, so all hosts on that network work fine. But PC2 is on a network that the DSL router has no knowledge of. So you need to either put a route in the DSL router saying that 192.168.2.0/24 is reached via 192.168.1.18, or perform NATting on PC1 so that traffic looks like it is coming from PC1 in the first place.

Mind you though... this is presuming you've enabled IP forwarding (routing) on PC1 in the first place... have you?? If not, there's not going to be any traffic moving *through* PC1, only to it and from it (which is fine for proxying). Given that your goal was transparent proxying and not routing anyway, I would probably suggest you just add a simple DNS server to PC1. dnsmasq is very simple to set up, and will pick up the DNS servers already used by PC1 upstream. Then PC2 can query PC1 for DNS on its local subnet and job's done.
 
Old 07-03-2012, 03:14 AM   #10
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
I have enabled IP forwarding on PC1. I also flushed all iptables rules, then added iptables rules for NAT again:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

Now I can successfully ping www.google.com and the DNS server from PC2. Web browsing also works. But HTTP traffic does not pass through the squid proxy. What should I edit/add in the above iptables lines so that I am able to pass web traffic through the squid proxy?

Last edited by uk.engr; 07-03-2012 at 03:16 AM.
 
Old 07-03-2012, 03:19 AM   #11
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Can you show the full nat table now? As the redirect is on PREROUTING it should always get there first, and the POSTROUTING entry shouldn't matter.
 
Old 07-03-2012, 04:26 AM   #12
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
[root@localhost demo_2]# iptables --flush
[root@localhost demo_2]# iptables --table nat --flush
[root@localhost demo_2]# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
[root@localhost demo_2]# iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost demo_2]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 07-03-2012, 06:49 AM   #13
uk.engr
Member (Original Poster)
Registered: Apr 2012
Posts: 131
The following iptables rules work perfectly for me:

[root@localhost demo_2]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.18:3128
[root@localhost demo_2]# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

Now I can browse websites through squid via the transparent proxy.

Thanks a lot acid_kewpie.

Last edited by uk.engr; 07-03-2012 at 07:10 AM.
 
Old 07-03-2012, 07:42 AM   #14
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Be aware now, though, that the internal machine can reach ANY external service not on port 80, e.g. a remote web proxy on port 3128, and bypass your proxy in a second.
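A complete iptables ruleset for the layout in this thread, added here as an example and not taken from any of the posts above. It folds together the working rules from post #13 with the warning in post #14: instead of forwarding everything that arrives on eth1, only DNS to the upstream resolver (and replies to it) is forwarded, so PC2 cannot reach an external proxy on another port and sidestep Squid. The interface names, addresses and the IPTABLES, SYSCTL, EXT_IF, INT_IF, INT_NET, UPSTREAM_DNS and SQUID_PORT variables are assumptions, as is the use of REDIRECT in place of the thread's DNAT (both deliver the packet to Squid on PC1). Squid is assumed to listen in intercept mode (http_port 3128 intercept in squid.conf, which squid 3.1 supports); the attached squid.conf is not shown on the page.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-proxy ruleset for PC1.
# Assumed layout (from the posts): eth0 faces the DSL router 192.168.1.1,
# eth1 faces PC2 on 192.168.2.0/24, Squid listens on PC1 port 3128 in
# intercept mode.  Set IPTABLES=echo to preview the rules without applying.

EXT_IF="${EXT_IF:-eth0}"                 # towards the DSL router
INT_IF="${INT_IF:-eth1}"                 # towards the internal LAN
INT_NET="${INT_NET:-192.168.2.0/24}"     # PC2's network
UPSTREAM_DNS="${UPSTREAM_DNS:-192.168.1.1}"
SQUID_PORT="${SQUID_PORT:-3128}"

enable_forwarding() {
    # PC1 must route for the DNS queries to cross it (post #9).
    SYSCTL="${SYSCTL:-sysctl}"
    $SYSCTL -w net.ipv4.ip_forward=1
}

apply_rules() {
    IPT="${IPTABLES:-iptables}"

    # Start from empty filter and nat tables, as in post #12.
    $IPT --flush
    $IPT --table nat --flush

    # 1. Intercept: HTTP arriving from the LAN is redirected to Squid on this
    #    box.  REDIRECT targets the address of the receiving interface, which
    #    is what the thread's "DNAT --to 192.168.1.18:3128" achieved.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$INT_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # 2. Masquerade whatever is still forwarded (DNS) so the DSL router, which
    #    has no route back to the internal network, sees PC1 as the source.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # 3. Let Squid accept the intercepted connections from the LAN only.
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # 4. FORWARD: replace "accept everything from eth1" (post #10) with an
    #    allow-list.  Only DNS to the upstream resolver is forwarded, so a
    #    client cannot reach an external proxy on 3128 (or any other port)
    #    and bypass Squid.  Any other service you deliberately want PC2 to
    #    reach directly needs its own explicit ACCEPT here.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -d "$UPSTREAM_DNS" \
        -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -d "$UPSTREAM_DNS" \
        -p tcp --dport 53 -j ACCEPT
    # Log what the LAN tried to reach directly before dropping it; a hit here
    # is exactly the bypass attempt post #14 warns about.
    $IPT -A FORWARD -i "$INT_IF" -j LOG --log-prefix "fwd-drop: "
    $IPT -A FORWARD -i "$INT_IF" -j DROP
}

# Usage:  sh pc1-proxy-rules.sh apply
#         IPTABLES=echo SYSCTL=echo sh pc1-proxy-rules.sh apply   (preview only)
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules
fi
```

The FORWARD policy is the part that answers post #14: with the original blanket `FORWARD -i eth1 -j ACCEPT`, only port 80 was steered through Squid and every other destination port was routed straight out; here anything not explicitly listed is logged and dropped, and the log prefix gives a simple detection hook for clients trying to go around the proxy.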