LinuxQuestions.org
Old 02-17-2011, 04:37 AM   #1
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Rep: Reputation: 0
transparent proxy with squid3 proxy help wanted to get it working


My setup : Standalone Ubuntu 10.04 ( 32 bit ) workstation with a single network card with IP of 192.168.0.160 taking connections on port 3148.
My access to Internet is by way of an adsl modem/router with a fixed IP of 192.168.0.254

I managed to get squid3 set up and it is working fine except that I can't get transparent proxy to work.

I found an article describing how to do it and the tutorial provided a script to configure iptables.

I know very little about iptables so the script seems a great thing for me.

I popped the script in /etc and did the chmod x on it and tried to execute it by double clicking but nothing seems to happen.

Could someone take a look at the iptables script and my squid.conf ( both pasted below ) and see if there's something obviously wrong ?

Did I put it in the right place and did I execute it correctly?

Thx,

-keevill-
_________________________-

Code:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.0.160"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3148"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG

____________________

squid.conf

________________________

Code:
acl manager proto cache_object
acl localhost src*127.0.0.1/32
acl to_localhost dst*127.0.0.0/8*0.0.0.0/32
acl localnet src*192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 2087
acl SSL_ports port 2083
acl SSL_ports port 993 # Google IMAP
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080
acl Safe_ports port 88
acl Safe_ports port 2525 #Sending Mail
acl Safe_ports port 25 #Sending Mail
acl Safe_ports port 2087 #CPanel
acl Safe_ports port 5800-6901
acl Safe_ports port 143 #Mail Server
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2
acl ban_websites dstdomain .youtube.com*hi5.com*tumblr.com
http_access deny ban_websites
acl blocksites url_regex tumblr
http_access deny blocksites
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv
http_reply_access deny deny_rep_mime_flashvideo
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3148
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
error_directory /usr/share/squid3/errors/templates
coredump_dir /var/spool/squid3
 
Old 02-17-2011, 05:02 AM   #2
anurupr
Member
 
Registered: Mar 2010
Posts: 71

Rep: Reputation: 16
Can you post any of the errors that you are getting? And also please tell us what you are trying to achieve.
 
Old 02-17-2011, 05:18 AM   #3
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anurupr View Post
can you post any of the errors that you are getting? and also please tell us what you are trying to achieve
When I navigate to the etc folder, ls shows fx.proxy ( the script ) - it's green, showing the 755 permissions I believe.
then
sudo fx.proxy
gives command not found.

I am trying to force users through the proxy in order that I don't have to configure each machine to use the proxy in their browser settings.
Also useful for dhcp clients, of which there are about 12 or so.
-keevill-
 
Old 02-18-2011, 12:29 AM   #4
anurupr
Member
 
Registered: Mar 2010
Posts: 71

Rep: Reputation: 16
Well, just because it's in /etc doesn't mean that typing sudo fx.proxy will work. If you want that to happen, you have to set the path of the script in the PATH system variable. But a simpler way would be to put it in /bin. /bin is by default in the PATH system variable.
 
Old 02-18-2011, 12:38 AM   #5
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anurupr View Post
Well, just because it's in /etc doesn't mean that typing sudo fx.proxy will work. If you want that to happen, you have to set the path of the script in the PATH system variable. But a simpler way would be to put it in /bin. /bin is by default in the PATH system variable.
OK, I just did that ( put it in /bin ).
When I double click to execute, I am asked if I want to run in terminal etc. and I select 'run'.
This time, no errors and nothing to indicate that it was done.

I am not sure if it's relevant but I should point out that this box is configured as dhcp server and here is the output of the conf file for that.

_____

david@ubuntu240110-desktop:/etc/dhcp3$ sudo grep -v "^#" dhcpd.conf | sed -e '/^$/d'
ddns-update-style none;
default-lease-time 600;
max-lease-time 1200;
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.20 192.168.0.50;
option routers 192.168.0.1;
-keevill-
 
Old 02-19-2011, 09:09 AM   #6
anurupr
Member
 
Registered: Mar 2010
Posts: 71

Rep: Reputation: 16
I'm not sure whether it is relevant or not either, but we can get back to that later.

Can you show me the squid.conf file on your system?

It is located in /etc/squid/squid.conf
 
Old 02-19-2011, 07:10 PM   #7
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anurupr View Post
I'm not sure whether it is relevant or not either, but we can get back to that later.

Can you show me the squid.conf file on your system?

It is located in /etc/squid/squid.conf
Hi,
My squid.conf content is pasted in my OP just above.
Thx,
-keevill-
 
Old 02-20-2011, 01:16 AM   #8
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Also, in an effort to find the solution and reading around, I am beginning to think that I *must* have 2 network cards in this squid box in order to correctly configure it as a router. Am I correct ??
Currently I only have one.
Attached is a picture of the basic layout of my current setup.
-keevill-
Attached: anetwork.JPG
 
Old 02-20-2011, 03:32 AM   #9
anurupr
Member
 
Registered: Mar 2010
Posts: 71

Rep: Reputation: 16
Where?? Isn't that dhcpd.conf?

Well, it would be easier to do it if you had two network cards, but it's also possible using the same network card, because you can configure more than one IP address for a single network card.
 
Old 02-20-2011, 04:37 AM   #10
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anurupr View Post
Where?? Isn't that dhcpd.conf?

Well, it would be easier to do it if you had two network cards, but it's also possible using the same network card, because you can configure more than one IP address for a single network card.
The top one is iptables.conf and the second one is squid.conf ( with all commented lines and blank lines removed )

-keevill-
 
Old 02-21-2011, 02:27 AM   #11
anurupr
Member
 
Registered: Mar 2010
Posts: 71

Rep: Reputation: 16
Oh my bad.. sorry about that.. Well, I looked at the squid.conf file and it looks fine to me, but I'm not sure this makes sense to me
Code:
acl localhost src*127.0.0.1/32
acl to_localhost dst*127.0.0.0/8*0.0.0.0/32
acl localnet src*192.168.0.0/16 # RFC1918 possible internal network
What is the "*" for? I have never used that in my proxy configuration.
 
Old 02-21-2011, 03:59 AM   #12
keevill
LQ Newbie
 
Registered: Dec 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anurupr View Post
Oh my bad.. sorry about that.. Well, I looked at the squid.conf file and it looks fine to me, but I'm not sure this makes sense to me
Code:
acl localhost src*127.0.0.1/32
acl to_localhost dst*127.0.0.0/8*0.0.0.0/32
acl localnet src*192.168.0.0/16 # RFC1918 possible internal network
What is the "*" for? I have never used that in my proxy configuration.
I think something went wrong with my copy / paste. There are no entries like that in the squid.conf.
Here is the correct one and sorry...
Still needing help how to configure iptables and transparent proxy.
-keevill-

________

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 2087
acl SSL_ports port 2083
acl SSL_ports port 993 # Google IMAP
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080
acl Safe_ports port 88
acl Safe_ports port 2525 #Sending Mail
acl Safe_ports port 25 #Sending Mail
acl Safe_ports port 2087 #CPanel
acl Safe_ports port 5800-6901
acl Safe_ports port 143 #Mail Server
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2
acl ban_websites dstdomain .youtube.com hi5.com tumblr.com
http_access deny ban_websites
acl blocksites url_regex tumblr
http_access deny blocksites
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv
http_reply_access deny deny_rep_mime_flashvideo
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3148
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
error_directory /usr/share/squid3/errors/templates
coredump_dir /var/spool/squid3
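Added here as a worked example, not code from this thread or from Squid: a small Python consistency check over the three pieces of configuration pasted above (the firewall script's variables, the squid.conf http_port line and the dhcpd.conf routers option), reporting the conditions under which port-80 traffic from the LAN never reaches Squid as an intercepted request. The sample inputs are constructed from the values quoted in the posts, the finding names are my own, and the requirement that Squid's http_port carry the transparent (Squid 3.0/3.1) or intercept (3.1 and later) flag for intercepted traffic is taken from Squid's http_port documentation.

```python
import re

# Constructed samples modelled on this thread's values (not the author's files
# verbatim): firewall script variables, a squid.conf, post #5's dhcpd.conf.
FW_SCRIPT = '''SQUID_SERVER="192.168.0.160"
INTERNET="eth0"
LAN_IN="eth0"
SQUID_PORT="3148"
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
'''
SQUID_CONF = "http_access allow localnet\nhttp_access deny all\nhttp_port 3148\n"
DHCPD_CONF = ("subnet 192.168.0.0 netmask 255.255.255.0 {\n"
              "  range 192.168.0.20 192.168.0.50;\n  option routers 192.168.0.1;\n}\n")

def shell_vars(script):
    """Collect NAME="value" assignments from a shell script."""
    return dict(re.findall(r'^([A-Z_]+)="([^"]*)"', script, re.M))

def squid_http_ports(conf):
    """Return [(port, [flags...])] for every http_port line (port or host:port)."""
    pat = re.compile(r'^\s*http_port\s+(?:\S*:)?(\d+)(.*)$', re.M)
    return [(int(m.group(1)), m.group(2).split()) for m in pat.finditer(conf)]

def dhcp_routers(conf):
    """Default gateway handed out by dhcpd, or None if the option is absent."""
    m = re.search(r'option\s+routers\s+([\d.]+)', conf)
    return m.group(1) if m else None

def lint(fw_script, squid_conf, dhcpd_conf):
    """Return finding codes explaining why intercepted HTTP may never reach Squid."""
    v, ports, findings = shell_vars(fw_script), squid_http_ports(squid_conf), []
    # 1. The DNAT/REDIRECT target port must be one Squid actually listens on.
    if not any(p == int(v["SQUID_PORT"]) for p, _ in ports):
        findings.append("port-mismatch")
    # 2. Squid accepts intercepted (relative-URL) requests only on an http_port
    #    flagged 'transparent' (Squid 3.0/3.1) or 'intercept' (3.1 and later).
    if not any({"transparent", "intercept"} & set(flags) for _, flags in ports):
        findings.append("no-intercept-flag")
    # 3. LAN and Internet on one NIC works (post #9), but then the script's
    #    "-A INPUT -i $LAN_IN -j ACCEPT" also admits Internet-side traffic.
    if v.get("INTERNET") == v.get("LAN_IN"):
        findings.append("single-interface")
    # 4. PREROUTING only sees packets that traverse this box, so DHCP clients
    #    must be given the Squid host as their router, not the ADSL modem.
    if dhcp_routers(dhcpd_conf) != v["SQUID_SERVER"]:
        findings.append("gateway-bypass")
    return findings
```

Run against the constructed samples it reports no-intercept-flag, single-interface and gateway-bypass; the port itself (3148 in both files) is consistent.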
 
  

