LinuxQuestions.org

Linux - Newbie: Transparent Squid, iptables syntax and SMTP/POP3 (https://www.linuxquestions.org/questions/linux-newbie-8/transparent-squid-iptables-syntax-and-smtp-pop3-861792/)

Capellous 02-10-2011 06:02 AM

Transparent Squid, iptables syntax and SMTP/POP3
 
I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box.

Here's the set up:

A single NIC (eth0) on 172.19.0.250 / 16 (static)
ADSL router ("real" DG) on 172.19.0.1
I executed iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

My squid.conf:

Code:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
acl mynet src 172.19.0.0/16
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl SSL_ports port 443                # https
acl SSL_ports port 563                # snews
acl SSL_ports port 873                # rsync
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
acl Safe_ports port 631                # cups
acl Safe_ports port 873                # rsync
acl Safe_ports port 901                # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern (Release|Package(.gz)*)$        0        20%        2880
refresh_pattern .                0        20%        4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

I've read MANY articles which seem to guide me in the right direction, but nothing works. Some mention that I must enable IP forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward) whilst others say it's not necessary. I just wonder if I need to change anything in my squid.conf file?

I'm pulling my hair out trying to get this to work ... can anyone help please?

Thank you for your time (and patience!).

rafatmb 02-10-2011 10:37 AM

The first (and easiest) option to solve that:

Configure the gateway of your client machines (XP) to point to your ADSL modem. Then configure the browser of your clients (XP) to use Squid on the server.

This will work if you only want to test proxy settings.

But if you want to use the Linux firewall, you'll need to do some NAT configs, because everything is on the same subnet and you have only one interface on the Linux server.

Think about that; if you need to configure the Linux firewall, print your iptables rules here.

Capellous 02-10-2011 12:29 PM

Thank you rafatmb for the prompt response. I can see the logic in your suggestion and I could do that easily in the lab that I have (one client and one Linux). However, I would like to implement this eventually in a larger organisation and would prefer to have DHCP configure the DG (as the Squid/iptables computer). I know that I could use Group Policy to enter the client proxy configuration then disallow users from changing it, but I figured it would be fairly simple to have some iptables rules to forward the relevant packets (destination ports 25 and 110) to the ADSL router. As there's only one NIC in the Squid computer, I guess that the Squid/iptables computer wouldn't have to apply NAT, otherwise the returning packets wouldn't know where to go.

The only iptables configuration that I have applied at present is:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

As I said, I've tried applying many other rules and none of them works.

I saw the post here and got excited, but that scenario has 2 NICs in the Squid/iptables computer.

I'd be grateful for help with the rule(s) that I would need to send the SMTP/POP3 packets to the ADSL router (172.19.0.1). If I understand this correctly, that should allow me to access e-mail via Outlook.

rafatmb 02-11-2011 05:59 AM

Hi,

Because you have only one NIC, and the machines are on the same subnet, you MUST use a particular kind of NAT.

Do this:

Quote:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW,ESTABLISHED ACCEPT
iptables -A FORWARD -p tcp --dport 25 -m state --state NEW,ESTABLISHED ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 110 -d 172.19.0.1 -j MASQUERADE
Good luck.

[]'s

Rafa
Linux, Linux and Linux! Suporte Linux

Capellous 02-12-2011 09:44 AM

I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.

I'm sure that I would never have stumbled upon these rules ... I just hope that they work!

h.haider 05-02-2011 01:06 AM

Quote:

Originally Posted by Capellous (Post 4256133)
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.

I'm sure that I would never have stumbled upon these rules ... I just hope that they work!



Dear, visit this link; it works for me 100%:


http://freelinuxtutorial.blogspot.co...ind-squid.html


linuxlover.chaitanya 05-02-2011 01:26 AM

First things first. It's not Squid that is stopping your POP and SMTP traffic. Squid is essentially an HTTP proxy and has nothing to do with SMTP or POP, so do not expect it to work as a proxy for other protocols.
Just making it transparent and forwarding port 80 requests will not enable POP and SMTP for your clients. You will need to masquerade the outgoing requests; in short, internet sharing using iptables.
I learnt this the hard way too.
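Pulling together rafatmb's rule set, the two fixes Capellous points out (the "-j" before ACCEPT and a matching port 25 line) and the masquerading linuxlover.chaitanya describes, here is an added example script, not code from any poster in this thread. It assumes the values given in the thread (eth0, 172.19.0.0/16, Squid on 3128, mail on 25 and 110), masquerades on the outgoing interface rather than matching the router's address, and adds a send_redirects sysctl and a final REJECT that the thread does not mention.

```shell
#!/bin/sh
# Added example for this thread (not rafatmb's or Capellous's own script).
# Single-NIC box (eth0) that runs Squid on 3128, is the clients' default
# gateway, and hands SMTP/POP3 on to the ADSL router on the same /16.
# Values are the thread's; override them through the environment.
IFACE="${IFACE:-eth0}"
LAN="${LAN:-172.19.0.0/16}"
SQUID_PORT="${SQUID_PORT:-3128}"
MAIL_PORTS="${MAIL_PORTS:-25 110}"

# Print the rule set instead of applying it, so it can be reviewed first and
# checked that every rule carries an explicit "-j" target.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Assumed addition: with one NIC the kernel would send ICMP redirects
    # telling clients to talk to the router directly, bypassing this box.
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"
    # Transparent HTTP: only LAN clients arriving on eth0 are sent to Squid.
    echo "iptables -t nat -A PREROUTING -i $IFACE -s $LAN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # Return traffic for anything already forwarded.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $MAIL_PORTS; do
        # Hairpin forward: in and out on the same interface, LAN sources only.
        echo "iptables -A FORWARD -i $IFACE -o $IFACE -s $LAN -p tcp --dport $port -m state --state NEW -j ACCEPT"
        # Clients and router share a subnet, so without NAT the router would
        # answer the client directly and this box would never see replies.
        # Match on the outgoing interface: the packet's destination is the
        # mail server, not 172.19.0.1, so "-d <router>" would never match.
        echo "iptables -t nat -A POSTROUTING -o $IFACE -s $LAN -p tcp --dport $port -j MASQUERADE"
    done
    # Anything else routed through this box is refused; it is a proxy, not a
    # general-purpose gateway.
    echo "iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable"
}

# Number of iptables rules generated; a quick sanity check before applying.
rule_count() { gen_rules | grep -c '^iptables'; }

# Apply for real (needs root). Rules are appended, so flush before a re-run.
apply_rules() { gen_rules | sh -e; }

if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

Run it without arguments to print and inspect the rules; run it as root with `apply` to install them.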

