Transparent Squid, iptables syntax and SMTP/POP3
I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box.
Here's the set up:

  - A single NIC (eth0) on 172.19.0.250/16 (static)
  - ADSL router ("real" DG) on 172.19.0.1

I executed:

  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

My squid.conf:

  acl all src all

I'm pulling my hair out trying to get this to work ... can anyone help please? Thank you for your time (and patience!).
The first (and easiest) option to solve that:
Configure the gateway of your client machines (XP) pointing to your ADSL modem. Then configure the browser of your clients (XP) to SQUID on the server. This will work if you only want to test proxy settings. But, if you want to use the Linux firewall, you'll need to do some NAT configs, because everything is on the same subnet and you have only one interface on the Linux server. Think about that; if you need to config the Linux firewall, print your iptables rules here.
Thank you rafatmb for the prompt response. I can see the logic in your suggestion and I could do that easily in the lab that I have (one client and one Linux). However, I would like to implement this eventually in a larger organisation and would prefer to have DHCP configure the DG (as the Squid/iptables computer). I know that I could use Group Policy to enter the client proxy configuration then disallow users from changing it, but I figured it would be fairly simple to have some iptables rules to forward the relevant packets (destination ports 25 and 110) to the ADSL router. As there's only one NIC in the Squid computer, I guess that the Squid/iptables computer wouldn't have to apply NAT, otherwise the returning packets wouldn't know where to go.
The only iptables configuration that I have applied at present is:

  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

As I said, I've tried applying many other rules and none of them works. I saw the post here and got excited, but that scenario has 2 NICs in the Squid/iptables computer. I'd be grateful for help with the rule(s) that I would need to send the SMTP/POP3 packets to the ADSL router (172.19.0.1). If I understand this correctly, that should allow me to access e-mail via Outlook.
Hi,
Because you have only one NIC, and the machines are on the same subnet, you MUST use a particular kind of NAT. Do this: Quote:
[]'s Rafa Linux, Linux and Linux! Suporte Linux
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.
I'm sure that I would never have stumbled upon these rules ... I just hope that they work!
Dear, visit this link; it works for me 100%: http://freelinuxtutorial.blogspot.co...ind-squid.html
Post added 05-02-11 at 01:06 AM
First things first. It's not Squid that is stopping your POP and SMTP traffic. Squid essentially is an HTTP proxy and it has nothing to do with SMTP or POP. So do not expect it to work as a proxy for other protocols.
Just making it transparent with forwarding port 80 requests will not enable POP and SMTP for your clients. You will need to masquerade the outgoing requests, in short internet sharing using iptables. I learnt this the hard way too.
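An added example (not rules any poster in this thread supplied) of what "masquerade the outgoing requests" looks like for the single-NIC layout in the first post: a script that prints the nat and FORWARD rules for review, or applies them when called with the argument apply. It assumes the values from the thread (eth0, 172.19.0.250/16, ADSL router 172.19.0.1, Squid on 3128) and that the XP clients use the Squid box as their default gateway.

```shell
#!/bin/sh
# Added example for the single-NIC transparent-Squid layout in this thread;
# not the rules any poster supplied. Values below are assumptions taken from
# the first post (eth0, 172.19.0.250/16, ADSL router 172.19.0.1, Squid on 3128).
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-172.19.0.0/16}"
PROXY_IP="${PROXY_IP:-172.19.0.250}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the commands so the set can be reviewed before anything is changed.
gen_rules() {
    cat <<EOF
# the box must forward packets between the clients and the router
# (Ubuntu desktop ships with this off, which alone blocks ports 25 and 110)
sysctl -w net.ipv4.ip_forward=1
# client traffic leaves through the same interface it came in on; without this
# the kernel sends ICMP redirects and the XP clients start bypassing the box
sysctl -w net.ipv4.conf.all.send_redirects=0
iptables -t nat -F
iptables -F FORWARD
# 1. HTTP from the LAN that is not addressed to this box itself goes to Squid
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $PROXY_IP -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# 2. everything else (SMTP 25, POP3 110, ...) is forwarded to the router; the
#    router is on the same subnet as the client, so without source NAT its
#    replies go straight to the client instead of back through this box;
#    masquerading keeps both directions here so conntrack sees the whole flow
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -j MASQUERADE
# 3. filter table: allow the forwarded client traffic and its replies
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Feed the generated commands to a shell that stops at the first failure.
apply_rules() {
    gen_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

Run it without arguments first and check the printed set against /var/log/squid/access.log and a test mail connection before running it with apply as root.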