Linux - Newbie forum at LinuxQuestions.org. This Linux forum is for members that are new to Linux.
I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box.
Here's the set up:
A single NIC (eth0) on 172.19.0.250/16 (static)
ADSL router ("real" DG) on 172.19.0.1
I executed iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
My squid.conf:
Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl mynet src 172.19.0.0/16
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
I've read MANY articles which seem to guide me in the right direction, but nothing works. Some mention that I must enable IP forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward) whilst others say it's not necessary. I just wonder if I need to change anything in my squid.conf file?
I'm pulling my hair out trying to get this to work ... can anyone help please?
Configure the gateway of your client machines (XP) to point to your ADSL modem. Then configure the browser on your clients (XP) to use Squid on the server.
This will work if you only want to test proxy settings.
But if you want to use the Linux firewall, you'll need to do some NAT configuration, because everything is on the same subnet and you have only one interface on the Linux server.
Think about that; if you need to configure the Linux firewall, post your iptables rules here.
Thank you rafatmb for the prompt response. I can see the logic in your suggestion and I could do that easily in the lab that I have (one client and one Linux). However, I would like to implement this eventually in a larger organisation and would prefer to have DHCP configure the DG (as the Squid/iptables computer). I know that I could use Group Policy to enter the client proxy configuration then disallow users from changing it, but I figured it would be fairly simple to have some iptables rules to forward the relevant packets (destination ports 25 and 110) to the ADSL router. As there's only one NIC in the Squid computer, I guess that the Squid/iptables computer wouldn't have to apply NAT, otherwise the returning packets wouldn't know where to go.
The only iptables configuration that I have applied at present is:
As I said, I've tried applying many other rules and none of them works.
I saw the post here and got excited, but that scenario has 2 NICs in the Squid/iptables computer.
I'd be grateful for help with the rule(s) that I would need to send the SMTP/POP3 packets to the ADSL router (172.19.0.1). If I understand this correctly, that should allow me to access e-mail via Outlook.
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.
I'm sure that I would never have stumbled upon these rules ... I just hope that they work!
Quote:
Originally Posted by Capellous
I'm grateful for your further help Rafa. I'll certainly look at the rules that you've suggested. I think I see a couple of typos - I think that lines 3 and 4 should end "-j ACCEPT" and I think that there should be a final line referring to port 25 in addition to line 5 referring to port 110.
I'm sure that I would never have stumbled upon these rules ... I just hope that they work!
First things first. It's not Squid that is stopping your POP and SMTP traffic. Squid is essentially an HTTP proxy and has nothing to do with SMTP or POP, so do not expect it to work as a proxy for other protocols.
Just making it transparent by redirecting port 80 requests will not enable POP and SMTP for your clients. You will need to masquerade the outgoing requests; in short, Internet sharing using iptables.
I learnt this the hard way too.
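The approach described in this reply, worked out for the single-NIC setup in the original post, as an added example rather than code posted by anyone in the thread. It assumes the thread's interface eth0, LAN 172.19.0.0/16 and Squid port 3128 (all overridable from the environment), keeps the original port-80 REDIRECT, and adds the MASQUERADE and stateful FORWARD rules for everything else (SMTP 25, POP3 110 included) so the replies come back through the Squid box. It also adds two things the thread does not mention but a single-NIC gateway needs: disabling ICMP redirects, because a Linux router that forwards a packet back out the interface it arrived on tells the client to use 172.19.0.1 directly, which XP honours and which would let later traffic to those destinations, HTTP included, bypass the proxy; and limiting who can reach the intercept port, since `http_port 3128 transparent` is also an ordinary proxy port. The `run` wrapper and the `show`/`apply` arguments are this example's own convention, so the rule set can be reviewed on a machine without iptables before it is applied as root.

```shell
#!/bin/sh
# Single-NIC transparent Squid gateway (added example, not from the thread).
# Addresses default to the ones given in the thread; override via environment.
set -eu

IFACE="${IFACE:-eth0}"
LAN="${LAN:-172.19.0.0/16}"
SQUID_PORT="${SQUID_PORT:-3128}"

# run CMD...: execute CMD, or only print it when DRY_RUN=1 so the rule set can
# be reviewed (or tested) on a machine without iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # 1. The box must route packets that are not addressed to it
    #    (the same thing as "echo 1 > /proc/sys/net/ipv4/ip_forward").
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Forwarding back out the interface a packet arrived on makes the kernel
    #    send ICMP redirects pointing clients at 172.19.0.1 directly; XP honours
    #    them and later traffic to those hosts would skip this box (and Squid).
    #    The interface is enabled if either knob is 1, so both must be 0.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.${IFACE}.send_redirects=0"

    # 3. Intercept LAN HTTP into Squid (the original rule, restricted to LAN
    #    sources). Squid's own upstream fetches leave via OUTPUT, not
    #    PREROUTING, so they are not looped back into the proxy.
    run iptables -t nat -A PREROUTING -i "$IFACE" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # 4. Everything else (SMTP 25, POP3 110, HTTPS 443, ...) is routed to the
    #    ADSL router and masqueraded behind this box's address, so replies come
    #    back through the box instead of going from the router straight to the
    #    client, where the stateful FORWARD rules below would never see them.
    run iptables -t nat -A POSTROUTING -o "$IFACE" -s "$LAN" -j MASQUERADE

    # 5. Stateful forwarding policy: the LAN may open connections, replies
    #    flow back, nothing else is forwarded.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IFACE" -o "$IFACE" -s "$LAN" -m state --state NEW -j ACCEPT

    # 6. The intercept port is also an ordinary proxy port; only the LAN may
    #    reach it, otherwise the box is an open proxy for anyone who can route
    #    to it.
    run iptables -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

case "${1:-}" in
    show)  DRY_RUN=1 apply_rules ;;   # print the rules for review
    apply) apply_rules ;;             # apply them (run as root)
esac
```

Review the generated rules with `sh squid-gw.sh show`, then apply them with `sudo sh squid-gw.sh apply`. Port 443 is deliberately not redirected: the Squid 3.0 `transparent` port on this page can only intercept plain HTTP, so HTTPS, SMTP and POP3 all take the masqueraded route through step 4.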