LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 06-02-2009, 03:34 AM   #1
ochienged
Member
 
Registered: Oct 2007
Location: Plano, TX
Distribution: Fedora, CentOS, RHEL, Debian
Posts: 70

Rep: Reputation: 26
Forcing http request through Squid Proxy Server(Transparent proxying)


I am configuring a transparent proxy using iptables and squid version 2.6 stable on a CentOS 5.2 box. The following are my results:
Quote:
On configuring proxy settings in the browsers, the desired results are achieved. However, on removing them the requests time out.
The problem is that this is not the desired design; HTTP requests should be directed to squid without the need to configure the clients' browsers. This is what I have done:
1) Made squid listen on the default port.
Quote:
http_port 3128 transparent
2) Configured my iptables as below:
Quote:
# Generated by iptables-save v1.3.5 on Thu May 28 15:27:35 2009
*mangle
:PREROUTING ACCEPT [14769:1931153]
:INPUT ACCEPT [14672:1900365]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6115:893955]
:POSTROUTING ACCEPT [6427:965079]
COMMIT
# Completed on Thu May 28 15:27:35 2009
# Generated by iptables-save v1.3.5 on Thu May 28 15:27:35 2009
*filter
:INPUT ACCEPT [14672:1900365]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6115:893955]
-A INPUT -s ! 192.168.0.101 -d 0.0.0.0 -i eth0 -p tcp -m tcp -j ACCEPT
-A FORWARD -s 192.168.0.0 -d ! 192.168.0.101 -i eth0 -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp -j ACCEPT
COMMIT
# Completed on Thu May 28 15:27:35 2009
# Generated by iptables-save v1.3.5 on Thu May 28 15:27:35 2009
*nat
:PREROUTING ACCEPT [220:23170]
:POSTROUTING ACCEPT [116:18308]
:OUTPUT ACCEPT [116:18308]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.0.0 -i eth0 -j DNAT --to-destination 192.168.0.101
COMMIT
# Completed on Thu May 28 15:27:35 2009
Kindly note that the proxy server and the iptables are on the same box.
 
Old 06-02-2009, 03:57 AM   #2
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
You need to configure "your network" to direct traffic to the proxy server (make your proxy server the default gateway at the edge of your network, or route the traffic using your network devices).
 
Old 06-02-2009, 08:02 AM   #3
ochienged
Member
 
Registered: Oct 2007
Location: Plano, TX
Distribution: Fedora, CentOS, RHEL, Debian
Posts: 70

Original Poster
Rep: Reputation: 26
Network configuration

Quote:
Originally Posted by chitambira View Post
You need to configure "your network" to direct traffic to the proxy server (make your proxy server the default gateway at the edge of your network, or route the traffic using your network devices).
The configuration of my network, I suppose, conforms to your suggestion, unless I misunderstand you. Here is an overview of the arrangement.

Clients -> Proxy server -> Cisco Router -> Internet

The problem is clients can bypass the proxy server by removing the proxy configurations on their browsers. Kindly help identify any flaws in my iptables script that would result in the failure of the server intercepting http requests.
 
Old 06-02-2009, 08:17 AM   #4
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
Quote:
The problem is clients can bypass the proxy server by removing the proxy configurations on their browsers
To block this, DROP all port 80 input traffic in your iptables, or add an access-list on your router to block port 80.
 
Old 06-02-2009, 10:25 AM   #5
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Just to make sure, are your clients configured with default gateway pointing to the squid server?
If so, then sort your iptables as:
Quote:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.101:3128
Also, was transparent proxy support enabled when your squid was compiled?
 
Old 06-02-2009, 10:54 AM   #6
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
If you do not block port 80 traffic, then people can simply bypass your proxy (with the gateway IP).
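As an added example (not from the thread), the shell block below emits a corrected iptables-restore ruleset for the topology in the original post and audits an iptables-save dump for the two rules that make interception stick: the REDIRECT of port 80 into squid (post #5) and a FORWARD rule that refuses any port 80 the REDIRECT did not catch (post #6). Interface names, addresses and the squid port are assumed from the first post; run against the posted rules, the audit reports the missing FORWARD block.

```shell
#!/bin/sh
# Added example, not from the thread: emit a corrected iptables-restore
# ruleset for the topology in the original post and audit any iptables-save
# dump for the two rules that make interception hold. Interface names and
# addresses (eth0, ppp0, 192.168.0.0/24, port 3128) are assumed from the post.
LAN_IF=eth0; WAN_IF=ppp0; LAN_NET=192.168.0.0/24; SQUID_PORT=3128

transparent_proxy_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Pull LAN web traffic into squid. Squid's own outbound requests leave via
# OUTPUT, not PREROUTING, so they are not looped back here.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# Port 80 from the LAN side that the REDIRECT did not match must not be forwarded around squid.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# The nat and filter rules exactly as posted in the first message, for comparison.
original_post_dump() {
cat <<'EOF'
-A FORWARD -s 192.168.0.0 -d ! 192.168.0.101 -i eth0 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.0.0 -i eth0 -j DNAT --to-destination 192.168.0.101
EOF
}

# Returns 0 if a dump has both rules, 1 if the REDIRECT is missing,
# 2 if nothing stops un-redirected port 80 from being forwarded.
check_ruleset() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -Eq "^-A PREROUTING .*-i $LAN_IF .*--dport 80 .*-j REDIRECT --to-ports $SQUID_PORT$" || return 1
    printf '%s\n' "$dump" | grep -Eq "^-A FORWARD .*--dport 80 .*-j (DROP|REJECT)" || return 2
}

# To apply after review (as root): transparent_proxy_rules | iptables-restore
```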
 