LinuxQuestions.org, Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hello, I have a strange setup and I'm not getting anywhere with it. I have a DSL router, which is connected to the gateway, which manages the network, DHCP, DNS and so on. Now there is in the network a squid server which should be used as a transparent proxy for HTTP (not HTTPS).
gateway server IPs:
eth0 (10.0.10.2) internet
eth1 (192.168.10.1) intranet - dhcp server
squid server IP:
eth0 (192.168.10.253)
There are 2 networks, 192.168.10.0/24 (ethernet) and 192.168.2.0/24 (wifi); both of these networks should use the squid server for HTTP as a transparent proxy.
Here is the iptables setup on the gateway:
Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
-A INPUT -j DROP
COMMIT
Code:
cat /proc/sys/net/ipv4/ip_forward
1
Can anyone tell me the iptables rules which I should add to the gateway so it would properly forward all traffic to the squid proxy server and give it properly to the clients?
That would redirect all outbound traffic destined for TCP port 80 to port 3128 on the Squid server, but unfortunately the clients would never receive a response. Here's why:
1. The client sends a packet to a web server (source: local PC, destination: some web server on the Internet).
2. The gateway receives the packet and replaces the destination IP with that of the proxy (source: local PC, destination: Squid).
3. The Squid server receives the packet, and since it's the 1st packet of a three-way TCP handshake (SYN), it generates a SYN-ACK packet (source: Squid, destination: local PC).
4. The Squid server sends the above packet directly to the PC. After all, it's on the same network, so no point in going through the router, right? (Wrong, it's bypassing the entire NAT mechanism.)
5. The local PC receives the SYN-ACK packet from the Squid server, notices that at no time did it ask to speak to this server, and promptly discards the packet.
Steps 1-5 are repeated a few times until the connection eventually times out.
You could add a second NAT entry, NATing all packets to the Squid server behind eth1 on the firewall:
...but that qualifies as a really ugly hack that would also invalidate any logs on the Squid server (all traffic would appear to come from 192.168.10.1).
That was the long answer. The short answer: You need to either redesign your network slightly, so that the Squid server ends up on a different subnet, or you could use the Web Proxy Autodiscovery Protocol (WPAD) to serve out a PAC file and force all HTTP traffic through Squid (and then block all other TCP/80 traffic in the firewall).
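The redirect rule and the "second NAT entry" described in the reply above, written out as an added example in the same iptables-restore format the original poster used. This is not code from the reply or from the thread; the interface names, addresses and port 3128 are taken from the thread, and the exclusion of the Squid host's own traffic from the redirect is an assumption added here (without it, Squid's own outbound port-80 fetches arriving on eth1 would be sent back to Squid). The path the 192.168.2.0/24 wifi network takes is not given in the thread, so the rule simply matches whatever arrives on eth1.

```shell
#!/bin/sh
# Added example, not from the thread: nat table for the gateway that
# redirects client HTTP to a Squid host on the same subnet.
# Values assumed from the thread's addressing:
LAN_IF="eth1"                 # gateway interface facing the clients
SQUID_IP="192.168.10.253"     # transparent Squid host, same subnet as clients
SQUID_PORT="3128"             # Squid's "http_port 3128 transparent"

# Emit the nat table. The PREROUTING DNAT rule alone produces the failure
# the reply walks through (Squid's SYN-ACK reaches the client directly and
# is discarded). The POSTROUTING rule to the Squid host is the second NAT
# entry: Squid then sees every redirected flow as coming from the gateway's
# eth1 address, replies to the gateway, and the gateway reverses both
# translations. Squid's logs will show 192.168.10.1 instead of the client.
gateway_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect client HTTP arriving on the LAN interface to Squid. Traffic
# originating from the Squid host itself is excluded to avoid a loop.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 ! -s $SQUID_IP -j DNAT --to-destination $SQUID_IP:$SQUID_PORT
# The "ugly hack": source-NAT only the redirected flows so Squid's replies
# come back through the gateway instead of going straight to the client.
-A POSTROUTING -o $LAN_IF -p tcp -d $SQUID_IP --dport $SQUID_PORT -j MASQUERADE
# Unchanged from the original poster's ruleset: NAT the LAN out to the Internet.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Load the table into the kernel. iptables-restore replaces the nat table
# (the filter table is untouched because it is not in the input).
apply_rules() {
    gateway_nat_rules | iptables-restore
}

# Print the ruleset for review by default; apply only when asked to.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gateway_nat_rules
fi
```

Run it without arguments to print the table for review, or with `apply` (as root) to load it. The MASQUERADE towards Squid is deliberately restricted to TCP flows destined for the Squid port rather than applied to everything leaving eth1, so only the redirected connections lose their original client address.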
doesn't work at all, the requests don't even end up at the squid server, but when adding the POSTROUTING one, the requests end up in the squid server but as Access Denied (error 403)
Quote:
1337975555.501 0 192.168.10.1 TCP_MISS/403 2646 GET http://www.osnews.com/ - NONE/- text/html
1337975555.502 2 192.168.10.1 TCP_MISS/403 2798 GET http://www.osnews.com/ - DIRECT/74.86.31.159 text/html
1337975558.805 0 192.168.10.1 TCP_NEGATIVE_HIT/403 2804 GET http://www.osnews.com/ - NONE/- text/html
So basically it just doesn't do it, can't see the web page, just the squid error.
---------- Post added 05-25-12 at 09:56 PM ----------
What do you mean about re-design the network, what am I doing wrong?
Simply put, this works. I can browse web pages on the Internet. If I stop the squid process, there's no web access via HTTP. If I try to reach a valid but currently unavailable web site, I get an error page from squid.
What exactly happens when you attempt this setup? Where does the "access denied" message come from? What's in the logs?
With this exact setup there is nothing happening. The requests don't go to the squid server, there is nothing in the squid logs. Note that I have an extra MASQUERADE rule "-A POSTROUTING -o eth0 -j MASQUERADE" which may screw the situation, but anyway, the above setup doesn't redirect the requests to the squid server, for whatever reason, which I don't know.
Here is the squid proxy conf:
Quote:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.10.0/24 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_reply_access allow all
dns_nameservers 192.168.10.1 10.0.10.2
cache_swap_low 85
cache_swap_high 95
maximum_object_size_in_memory 4096 KB
cache_mem 1024 MB
memory_pools off
minimum_object_size 0 KB
maximum_object_size 2048 KB
quick_abort_min 0 KB
ipcache_size 1024
ipcache_low 85
ipcache_high 95
positive_dns_ttl 15 minutes
negative_dns_ttl 1 minutes
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
icp_access allow all
http_port 3128 transparent
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
http_reply_access allow all
hierarchy_stoplist cgi-bin ?
cache_dir aufs /array/md4/squid 41960 16 256
cache_swap_log /array/md4/squid/swap.log
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
log_fqdn off
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern -i (.*jpg$|.*gif$) 0 50% 28800
refresh_pattern -i (.*html$|.*htm|.*shtml) 0 20% 1440
refresh_pattern (http://.*/$) 0 20% 1440
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_mgr support@example.lan
httpd_suppress_version_string on
visible_hostname proxy.local.example.lan
icp_port 3130
acl FTP proto FTP
always_direct allow FTP
coredump_dir /array/md4/squid
no_cache deny QUERY
hosts_file /etc/hosts
dead_peer_timeout 5 seconds
client_lifetime 1 day
half_closed_clients on
pipeline_prefetch on
server_persistent_connections off
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
NOTE: with this configuration the squid proxy works if I set it up in Firefox.