[SOLVED] IPtables for a remote transparent proxy

Ser Olmy · 05-26-2012, 03:08 PM

Quote:

Originally Posted by robertjinx

With this exact setup there is nothing happening. The requests don't go to the squid server, there is nothing in the squid logs.

When you say "nothing happens", do you mean the clients can't access web pages? Or do you mean that they can, but that they aren't being redirected through squid?

Edit: The following line contains a bug:

Code:

-A POSTROUTING -o eth1 -d 192.168.10.253/32 -p tcp --dport 80 -j MASQUERADE

It's NATing redirected traffic to the squid server, to make sure it gets routed through the gateway on its way back. However, the NATed packets go to port 3128 of the squid server, not port 80. The line should read:

Code:

-A POSTROUTING -o eth1 -d 192.168.10.253/32 -p tcp --dport 3128 -j MASQUERADE

robertjinx · 05-27-2012, 12:03 PM

Ok, this rules sends requests to the squid server, but I get "Access Denied" from the squid server, which is again due to "WARNING: Forwarding loop detected for:"

Ser Olmy · 05-27-2012, 04:13 PM

Quote:

Originally Posted by robertjinx

Ok, this rules sends requests to the squid server, but I get "Access Denied" from the squid server, which is again due to "WARNING: Forwarding loop detected for:"

Then it seems traffic from the squid server to external web servers is still being redirected back to squid. The "ACCEPT" rule in the PREROUTING chain of the nat table is supposed to prevent that.

Simple test: Does telnet <IP address of a web server> 80 from the squid server land you at the server in question (as it should), or are you redirected back to the squid process at port 3128?

robertjinx · 05-28-2012, 10:33 AM

The ip address of a webserver you referring to something like osnews.com and the answer is "Access Denied" also, but you have to keep in mind that on the squid server there are 2 network cards eth0: 192.168.10.254 and eth1: 192.168.10.253 (which is squid).

Squid is setup to run on 192.168.10.253:3128, but it doesn't matter, I'm still getting the same "Access Denied.".

Ser Olmy · 05-28-2012, 02:44 PM

Quote:

Originally Posted by robertjinx

but you have to keep in mind that on the squid server there are 2 network cards eth0: 192.168.10.254 and eth1: 192.168.10.253 (which is squid).

Any particular reason why you chose not to mention this earlier?

Add a the second ACCEPT rule to the nat chain for this IP address.

And how about the telnet test? Did it work or not?

robertjinx · 05-28-2012, 02:47 PM

Yes, I can telnet to 192.168.10.253 on port 3128. Actually I can use the proxy server the 'normal' way.
I'm still not sure what there is need for another ACCEPT rule if that ip address is not used at all and that squid listens only on 192.168.10.253?

robertjinx · 05-28-2012, 02:50 PM

OK here is the full and "proper" iptables:

Code:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -d 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -d 192.168.10.254/32 -j ACCEPT
-A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128
-A POSTROUTING -o eth1 -d 192.168.10.253/32 -p tcp --dport 3128 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Ser Olmy · 05-28-2012, 03:09 PM

Your iptables rules are still wrong. This:

Code:

-A PREROUTING -i eth1 -d 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -d 192.168.10.254/32 -j ACCEPT

...says "outbound traffic to 192.168.10.253 and 254 should not be DNATed". These rules should prevent traffic from these addresses from getting DNATed.

The correct version of the above:

Code:

-A PREROUTING -i eth1 -s 192.168.10.253/32 -j ACCEPT
-A PREROUTING -i eth1 -s 192.168.10.254/32 -j ACCEPT

Alter the rules and then please try the telnet test as outlined in post #18. Run the test from the squid server, with and without the squid proces running.

The purpose of the test is to determine whether outbound traffic from the squid server to port 80 on a server on the internet is getting redirected back to squid.

robertjinx · 05-28-2012, 03:19 PM

Ok that works, seem to be fine now. Thanks very much, you've been a true help all the way

kindman · 06-04-2012, 05:58 AM

Quote:

Originally Posted by Ser Olmy

Of course. You need to exclude the Squid server from being redirected to itself. Flush and repopulate the PREROUTING chain as follows:

Code:

iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.253/32 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.10.253:3128

...and you should have an ugly but proxy probably working hack.

I'm do it like you say and my problew was corrected ,I don't know what's your problem , why you cauldn't correct your problem like me ?

robertjinx · 06-04-2012, 07:37 AM

What are you talking about, my issue was solved, even the thread is set as SOLVED.