Transparent Proxy (squid + Dansguardian) with one NIC
Hi,
I would like to seek anyone's suggestions regarding my issue here. I have set up a transparent proxy (squid + dansguardian) 172.16.4.7/24 on one server with only one NIC card. I don't want to use 2 NICs, for the reason that I don't want my proxy box to be placed between the LAN and the firewall/router. I'm attaching it to my Cisco core switch and forcing my clients to use the proxy as the gateway. Here is my network:

        FIREWALL
           |
           |
       CORE SWITCH
       |    |    |
       |    |    |
    lan01 lan02 proxy

I'm using the iptables commands below to allow my proxy to be transparent to my clients:

#!/bin/sh
# Squid server IP
SQUID_SERVER="172.16.4.7"
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="172.16.4.0/24"
LOCAL2="172.16.5.0/24"
# Squid port
SQUID_PORT="3128"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# open everything
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Result: my transparent proxy (squid) is working fine, and when I tail -F access.log it shows all my clients' IP addresses from LOCAL1 and LOCAL2 accessing the web, like below:

# Access.log
1258534990.658 1498 172.16.5.224 TCP_MISS/200 514 GET http://chatenabled.mail.google.com/m.../cleardot.gif? - DIRECT/216.239.61.189 image/gif
1258534991.878 2726 172.16.5.224 TCP_MISS/200 42718 GET http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534992.383 1810 172.16.5.224 TCP_MISS/200 2357 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534995.380 3384 172.16.5.224 TCP_MISS/200 7218 GET http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534995.846 3463 172.16.5.224 TCP_MISS/200 2370 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534997.560 6305 172.16.5.224 TCP_MISS/200 971 GET http://b.mail.google.com/mail/channel/test? - DIRECT/216.239.61.189 text/html
1258535000.056 4210 172.16.5.224 TCP_MISS/200 2368 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258535000.791 3229 172.16.5.224 TCP_MISS/200 710 POST http://mail.google.com/mail/channel/bind? - DIRECT/216.239.61.83 text/plain
1258535001.137 14008 172.16.5.224 TCP_MISS/200 6646 GET http://www-gm-opensocial.googleuserc...ets/js/rpc.js? - DIRECT/64.233.189.132 text/java

However, with the above iptables config my dansguardian is not working at all. I know because when I try to access a blocked page it still allows it. So I came up with a new iptables config like the one below to tackle this problem. First I flush and reset the Linux firewall.

# New iptables to let dansguardian work
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

Result: now dansguardian is working and blocking everything I want.

But a problem arises when I check tail -F access.log; it shows the following:

1258378079.875 9 127.0.0.1 TCP_HIT/200 843 GET http://pagead2.googlesyndication.com/pagead/js/abg.js - NONE/- text/javascript
1258378079.884 7 127.0.0.1 TCP_HIT/200 847 GET http://pagead2.googlesyndication.com...d/images/i.png - NONE/- image/png
1258378080.302 438 127.0.0.1 TCP_MISS/200 38892 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/216.239.61.164 image/gif
1258378080.609 805 127.0.0.1 TCP_MISS/200 519 GET http://adserver.adtechus.com/addyn/3...key3+key4;grp=[group];misc=1258349346500 - DIRECT/64.236.144.229 application/x-javascript
1258378081.091 376 127.0.0.1 TCP_MISS/200 3043 GET http://pubads.g.doubleclick.net/gampad/ads? - DIRECT/216.239.61.154 text/javascript
1258378081.681 417 127.0.0.1 TCP_MISS/200 38806 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/216.239.61.164 image/gif

It seems my squid (access.log) is not logging any client IP addresses from LOCAL1 and LOCAL2 but only the localhost IP 127.0.0.1. That does not seem right to me. This brings me to another issue: I cannot apply my ACL delay pools based on my defined LANs. I want to make my transparent proxy (squid and dansguardian) work with one NIC as explained earlier. It seems too long to explain my problem here, but I believe iptables is the issue, and I would really appreciate anyone who can help me solve this problem.

Regards,
Hi, I didn't think it was possible to set up squid with only one NIC, but....

I found this page and, after reading it, I feel it may be of use to you.
http://www.delodder.be/blog/ubuntu/t...-with-one-nic/

A web site I have found useful in the past....
http://www.linuxhomenetworking.com/w...ess_with_Squid

Regards
Glenn
Refer to the following link:
http://www.linuxquestions.org/questi...-proxy-701710/
Hi,
Thanks all for your suggestions. Let me describe my server briefly.

SERVER: CENTOS v5.4
SQUID: 2.6 stable 6 (runs on port 3128)
DANSGUARDIAN: 2.8.0 (runs on port 8080)

FYI, squid and dansguardian sit on the same server with the IP address 172.16.4.7. I believe my dansguardian config and squid config are correct. Initially in the post I was able to set up a transparent proxy (squid) by using the iptables below for my LANs; this was taken from the link http://www.delodder.be/blog/ubuntu/t...-with-one-nic/ as I had used it before.

SCENARIO 1
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

Result: my var/log/access.log shows what it is supposed to. All client IP addresses are logged. Now I know my transparent proxy is working and I can do all the ACL delay pools in my squid.conf.

In order to make my dansguardian run and log all the client IP addresses, I need to use only the iptables below:

SCENARIO 2
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

Result: my var/log/dansguardian/access.log is logging all client IP addresses as it is supposed to. That was great, and my dansguardian is blocking what it is supposed to.

There is no issue with either scenario, but I would like to mix the squid and dansguardian configs so that both access.logs have their respective entries together, by using the correct iptables commands. I have tried many possibilities for these iptables for a week to reflect my requirement, in order to make my squid and dansguardian work best. Unfortunately it still does not work. I'm looking for anyone who has an idea how to make these HTTP port 80 requests redirect to both squidbox:3128 and dansguardian:8080 so that both will record all client IP requests in access.log.

thanx
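The one-NIC rule set that keeps SCENARIO 1 and SCENARIO 2 at the same time, written here as an added example and not taken from any post in the thread. It assumes the box stays the clients' gateway, that DansGuardian on 8080 opens its own connection to Squid on 127.0.0.1:3128 (which is exactly why Squid's log shows 127.0.0.1, and no iptables rule can change that; the comments at the end show the X-Forwarded-For settings that do), and that IPT, NIC, LAN, LAN2 and DG_PORT are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. One-NIC transparent squid + dansguardian
# rules: LAN web traffic is REDIRECTed to DansGuardian, which then talks to
# Squid on 127.0.0.1 itself. Run as root with "apply"; set IPT=echo to
# dry-run and read the rules without touching the kernel.
IPT="${IPT:-iptables}"
NIC="${NIC:-eth0}"                      # name chosen here
LAN="${LAN:-172.16.4.0/24}"             # from the thread
LAN2="${LAN2:-172.16.5.0/24}"           # from the thread
DG_PORT="${DG_PORT:-8080}"              # dansguardian port (thread)
SQUID_PORT="${SQUID_PORT:-3128}"        # squid port (thread)

apply_rules() {
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in "$LAN" "$LAN2"; do
        # The box is the clients' gateway: route everything else for them.
        $IPT -A FORWARD -i "$NIC" -s "$net" -j ACCEPT
        # One REDIRECT only, to the filter. Squid's own outbound port-80
        # traffic leaves via OUTPUT, never PREROUTING, so there is no loop.
        $IPT -t nat -A PREROUTING -i "$NIC" -s "$net" -p tcp --dport 80 \
            -j REDIRECT --to-port "$DG_PORT"
        $IPT -A INPUT -i "$NIC" -s "$net" -p tcp --dport "$DG_PORT" -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$NIC" -j MASQUERADE
    # Squid is reachable from the filter only, so a browser pointed
    # straight at 3128 cannot bypass DansGuardian.
    $IPT -A INPUT ! -s 127.0.0.1 -p tcp --dport "$SQUID_PORT" -j DROP
    $IPT -A INPUT -j LOG --log-prefix "proxy-drop: "
    $IPT -A INPUT -j DROP
}

# The 127.0.0.1 in Squid's access.log is DansGuardian's own connection. To
# get the real client into Squid's log and delay pools, pass it along in an
# X-Forwarded-For header instead. In dansguardian.conf:
#   forwardedfor = on
# In squid.conf (Squid 2.6/2.7 need a build with --enable-follow-x-forwarded-for,
# check "squid -v"; 3.x has it by default):
#   follow_x_forwarded_for allow localhost
#   acl_uses_indirect_client on
#   delay_pool_uses_indirect_client on
#   log_uses_indirect_client on

if [ "${1-}" = "apply" ]; then apply_rules; fi
```

Run it with IPT=echo first and compare the printed rules against iptables -t nat -L -n -v after applying; DansGuardian's access.log keeps the client IP directly, Squid's only through the indirect-client settings above.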
Hi, it is very possible to set up squid with only one NIC. I have the following setup:

Internet --> router --> Squid --> users

Both squid and the users are on the same subnet and they have the router as gateway. It's running quite nicely.