Old 11-17-2009, 07:57 PM   #1
azrim
LQ Newbie
 
Registered: Nov 2009
Posts: 6

Rep: Reputation: 0
Transparent Proxy (squid + Dansguardian) with one NIC


Hi,

I would like to seek anyone's suggestions regarding my issue here.
I have set up a transparent proxy (squid + dansguardian), 172.16.4.7/24, on one server with only one NIC card. I don't want to use 2 NICs, for the reason that I don't want my proxy box to be placed between the LAN and the firewall/router.

I'm attaching it to my Cisco core switch and forcing my clients to use the proxy as the gateway.

Here is my network:

        FIREWALL
           |
           |
           |
       CORE SWITCH
        |    |    |
        |    |    |
     lan01 lan02 proxy


I'm using the iptables commands below to allow my proxy to be transparent to my clients:

#!/bin/sh

# Squid server IP
SQUID_SERVER="172.16.4.7"

# Interface connected to Internet
INTERNET="eth0"

# Address connected to LAN
LOCAL="172.16.4.0/24"
LOCAL2="172.16.5.0/24"

# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host opened (covers DNS, passive FTP, etc.)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT


#open everything
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

# Result: my transparent proxy (squid) is working fine, and when I tail -F access.log it shows all my client IP addresses from LOCAL1 and LOCAL2 accessing the web, like below:

# Access.log
1258534990.658 1498 172.16.5.224 TCP_MISS/200 514 GET http://chatenabled.mail.google.com/m.../cleardot.gif? - DIRECT/216.239.61.189 image/gif
1258534991.878 2726 172.16.5.224 TCP_MISS/200 42718 GET http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534992.383 1810 172.16.5.224 TCP_MISS/200 2357 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534995.380 3384 172.16.5.224 TCP_MISS/200 7218 GET http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534995.846 3463 172.16.5.224 TCP_MISS/200 2370 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534997.560 6305 172.16.5.224 TCP_MISS/200 971 GET http://b.mail.google.com/mail/channel/test? - DIRECT/216.239.61.189 text/html
1258535000.056 4210 172.16.5.224 TCP_MISS/200 2368 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258535000.791 3229 172.16.5.224 TCP_MISS/200 710 POST http://mail.google.com/mail/channel/bind? - DIRECT/216.239.61.83 text/plain
1258535001.137 14008 172.16.5.224 TCP_MISS/200 6646 GET http://www-gm-opensocial.googleuserc...ets/js/rpc.js? - DIRECT/64.233.189.132 text/java


However, with the above iptables config my dansguardian is not working at all. I know because when I try to access a blocked page it is still allowed. So I came up with the new iptables config below to tackle this problem. First I flush and reset the Linux firewall.

# New iptables rules to get dansguardian working: send port 3128 arrivals to dansguardian on 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080

# Only localhost may reach squid directly (modern negation syntax "! -s"; older iptables accepted "-s !")
iptables -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP

# Result: Now dansguardian is working and blocking everything I want. But a problem arises when I check tail -F access.log; it shows the following:

1258378079.875 9 127.0.0.1 TCP_HIT/200 843 GET http://pagead2.googlesyndication.com/pagead/js/abg.js - NONE/- text/javascript
1258378079.884 7 127.0.0.1 TCP_HIT/200 847 GET http://pagead2.googlesyndication.com...d/images/i.png - NONE/- image/png
1258378080.302 438 127.0.0.1 TCP_MISS/200 38892 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/216.239.61.164 image/gif
1258378080.609 805 127.0.0.1 TCP_MISS/200 519 GET http://adserver.adtechus.com/addyn/3...key3+key4;grp=[group];misc=1258349346500 - DIRECT/64.236.144.229 application/x-javascript
1258378081.091 376 127.0.0.1 TCP_MISS/200 3043 GET http://pubads.g.doubleclick.net/gampad/ads? - DIRECT/216.239.61.154 text/javascript
1258378081.681 417 127.0.0.1 TCP_MISS/200 38806 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/216.239.61.164 image/gif


It seems my squid (access.log) is not logging any client IP addresses from LOCAL1 and LOCAL2 but only the localhost IP 127.0.0.1. That does not seem right to me. This brings me to another issue, where I cannot apply my ACL delay pools based on my defined LAN. I want to make my transparent proxy (squid and dansguardian) work with one NIC as explained earlier.

It seems too long to explain my problem here, but I believe iptables is the issue and I'd really appreciate anyone who can help me solve this problem.

Regards,
 
Old 11-17-2009, 11:27 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,652
Blog Entries: 33

Rep: Reputation: 283
Hi, I didn't think it was possible to set up squid with only one NIC, but....

I found this page and after reading, I feel it may be of use to you.

http://www.delodder.be/blog/ubuntu/t...-with-one-nic/

A web site I have found useful in the past....

http://www.linuxhomenetworking.com/w...ess_with_Squid

Regards Glenn
 
Old 11-18-2009, 12:01 AM   #3
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
Refer to the following link:
http://www.linuxquestions.org/questi...-proxy-701710/
 
Old 11-18-2009, 12:59 AM   #4
azrim
LQ Newbie
 
Registered: Nov 2009
Posts: 6

Original Poster
Rep: Reputation: 0
Hi,

Thanks all for your suggestions. Let me briefly describe my server.

SERVER: CENTOS v5.4
SQUID : 2.6 stable 6 (run on port 3128)
DANSGUARDIAN: 2.8.0 (run on port 8080)

FYI, squid and dansguardian sit on the same server with the IP address 172.16.4.7. I believe my dansguardian config and squid config are correct.

Initially, as in the post, I was able to set up a transparent proxy (squid) by using the iptables rules below for my LANs; this was taken from the link http://www.delodder.be/blog/ubuntu/t...-with-one-nic/ as I have used it before.

SCENARIO 1
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT


Result: my var/log/access.log shows what it is supposed to. All client IP addresses are logged. Now I know my transparent proxy is working and I can do all the ACL delay pools in my squid.conf.

In order to make my dansguardian run and log all the client IP addresses, I need to use only the iptables rule below:

SCENARIO 2
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

Result: My var/log/dansguardian/access.log logs all client IP addresses as it is supposed to. That was great, and my dansguardian is blocking what it is supposed to.

There is no issue with either scenario, but I would like to mix the squid and dansguardian configs so that both access.logs have their respective logs together, by using the correct iptables commands.

I have tried many iptables possibilities for a week to meet my requirement, in order to make my squid and dansguardian work best. Unfortunately it still does not work.


I'm looking for anyone who has an idea on how to make these port 80 HTTP requests redirect to both squidbox:3128 and dansguardian:8080 so that both will record all client IP requests in their access.log.

thanks
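The chain the original poster describes (clients -> dansguardian:8080 -> squid 127.0.0.1:3128) makes squid see 127.0.0.1 as the TCP peer, which is why post #1's second access.log shows only localhost and why post #4 asks for both logs to carry the client address. The script below is an added example, not code from the thread or from the Squid or DansGuardian projects: it generates the iptables rules plus the dansguardian.conf and squid.conf fragments that pass the client address in X-Forwarded-For and let squid trust that header from localhost only, so delay pools, ACLs and access.log use the real client. Assumed values are taken from the thread (proxy 172.16.4.7, LANs 172.16.4.0/24 and 172.16.5.0/24, DansGuardian 8080, Squid 3128); the squid directives are assumed to be available in the poster's Squid 2.6.

```shell
#!/bin/sh
# Added example for the one-NIC chain discussed in this thread (not the poster's script):
#   LAN clients -> :8080 DansGuardian -> 127.0.0.1:3128 Squid -> Internet
# Assumed values from the thread: proxy 172.16.4.7, LANs 172.16.4.0/24 and 172.16.5.0/24.
# Squid only ever sees 127.0.0.1 as the TCP peer, so the client address travels in
# X-Forwarded-For and Squid is told to trust that header from localhost only; trusting
# it from anywhere else would let a client forge its address to dodge ACLs and delay pools.

LANS="172.16.4.0/24 172.16.5.0/24"
DG_PORT="8080"
SQUID_PORT="3128"

# Print the NAT/filter rules instead of applying them; pipe the output into sh as root to apply.
nat_rules() {
    for net in $LANS; do
        # Web traffic from each LAN goes to DansGuardian first, not straight to Squid.
        echo "iptables -t nat -A PREROUTING -s $net -p tcp --dport 80 -j REDIRECT --to-port $DG_PORT"
    done
    # Only the local DansGuardian may talk to Squid; stops clients from skipping the filter.
    echo "iptables -A INPUT -p tcp ! -s 127.0.0.1 --dport $SQUID_PORT -j DROP"
}

# dansguardian.conf fragment: forward to the local Squid and add the real client address
# to each request as X-Forwarded-For.
dansguardian_fragment() {
    cat <<EOF
proxyip = 127.0.0.1
proxyport = $SQUID_PORT
forwardedfor = on
EOF
}

# squid.conf fragment: accept X-Forwarded-For from the local DansGuardian only, then use
# the indirect (forwarded) client address for ACLs, delay pools and access.log.
squid_fragment() {
    cat <<EOF
acl localhost src 127.0.0.1/32
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
EOF
}

nat_rules
dansguardian_fragment
squid_fragment
```

After applying, a squid access.log line for a LAN request should carry the 172.16.x.x client address instead of 127.0.0.1, while dansguardian's own access.log keeps logging the client as in the poster's scenario 2.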
 
Old 04-28-2010, 08:42 AM   #5
baumie
LQ Newbie
 
Registered: Apr 2010
Posts: 1

Rep: Reputation: 0
Hi, it is very possible to set up squid with only one NIC. I have the following setup:

    Internet --> router --> Squid
                       --> users

Both squid and the users are on the same subnet and they have the router as gateway. It's running quite nicely.
 