Hi,
I would like to seek anyone's suggestions regarding my issue here.
I have set up a transparent proxy (squid + dansguardian), 172.16.4.7/24, on one server with only one NIC. I don't want to use 2 NICs, because I don't want my proxy box to be placed between the LAN and the firewall/router.
I'm attaching it to my Cisco core switch and forcing my clients to use the proxy as the gateway.
Here is my network:
FIREWALL
|
|
|
CORE SWITCH
| | |
| | |
lan01 lan02 proxy
I'm using the iptables commands below to make my proxy transparent to my clients:
#!/bin/sh
# Squid server IP
SQUID_SERVER="172.16.4.7"
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="172.16.4.0/24"
LOCAL2="172.16.5.0/24"
# Squid port
SQUID_PORT="3128"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow return traffic for connections this host already opened (ESTABLISHED/RELATED)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
#open everything
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Result: my transparent proxy (squid) is working fine, and when I tail -F access.log it shows all my clients' IP addresses in LOCAL1 and LOCAL2 accessing the web, like below:
# Access.log
1258534990.658 1498 172.16.5.224 TCP_MISS/200 514 GET http://chatenabled.mail.google.com/m.../cleardot.gif? - DIRECT/216.239.61.189 image/gif
1258534991.878 2726 172.16.5.224 TCP_MISS/200 42718 GET http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534992.383 1810 172.16.5.224 TCP_MISS/200 2357 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534995.380 3384 172.16.5.224 TCP_MISS/200 7218 GET http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534995.846 3463 172.16.5.224 TCP_MISS/200 2370 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258534997.560 6305 172.16.5.224 TCP_MISS/200 971 GET http://b.mail.google.com/mail/channel/test? - DIRECT/216.239.61.189 text/html
1258535000.056 4210 172.16.5.224 TCP_MISS/200 2368 POST http://mail.google.com/mail/? - DIRECT/216.239.61.83 text/javascript
1258535000.791 3229 172.16.5.224 TCP_MISS/200 710 POST http://mail.google.com/mail/channel/bind? - DIRECT/216.239.61.83 text/plain
1258535001.137 14008 172.16.5.224 TCP_MISS/200 6646 GET http://www-gm-opensocial.googleuserc...ets/js/rpc.js? - DIRECT/64.233.189.132 text/java
However, with the above iptables config my dansguardian is not working at all. I know because when I try to access a blocked page it is still allowed. So I came up with a new iptables config like below to tackle this problem. First I flush and reset the Linux firewall.
# New iptables rules to let dansguardian work
# Send traffic that arrived for squid (3128) to dansguardian (8080) instead
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
# Only localhost (dansguardian) may talk to squid on 3128 directly
iptables -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP
Result: now dansguardian is working and blocking everything I want. But a problem arises when I check tail -F access.log; it shows entries like below:
1258378079.875 9 127.0.0.1 TCP_HIT/200 843 GET http://pagead2.googlesyndication.com/pagead/js/abg.js - NONE/- text/javascript
1258378079.884 7 127.0.0.1 TCP_HIT/200 847 GET http://pagead2.googlesyndication.com...d/images/i.png - NONE/- image/png
1258378080.302 438 127.0.0.1 TCP_MISS/200 38892 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/216.239.61.164 image/gif
1258378080.609 805 127.0.0.1 TCP_MISS/200 519 GET http://adserver.adtechus.com/addyn/3...key3+key4;grp=[group];misc=1258349346500 - DIRECT/64.236.144.229 application/x-javascript
1258378081.091 376 127.0.0.1 TCP_MISS/200 3043 GET http://pubads.g.doubleclick.net/gampad/ads? - DIRECT/216.239.61.154 text/javascript
1258378081.681 417 127.0.0.1 TCP_MISS/200 38806 GET http://pagead2.googlesyndication.com/pagead/imgad? - DIRECT/216.239.61.164 image/gif
It seems my squid (access.log) is not logging any client IP addresses from LOCAL1 and LOCAL2, but only the localhost IP 127.0.0.1. That does not seem right to me. This brings me to another issue: I cannot apply my ACL delay pools based on my defined LAN. I want to make my transparent proxy (squid and dansguardian) work with one NIC as explained earlier.
It seems too long to explain my problem here, but I believe iptables is the issue, and I would really appreciate anyone who can help me solve it.
Regards,
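A small parser for squid's native access.log format, added here as an example and not part of the original post, that counts requests per client and flags the condition visible in the second capture above, where every entry carries 127.0.0.1 because dansguardian relays to squid over loopback and squid never sees the LAN address. The sample log lines are constructed (documentation addresses and example.invalid URLs, with the post's own 172.16.x client ranges).

```python
import ipaddress
from collections import Counter

# Constructed sample in squid's native access.log format, mirroring the two
# captures in the post: two entries with real LAN client addresses, then two
# where the client column is the loopback address of the dansguardian relay.
SAMPLE_LOG = """\
1258534990.658   1498 172.16.5.224 TCP_MISS/200 514 GET http://example.invalid/a.gif - DIRECT/198.51.100.10 image/gif
1258534991.878   2726 172.16.4.25 TCP_MISS/200 42718 GET http://example.invalid/b.js - DIRECT/198.51.100.11 text/javascript
1258378079.875      9 127.0.0.1 TCP_HIT/200 843 GET http://example.invalid/c.js - NONE/- text/javascript
1258378080.302    438 127.0.0.1 TCP_MISS/200 38892 GET http://example.invalid/d.png - DIRECT/198.51.100.12 image/png
"""

# Field order of squid's native log format
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "mimetype")

def parse_line(line):
    """Split one native-format entry into a dict; return None for lines that
    do not have the ten expected fields (e.g. a wrapped or truncated line)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    # "TCP_MISS/200" -> result code and HTTP status
    entry["code"], _, entry["status"] = entry["result"].partition("/")
    return entry

def client_summary(log_text, lan_networks):
    """Count requests per client and report how many entries carry only the
    loopback address versus how many fall inside the defined LAN ranges."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    per_client = Counter()
    loopback = in_lan = 0
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        addr = ipaddress.ip_address(entry["client"])
        per_client[entry["client"]] += 1
        if addr.is_loopback:
            loopback += 1
        elif any(addr in n for n in nets):
            in_lan += 1
    total = sum(per_client.values())
    return {"total": total, "loopback": loopback, "in_lan": in_lan,
            "per_client": dict(per_client),
            # True when squid only ever sees the relay, so source-based
            # ACLs and delay pools cannot match any client request
            "client_ip_hidden": total > 0 and loopback == total}
```

When client_ip_hidden is true, the usual remedy (an assumption about the reader's dansguardian and squid builds, not something the post confirms) is to have dansguardian send X-Forwarded-For (forwardedfor = on) and let squid trust that header from localhost (follow_x_forwarded_for allow localhost, log_uses_indirect_client on), so the LAN address reappears in access.log and in ACL matching.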