Old 10-22-2004, 03:30 PM   #1
LQ Newbie
Registered: Oct 2003
Posts: 27

Rep: Reputation: 15
IP tables / squid incoming traffic

Using Fedora 3. Got squid set up and working as long as I put the address and port info into IE. Otherwise, if I try and reach something, I can get the address by name but nothing else.
Pinging [] with 32 bytes of data:
host unreachable

With IE, if I put in you can see in the status bar where it has resolved the address, yet it can't display anything and eventually times out.

I have my iptables set up according to this site: under the section "Squid (transparent) Running in the local network"

To me it seems that either squid or, more likely, my iptables are blocking incoming requests while trying to run squid transparently.

Thanks for any help,
Old 10-22-2004, 05:55 PM   #2
Registered: Nov 2003
Location: Belgium
Distribution: Slackware
Posts: 184

Rep: Reputation: 36
You also need to configure squid for it.

Probably you have somewhere a squid.conf (/etc/squid or /usr/local/squid/etc/squid .. or any
other place; 'updatedb; locate ..')

httpd_accel_uses_host_header on

More info on

See also for more info on squid
Old 10-25-2004, 11:42 AM   #3
LQ Newbie
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Nope. That didn't help. Here is my squid config and iptables setup:

http_port 3128
icp_port 3128
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
ftp_passive off
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
acl Safe_ports port 3128 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
reply_body_max_size 0 allow all
httpd_accel_port 80
httpd_accel_uses_host_header on
memory_pools off


if [ -z "`ip rule list | grep www.out`" ] ; then
    ip rule add fwmark CA table www.out # Note 0xCA = 202
    ip route add default via dev eth1 table www.out
    ip route flush cache
    echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi


loc eth1 detect routeback


ACCEPT loc loc tcp www


loc loc ACCEPT

iptables -t mangle -A PREROUTING -i eth1 -s ! -p tcp --dport 80 -j MARK --set-mark 202
iptables -t nat -A PREROUTING -i eth0 -d ! -p tcp --dport 80 -j REDIRECT --to-ports 3128

Then I ran iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on

When IE is not configured manually I am able to ping external sites and resolve to IP, but not get the ICMP packet back, as well as can't get a page to come up in IE.

Trying to get this to all be transparent.
Old 10-25-2004, 12:20 PM   #4
Registered: Nov 2003
Location: Belgium
Distribution: Slackware
Posts: 184

Rep: Reputation: 36
I think you have eth0 at the internet and
eth1 to your network with an IP


tcpdump -i eth1 host 192.168.1.3

You will see what is happening. My guess:

A PC in your network, let's say, sends a packet to (somewhere on the net).

Your firewall changes the destination from to (your squid).

Squid receives the packet (and the next ones also),
does its job, and makes a connection to (from ).

Then it goes wrong:

Since squid knows the src address it will reply directly, instead of
returning to your firewall where the reverse action of the NAT happens.

The computer will not understand these packets since they come
from some other computer that it had no connection with.

I solved it once by putting the squid on another network; that way the reply had to
go through the gateway (which is also the firewall with the DNAT).

Maybe with marking the packet and also doing an SNAT in POSTROUTING you can get
the same effect of forcing the reply through the firewall to reverse the NAT.

Just a wild guess but this is what I've already seen, and my solution.
(FYI you can have more IP addresses on the same network interface.)
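As an added illustration of the reply path described in this post (not code from the thread), here is a small Python model with constructed addresses: the firewall DNATs port 80 to a squid box on the same LAN. Without SNAT the squid reply goes straight to the client from squid's own address and the client rejects it; with SNAT in POSTROUTING the reply is forced back through the firewall, which reverses both translations.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses for the scenario in the post (not from the original thread).
CLIENT, FIREWALL, SQUID, WEB = "192.168.1.3", "192.168.1.1", "192.168.1.2", "203.0.113.10"


class Firewall:
    """Minimal model of a PREROUTING DNAT to squid, with optional POSTROUTING SNAT."""

    def __init__(self, snat):
        self.snat = snat
        self.table = {}  # NAT state: tuple squid will reply to -> original request

    def forward(self, p):
        out = replace(p, dst=SQUID, dport=3128)           # PREROUTING: send port 80 to squid
        if self.snat:                                     # POSTROUTING: squid sees the firewall as source
            out = replace(out, src=FIREWALL, sport=40000)
        self.table[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reverse(self, reply):
        """Undo the translations for a reply that came back through the firewall."""
        orig = self.table.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Pkt(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def squid_reply(p):
    # squid answers whatever source it saw; a host on the same LAN is reached directly
    return Pkt(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)


def run(snat):
    """Return (reply as the client sees it, whether the client's socket accepts it)."""
    fw = Firewall(snat)
    req = Pkt(CLIENT, 51000, WEB, 80)
    reply = squid_reply(fw.forward(req))
    # Direct LAN delivery bypasses the firewall; a reply addressed to the firewall gets un-NATed.
    seen = reply if reply.dst == CLIENT else fw.reverse(reply)
    accepted = seen is not None and (seen.src, seen.sport) == (req.dst, req.dport)
    return seen, accepted
```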
Old 10-25-2004, 12:35 PM   #5
LQ Newbie
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Sorry about that... yes, eth0 is to the internet and eth1 is to the LAN at

As it stands right now I am setting this up for work. So right now the squid server is getting its eth0 address via DHCP from our network. Then it's connected to another machine that I am testing all of this on.
Old 10-25-2004, 01:38 PM   #6
Registered: Nov 2003
Location: Belgium
Distribution: Slackware
Posts: 184

Rep: Reputation: 36
Can you check if my guess is correct?

The system I set up once also gave addresses with DHCP.

The interface eth1 can have 2 addresses and you can still use DHCP for them
as long as the networks are disjunct, and in 1 network you need to use
the MAC address to specify an IP address.

The things for dhcpd.conf (check man dhcpd.conf):

You need shared-network { } around the subnets in dhcpd,
and with this option
'deny unknown-clients;'

you allow only the hosts you specify by MAC address in the subnet {} block
on this network; the others can get a dynamic address.

# some hints for the dhcpd.conf (keep a copy of the original)
shared-network .. {
    subnet .... {
        host squid {
            hardware ethernet 00:30:21:23:dc:d1;
        }
    }
}
shared-network .. {
}

Maybe this can help, but first you need to know if the problem appears as
