LinuxQuestions.org
Old 08-12-2011, 02:30 AM   #1
kikinovak
Squid proxy vs. local Apache vs. iptables


Hi,

I have a local gateway/firewall/proxy server/web server running Slackware64. I just installed and configured Squid on it, and it runs quite nicely. I've configured iptables so all HTTP requests get redirected to port 3128 (Squid's default), so I don't have to configure the proxy individually in every user's browser (and, more importantly, they can't disable Squidguard filtering anymore).

Here's what the according line in my rc.firewall looks like:

Code:
# Redirect HTTP requests to the Squid proxy
$IPT -t nat -A PREROUTING -i $IFACE_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
Now the problem is, I also have a local webserver running on that same machine. This server is not supposed to be accessible from the Internet, it merely serves as a local package repo for various Linux distros, for use with various netinstall CDs.

Question: how can I still go on using this server without requests being redirected to Squid? I.e. usually all port 80 requests get redirected to port 3128, except for this single machine. I sense the answer is a simple one-liner, but I'm stuck here. Too much coffee, not enough sleep.
 
Old 08-12-2011, 03:09 AM   #2
acid_kewpie
what do you mean "except for this single machine"? is this single machine not the proxy?

Generically you can just put a different aliased IP on the same interface to keep things very separate, or you can exclude the destination IP of the machine itself in that line, e.g. add "-d ! 192.168.12.34" or whatever to that line.

Generally I don't like transparent proxies anyway, I'd not do that in the first place. There are good ways to stop people bypassing proxies by automatically configuring their browsers
 
Old 08-12-2011, 03:35 AM   #3
kikinovak
Quote:
Originally Posted by acid_kewpie
what do you mean "except for this single machine"? is this single machine not the proxy?

Generally I don't like transparent proxies anyway, I'd not do that in the first place. There are good ways to stop people bypassing proxies by automatically configuring their browsers
Well, I do need a transparent proxy here. It's for a network in a school - currently running a 100% CentOS-based network - and after a few months, most of the students had figured out how to bypass the proxy configuration in Firefox, which allowed them to happily surf porn sites and the like.

By "except for this single machine", I mean requests for the Apache server on this machine:

Code:
http://192.168.2.1
 
Old 08-12-2011, 03:37 AM   #4
acid_kewpie
Quote:
Originally Posted by kikinovak
Well, I do need a transparent proxy here. It's for a network in a school - currently running a 100% CentOS-based network - and after a few months, most of the students had figured out how to bypass the proxy configuration in Firefox, which allowed them to happily surf porn sites and the like.
You're fixing the wrong problem. You need a firewall, they're probably still poking all sorts of holes you don't know about. They could easily run tor on your systems, right?? maybe they already are.

Quote:
Originally Posted by kikinovak
By "except for this single machine", I mean requests for the Apache server on this machine:

Code:
http://192.168.2.1
right so try the -d ! suggestion
 
Old 08-12-2011, 04:24 AM   #5
kikinovak
Code:
# Redirect HTTP requests to the Squid proxy, except those for the
# server itself:
$IPT -t nat -A PREROUTING -i $IFACE_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 80 -d 192.168.2.1 -j ACCEPT
The -d switch, of course. *facepalm*. Thanks!
 
Old 08-12-2011, 04:28 AM   #6
acid_kewpie
Quote:
Originally Posted by kikinovak
Code:
# Redirect HTTP requests to the Squid proxy, except those for the
# server itself:
$IPT -t nat -A PREROUTING -i $IFACE_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 80 -d 192.168.2.1 -j ACCEPT
The -d switch, of course. *facepalm*. Thanks!
well no, this shouldn't work, as the traffic is no longer on port 80 by the time it reaches the INPUT table.
 
Old 08-12-2011, 05:08 AM   #7
kikinovak
Uh oh.

Code:
# Redirect HTTP requests to the Squid proxy, except those for the
# server itself:
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 80 -d 192.168.2.1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $IFACE_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
Better now?
 
Old 08-12-2011, 05:31 AM   #8
acid_kewpie
no, the order you write them doesn't matter as they are different tables.

as I said, try excluding the IP from the redirect:

Code:
$IPT -t nat -A PREROUTING -i $IFACE_LAN -d ! 192.168.2.1 -p tcp --dport 80 -j REDIRECT --to-port 3128
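The point made in posts #6 and #8 is that the kernel walks the nat PREROUTING hook before the filter INPUT hook for every locally destined packet, regardless of the order the rules were loaded in, so a REDIRECT in PREROUTING has already rewritten the destination port by the time an INPUT rule looks for port 80. The following toy model is an added example, not code from this thread or from iptables; it replays the three rule sets from posts #5, #7 and #8 against a packet for the local Apache and a packet for an outside web server (203.0.113.10 is a constructed placeholder, eth1 stands in for $IFACE_LAN). Its `as_iptables` renderer also emits the rule in current iptables syntax, where the negation goes before the option (`! -d`) rather than the deprecated `-d !` form used in the thread.

```python
"""Toy model of how netfilter sees a locally destined packet.

Constructed example (not iptables): a packet passes the nat PREROUTING
hook before the filter INPUT hook, whatever order the rules were loaded
in.  This shows why the INPUT ACCEPT in posts #5 and #7 cannot exempt the
local Apache, and why excluding the destination in the REDIRECT rule
itself (post #8) does.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

LAN_IFACE = "eth1"         # assumed value of $IFACE_LAN from the thread
GATEWAY = "192.168.2.1"    # the Slackware box / local Apache from the thread
SQUID_PORT = 3128
HTTP_PORT = 80


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    table: str                      # "nat" or "filter"
    chain: str                      # "PREROUTING" or "INPUT"
    target: str                     # "REDIRECT" or "ACCEPT"
    in_iface: Optional[str] = None  # -i
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    dst: Optional[str] = None       # -d
    dst_negate: bool = False        # "! -d": match everything except dst
    to_port: Optional[int] = None   # --to-port (REDIRECT only)

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # With dst_negate the rule matches only when the destination differs.
        if self.dst is not None and (pkt.dst == self.dst) == self.dst_negate:
            return False
        return True

    def as_iptables(self) -> str:
        """Render the rule as a current-syntax iptables command ('! -d',
        not the deprecated intrapositioned '-d !')."""
        parts = ["iptables", "-t", self.table, "-A", self.chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.dst:
            parts += (["!"] if self.dst_negate else []) + ["-d", self.dst]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        if self.to_port is not None:
            parts += ["--to-port", str(self.to_port)]
        return " ".join(parts)


# Hook order for a packet addressed to the box itself: fixed by the kernel.
HOOK_ORDER = (("nat", "PREROUTING"), ("filter", "INPUT"))


def traverse(rules: List[Rule], pkt: Packet) -> Packet:
    """Run the packet through the hooks in kernel order and return it as the
    local socket layer sees it.  The first matching rule in each chain wins;
    a REDIRECT rewrites the destination port on the spot."""
    for hook in HOOK_ORDER:
        for rule in rules:
            if (rule.table, rule.chain) != hook or not rule.matches(pkt):
                continue
            if rule.target == "REDIRECT":
                pkt = replace(pkt, dport=rule.to_port)
            break
    return pkt


def delivered_to(rules: List[Rule], pkt: Packet) -> str:
    """Which local daemon ends up receiving the connection."""
    final = traverse(rules, pkt)
    return {HTTP_PORT: "apache", SQUID_PORT: "squid"}.get(final.dport, "none")


REDIRECT_ALL = Rule("nat", "PREROUTING", "REDIRECT", in_iface=LAN_IFACE,
                    proto="tcp", dport=HTTP_PORT, to_port=SQUID_PORT)
ACCEPT_LOCAL = Rule("filter", "INPUT", "ACCEPT", in_iface=LAN_IFACE,
                    proto="tcp", dport=HTTP_PORT, dst=GATEWAY)
REDIRECT_EXCEPT_LOCAL = replace(REDIRECT_ALL, dst=GATEWAY, dst_negate=True)

RULESETS = {
    "post5": [REDIRECT_ALL, ACCEPT_LOCAL],   # ACCEPT never sees port 80
    "post7": [ACCEPT_LOCAL, REDIRECT_ALL],   # script order changes nothing
    "post8": [REDIRECT_EXCEPT_LOCAL],        # exclusion inside the nat rule
}

TO_LOCAL_WEB = Packet(LAN_IFACE, "tcp", GATEWAY, HTTP_PORT)
TO_INTERNET = Packet(LAN_IFACE, "tcp", "203.0.113.10", HTTP_PORT)  # constructed


def outcomes() -> dict:
    """(local Apache request, Internet request) -> receiving daemon, per rule set."""
    return {name: (delivered_to(rs, TO_LOCAL_WEB), delivered_to(rs, TO_INTERNET))
            for name, rs in RULESETS.items()}


if __name__ == "__main__":
    for name, (local, internet) in outcomes().items():
        print(f"{name}: local web -> {local}, internet -> {internet}")
    print(REDIRECT_EXCEPT_LOCAL.as_iptables())
```

Running it shows post5 and post7 both delivering the local request to squid, while post8 delivers it to apache and still sends Internet traffic through the proxy. An equivalent real-world layout is a `-d 192.168.2.1 -j RETURN` rule inserted before the REDIRECT in nat PREROUTING, which keeps the exception as its own line when the list of exempt hosts grows; either way, confirm with `iptables -t nat -L PREROUTING -n -v` that the REDIRECT counter stays still when you fetch from the local repo.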