Iain (posted February 9, 2011)

I've set up a Squid proxy on Ubuntu 9.04 desktop in my home lab (with the intention of transferring to a small business environment eventually) and everything works fine. I want to take it to the next stage by making it transparent. Here's the setup and what I've done:

1. The "real" DG at the ADSL router is 192.168.0.1
2. The squid box has a single NIC (eth0) which is 192.168.0.250 / 24 (static)
3. Squid.conf modified to have the line <http_port 3128 transparent>
4. Executed the line "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"
5. Configured the Windows client DG to 192.168.0.250 and removed reference to the proxy in Internet Options > Connections

I can access the internet via the client and the transparent squid proxy logs the sites that I visit; however, any https traffic and e-mail sending or receiving via Outlook are blocked. I know that squid doesn't "play nicely" with or cache https traffic. I suspect that I need to have some iptables rules to check the destination port of the packets and, if it's 25, 110 or 443, the packet should be sent to the "real" DG at 192.168.0.1. I've tried MANY permutations of various iptables commands but haven't hit on the correct syntax. I've also read some articles that suggest that ip forwarding has to be enabled (via echo 1 > /proc/sys/net/ipv4/ip_forward) but others say it's not necessary.

Am I correct about what I need iptables to do? Do I need to enable ip forwarding? Can someone help me with the syntax that I must use to do what I need?

Thanks in advance.
Infiltrator (posted February 14, 2011, edited)

What happens if you add another iptables rule like the one below, but instead of port 80 set it to 443? Does it still block, or what do the log files say when you try to visit an HTTPS website?

"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"

Edited February 14, 2011 by Infiltrator
Iain (author, posted February 14, 2011)

I've tried several permutations but there's no logic in what I've done because I don't really understand iptables. It's almost been like the blind leading the unsighted! I've tried "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT -d 192.168.0.1" (plus similar statements referring to ports 25 and 110) but haven't got it to work (yet). It seems that the Squid/iptables computer isn't forwarding the relevant traffic to the ADSL router.
Infiltrator (posted February 14, 2011, edited)

I found this sample on the net, it might be able to help you sort your issue.

Source: http://www.brandonhutchinson.com/squid_iptables_firewall.html

#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
  --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
  --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
  --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
  --state NEW -j ACCEPT

# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
  --state NEW -j ACCEPT

# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
  --state NEW -j ACCEPT

# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP

# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP

# Have these rules take effect when iptables is started
/sbin/service iptables save

Edited February 15, 2011 by Infiltrator
Iain (author, posted February 15, 2011)

Thanks for the help. The script indicates 2 NICs (eth0 and eth1) but my scenario involves only one NIC and the routing is to another host (the real DG at the ADSL router) on the same network. I'll look at the script in detail though I think it will be similar to several others that I've seen posted on the 'net. There seem to be very few which deal with just one NIC. Maybe I'll post a question on one of the Linux or, more specifically, Ubuntu fora. I thought that this would be a doddle to resolve!
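A rule set for the single-NIC layout described in the first post, added here as an example and not taken from the thread, from any poster, or from the linked script. Interface, subnet, router address and Squid port are the values Iain gives; anything else is an assumption for a different network.

```shell
#!/bin/sh
# Added example for the single-NIC transparent Squid box in this thread; not a poster's code.
# Assumed values are those from the first post: LAN interface eth0, subnet 192.168.0.0/24,
# ADSL router 192.168.0.1 as the box's own default route, Squid on 3128 (http_port transparent).
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of executing it

# run: execute a command (as root), or print it when DRY_RUN=1 so the rules can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# proxy_rules: sysctl settings and iptables rules in the order they are needed.
proxy_rules() {
    # 1. Everything that is not port 80 (443, 25, 110, ...) must be routed on to the real
    #    gateway, so this box has to forward packets: ip_forward is required in this layout.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Forwarding a packet back out the interface it arrived on makes Linux send ICMP
    #    redirects pointing clients straight at 192.168.0.1; a client that honours one
    #    then also bypasses Squid for port 80 to that host. Switch redirects off.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.${LAN_IF}.send_redirects=0"
    # 3. Intercept LAN web traffic bound for the internet into Squid; web servers on the LAN
    #    are left alone. Squid's own fetches never pass PREROUTING, so they cannot loop here.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # 4. Let the rest of the LAN's internet traffic be forwarded, plus the replies to it.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 5. Source-NAT forwarded packets to this box so the router returns replies through it
    #    instead of straight to the client (symmetric path, conntrack sees both directions).
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" -j MASQUERADE
}

# rule_count: number of commands the script would apply; a quick sanity check.
rule_count() {
    ( DRY_RUN=1; proxy_rules ) | wc -l | tr -d ' '
}

# Usage: run as root with the single argument "apply"; set DRY_RUN=1 first to only print.
if [ "${1:-}" = "apply" ]; then
    proxy_rules
fi
```

With these rules HTTPS, SMTP and POP3 are routed to the ADSL router rather than proxied, so they will not appear in Squid's access log, only port 80 will.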