Help Needed With Iptables Syntax


Iain


I've set up a Squid proxy on Ubuntu 9.04 desktop in my home lab (with the intention of transferring to a small business environment eventually) and everything works fine. I want to take it to the next stage by making it transparent. Here's the setup and what I've done:

1. The "real" DG at the ADSL router is 192.168.0.1

2. The squid box has a single NIC (eth0) which is 192.168.0.250 / 24 (static)

3. Squid.conf modified to have the line <http_port 3128 transparent>

4. Executed the line "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"

5. Configured the Windows client DG to 192.168.0.250 and removed reference to the proxy in Internet Options > Connections

I can access the internet via the client and the transparent squid proxy logs the sites that I visit, however any https traffic and e-mail sending or receiving via Outlook is blocked. I know that squid doesn't "play nicely" with or cache https traffic.

I suspect that I need to have some iptables rules to check the destination port of the packets and, if it's 25, 110 or 443, the packet should be sent to the "real" DG at 192.168.0.1. I've tried MANY permutations of various iptables commands but haven't hit on the correct syntax. I've also read some articles that suggest that ip forwarding has to be enabled (via echo 1 > /proc/sys/net/ipv4/ip_forward) but others say it's not necessary.

Am I correct about what I need iptables to do? Do I need to enable ip forwarding? Can someone help me with the syntax that I must use to do what I need?

Thanks in advance.


What happens if you add another iptables rule like the one below, but instead of port 80 set it to 443? Does it still block, or what do the log files say when you try to visit an HTTPS website?

"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"

Edited by Infiltrator

I've tried several permutations but there's no logic in what I've done because I don't really understand iptables. It's almost been like the blind leading the unsighted!

I've tried "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT -d 192.168.0.1" (plus similar statements referring to ports 25 and 110) but not got it to work (yet). It seems that the Squid/iptables computer isn't forwarding the relevant traffic to the ADSL router.


I found this sample on the net; it might be able to help you sort your issue.

Source: http://www.brandonhutchinson.com/squid_iptables_firewall.html

#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
  --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
  --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
  --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
  --state NEW -j ACCEPT

# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
  --state NEW -j ACCEPT

# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
  --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
  --state NEW -j ACCEPT

# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP

# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP

# Have these rules take effect when iptables is started
# (Red Hat-style command; on Ubuntu there is no "service iptables", so save the
# rules with iptables-save to a file and restore that file at boot instead)
/sbin/service iptables save

Edited by Infiltrator

Thanks for the help. The script indicates 2 NICs (eth0 and eth1) but my scenario involves only one NIC and the routing is to another host (the real DG at the ADSL router) on the same network. I'll look at the script in detail though I think it will be similar to several others that I've seen posted on the 'net. There seem to be very few which deal with just one NIC.

Maybe I'll post a question on one of the Linux or, more specifically, Ubuntu fora. I thought that this would be a doddle to resolve!

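The single-NIC case asked about in the opening post and again in the last reply (port 80 into Squid, 443/25/110 on to the ADSL router, and whether ip_forward is needed) is covered by the following script. It is an added example for this thread, not code from any of the posters or from the linked firewall script. It uses the addresses given in the thread (192.168.0.250 for the Squid box, 192.168.0.1 for the router, 192.168.0.0/24 for the LAN); the variable names, the numbered steps and the MASQUERADE choice are assumptions of this example. Because the clients hand all off-subnet traffic to this box, the box must route whatever it does not redirect, so ip_forward does have to be enabled; no per-port rule for 443, 25 or 110 is required, since the box's own default route already points at the router. The script prints the commands by default (so it can be reviewed without root) and applies them when run with "apply".

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posts: a single-NIC
# transparent Squid box. Plain HTTP from the LAN is pulled into Squid; every
# other port the clients send this way (443, 25, 110, ...) is routed on to the
# ADSL router, because that is where this box's own default route points.
# Addresses are the ones from the thread; variable names and the MASQUERADE
# choice are assumptions of this example.
IFACE="eth0"
PROXY_IP="192.168.0.250"      # this box (Squid)
GATEWAY="192.168.0.1"         # the "real" default gateway (ADSL router)
LAN_NET="192.168.0.0/24"
SQUID_PORT="3128"

# Emit the commands instead of running them, so the rule set can be read (or
# checked by a test) without root.  "build_rules | sh" applies it.
build_rules() {
    cat <<EOF
# 1. With forwarding off the kernel discards anything not addressed to $PROXY_IP.
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. Forwarding back out the interface a packet came in on makes Linux send ICMP
#    redirects ("use $GATEWAY directly"); a Windows client that accepts one installs
#    a host route for that destination and bypasses Squid for every port, 80 included.
echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# 3. Start from empty chains that this script owns.
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -F FORWARD
# 4. HTTP from the LAN goes into Squid's transparent port (the rule from the thread,
#    limited to LAN sources).
iptables -t nat -A PREROUTING -i $IFACE -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# 5. Everything else is forwarded unchanged; no per-port rule for 443/25/110 is
#    needed because the routing table already sends it to $GATEWAY.
iptables -A FORWARD -i $IFACE -o $IFACE -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IFACE -o $IFACE -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# 6. Source-NAT the forwarded traffic to $PROXY_IP so the router's replies come back
#    through this box; otherwise the router answers the client directly and conntrack
#    here only ever sees one direction of each connection.
iptables -t nat -A POSTROUTING -o $IFACE -s $LAN_NET -j MASQUERADE
EOF
}

# Number of iptables commands in the generated rule set.
iptables_line_count() {
    build_rules | grep -c '^iptables '
}

case "${1:-print}" in
    apply) build_rules | sh ;;
    *)     build_rules ;;
esac
```

Two things to check before relying on it: if the INPUT chain has a DROP default policy (as in the two-NIC script posted above), the LAN must also be allowed to reach tcp/3128 on INPUT or the redirected HTTP will never reach Squid; and on Ubuntu the rules are persisted with iptables-save to a file that is restored at boot, not with "service iptables save".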
