#1

    Iptables & Squid


    I'm using iptables to calculate the amount of data my users are transferring on a monthly basis. When my users go over a certain number of bytes, I add a firewall rule which prevents them from accessing the internet. That's working great.

    At this point, however, I would like to incorporate Squid, so all websites my users visit are cached in the proxy. I tried altering my script, but haven't succeeded yet.

    Now I'm facing two problems: either the clients cannot surf the web, or Squid isn't used to cache. Plus, when I do the math and calculate the exact amount of data that went through the firewall, this is not correct.

    This is my script:
    Code:
    #!/bin/sh
    # squid server IP
    SQUID_SERVER="192.168.0.100"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"

    # Clean old firewall (note: -Z zeroes the counters, so read them before re-running this)
    iptables -F
    iptables -Z
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_nat_irc
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp

    echo "Done loading modules..."

    echo "Enabling forwarding.."
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Setting default filter policy
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT

    # Per-client accounting chains, hooked into FORWARD in both directions
    iptables -N accounting-in
    iptables -N accounting-out

    iptables -A FORWARD -i $INTERNET -o $LAN_IN -j accounting-in
    iptables -A FORWARD -i $LAN_IN -o $INTERNET -j accounting-out

    # Known clients: the counters on these RETURN rules are the per-client byte totals
    iptables -A accounting-out -s 192.168.0.101 -m mac --mac-source 00:19:B9:52:46:4A -j RETURN
    iptables -A accounting-out -s 192.168.0.102 -m mac --mac-source 00:90:4B:B0:01:A6 -j RETURN

    iptables -A accounting-out -j LOG --log-prefix "Unknown mac: " --log-ip-options
    iptables -A accounting-out -j REJECT

    iptables -A accounting-in -d 192.168.0.101 -j RETURN
    iptables -A accounting-in -d 192.168.0.102 -j RETURN

    iptables -A accounting-in -j LOG --log-prefix "Unknown ip: " --log-ip-options
    iptables -A accounting-in -j DROP

    # Transparent proxy: intercept HTTP arriving from the LAN side (not from the
    # Internet side, which would never match client requests) and hand it to Squid
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

    Can someone help? Thx

#2 Lazydog
    You have a default policy for INPUT and OUTPUT but none for FORWARD.

    You have your forwards dropping to a sub chain and then returning.
    What is IPTABLES doing with them once they are returned?
    Instead of RETURN try replacing with ACCEPT?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#3
    Quote Originally Posted by Lazydog:
    You have a default policy for INPUT and OUTPUT but none for FORWARD.

    You have your forwards dropping to a sub chain and then returning.
    What is IPTABLES doing with them once they are returned?
    Instead of RETURN try replacing with ACCEPT?
    Hi Lazydog, thanks for trying to help me out!

    First of all: I've added a default policy for FORWARD like this:
    Code:
    iptables -P FORWARD ACCEPT
    I tried changing the sub-chains of FORWARD (accounting-in and accounting-out) to use ACCEPT instead of RETURN, but I cannot see any difference. Like this:

    Code:
    iptables -A accounting-out -s 192.168.0.101 -m mac --mac-source 00:19:B9:52:46:4A -j ACCEPT
    iptables -A accounting-in -d 192.168.0.101 -j ACCEPT
    At the moment the behaviour looks a bit like this: all HTML traffic appears to be accounted for when doing 'iptables -L -vxn'. When I fire up YouTube and start viewing a movie, that isn't accounted for. BUT when I look at the Squid cache (parsed by LightSquid), all traffic generated by the clients looks OK. So basically, the number of bytes isn't correct when doing 'iptables -L -vxn', which I parse to feed the database.

    Do you have other thoughts?
    Thx

#4 Lazydog
    Maybe you should find a way to use Squid instead of iptables for this.
    Isn't there some sort of metering/limit you can set in Squid?
    I don't use it, so I don't know.

    Regards
    Robert

#5
    Doesn't anyone have experience with this?

#6 (Canberra, Australia)
    You are counting in the FORWARD chain....

    As soon as you redirect to the local Squid, it becomes INPUT/OUTPUT.
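
The last reply is the diagnosis: nat/PREROUTING REDIRECT turns the client's HTTP connection into a locally terminated one, so the packets go INPUT to Squid and OUTPUT back to the client and never touch FORWARD, which is the only place the original script counts (and, for that matter, the only place its over-quota block rule lives). The script below is an added example, not code from the thread, showing one way to keep the per-client counters and the quota block working regardless of the redirect: count in mangle/PREROUTING, which runs before nat/PREROUTING and therefore before the REDIRECT, and in mangle/POSTROUTING, which sees both forwarded packets and packets Squid itself generates. It also carries a small parser for the `iptables -L -vxn` output that post #3 feeds into a database. Assumptions: Squid runs on this gateway, eth1 faces the LAN and eth0 the Internet, the client list and the sample counter output are constructed for illustration, and `IPT` may be set to `echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): per-client byte accounting that still
# counts HTTP after it has been REDIRECTed to a local Squid.
# Assumptions: Squid on this gateway; eth1 = LAN, eth0 = Internet;
# CLIENTS and SAMPLE_UP below are constructed for illustration.

IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of applying them
LAN_IN="${LAN_IN:-eth1}"
INTERNET="${INTERNET:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Constructed client list: "ip mac", one per line.
CLIENTS="192.168.0.101 00:19:B9:52:46:4A
192.168.0.102 00:90:4B:B0:01:A6"

setup_accounting() {
    for c in acct-up acct-down; do
        $IPT -t mangle -N "$c" 2>/dev/null || true   # may already exist
        $IPT -t mangle -F "$c"
    done
    # mangle/PREROUTING runs before nat/PREROUTING, so it sees every client
    # packet before the REDIRECT decides whether it goes to FORWARD or INPUT.
    $IPT -t mangle -A PREROUTING -i "$LAN_IN" -j acct-up
    # mangle/POSTROUTING sees forwarded packets and Squid's own replies alike.
    $IPT -t mangle -A POSTROUTING -o "$LAN_IN" -j acct-down

    echo "$CLIENTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # The RETURN rules are the per-client counters; -m mac is valid in PREROUTING.
        $IPT -t mangle -A acct-up -s "$ip" -m mac --mac-source "$mac" -j RETURN
        $IPT -t mangle -A acct-down -d "$ip" -j RETURN
    done
    # Anything not matched above is an unknown host: log it and drop it.
    $IPT -t mangle -A acct-up -j LOG --log-prefix "Unknown mac: "
    $IPT -t mangle -A acct-up -j DROP
    $IPT -t mangle -A acct-down -j LOG --log-prefix "Unknown ip: "
    $IPT -t mangle -A acct-down -j DROP

    # Transparent proxy: intercept HTTP arriving from the LAN, masquerade the rest.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
}

# Over-quota block. A DROP in FORWARD no longer stops HTTP once it is redirected
# to Squid, so the block goes into mangle/PREROUTING ahead of the counters.
block_client() {
    $IPT -t mangle -I acct-up 1 -s "$1" -j DROP
}

# Turn "iptables -t mangle -L <chain> -vxn" output into "ip bytes" lines.
# $1 is "src" for acct-up (client is the source) or "dst" for acct-down.
# With -v -x the columns are: pkts bytes target prot opt in out source destination
report() {
    awk -v key="$1" '$3 == "RETURN" { ip = (key == "src") ? $8 : $9; print ip, $2 }'
}

# Constructed sample of "iptables -t mangle -L acct-up -vxn" output for demo_report.
SAMPLE_UP='Chain acct-up (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1234   1536000 RETURN     all  --  *      *       192.168.0.101        0.0.0.0/0            MAC 00:19:B9:52:46:4A
     987    204800 RETURN     all  --  *      *       192.168.0.102        0.0.0.0/0            MAC 00:90:4B:B0:01:A6
       3       180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "Unknown mac: "
       3       180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

demo_report() {
    printf '%s\n' "$SAMPLE_UP" | report src
}

case "${1:-}" in
    apply)  setup_accounting ;;
    block)  block_client "$2" ;;
    report) $IPT -t mangle -L acct-up -vxn | report src
            $IPT -t mangle -L acct-down -vxn | report dst ;;
    demo)   demo_report ;;
esac
```

Two caveats go with this layout. The counters measure bytes on the LAN side, so a client served from Squid's cache is still charged for what it received, while the upstream link carried less; if the quota is meant to track upstream usage, Squid's access.log (what LightSquid parses) is the per-client record for that, since Squid's own fetches leave via OUTPUT on eth0 with the gateway's address and cannot be attributed to a client by iptables alone. And the original script's `iptables -Z` zeroes every counter on each run, so the totals have to be read into the database before the rules are reloaded.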
