Squid and IPTABLES - Transparent

[wizzkid]

Hi,

I setup squid with transparent proxy and its working, however, when I reboot the server, the proxy server doesnt work unless I run the following.

Code:

# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Allow SSH on Public
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Then Proxy will start to work again. can you help me solve this issue please?

I dont want to run the above, everytime i reboot the server.

Thanks!

[Lazydog]

You need to save the rules with iptables-save.
On a RH/CentOS/Fedora system that is done with service iptables save.

[wizzkid]

I've done that
# service iptables save
# chkconfig iptables on

But still the same, I have to run the codes above.

Any help ?

[Lazydog]

Post the contents from /etc/sysconfig/iptables

[wizzkid]

Here's my iptables

Code:

# Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
*mangle
:PREROUTING ACCEPT [1169:102749]
:INPUT ACCEPT [644:71601]
:FORWARD ACCEPT [52:3591]
:OUTPUT ACCEPT [203:29618]
:POSTROUTING ACCEPT [282:37476]
COMMIT
# Completed on Thu Jan 13 02:21:58 2011
# Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
*nat
:PREROUTING ACCEPT [880:63719]
:POSTROUTING ACCEPT [6:520]
:OUTPUT ACCEPT [110:7574]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.2:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jan 13 02:21:58 2011
# Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [26:2011]
:OUTPUT ACCEPT [34:13391]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Thu Jan 13 02:21:58 2011

[HROAdmin26]

I didn't look through all of the script's iptables rules to verify whether they match what was saved, but this line is not an iptables command and is *not* going to survive a reboot:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

You need to edit sysctl.conf to make it permanent. Google

* You should take time to read and *understand* what your script is doing.

[wizzkid]

Hi HROAdmin,

Thanks