  1. #1
    Just Joined!
    Join Date
    Jan 2011
    Posts
    44

    Squid and IPTABLES - Transparent


    Hi,

    I set up Squid as a transparent proxy and it's working; however, when I reboot the server, the proxy server doesn't work unless I run the following.

    Code:
    # squid server IP
    SQUID_SERVER="192.168.1.1"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"
    
    # DO NOT MODIFY BELOW
    # Clean old firewall (flush rules and delete user chains in all three tables)
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    
    # For win xp ftp client
    #modprobe ip_nat_ftp
    # Enable routing between $LAN_IN and $INTERNET. This is a runtime-only
    # setting: it is not part of the iptables rule set and is not written
    # out by "service iptables save".
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Setting default filter policy (FORWARD is left at its default, ACCEPT,
    # which is what lets reply traffic from $INTERNET back through to the LAN)
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    
    # Allow SSH on Public (no interface restriction, so this applies on every interface)
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Accept replies to connections this host opened on $INTERNET
    # (covers DNS answers and, via ip_conntrack_ftp, passive FTP data)
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    
    # Port 80 arriving on $INTERNET: redirect to the local Squid port. New
    # connections from $INTERNET still hit the INPUT chain, which only accepts
    # ESTABLISHED,RELATED there, so this does not expose Squid to the Internet.
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    
    # DROP everything else and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    Then the proxy will start to work again. Can you help me solve this issue please?

    I don't want to run the above every time I reboot the server.

    Thanks!

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    You need to save the rules with iptables-save.
    On a RH/CentOS/Fedora system that is done with service iptables save.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jan 2011
    Posts
    44
    I've done that
    # service iptables save
    # chkconfig iptables on

    But still the same, I have to run the code above.

    Any help ?

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Post the contents from /etc/sysconfig/iptables

    Regards
    Robert


  5. #5
    Just Joined!
    Join Date
    Jan 2011
    Posts
    44
    Here's my iptables


    Code:
    # Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
    *mangle
    :PREROUTING ACCEPT [1169:102749]
    :INPUT ACCEPT [644:71601]
    :FORWARD ACCEPT [52:3591]
    :OUTPUT ACCEPT [203:29618]
    :POSTROUTING ACCEPT [282:37476]
    COMMIT
    # Completed on Thu Jan 13 02:21:58 2011
    # Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
    *nat
    :PREROUTING ACCEPT [880:63719]
    :POSTROUTING ACCEPT [6:520]
    :OUTPUT ACCEPT [110:7574]
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.2:3128
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Thu Jan 13 02:21:58 2011
    # Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [26:2011]
    :OUTPUT ACCEPT [34:13391]
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -i eth1 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth1 -j ACCEPT
    COMMIT
    # Completed on Thu Jan 13 02:21:58 2011

  6. #6
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,755
    I didn't look through all of the script's iptables rules to verify whether they match what was saved, but this line is not an iptables command and is *not* going to survive a reboot:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    You need to edit sysctl.conf to make it permanent. Google

    * You should take time to read and *understand* what your script is doing.
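The two persistence pieces raised in posts #2 and #6 can be checked together. The script below is an added example for this thread, not code from any of the posts: it verifies that the saved iptables dump still carries the rules the transparent proxy depends on, and makes `net.ipv4.ip_forward` permanent in `sysctl.conf`, which is the step `service iptables save` does not cover. It assumes the RHEL/CentOS file locations, the `eth0`/`eth1` interface names and port 3128 from the thread (all overridable through environment variables); the file name `persist-proxy.sh` and the `check` argument are the example's own, and the rule check only pins the Squid port of the DNAT because the thread shows two different target addresses (192.168.1.1 in the script, 10.10.20.2 in the saved dump).

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# "service iptables save" persists the nat/filter tables into
# /etc/sysconfig/iptables, but the ip_forward toggle lives in /proc and is
# reset at reboot; this script checks both halves and fixes the sysctl one.
# Paths are overridable so the functions can be exercised against copies.
IPTABLES_SAVED="${IPTABLES_SAVED:-/etc/sysconfig/iptables}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
PROC_IP_FORWARD="${PROC_IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
# Interface names and Squid port as used in the thread (assumed; adjust).
LAN_IN="${LAN_IN:-eth1}"
INTERNET="${INTERNET:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# check_saved_rules DUMP LAN_IF WAN_IF SQUID_PORT
# Returns 0 when the iptables-save dump contains every rule the transparent
# proxy needs; prints each missing rule to stderr and returns 1 otherwise.
check_saved_rules() {
    dump="$1"; lan_if="$2"; wan_if="$3"; port="$4"; missing=0
    # Interface-specific rules, matched as fixed strings.
    for rule in \
        "-A PREROUTING -i $lan_if -p tcp -m tcp --dport 80 -j DNAT" \
        "-A POSTROUTING -o $wan_if -j MASQUERADE" \
        "-A FORWARD -i $lan_if -j ACCEPT" \
        "-A INPUT -i $lan_if -j ACCEPT"
    do
        if ! grep -qF -- "$rule" "$dump"; then
            echo "missing from $dump: $rule" >&2
            missing=1
        fi
    done
    # The DNAT must deliver LAN port 80 to Squid's port; the host part may be
    # any IPv4 address, so only the port is pinned.
    if ! grep -Eq -- "^-A PREROUTING -i $lan_if .* -j DNAT --to-destination [0-9.]+:$port\$" "$dump"; then
        echo "missing from $dump: DNAT of LAN port 80 to Squid port $port" >&2
        missing=1
    fi
    return $missing
}

# ip_forward_persisted FILE: 0 if FILE sets net.ipv4.ip_forward = 1.
ip_forward_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# ip_forward_running FILE: 0 if the /proc-style FILE currently reads "1".
ip_forward_running() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# persist_ip_forward FILE: set net.ipv4.ip_forward = 1 in FILE, replacing an
# existing line (RHEL ships "= 0") or appending one; safe to run repeatedly.
persist_ip_forward() {
    conf="$1"
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
}

# Run the checks only when invoked as "sh persist-proxy.sh check", so the
# functions can also be sourced from another script.
if [ "${1:-}" = "check" ]; then
    rc=0
    check_saved_rules "$IPTABLES_SAVED" "$LAN_IN" "$INTERNET" "$SQUID_PORT" || rc=1
    if ip_forward_persisted "$SYSCTL_CONF"; then
        echo "ok: ip_forward persisted in $SYSCTL_CONF"
    else
        echo "fixing: ip_forward not persisted in $SYSCTL_CONF"
        persist_ip_forward "$SYSCTL_CONF"
    fi
    ip_forward_running "$PROC_IP_FORWARD" || { echo "warn: forwarding is off right now (run sysctl -p)"; rc=1; }
    exit $rc
fi
```

Run it as root after `service iptables save` (`sh persist-proxy.sh check`), then `sysctl -p` to apply the new setting without a reboot. If it reports rules missing from `/etc/sysconfig/iptables`, the fix is to re-run the firewall script and save again; this example does not edit the saved rule set. Note why the forwarding bit matters even though the DNAT to 10.10.20.2:3128 in the saved dump lands on the proxy host itself: LAN clients still resolve names and reach non-port-80 services through the MASQUERADE rule, which needs `ip_forward`, so a browser that cannot resolve a host looks exactly like "the proxy stopped working".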

  7. #7
    Just Joined!
    Join Date
    Jan 2011
    Posts
    44
    Hi HROAdmin,

    Thanks
