Thread: Squid and IPTABLES - Transparent
-
01-12-2011 #1
Join Date: Jan 2011 | Posts: 44
I set up Squid as a transparent proxy and it's working; however, when I reboot the server, the proxy doesn't work unless I run the following.
Code:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

# Enable IP forwarding (runtime setting only; not part of the iptables rule set)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Allow SSH on Public
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
I don't want to run the above every time I reboot the server.
Thanks!
-
01-12-2011 #2
You need to save the rules with iptables-save.
On a RH/CentOS/Fedora system that is done with service iptables save.
-
01-13-2011 #3
Join Date: Jan 2011 | Posts: 44
I've done that
# service iptables save
# chkconfig iptables on
But it's still the same; I have to run the code above.
Any help ?
-
01-13-2011 #4
Post the contents from /etc/sysconfig/iptables
-
01-14-2011 #5
Join Date: Jan 2011 | Posts: 44
Here's my iptables
Code:
# Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
*mangle
:PREROUTING ACCEPT [1169:102749]
:INPUT ACCEPT [644:71601]
:FORWARD ACCEPT [52:3591]
:OUTPUT ACCEPT [203:29618]
:POSTROUTING ACCEPT [282:37476]
COMMIT
# Completed on Thu Jan 13 02:21:58 2011
# Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
*nat
:PREROUTING ACCEPT [880:63719]
:POSTROUTING ACCEPT [6:520]
:OUTPUT ACCEPT [110:7574]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.2:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jan 13 02:21:58 2011
# Generated by iptables-save v1.3.5 on Thu Jan 13 02:21:58 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [26:2011]
:OUTPUT ACCEPT [34:13391]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Thu Jan 13 02:21:58 2011
-
01-14-2011 #6
Join Date: Nov 2007 | Posts: 1,875
I didn't look through all of the script's iptables rules to verify whether they match what was saved, but this line is not an iptables command and is *not* going to survive a reboot:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
* You should take time to read and *understand* what your script is doing.
-
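A check for the point made in post #6, added here as an example that is not part of the thread or of Squid: the rules that the iptables service restores from /etc/sysconfig/iptables are only part of what a transparent proxy needs after a reboot, because the forwarding flag written into /proc is a runtime sysctl that has to be persisted separately (on RHEL/CentOS of that era, in /etc/sysctl.conf, which is applied at boot). The script below audits a saved rule dump and a sysctl.conf for the pieces the posted setup depends on and reports what is missing. The inputs are constructed copies of what was posted in the thread; the function name audit_persistence and the interface and port arguments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the two files that RHEL/CentOS
# restores at boot for everything a Squid transparent proxy needs. The inputs
# below are constructed so the script runs offline; on a real box pass the
# contents of /etc/sysconfig/iptables and /etc/sysctl.conf instead.

# Constructed copy of the nat/filter rules posted in the thread.
SAVED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.2:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# Constructed sysctl.conf in the thread's state: forwarding is not persisted.
SYSCTL_BROKEN='net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0'

# Constructed sysctl.conf after the fix (echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf; sysctl -p).
SYSCTL_FIXED='net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 1'

# audit_persistence RULES SYSCTL_CONF LAN_IF WAN_IF SQUID_PORT
# Prints one "missing: ..." line per absent item; exit status is the number missing (0 = all good).
audit_persistence() {
    rules=$1; sysctl_conf=$2; lan=$3; wan=$4; port=$5
    missing=0

    # 1. Forwarding must be set in sysctl.conf; a bare echo into /proc is lost at reboot.
    #    sysctl applies the file top to bottom, so the last assignment is the effective one.
    fwd=$(printf '%s\n' "$sysctl_conf" \
        | sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
        | tail -n 1)
    if [ "$fwd" != "1" ]; then
        echo "missing: net.ipv4.ip_forward = 1 in sysctl.conf (found: ${fwd:-unset})"
        missing=$((missing + 1))
    fi

    # 2. nat PREROUTING: LAN tcp/80 must be steered to Squid, by REDIRECT or DNAT.
    if ! printf '%s\n' "$rules" | grep -Eq -e "^-A PREROUTING -i $lan .*--dport 80 .*-j (REDIRECT --to-ports $port|DNAT --to-destination [0-9.]+:$port)"; then
        echo "missing: nat PREROUTING rule sending $lan tcp/80 to port $port"
        missing=$((missing + 1))
    fi

    # 3. nat POSTROUTING: LAN traffic leaving on the WAN side must be masqueraded.
    if ! printf '%s\n' "$rules" | grep -Eq -e "^-A POSTROUTING -o $wan -j MASQUERADE"; then
        echo "missing: nat POSTROUTING MASQUERADE on $wan"
        missing=$((missing + 1))
    fi

    # 4. filter FORWARD: routed traffic from the LAN must be accepted.
    if ! printf '%s\n' "$rules" | grep -Eq -e "^-A FORWARD -i $lan -j ACCEPT"; then
        echo "missing: filter FORWARD ACCEPT from $lan"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# Demonstration on the constructed inputs: the thread's situation yields exactly one finding.
if audit_persistence "$SAVED_RULES" "$SYSCTL_BROKEN" eth1 eth0 3128; then
    echo "everything the transparent proxy needs survives a reboot"
else
    echo "transparent proxy will not come back after a reboot; see findings above"
fi
```

On a real system run it as `audit_persistence "$(cat /etc/sysconfig/iptables)" "$(cat /etc/sysctl.conf)" eth1 eth0 3128`, with the interface names and port adjusted to match the rules. The remedy for the finding it produces on the thread's configuration is to add `net.ipv4.ip_forward = 1` to /etc/sysctl.conf and load it with `sysctl -p`. One further caveat visible in the posted rule set: `-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT` carries no `-i`, so SSH is accepted on eth0 from the Internet side as well as from the LAN.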
01-14-2011 #7
Join Date: Jan 2011 | Posts: 44
Hi HROAdmin,
Thanks