Find the answer to your Linux question:
Results 1 to 2 of 2
i've just installed Squid to run as transparent proxy oni ubuntu 11.04 with the help of dnsmasq i have two nics eth1(lan 192.168.90.0/24) and eth0 (wan,192.168.1.65 static) http works smoothly, ...
  1. 01-29-2012 #1
    dnalor
    dnalor is offline
    Just Joined!
    Join Date
    Jan 2012
    Posts
    1

    Question iptables and squid (newbie question)

    i've just installed Squid to run as transparent proxy oni ubuntu 11.04
    with the help of dnsmasq
    i have two nics eth1(lan 192.168.90.0/24) and eth0 (wan,192.168.1.65 static)
    http works smoothly, though users cannot do the following:

    1. visit https
    2. connect to WLM (port 1863)
    3. ssh
    4. traceroute or ping
    5. visit the localserver on port 80


    i'm pretty sure it's an iptables issue and i'm such a newbie that i've spent 3 hours with no luck so far.

    NB: i've used the following script to setup transparent prioxy for http:
    #!/bin/sh
    # ------------------------------------------------------------------------------------
    Linux: Setup a transparent proxy with Squid in three easy steps[/url]
    # (c) 2006, nixCraft under GNU/GPL v2.0+
    # -------------------------------------------------------------------------------------
    # squid server IP
    SQUID_SERVER="192.168.90.1"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"

    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    Reply With Quote Reply With Quote
  2. 01-31-2012 #2
    Lazydog
    Lazydog is offline
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    Replace
    Code:
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    with
    Code:
    iptables -A FORWARD -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
    Your FORWARD is not allowing return traffic from the WAN.

    You can read more about IPTABLES HERE
    You should also stop mixing STATEFUL and STATELESS rules as it can make for a hard time troubleshooting.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules

...