Find the answer to your Linux question:
Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    Question iptables and squid (newbie question)

    i've just installed Squid to run as transparent proxy oni ubuntu 11.04
    with the help of dnsmasq
    i have two nics eth1(lan and eth0 (wan, static)
    http works smoothly, though users cannot do the following:

    1. visit https
    2. connect to WLM (port 1863)
    3. ssh
    4. traceroute or ping
    5. visit the localserver on port 80

    i'm pretty sure it's an iptables issue and i'm such a newbie that i've spent 3 hours with no luck so far.

    NB: i've used the following script to setup transparent prioxy for http:
    # ------------------------------------------------------------------------------------
    Linux: Setup a transparent proxy with Squid in three easy steps[/url]
    # (c) 2006, nixCraft under GNU/GPL v2.0+
    # -------------------------------------------------------------------------------------
    # squid server IP
    # Interface connected to Internet
    # Interface connected to LAN
    # Squid port

    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    The Keystone State
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    iptables -A FORWARD -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $LAN_IN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -j DROP
    Your FORWARD is not allowing return traffic from the WAN.

    You can read more about IPTABLES HERE
    You should also stop mixing STATEFUL and STATELESS rules as it can make for a hard time troubleshooting.


    The adventure of a life time.

    Linux User #296285
    Get Counted

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts