- 01-27-2013 #1, r31griffo (Sydney, Australia)
IPTables, Squid in a restricted network
G'day everyone,
I've been having some troubles when it comes to setting up IPTables and I humbly request your assistance because I just don't get it.
Basically I'm attempting to set up a network with very limited internet access. All addresses resolve internally except for a few that resolve externally. I have Squid3 set up in transparent mode on port 3128 and it is working great. However, due to the limitations of transparent proxies on HTTPS, I am not able to achieve everything through Squid.
This limitation I'm hoping to get around through the use of IPTables, as I only need access to a very limited number of websites.
Below was my attempt to get this all working; however, the HTTPS part needs a complete redo. I was attempting to get just 443 to masquerade through the server, but when I turn the proxy off I can also FTP to IP addresses. I believe this demonstrates I am NAT'ing more than just port 443.
Please help; in short, I'd like to set up the following rules:
- allow all from lo (I think the rule below is correct)
- NAT transparent proxy port 80 to 172.16.0.5:3128 (I think it is correct)
- Masquerade all outgoing TCP/UDP 443 to a limited number of IP address ranges
These are my current IPTables rules. Thank you in advance,
Griffo
# Loopback: allow everything on lo (working)
iptables -I INPUT -i lo -j ACCEPT
# Transparent proxy: hand port-80 traffic arriving on each interface to Squid on 3128 (working)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.5:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Meant to NAT only TCP 443; other ports are getting through too. This is also where the
# acceptable destination IP ranges should be added.
iptables -A FORWARD -o eth1 -i eth0 -s 172.16.0.0/22 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Note: nothing in this script sets the FORWARD chain policy, so it keeps the kernel default
# of ACCEPT. The two ACCEPT rules above therefore change nothing, and every forwarded packet
# (FTP included) reaches the MASQUERADE rule below. A "-P FORWARD DROP" is what is missing.
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
EDIT: Sorry, I really should add the following:
Server network config
eth0: 172.16.0.5/22 - LAN network
eth1: 192.168.0.1/24, gateway 192.168.0.254 - WAN network - hoping this will be a public IP when it is deployed, but if it is possible to just use the interface (without the need for the IP) that would be awesome.
Last edited by r31griffo; 01-27-2013 at 03:20 AM.
- 01-29-2013 #2
You might want to start looking at your firewall another way. I either allow or block traffic on the inbound interface. Because I am already allowing it there, there is no reason to allow it again on exit. For example, your rule:
Code:
iptables -A FORWARD -o eth1 -i eth0 -s 172.16.0.0/22 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
could be written like this:
Code:
iptables -A FORWARD -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
Notice there is no need for IP addresses or the outbound interface. This rule allows all traffic heading to 443 from any machine on your network. Should you need to block certain IP addresses, you can add IP address information to the rule.
You only really need to add outbound interfaces to the rules when there is more than one outbound interface and you want to ensure that traffic goes out the proper one.
- 01-29-2013 #3, r31griffo (Sydney, Australia)
Excellent, thanks for the reply. I'll try it out when I get home.
Regarding the outbound IP ranges, would you have any suggestions regarding that?
Cheers,
Brad
- 01-30-2013 #4
What are you looking to do?
- 01-31-2013 #5, r31griffo (Sydney, Australia)
Sorry Robert, I didn't explain what I was after. I must have been trying to do too many things at once.
I'm hoping to create a white list of IP ranges for port 443 packets leaving the output interface.
For the tcp 443 packets that go out the outbound interface, I want to create a white list of IP ranges and deny all other outbound 443 packets (or would this be better achieved on the incoming interface?). Squid is doing an excellent job of looking after HTTP.
Some P2P applications use port 443 due to the lack of control proxies have over SSL, I'm hoping to avoid the whole issue as I only need to access a limited number of IP addresses over 443.
For example, I'm attempting to get a website to work correctly that accesses googleapis.com (using HTTPS to fetch an AJAX .js file). Using dig, I find several A records in the following range: 173.194.69.99-173.194.69.147. This is the only one I know of so far, but I'm sure there will be more in the future.
Cheers,
Brad
- 01-31-2013 #6
Have a look at this IP Range Match.
Replace INPUT with FORWARD and ensure that you are filtering on the LAN interface.
Take a look at the whole Tutorial which you may find very helpful.
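The script below is an added example, not code from any poster in this thread, that puts the thread's pieces together on the gateway described in post #1: the transparent Squid redirect for port 80, a default DROP on FORWARD (the line the original ruleset was missing, and the reason FTP got through), 443 filtered on the inbound LAN interface as post #2 suggests, and destinations restricted with the iprange match from post #6. The interface names, LAN range, proxy port and the 173.194.69.99-173.194.69.147 range come from the thread; the second range (203.0.113.10-203.0.113.20, from the TEST-NET-3 documentation block), the function names `build_rules`, `preview_rules` and `https_rule_count`, and the `apply`/`preview` arguments are my own. Run it as `sh rules.sh preview` to print the rules, or as root with `apply` to load them.

```shell
#!/bin/sh
# Added example (not from the thread): transparent Squid for port 80 plus an
# iprange whitelist for TCP 443, with everything else dropped on FORWARD.
set -eu

LAN_IF=eth0            # 172.16.0.5/22, LAN side (from post #1)
WAN_IF=eth1            # 192.168.0.1/24, WAN side (from post #1)
LAN_NET=172.16.0.0/22
PROXY_PORT=3128        # Squid runs on this host in intercept/transparent mode (from post #1)

# Destination ranges allowed on TCP 443, one "start-end" pair per word.
# 173.194.69.99-173.194.69.147 is the googleapis.com range from post #5;
# 203.0.113.10-203.0.113.20 is a constructed placeholder (TEST-NET-3): replace it.
HTTPS_RANGES="173.194.69.99-173.194.69.147 203.0.113.10-203.0.113.20"

# Command each rule is handed to. Leave it as iptables to load the rules (needs root);
# preview_rules swaps in echo so the rules can be inspected without touching the kernel.
IPT=${IPT:-iptables}

build_rules() {
    # Start clean. -F clears rules but not chain policies.
    $IPT -F
    $IPT -t nat -F

    # Nothing crosses the box unless a rule below allows it. This is what the
    # thread's original ruleset lacked: with the kernel default of ACCEPT on
    # FORWARD every protocol, FTP included, was forwarded and then masqueraded.
    $IPT -P FORWARD DROP

    # Loopback, and LAN clients reaching the local Squid port after the redirect.
    # (INPUT policy is left as it is; lock that down separately once SSH etc. are allowed.)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # Transparent proxy: Squid listens on this same host, so REDIRECT (to a local
    # port) is enough; the DNAT to the host's own address in post #1 does the same.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # Replies to already-accepted connections, matched first so they skip the rest.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Filter on the inbound (LAN) interface, as post #2 suggests, and only for
    # destinations inside the whitelist, using the iprange match from post #6.
    for range in $HTTPS_RANGES; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
            -m iprange --dst-range "$range" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log (rate-limited) what the DROP policy is about to discard, so peer-to-peer
    # clients trying 443 to other addresses show up in the kernel log.
    $IPT -A FORWARD -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # MASQUERADE uses whatever address eth1 holds at the time, so this rule does
    # not change when the WAN side gets its public IP (the question in post #1).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Print the rules instead of loading them (no root needed).
preview_rules() {
    (IPT=echo; build_rules)
}

# Number of FORWARD ACCEPT rules for port 443 the preview contains: one per range.
https_rule_count() {
    preview_rules | grep -c -- '--dport 443 .* -j ACCEPT'
}

case "${1:-preview}" in
    apply)   build_rules ;;
    preview) preview_rules ;;
    *)       echo "usage: $0 [apply|preview]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner would add. The whitelist is only as good as the address ranges in it: the googleapis.com records seen with dig today are not guaranteed tomorrow, so either watch the FWD-DROP log for the site breaking or maintain the ranges from a script rather than by hand. And iprange matches packets, not names, so anything else hosted in those ranges is reachable on 443 too; the LOG line is there precisely so the remaining 443 traffic can be reviewed.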