IPTables, Squid in a restricted network
I've been having some trouble setting up IPTables, and I humbly request your assistance because I just don't get it.
Basically I'm attempting to set up a network with very limited internet access. All addresses resolve internally except for a few that resolve externally. I have Squid3 set up in transparent mode on port 3128 and it is working great. However, due to the limitations of transparent proxies on HTTPS, I am not able to achieve everything through Squid :(
This limitation I'm hoping to get around through the use of IPTables, as I only need access to a very limited number of websites.
Below was my attempt to get this all working; however, the HTTPS part needs a complete redo. I was attempting to get just 443 to masquerade through the server, but when I turn the proxy off I can also FTP to IP addresses, which I believe demonstrates I am NAT'ing more than just port 443.
Please help. In short, I'd like to set up the following rules:
- allow all from lo (I think the below is correct)
- NAT transparent proxy port 80 to 172.16.0.5:3128 (I think it is correct)
- Masquerade all outgoing TCP/UDP 443 to a limited number of IP address ranges
These are my current IPTables rules. Thank you in advance.
# loopback allow all - working
iptables -I INPUT -i lo -j ACCEPT
# Transparent proxy with NAT - working
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.5:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# This is supposed to NAT only TCP 443. Other ports are getting through too, but I'd like to convert this to add acceptable IP ranges.
iptables -A FORWARD -o eth1 -i eth0 -s 172.16.0.0/22 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
EDIT: Sorry, I really should add the following:
Server network config:
eth0: 172.16.0.5/22 - LAN network
eth1: 192.168.0.1/24 gateway: 192.168.0.254 - WAN network - hoping this will be a public IP when it is deployed...but if it is possible to just use the interface (without the need for the IP) that would be awesome
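As an added example (not part of the original post or the poster's rule set): a script that implements the three requested rules with a default-deny FORWARD policy, so that only TCP 443 from the LAN to an explicit allowlist of destination ranges is forwarded and masqueraded, and everything else (FTP included) is dropped. Interface names and addresses are taken from the post; the allowlist ranges are constructed placeholders. The script prints the commands unless IPT=iptables is set, so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not the poster's rules. Dry run by default: prints the
# iptables commands. Run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo}"

# Constructed placeholder ranges that may be reached directly on TCP 443.
HTTPS_ALLOW="203.0.113.0/24 198.51.100.0/24"

LAN_IF=eth0; LAN_NET=172.16.0.0/22; PROXY=172.16.0.5:3128
WAN_IF=eth1

apply_rules() {
    # Start from a known state for the chains this script manages.
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -F FORWARD
    # Default deny: nothing is routed between LAN and WAN unless a rule
    # below accepts it. This is what stops FTP and other ports leaking.
    $IPT -P FORWARD DROP

    # Loopback.
    $IPT -I INPUT -i lo -j ACCEPT

    # Transparent proxy: LAN port 80 is DNATed to Squid on the server itself.
    # After DNAT the packet is delivered locally, so INPUT must admit 3128.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$PROXY"
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 3128 -j ACCEPT

    # Return traffic for flows that were already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections: only TCP 443 from the LAN to each allowlisted range.
    for net in $HTTPS_ALLOW; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$net" \
            -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Masquerade whatever FORWARD let through; the filtering lives above,
    # so the interface name is enough and no fixed WAN address is needed.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Number of FORWARD ACCEPT rules the script would emit, computed from a
# dry run so the rule set can be checked without touching the firewall.
count_forward_accepts() {
    (IPT=echo; apply_rules) | grep -c -- '-A FORWARD .*-j ACCEPT'
}

apply_rules
```

Expect one ESTABLISHED,RELATED rule plus one rule per allowlisted range in FORWARD; anything not matched falls to the DROP policy.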