- 10-01-2009 #1
Problem with transparent proxy
Hi everyone at the forum,
Sorry for this detailed explanation, I just want to make sure in what part I'm doing something wrong.
I've been trying for a while to make the Squid proxy that I have on CentOS transparent, but for a reason that I can't understand it's not working. I've tried multiple configurations in squid.conf, and also in iptables and sysctl.conf, as I have read in different articles and manuals, but I can't make it work. I have 2 network cards: eth0 connected to the switch which gives me internet, and eth1 which generates the actual LAN.
When I connect my laptop with default gateway to eth1 (192.168.2.1) and configure in my laptop's browser settings the proxy 192.168.2.1 and port 3128, everything works perfectly; I can surf the internet. But when I try to make this configuration
transparent with "http_port 3128 transparent" in the squid conf and create the rules in iptables... it doesn't work.
I have to manually configure the browser settings again to make it work, even though I already set it transparent.
This is my squid conf (I don't know if I have to delete all the other lines that come by default in squid or not.... I haven't deleted those)
http_port 3128 transparent
cache_mem 1024 MB
cache_dir ufs /var/spool/squid 5120 16 256
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl redinterna src 192.168.2.0/255.255.255.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow redinterna
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny all
My iptables look like this
*nat
:PREROUTING ACCEPT [7958:598945]
:POSTROUTING ACCEPT [3489:252606]
:OUTPUT ACCEPT [1775:95700]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [9184:3797786]
:FORWARD ACCEPT [2783:253020]
:OUTPUT ACCEPT [8210:899514]
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
COMMIT
Besides, I have tried this option too in sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
and this one too
net.ipv4.ip_forward = 1
I know the proxy works, but there must be something that is not working, maybe with iptables or something else....
I know this thread is really long, but I've tried so many times with different configurations and no luck for me.... Can anybody help me with this problem?

Thank you very much in advance for your responses
Best regards
Andres Camino
- 10-02-2009 #2
For starters, your firewall blocks nothing; just hoping you are aware of this.
You need to redirect port 80 to port 3128 in order for your proxy to receive the traffic going to the web.
Use this TUTORIAL to see how it is done.
- 10-02-2009 #3
Hi Lazydog,
I don't understand what you mean by "firewall blocks nothing"?
I'm checking the tutorial, but I thought I was redirecting port 80 to 3128 on eth1, as it is in this line.... I know I'm wrong, otherwise it would be working, but I'm not understanding the part that blocks nothing.
thank you very much for your help
Best regards
- 10-02-2009 #4
*filter
:INPUT ACCEPT [9184:3797786]
:FORWARD ACCEPT [2783:253020]
:OUTPUT ACCEPT [8210:899514]
-A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
COMMIT
ACCEPT allows traffic to pass. DROP/REJECT blocks traffic.
None of your rules or policies have DROP or REJECT in them, thus everything is allowed to pass. You also have no FORWARD rules, so everything is allowed to be pushed from eth0 to eth1 and from eth1 to eth0. Your problem is that traffic going to the internet and coming from the internet, passing through this box, is not being controlled. Rules for your proxy should be placed into the preroute filter for them to function properly.
- 10-02-2009 #5
Hi Lazydog
I have 3 doubts:
So I should use DROP in the filter table?
When you talk about FORWARDing the packets, that should be on the nat table, right?
Do I need a mangle table to make it work?
Thanks a lot for your help
Best regards
Andres Camino
- 10-03-2009 #6
> so I should use DROP in the filter table?
Yes, that is what a firewall is for: to drop/block traffic you do not want. If it isn't blocking then there is no need for it.
> when you talk about FORWARD the packets, that should be on the nat table right?
No, FORWARD is in the filter table.
> Do I need a mangle table to make it work?
That would depend on your setup. Anything going out to the internet must have a routeable IP address so that traffic can be returned. NATing should happen at the last hop before traffic is sent out to the internet.
- 10-04-2009 #7
Hi Lazydog
I've added this to my filter table
*filter
:INPUT ACCEPT [2703:2207816]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2832:435581]
-A FORWARD -i eth1 -j ACCEPT
It still doesn't make it transparent. This is my nat table:
*nat
:PREROUTING ACCEPT [94:13450]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [334:21140]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
When I see the list in the terminal with iptables -t nat -L,
the source in PREROUTING and MASQUERADE is "anywhere". Would that be the problem why my squid is not working transparently, or is it still the iptables?
- 10-05-2009 #8
You need to redirect the packets for the web to your proxy. See the tutorial above for this.
- 10-05-2009 #9
All right Lazydog, thanks a lot for the tutorial.
Best regards,
Andres Camino
- 10-12-2009 #10
Hi Lazydog,
I did it finally... I am pretty new at this, and thanks for the tutorial; it is kind of lengthy but it helps...
My problem was in iptables, in the nat table, and also, when I was connecting my PC to the Linux box, I set my IP statically in the same network but I never put the DNS. That was the main reason why it didn't make it transparent; now it is working fine.
thanks
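Pulling the thread together: the ruleset in #1 intercepts port 80 on the right interface (eth1) but has no MASQUERADE and net.ipv4.ip_forward was 0, while the ruleset in #7 moved the REDIRECT to eth0, the upstream side, where the laptop's packets never arrive. Either way only port 80 could ever reach Squid and everything else the client sends, DNS first of all, went nowhere. That is also why the manual browser setting kept working: with an explicit proxy the browser hands the hostname to Squid and Squid resolves it, whereas an intercepted client must resolve names itself, which is exactly the DNS problem found in #10. The shell script below is an added example, not code from the original posts: it audits an iptables-save dump for those mistakes, plus Lazydog's point in #4 that ACCEPT policies with no DROP or REJECT block nothing, and prints a ruleset that passes. The interface names, LAN subnet and port are taken from the thread and are assumptions for the script; the two sample dumps are constructed from posts #1 and #7, trimmed to the lines the audit looks at. Two caveats a practitioner would want: on Squid 3.1 and later the http_port option is spelled intercept rather than transparent, and the REDIRECT only catches port 80, so HTTPS passes through the MASQUERADE rule untouched.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): audit an
# iptables-save dump for the mistakes that broke transparent Squid here, and
# emit a ruleset that passes. Assumptions taken from the thread: LAN on eth1
# (192.168.2.0/24), upstream on eth0, Squid listening on 3128.
LAN_IF=eth1
WAN_IF=eth0
SQUID_PORT=3128

# audit_rules DUMP IP_FORWARD: prints one finding per line, returns 1 if any.
audit_rules() {
    dump=$1; fwd=$2; bad=0
    # Port-80 traffic must be intercepted where it arrives: on the LAN side.
    if ! printf '%s\n' "$dump" | grep -q -- "-A PREROUTING -i $LAN_IF .*--dport 80 -j REDIRECT --to-ports $SQUID_PORT"; then
        echo "no REDIRECT of port 80 arriving on $LAN_IF to $SQUID_PORT"; bad=1
    fi
    if printf '%s\n' "$dump" | grep -q -- "-A PREROUTING -i $WAN_IF .*-j REDIRECT"; then
        echo "REDIRECT is on $WAN_IF: that matches packets coming from upstream, not from the LAN"; bad=1
    fi
    # Everything the LAN sends that is not port 80 (DNS, HTTPS) needs NAT and routing.
    if ! printf '%s\n' "$dump" | grep -q -- "-A POSTROUTING -o $WAN_IF -j MASQUERADE"; then
        echo "no MASQUERADE on $WAN_IF: DNS/HTTPS from the LAN has no way back"; bad=1
    fi
    if [ "$fwd" != 1 ]; then
        echo "net.ipv4.ip_forward=$fwd: LAN traffic that is not redirected to Squid is never routed"; bad=1
    fi
    # Lazydog's point in #4: ACCEPT policies with no DROP/REJECT rule block nothing.
    if printf '%s\n' "$dump" | grep -qE '^:(INPUT|FORWARD) ACCEPT' \
       && ! printf '%s\n' "$dump" | grep -qE -- '-j (DROP|REJECT)'; then
        echo "filter policies are ACCEPT and no rule drops: the firewall blocks nothing"; bad=1
    fi
    return $bad
}

# A ruleset that passes the audit. Load it with iptables-restore and set
# net.ipv4.ip_forward = 1 in /etc/sysctl.conf. Redirected port-80 packets are
# delivered locally, so under the INPUT DROP policy it is the --dport 3128 rule
# on the LAN interface (not a FORWARD rule) that lets them reach Squid.
corrected_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp -m tcp --dport $SQUID_PORT -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Constructed samples: post #1's dump (no MASQUERADE, ip_forward was 0) and
# post #7's (REDIRECT moved to eth0), trimmed to the lines the audit inspects.
POST1_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
)
POST7_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT
EOF
)

echo "post #1 ruleset, ip_forward=0:"; audit_rules "$POST1_RULES" 0 || true
echo "post #7 ruleset, ip_forward=1:"; audit_rules "$POST7_RULES" 1 || true
echo "corrected ruleset, ip_forward=1:"; audit_rules "$(corrected_ruleset)" 1 && echo "  no findings"
```

On the gateway itself, replace the constructed samples with the output of `iptables-save` and `sysctl -n net.ipv4.ip_forward`. Each of the two thread rulesets yields three findings; the corrected one yields none, and it is the first of the two transparent-proxy tables in this thread that actually has a DROP policy, so INPUT and FORWARD now only admit what the two ACCEPT rules name.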