  1. #1 Just Joined! (Join Date Oct 2009, Posts 19)

    Problem with transparent proxy


    Hi everyone at the forum,

    Sorry for this detailed explanation, I just want to make sure which part I'm doing wrong.

    I've been trying for a while to make the Squid proxy I have on CentOS transparent, but for a reason I can't understand it's not working. I've tried multiple configurations in squid.conf, in iptables and in sysctl.conf, as I have read in different articles and manuals, but I can't make it work. I have 2 network cards: eth0 connected to the switch which gives me internet, and eth1 which serves the actual LAN.

    When I connect my laptop with its default gateway set to eth1 (192.168.2.1) and configure the browser's proxy settings to 192.168.2.1 port 3128, everything works perfectly and I can surf the internet. But when I try to make this configuration
    transparent with "http_port 3128 transparent" in squid.conf and create the rules in iptables... it doesn't work.
    I have to manually configure the browser settings again to make it work, even though I already set it to transparent.

    This is my squid.conf (I don't know whether I have to delete all the other lines that come by default in Squid or not... I haven't deleted those):

    http_port 3128 transparent
    cache_mem 1024 MB
    cache_dir ufs /var/spool/squid 5120 16 256
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl redinterna src 192.168.2.0/255.255.255.0
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    http_access allow redinterna
    http_access allow manager localhost
    http_access deny manager
    http_access allow localhost
    http_access deny all



    My iptables look like this

    *nat
    :PREROUTING ACCEPT [7958:598945]
    :POSTROUTING ACCEPT [3489:252606]
    :OUTPUT ACCEPT [1775:95700]
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    COMMIT

    *filter
    :INPUT ACCEPT [9184:3797786]
    :FORWARD ACCEPT [2783:253020]
    :OUTPUT ACCEPT [8210:899514]
    -A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
    COMMIT


    Besides, I have tried this option too in sys
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0
    and this one too
    net.ipv4.ip_forward = 1


    I know the proxy works, but there must be something that is not working, maybe with iptables or something else...
    I know this thread is really long, but I've tried so many times with different configurations and no luck for me... Can anybody help me with this problem?
    Thank you very much in advance for your responses.

    Best regards

    Andres Camino

  2. #2 Lazydog, Linux Guru (Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    For starters, your firewall blocks nothing, just hoping you are aware of this.

    You need to redirect port 80 to port 3128 in order for your proxy to receive the traffic going to the web.

    Use this TUTORIAL to see how it is done.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3 Just Joined! (Join Date Oct 2009, Posts 19)
    Hi Lazydog,

    I don't understand what you mean by "firewall blocks nothing"?

    I'm checking the tutorial, but I thought I was redirecting port 80 on eth1 to 3128, as it is in this line... I know I'm wrong, otherwise it would be working, but I'm not understanding the part about blocking nothing.

    Thank you very much for your help.

    Best regards

  4. #4 Lazydog, Linux Guru (Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    *filter
    :INPUT ACCEPT [9184:3797786]
    :FORWARD ACCEPT [2783:253020]
    :OUTPUT ACCEPT [8210:899514]
    -A INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
    COMMIT
    ACCEPT allows traffic to pass.
    DROP/REJECT blocks traffic.

    None of your rules or policies have DROP or REJECT in them, thus everything is allowed to pass. You also have no FORWARD rules, so everything is allowed to be pushed from eth0 to eth1 and from eth1 to eth0. Your problem is that traffic going to the internet and coming from the internet, passing through this box, is not being controlled. Rules for your proxy should be placed into the preroute filter for them to function properly.

    Regards
    Robert


  5. #5 Just Joined! (Join Date Oct 2009, Posts 19)
    Hi Lazydog,
    I have 3 doubts:

    So I should use DROP in the filter table?

    When you talk about FORWARDing the packets, that should be in the nat table, right?

    Do I need a mangle table to make it work?
    Thanks a lot for your help.

    Best regards

    Andres Camino

  6. #6 Lazydog, Linux Guru (Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    Quote Originally Posted by andrescamino:
    Hi Lazydog
    I have 3 doubts

    So I should use DROP in the filter table?
    Yes, that is what a firewall is for: to drop/block traffic you do not want. If it isn't blocking, then there is no need for it.

    When you talk about FORWARDing the packets, that should be in the nat table, right?
    No, FORWARD is in the filter table.

    Do I need a mangle table to make it work?
    That would depend on your setup. Anything going out to the internet must have a routeable ip address so that traffic can be returned. NATing should happen at the last hop before traffic is sent out to the internet.

    Regards
    Robert


  7. #7 Just Joined! (Join Date Oct 2009, Posts 19)
    Hi Lazydog,

    I've added this to my filter table:

    *filter
    :INPUT ACCEPT [2703:2207816]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2832:435581]
    -A FORWARD -i eth1 -j ACCEPT

    It still doesn't make it transparent. This is my nat table:
    *nat
    :PREROUTING ACCEPT [94:13450]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [334:21140]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -o eth0 -j MASQUERADE

    When I list the table in the terminal with iptables -t nat -L,
    the source in PREROUTING and MASQUERADE is "anywhere". Would that be the reason my Squid is not working transparently, or is it still the iptables rules?

  8. #8 Lazydog, Linux Guru (Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    You need to redirect the packets for the web to your proxy. See the tutorial above for this.

    Regards
    Robert


  9. #9 Just Joined! (Join Date Oct 2009, Posts 19)
    All right Lazydog, thanks a lot for the tutorial.

    Best regards,

    Andres Camino

  10. #10 Just Joined! (Join Date Oct 2009, Posts 19)
    Hi Lazydog,

    I finally did it... I am pretty new at this, and thanks for the tutorial; it is kind of lengthy but it helps...

    My problem was in the iptables nat table, and also, when I connected my PC to the Linux box I set my IP statically in the same network but never set the DNS. That was the main reason it didn't work transparently; now it is working fine.

    Thanks

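The ruleset this thread converged on, together with a lint for the two mistakes it hit on the way (an all-ACCEPT filter table in post #1, and the REDIRECT bound to eth0, the upstream side, in post #7), as an added example that is not part of the thread or of the tutorial it links to. It assumes the layout from post #1: clients on eth1 (192.168.2.0/24), upstream on eth0, Squid on 3128 with "http_port 3128 transparent". The embedded copy of the post #7 nat table is constructed from the thread to show what the lint flags; nothing here loads rules into the kernel.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the two-NIC transparent-proxy
# ruleset the thread converged on and lints a saved ruleset for the pitfalls
# hit above. Assumptions, taken from post #1: LAN on eth1 (192.168.2.0/24),
# upstream on eth0, Squid listening on 3128.

# gen_rules LAN WAN PORT LAN_NET: print an iptables-restore file to stdout.
gen_rules() {
    lan="$1"; wan="$2"; port="$3"; net="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Intercept on the LAN side only: client packets never arrive on the WAN NIC,
# so matching "-i $wan" here (post #7) would catch nothing.
-A PREROUTING -i $lan -s $net -p tcp --dport 80 -j REDIRECT --to-ports $port
# Whatever is not intercepted (HTTPS, etc.) is forwarded and NATed at this hop.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# REDIRECT rewrites the destination to this box's address, so the packet
# lands in INPUT with dport $port, not in FORWARD.
-A INPUT -i $lan -s $net -p tcp --dport $port -j ACCEPT
# Only LAN -> WAN is forwarded; the DROP policy covers everything else.
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# lint_rules FILE LAN WAN PORT: check a saved ruleset for the mistakes seen in
# this thread. Prints findings; returns 0 only when no FAIL was found.
lint_rules() {
    f="$1"; lan="$2"; wan="$3"; port="$4"; rc=0
    if ! grep -Eq "^-A PREROUTING .*-i $lan .*--dport 80 .*-j REDIRECT --to-ports $port" "$f"; then
        echo "FAIL: no REDIRECT of port 80 to $port on LAN interface $lan"; rc=1
    fi
    if grep -Eq "^-A PREROUTING .*-i $wan .*-j REDIRECT" "$f"; then
        echo "FAIL: REDIRECT matches on WAN interface $wan (client traffic never arrives there)"; rc=1
    fi
    if ! grep -Eq "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" "$f"; then
        echo "FAIL: no MASQUERADE on $wan, so forwarded (non-proxied) traffic cannot return"; rc=1
    fi
    if grep -q "^:FORWARD ACCEPT" "$f" && ! grep -Eq "^-A FORWARD .*-j (DROP|REJECT)" "$f"; then
        echo "WARN: FORWARD policy ACCEPT with no DROP/REJECT rule: the box is an open router"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $f"; fi
    return $rc
}

# post7_rules: constructed copy of the nat table from post #7 (REDIRECT bound
# to eth0, the WAN side), used to show what the lint catches.
post7_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [94:13450]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [334:21140]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run ("sh proxy-rules.sh demo"): write and lint both rulesets.
# Nothing is loaded; after reviewing proxy.rules, load it with:
#   sysctl -w net.ipv4.ip_forward=1 && iptables-restore < proxy.rules
if [ "${1:-}" = "demo" ]; then
    gen_rules eth1 eth0 3128 192.168.2.0/24 > proxy.rules
    lint_rules proxy.rules eth1 eth0 3128
    post7_rules > post7.rules
    lint_rules post7.rules eth1 eth0 3128
fi
```

Two caveats that the thread's ending only hints at. First, the DNS point in post #10 is not incidental: with an explicit proxy the browser hands the hostname to Squid and Squid resolves it, but with REDIRECT the client must resolve the name itself before it ever opens the TCP connection, so a client with no DNS server configured fails before the PREROUTING rule is reached. Second, only port 80 is intercepted here; port 443 traffic simply goes through FORWARD and MASQUERADE unproxied, so the proxy's policy does not apply to HTTPS. To confirm interception from a client on the LAN, fetch a plain http:// URL, then check that the packet counters in `iptables -t nat -L PREROUTING -v -n` increase and that the request shows up in Squid's access.log with the client's 192.168.2.x address.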