Re: [squid-users] Transparent Proxy & IPTables

From: Tiago Fioreze <tapera@dont-contact.us>
Date: Wed, 15 May 2002 11:39:55 -0300

  Hi Henrik !!!

  I'm sorry but I'm a little confused about your explanation.

  I used the tcpdump command to see the 'conversation' among the firewall, the
squid and one host of "My Network". Apparently, it seems normal. See below:

  On My host box: (command: tcpdump my_squid_server)

  tcpdump: listening on eth0
  11:19:44.840765 arp who-has my_squid_server tell my_firewall
  11:19:44.841455 my_squid_server.webcache > myhost.34414: S
2554006259:2554006259(0) ack 2117538155 win 17520 <mss 1460>
  11:19:44.841554 myhost.34414 > my_squid_server.webcache: R
2117538155:2117538155(0) win 0 (DF)
  11:19:47.841408 my_squid_server.webcache > myhost.34414: S
2554454259:2554454259(0) ack 2117538155 win 17520 <mss 1460>
  11:19:47.841492 myhost.34414 > my_squid_server.webcache: R
2117538155:2117538155(0) win 0 (DF)
  11:19:53.841028 my_squid_server.webcache > myhost.34414: S
2555286259:2555286259(0) ack 2117538155 win 17520 <mss 1460>
  11:19:53.841106 myhost.34414 > my_squid_server.webcache: R
2117538155:2117538155(0) win 0 (DF)
  11:19:58.839967 arp who-has my_squid_server tell myhost
  11:19:58.840187 arp reply my_squid_server is-at 0:20:35:12:bf:28
  11:20:05.841318 my_squid_server.webcache > myhost.34414: S
2556886259:2556886259(0) ack 2117538155 win 17520 <mss 1460>
  11:20:05.841420 myhost.34414 > my_squid_server.webcache: R
2117538155:2117538155(0) win 0 (DF)

 
  On Firewall Box: (command: tcpdump host my_squid_server)

  tcpdump: listening on eth0
  11:25:17.553850 arp who-has my_squid_server tell my_firewall
  11:25:17.554012 arp reply my_squid_server is-at 0:20:35:12:bf:28
  11:25:17.554048 myhost.34414 > my_squid_server.webcache: S
2117538154:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 5828581
0,nop,wscale 0> (DF)
  11:25:20.553958 myhost.34414 > my_squid_server.webcache: S
2117538154:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 5828882
0,nop,wscale 0> (DF)
  11:25:26.554427 myhost.34414 > my_squid_server.webcache: S
2117538154:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 5829482
0,nop,wscale 0> (DF)
  11:25:38.555334 myhost.34414 > my_squid_server.webcache: S
2117538154:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 5830682
0,nop,wscale 0> (DF)

  On My Squid Server: (command: tcpdump host my_host)
  
  tcpdump: listening on en0
  11:21:46.666307970 myhost.34414 > my_squid_server.8080: S 21175381
54:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 167794927
3841982464,nop,wscale 0> (DF)]
  11:21:46.666744410 my_squid_server.8080 > myhost.34414: S 25540062
59:2554006259(0) ack 2117538155 win 17520 <mss 1460>]
  11:21:46.667005878 myhost.34414 > my_squid_server.8080: R 21175381
55:2117538155(0) win 0 (DF)]
  11:21:49.666083669 myhost.34414 > my_squid_server.8080: S 21175381
54:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 167794929
301989888,nop,wscale 0> (DF)]
  11:21:49.666660957 my_squid_server.8080 > myhost.34414: S 25544542
59:2554454259(0) ack 2117538155 win 17520 <mss 1460>]
  11:21:49.666932290 myhost.34414 > my_squid_server.8080: R 21175381
55:2117538155(0) win 0 (DF)]
  11:21:55.665952253 myhost.34414 > my_squid_server.8080: S 21175381
54:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 167794931
1778384896,nop,wscale 0> (DF)]
  11:21:55.666266275 my_squid_server.8080 > myhost.34414: S 25552862
59:2555286259(0) ack 2117538155 win 17520 <mss 1460>]
  11:21:55.666508755 myhost.34414 > my_squid_server.8080: R 21175381
55:2117538155(0) win 0 (DF)]
  11:22:00.665370003 arp who-has my_squid_server tell myhost
  11:22:00.665403012 arp reply my_squid_server is-at 0:20:35:12:bf:28
  11:22:07.665904477 myhost.34414 > my_squid_server.8080: S 21175381
54:2117538154(0) win 5840 <mss 1460,sackOK,timestamp 167794936
436207616,nop,wscale 0> (DF)]
  11:22:07.666472892 my_squid_server.8080 > myhost.34414: S 25568862
59:2556886259(0) ack 2117538155 win 17520 <mss 1460>]
  11:22:07.666754090 myhost.34414 > my_squid_server.8080: R 21175381
55:2117538155(0) win 0 (DF)]

  
  What do you think about this?

Citando "Squid Support (Henrik Nordstrom)" <hno@marasystems.com>:

> Should work (except for the issue mentioned in my previous reply), but you
> may need to disable ICMP REDIRECT for the eth0 interface on the firewall..
>
> But also verify your firewalling rules. Perhaps your firewall rules do not
> allow "My network" to talk to "Squid".
>
> Regards
> Henrik
>
> Tiago Fioreze wrote:
> > Hi everybody !!!
> >
> > I have one problem with my project and I would like some help.
> >
> > I'm implementing transparent proxy in my network. I'm using
> > SQUID and IPtables for this.
> >
> > The scenario:
> > |----------| eth1 |----------|eth0               |------------|
> > | Internet |------| Firewall |--------|---------| My Network |
> > |----------|      |----------|        |         |------------|
> >                                       |
> >                                   |-------|
> >                                   | SQUID |
> >                                   |-------|
> >
> > The idea (project):
> >
> > The users in my network must access http through squid instead of
> > directly.
> >
> > The rules:
> >
> > --> SQUID:
> >
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_single_host off
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> >
> > --> IPTables:
> >
> > iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp
> > --dport 80 -j DNAT --to squid-box:8080
> > iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0
> > -p tcp --dport 8080 -j ACCEPT
> >
> >
> > The problem:
> >
> > The iptables changes the destination (from anywhere:80 to
> > squid-box:8080), but the SQUID didn't receive any packets on port 8080.
> >
> > Ps.: If I add, between the rules of the IPTables, the rule below:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -s local-network -d
> > squid-box -j SNAT --to iptables-box
> >
> > the transparent proxy works very well, but my squid only receives
> > connection from firewall (because of the rule above). So, I don't have
> > control (by squid) of what my users are accessing in the internet.
> >
> > Can somebody help me?
> >
> > Thanks in advance,
> >
> > Tiago Fioreze
> >
> > ********************************************
> > * Administrador da Rede *
> > * *
> > * Núcleo de Ciência da Computação *
> > * Universidade Federal de Santa Maria *
> > * Santa Maria - Rio Grande do Sul - Brasil *
> > ********************************************
>
> --
> Basic free Squid support provided thanks to MARA Systems AB
> Your source of advanced reverse proxy solutions or customized
> Squid solutions. http://www.marasystems.com/products/
>
>

              Tiago Fioreze

********************************************
* Administrador da Rede *
* *
* Núcleo de Ciência da Computação *
* Universidade Federal de Santa Maria *
* Santa Maria - Rio Grande do Sul - Brasil *
********************************************
Received on Wed May 15 2002 - 08:40:22 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:08 MST