[squid-users] squid transparent proxy

From: Wennie V. Lagmay <wlagmay@dont-contact.us>
Date: Thu, 3 Apr 2008 09:51:12 +0300 (AST)

Dear all,

I am trying to activate transparent proxy on my setup but I cannot run it. With the standard setup (configuring the client PC with a browser configuration) everything is working well: squid is responding and the client can browse the internet. Now we are trying to implement a setup wherein the client has the option to put or not to put a configuration on the browser.

I have separate machines: the 1st machine is the firewall/NAT server running Fedora Core 4 64 bit (with a public IP on the interface) and the 2nd machine is the squid server running Fedora Core 8 64 bit (also with a public IP address). Although all the clients use a private IP, squid can still serve them pretty well.

Now I have configured my squid (squid-2.6stable19) to accept transparent connections, and it seems it is working, because cache.log says: "accepting transparently proxied http connection at 0.0.0.0, port 8080, FD 11".

But when I configure the client browser without a proxy configuration I cannot browse the internet.

I am attaching below my firewall/NAT iptables configuration. Can you please check it for me and let me know if I am missing something? Also, if you can, please provide me a step-by-step configuration of a transparent proxy setup.

# Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# -A INPUT -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 778 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
#
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.10.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.11.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.12.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.12.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.12.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.14.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.14.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.14.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.15.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.15.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.15.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.16.0/255.255.255.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.16.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.16.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.24.0/255.255.248.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.24.0/255.255.248.0 -j ACCEPT
-A FORWARD -d 192.168.24.0/255.255.248.0 -j ACCEPT
#
-A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.64.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.64.0/255.255.224.0 -j ACCEPT
-A FORWARD -d 192.168.64.0/255.255.224.0 -j ACCEPT
#
-A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.80 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.82 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.87 -j REJECT
-A FORWARD -p tcp --syn -s 192.168.96.0/255.255.224.0 -d xxx.xx.193.74 -j REJECT
-A FORWARD -s 192.168.96.0/255.255.224.0 -j ACCEPT
-A FORWARD -d 192.168.96.0/255.255.224.0 -j ACCEPT
#
-A FORWARD -s xx.xx.184.32/255.255.255.224 -j ACCEPT
-A FORWARD -d xx.xx.184.32/255.255.255.224 -j ACCEPT
-A FORWARD -s xx.xx.184.64/255.255.255.224 -j ACCEPT
-A FORWARD -d xx.xx.184.64/255.255.255.224 -j ACCEPT
-A FORWARD -s xx.xx.184.120/255.255.255.248 -j ACCEPT
-A FORWARD -d xx.xx.184.120/255.255.255.248 -j ACCEPT
-A FORWARD -s xx.xx.184.128/255.255.255.248 -j ACCEPT
-A FORWARD -d xx.xx.184.128/255.255.255.248 -j ACCEPT
-A FORWARD -s xx.xx.184.0/255.255.255.240 -j ACCEPT
-A FORWARD -d xx.xx.184.0/255.255.255.240 -j ACCEPT
-A FORWARD -s xx.xx.184.144/255.255.255.240 -j ACCEPT
-A FORWARD -d xx.xx.184.144/255.255.255.240 -j ACCEPT
#
# -A OUTPUT -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 778 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1863 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1863 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#
COMMIT
# Completed on Thu Dec 23 08:44:33 2004
# Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
*nat
:PREROUTING ACCEPT [77:4447]
:POSTROUTING ACCEPT [85:7701]
:OUTPUT ACCEPT [85:7701]
#
-A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.12.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.14.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.15.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.24.0/255.255.248.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.64.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.96.0/255.255.224.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.65-xx.xx.184.66
-A POSTROUTING -s 192.168.11.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.67-xx.xx.184.68
-A POSTROUTING -s 192.168.12.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.69-xx.xx.184.70
-A POSTROUTING -s 192.168.14.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.71-xx.xx.184.72
-A POSTROUTING -s 192.168.15.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.73-xx.xx.184.74
-A POSTROUTING -s 192.168.16.0/255.255.255.0 -j SAME --nodst --to xx.xx.184.75-xx.xx.184.76
-A POSTROUTING -s 192.168.24.0/255.255.248.0 -j SAME --nodst --to xx.xx.184.77-xx.xx.184.80
-A POSTROUTING -s 192.168.64.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.1-xx.xx.184.6
-A POSTROUTING -s 192.168.96.0/255.255.224.0 -j SAME --nodst --to xx.xx.184.145-xx.xx.184.150
COMMIT
# Completed on Thu Dec 23 08:44:33 2004

Thank you very much,

Wennie
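An added example, not part of the original message: the REDIRECT target in the posted nat table only delivers packets to a port on the machine where the rule runs (the firewall), while squid listens on the second machine. The usual approach for a proxy on a separate box is to policy-route the LAN's port-80 flows from the router to the squid host and to put the REDIRECT rule on the squid host itself, where squid can recover the original destination; the script below emits those rules. The squid address 203.0.113.10, the interface names, the fwmark/table numbers and the assumption that the squid host is a directly attached next hop are all placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. REDIRECT only reaches a port on the
# machine the rule runs on, so with squid on a second box the router must steer
# port-80 flows to that box (policy routing) and the REDIRECT rule lives there.
# All addresses, interface names and table numbers below are assumptions.
set -e

LAN_NETS="192.168.10.0/24 192.168.11.0/24"   # constructed subset of the LANs in the post
SQUID_IP="203.0.113.10"     # placeholder address of the squid host (TEST-NET-3)
LAN_IF="eth1"               # router interface facing the LANs (assumed)
SQUID_IF="eth0"             # squid host interface that receives the flows (assumed)
SQUID_PORT="8080"           # squid's transparent http_port from the post
MARK="1"; TABLE="100"       # fwmark and policy-routing table (arbitrary)

# Print the command instead of running it when DRY_RUN=1, to review the rules first.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Router/NAT box: mark LAN port-80 flows and send them to the squid host, which is
# assumed to be a directly attached next hop. The nat ACCEPT keeps these flows out
# of the POSTROUTING source NAT so squid still sees the client's private address.
router_rules() {
    for net in $LAN_NETS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$net" -p tcp --dport 80 \
            -j MARK --set-mark "$MARK"
        run iptables -t nat -I POSTROUTING -s "$net" -p tcp --dport 80 -j ACCEPT
    done
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" table "$TABLE"
}

# Squid host: arriving packets still carry the real web server as destination, so a
# local REDIRECT hands them to squid and the original destination stays recoverable.
# The host needs a route back to the LANs (it already serves them) and, if rp_filter
# is on, that route must point out of $SQUID_IF or the kernel drops the packets.
squid_host_rules() {
    run iptables -t nat -A PREROUTING -i "$SQUID_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -A INPUT -i "$SQUID_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

case "${1:-}" in
    router) router_rules ;;
    squid)  squid_host_rules ;;
    *) echo "usage: $0 router|squid   (DRY_RUN=1 prints the commands only)" ;;
esac
```

Run it once as `router` on the firewall and once as `squid` on the proxy box; the FORWARD chain in the posted filter table already accepts the LAN source networks, so no extra forwarding rule is needed on the router.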

Received on Thu Apr 03 2008 - 00:43:01 MDT
