Re: [squid-users] Squid 3.3 Interception Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 31 Mar 2013 15:23:04 +1300

On 31/03/2013 2:27 p.m., Ethan H wrote:
> Hi,
>
> I am having trouble setting up a Squid Interception/transparent proxy
> server. I am using Ubuntu Server Edition 12.10, Squid 3.3 and a DD-WRT
> Router to redirect traffic to the proxy. The script I am using I got
> at this link: http://www.dd-wrt.ca/wiki/index.php/Squid_Transparent_Proxy

That wiki is wrong. The NAT step *must* be done on the Squid box. The
WRT device needs to be using policy-routing to send packets to the Squid
box.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

It *seems* to work on older Squid in that they accept the connections
despite the missing IP address information. But that allowed clients to
send arbitrary HTTP headers to bypass any firewall security you had in
place. The log information recorded by Squid was also full of lies about
the connection IP addresses and ports as a result. Squid is now more
secure by making use of the destination IP address as the location it
will deliver the traffic to and can only do so when the server IP:port
is identifiable.

> My exact iptables script is (from that link):
>
> #!/bin/sh
> PROXY_IP=192.168.0.10
> PROXY_PORT=3127
> LAN_IP=`nvram get lan_ipaddr`
> LAN_NET=$LAN_IP/`nvram get lan_netmask`
>
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
>
>
> I have also tried PROXY_PORT 3128 (not 3127). I can
> successfully edit the PROXY_PORT to 80 (local Apache web server) and
> it works, no problem.

Apache is a web server; it will supply whatever domains it is configured
to respond for regardless of what IP addresses the client is using to
contact it on.

> My error message I am getting in /var/log/squid/cache.log is:
>
> TIME HERE kid1| NF getsockopt(SO_ORIGINAL_DST) failed on
> local=SERVER_IP:3127 remote=ROUTER_IP:62479 FD 20 flags=33: (92)
> Protocol not available

This is how it shows up. The Squid box NAT table does not contain the
NAT entries for this connection -> destination server IP address does
not exist -> FAIL.

Amos
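As an added illustration (not part of this thread and not the Squid project's own code), the following script lays out the split Amos describes: the router only policy-routes client port-80 traffic towards the Squid box, and the DNAT/REDIRECT step is done on the Squid box itself so that its conntrack table holds the original destination and `getsockopt(SO_ORIGINAL_DST)` succeeds. The addresses, interface name, fwmark, routing-table number and the Squid port (assumed to match an `http_port 3129 intercept` line in squid.conf) are all assumptions.

```shell
#!/bin/sh
# Added example: policy routing on the router, NAT on the Squid box.
# Every value below is an assumption; adjust to the actual network.
SQUID_IP=192.168.0.10      # assumed: the Squid box
SQUID_PORT=3129            # assumed: matches "http_port 3129 intercept" in squid.conf
LAN_NET=192.168.0.0/24     # assumed: client network
LAN_IF=br0                 # assumed: router LAN bridge (DD-WRT naming)
MARK=3                     # assumed: fwmark selecting the policy route
TABLE=2                    # assumed: routing table id for the policy route

# Run a command, or only print it when DRY_RUN is set, so the rules can be
# reviewed without root and without touching a live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Router side: no DNAT here. Leave LAN-to-LAN web traffic alone, mark the
# remaining port-80 traffic that did not originate from the Squid box, and
# send marked packets to a table whose default gateway is the Squid box.
# The packets keep their real destination IP, which is what Squid needs.
router_policy_route() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d "$LAN_NET" \
        -p tcp --dport 80 -j RETURN
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# Squid box side: the NAT happens in this kernel, so conntrack records the
# original destination and Squid's getsockopt(SO_ORIGINAL_DST) can recover
# it. PREROUTING only: Squid's own outbound port-80 connections traverse
# OUTPUT, not PREROUTING, so they are not looped back into the proxy.
squid_box_nat() {
    run iptables -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    run iptables -A INPUT -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Usage: each box runs only its own side, e.g.
#   DRY_RUN=1 ./intercept.sh router   # print the router rules for review
#   ./intercept.sh squid              # apply the Squid-box rules
case "${1:-}" in
    router) router_policy_route ;;
    squid)  squid_box_nat ;;
esac
```

Running it with `DRY_RUN=1` first and checking that no DNAT rule appears in the router output is a quick way to confirm the NAT step has not crept back onto the router, which is exactly the misconfiguration that produces the `NF getsockopt(SO_ORIGINAL_DST) failed` line in cache.log.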
Received on Sun Mar 31 2013 - 02:23:10 MDT