Re: [squid-users] Squid 3.3 Interception Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 01 Apr 2013 15:55:32 +1300

On 1/04/2013 2:10 p.m., Ethan H wrote:
> I now have my router setup to send packets to the proxy using the
> following script:
>
> # permit Squid box out to the Internet
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.0.10 -j ACCEPT
>
> # mark everything else on port 80 to be routed to the Squid box
> iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
>
> (used script from the link you gave me)
>
> I setup the following script on my proxy server to redirect port 80 to
> the interception port 3127:
>
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT
> --to-port 3127
>
> (you said that I need to do the NAT setup on the proxy server and that
> I needed to do policy routing on the router)
>
>
> With this setup I am able to access the internet but I am not going
> through the proxy. It seems as if the router isn't even sending the
> packets to the proxy at all, there are no lines in the access.log or
> the cache.log. I then noticed that the iptables script I got from the
> wiki isn't redirecting the packets at all, just marking them. How
> would I redirect them to the proxy server modifying the iptables
> script (I am new to iptables)?

The kernel routing layer does the routing based on the firewall markings
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#Routing_Setup

>
> On Sat, Mar 30, 2013 at 7:23 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 31/03/2013 2:27 p.m., Ethan H wrote:
>>> Hi,
>>>
>>> I am having trouble setting up a Squid Interception/transparent proxy
>>> server. I am using Ubuntu Server Edition 12.10, Squid 3.3 and a DD-WRT
>>> Router to redirect traffic to the proxy. The script I am using I got
>>> at this link: http://www.dd-wrt.ca/wiki/index.php/Squid_Transparent_Proxy
>>
>> That wiki is wrong. The NAT step *must* be done on the Squid box. The WRT
>> device needs to be using policy-routing to send packets to the Squid box.
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>
>>
>> It *seems* to work on older Squid in that they accept the connections
>> despite the missing IP address information. But that allowed clients to send
>> arbitrary HTTP headers to bypass any firewall security you had in place. The
>> log information recorded by Squid was also full of lies about the connection
>> IP addresses and ports as a result. Squid is now more secure by making use
>> of the destination IP address as the location it will deliver the traffic to
>> and can only do so when the server IP:port is identifiable.
>>
>>
>>
>>> My exact iptables script is (from that link):
>>>
>>> #!/bin/sh
>>> PROXY_IP=192.168.0.10
>>> PROXY_PORT=3127
>>> LAN_IP=`nvram get lan_ipaddr`
>>> LAN_NET=$LAN_IP/`nvram get lan_netmask`
>>>
>>> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
>>> --dport 80 -j ACCEPT
>>> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80
>>> -j DNAT --to $PROXY_IP:$PROXY_PORT
>>> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
>>> -j SNAT --to $LAN_IP
>>> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
>>> --dport $PROXY_PORT -j ACCEPT
>>>
>>>
>>> I have also tried to use PROXY_PORT 3128 (not 3127) also. I can
>>> successfully edit the PROXY_PORT to 80 (local Apache web server) and
>>> it works, no problem.
>>
>> Apache is a web server, it will supply whatever domains it is configured to
>> respond for regardless of what IP addresses the client is using to contact
>> it on.
>>
>>
>>> My error message I am getting in /var/log/squid/cache.log is:
>>>
>>> TIME HERE kid1| NF getsockopt(SO_ORIGINAL_DST) failed on
>>> local=SERVER_IP:3127 remote=ROUTER_IP:62479 FD 20 flags=33: (92)
>>> Protocol not available
>>
>> This is how it shows up. The Squid box NAT table does not contain the NAT
>> entries for this connection -> destination server IP address does not exist
>> -> FAIL.
>>
>> Amos
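The cache.log line quoted above is the failure of the getsockopt(SO_ORIGINAL_DST) call an intercepting proxy makes on every accepted connection to learn the pre-NAT destination. The following is an added illustration written for this thread, not Squid's own source: it shows that call and the choice Amos describes, refusing the connection when the kernel cannot supply the real destination instead of trusting the client-controlled Host header. It assumes Linux with netfilter conntrack; the function names are the example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* same value as <linux/netfilter_ipv4.h> */
#endif

/* Ask conntrack for the pre-NAT destination of an accepted socket.
 * Returns 0 and fills *dst on success, or -errno when the kernel has
 * no NAT entry for this connection (ENOENT; the NAT was done on the
 * wrong box, as in this thread) or the conntrack/NAT modules are not
 * loaded (ENOPROTOOPT, the "(92) Protocol not available" above). */
int original_destination(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len) != 0)
        return -errno;
    if (len != sizeof(*dst) || dst->sin_family != AF_INET)
        return -EINVAL;
    return 0;
}

/* Decide whether an intercepted connection may be served.  Without a
 * kernel-verified destination the only remaining hint is the client's
 * Host header, which the client chooses freely, so the connection is
 * refused rather than forwarded to wherever that header points.
 * Returns 1 and writes "ip:port" to `where` on success, 0 on refusal. */
int accept_intercepted(int fd, char *where, size_t where_len)
{
    struct sockaddr_in dst;
    char ip[INET_ADDRSTRLEN];
    int rc = original_destination(fd, &dst);

    if (rc != 0) {
        snprintf(where, where_len, "refused: SO_ORIGINAL_DST: %s", strerror(-rc));
        return 0;
    }
    inet_ntop(AF_INET, &dst.sin_addr, ip, sizeof ip);
    snprintf(where, where_len, "%s:%u", ip, (unsigned)ntohs(dst.sin_port));
    return 1;
}
```

On a socket that arrived through a REDIRECT rule on the Squid box itself the call succeeds and `where` holds the server the client actually asked for; on one that was DNATed by the router it fails exactly as in the log.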
Received on Mon Apr 01 2013 - 02:55:38 MDT