Re: [squid-users] Re: Squid transparent proxy with one nic access denied problem.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 20 Feb 2014 22:58:44 +1300

On 20/02/2014 9:59 a.m., Spyros Vlachos wrote:
> Hello again! Thank you for your support. I am a little bit frustrated
> but I managed to test it again.
> Long story short, I tried every combination from the suggested links to
> no avail.
>
> For the router I did the following as suggested:
> ( I tried using lan, br-lan, eth0, eth0.1 as the nic's name because it
> is not obvious to me which one is the correct.)
> ################################################################
> # permit Squid box out to the Internet
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT
>
>
> # mark everything else on port 80 to be routed to the Squid box
> iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
>
>
> # NP: Ensure that traffic from inside the network is allowed to loop
> back inside again.
> iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT
>
>
> echo "201 proxy" >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table proxy
> ip route add default via 192.168.1.20 table proxy
> #################################################################
>
> For the squid server I did both of the following ( with a service
> networking restart between them )
>
> #################################################################
>
> # your proxy IP
> SQUIDIP=192.168.1.20
>
> # your proxy listening port
> SQUIDPORT=3128
>
>
> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>
> #################################################################
>
> And the next trial
>
> #################################################################
> # your proxy IP
> SQUIDIP=192.168.1.20
>
> # your proxy listening port
> SQUIDPORT=3128
>
>
> sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
> sudo iptables -t nat -A POSTROUTING -j MASQUERADE
> sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
>
> # Controls source route verification
> net.ipv4.conf.default.rp_filter = 0
>
> # Do not accept source routing
> net.ipv4.conf.default.accept_source_route = 0

These sysctl settings should be in *both* DNAT and REDIRECT setups of Squid.

Also if you have a recent kernel check that forwarding setting is being
applied. I found my 3.9+ kernels ignoring or somehow overriding the
sysctl config file value.

> #################################################################
>
>
> I kept getting connection refused ( no squid message) on the browser and
> I had nothing in the access logs.
> tcpdump on port 3128 showed nothing.

Of course. The port 3128 is an internal mapping in the squid box NAT
system. There are no packets going over the network anywhere with that
port in them, so tcpdump has nothing to show.

What you should expect is to see packets destined to some
non-192.168.1.20 machine on the Internet on port _80_ arriving and leaving
the Squid box.

Amos

>
> Thank you again!
> Spyros
>
>
>
> On 18/2/2014 10:30 PM, Niki Gorchilov wrote:
>> Second NIC is unnecessary.
>>
>> Better go the way Amos suggested - do a policy based routing on
>> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
>> and traffic interception on Linux
>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>>
>> Best,
>> Niki
>>
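Added example (not part of the thread, nor Squid project code): a small POSIX shell helper for the two checks Amos raises above, whether the sysctl forwarding value actually took effect in the running kernel, and what to capture instead of port 3128. The proxy address, port and sysctl keys come from the thread; the SYSCTL_CONF and proc-file overrides are assumptions so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Sanity checks for a Squid REDIRECT/DNAT interception box (added example).
# Defaults point at the live files; overrides exist only for offline testing.
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}
SQUIDIP=${SQUIDIP:-192.168.1.20}
SQUIDPORT=${SQUIDPORT:-3128}

# Value a key has in the sysctl config file; the last setting wins,
# which is how sysctl -p applies them.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$2" | tail -n 1
}

# $1 = sysctl key, $2 = file holding the running value (derived from /proc/sys
# when omitted). Prints "applied" when kernel and config agree, "overridden"
# when the file asks for one value but the kernel shows another (the 3.9+
# symptom in the reply), "unset" when the config has no entry for the key.
check_sysctl_applied() {
    key=$1
    procfile=${2:-/proc/sys/$(echo "$key" | tr . /)}
    want=$(conf_value "$key" "$SYSCTL_CONF")
    have=$(cat "$procfile" 2>/dev/null)
    if [ -z "$want" ]; then
        echo unset
    elif [ "$want" = "$have" ]; then
        echo applied
    else
        echo overridden
    fi
}

# Port 3128 never appears on the wire in a REDIRECT setup, so the useful
# tcpdump filter is port 80 traffic to or from anything except the proxy.
capture_filter() {
    echo "tcp port 80 and not host $SQUIDIP"
}

# Stand-alone use: report the two sysctls from the thread and the filter.
report() {
    for k in net.ipv4.ip_forward net.ipv4.conf.default.rp_filter; do
        echo "$k: $(check_sysctl_applied "$k")"
    done
    echo "capture with: tcpdump -ni <lan-nic> '$(capture_filter)'"
}
```

Run as `sh check-intercept.sh` and call `report` to see the result; an "overridden" line for net.ipv4.ip_forward means the forwarding value in the file is not what the kernel is using.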
Received on Thu Feb 20 2014 - 09:58:57 MST