Re: [squid-users] Re: Squid transparent proxy with one nic access denied problem.

From: Spyros Vlachos <spyros86_at_gmail.com>
Date: Thu, 20 Feb 2014 14:12:31 +0200

Thank you! I will try them this evening again.

On 20/2/2014 11:58 a.m., Amos Jeffries wrote:
> On 20/02/2014 9:59 a.m., Spyros Vlachos wrote:
>> Hello again! Thank you for your support. I am a little bit frustrated
>> but I managed to test it again.
>> Long story short, I tried every combination from the suggested links to
>> no avail.
>>
>> For the router I did the following as suggested:
>> ( I tried using lan, br-lan, eth0, eth0.1 as the nic's name because it
>> is not obvious to me which one is the correct.)
>> ################################################################
>> # permit Squid box out to the Internet
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT
>>
>>
>> # mark everything else on port 80 to be routed to the Squid box
>> iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
>>
>>
>> # NP: Ensure that traffic from inside the network is allowed to loop back inside again.
>> iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT
>>
>>
>> echo "201 proxy" >> /etc/iproute2/rt_tables
>> ip rule add fwmark 2 table proxy
>> ip route add default via 192.168.1.20 table proxy
>> #################################################################
>>
>> For the squid server I did both of the following ( with a service
>> networking restart between them )
>>
>> #################################################################
>>
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>>
>> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> #################################################################
>>
>> And the next trial
>>
>> #################################################################
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>>
>> sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>> sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>> sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> # Controls IP packet forwarding
>> net.ipv4.ip_forward = 1
>>
>> # Controls source route verification
>> net.ipv4.conf.default.rp_filter = 0
>>
>> # Do not accept source routing
>> net.ipv4.conf.default.accept_source_route = 0
>
> These sysctl settings should be in *both* DNAT and REDIRECT setups of Squid.
>
> Also if you have a recent kernel check that forwarding setting is being
> applied. I found my 3.9+ kernels ignoring or somehow overriding the
> sysctl config file value.
>
>> #################################################################
>>
>>
>> I kept getting connection refused ( no squid message) on the browser and
>> I had nothing in the access logs.
>> tcpdump on port 3128 showed nothing.
>
> Of course. The port 3128 is an internal mapping in the squid box NAT
> system. There are no packets going over the network anywhere with that
> port in them so tcpdump has nothing to show.
>
> What you should expect is to see packets destined to some
> non-192.168.1.20 machine on the Internet on port _80_ arriving and leaving
> the Squid box.
>
> Amos
>
>>
>> Thank you again!
>> Spyros
>>
>>
>>
>> On 18/2/2014 10:30 p.m., Niki Gorchilov wrote:
>>> Second NIC is unnecessary.
>>>
>>> Better go the way Amos suggested - do a policy based routing on
>>> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
>>> and traffic interception on Linux
>>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>>>
>>> Best,
>>> Niki
>>>

-- 
*Spyros Vlachos*
Received on Thu Feb 20 2014 - 12:12:45 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 20 2014 - 12:00:06 MST
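The two checks Amos asks for in the thread, written up as an added example (this is not code from the thread, the Squid wiki or the Squid project): confirm that the forwarding and rp_filter values are live in the kernel rather than merely present in /etc/sysctl.conf, and capture the right thing with tcpdump. One detail that bites here: the kernel applies the higher of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<if>.rp_filter to an interface, while net.ipv4.conf.default.rp_filter is only the template for interfaces created afterwards, so a sysctl.conf that sets only conf.default can leave an already-up interface filtering. The interface name eth0 and the use of 192.168.1.20 as the Squid box address are assumptions for the example; the port-80 capture filter follows Amos's note that nothing on 3128 ever crosses the wire.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: live sanity checks for a
# Squid intercept box (DNAT or REDIRECT variant). Interface name (eth0) and
# proxy address (192.168.1.20) are assumed defaults; pass your own.

# The kernel uses max(conf.all.rp_filter, conf.<if>.rp_filter) for source
# validation on <if>; conf.default only seeds interfaces created later.
# Pure helper: prints the effective value for the given pair.
effective_rp_filter() {
    all=$1
    dev=$2
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# True when the live value of net.ipv4.ip_forward means packets are forwarded.
forwarding_enabled() {
    [ "$1" = 1 ]
}

# tcpdump filter for the Squid box: intercepted client traffic is port 80
# to/from hosts other than the proxy itself. You should see such packets
# both arriving and leaving; port 3128 only exists inside the box's NAT.
intercept_capture_filter() {
    squidip=$1
    echo "tcp port 80 and not host $squidip"
}

# Read the running kernel values (not the config file) and report.
audit_squid_box() {
    iface=${1:-eth0}            # assumption: adjust to your LAN interface
    squidip=${2:-192.168.1.20}  # proxy address from the thread
    rc=0

    fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    if forwarding_enabled "$fwd"; then
        echo "ok:   net.ipv4.ip_forward=1 (live)"
    else
        echo "FAIL: net.ipv4.ip_forward=$fwd (live); apply with:"
        echo "      sysctl -w net.ipv4.ip_forward=1"
        rc=1
    fi

    rp_all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    rp_dev=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")
    rp=$(effective_rp_filter "$rp_all" "$rp_dev")
    if [ "$rp" = 0 ]; then
        echo "ok:   rp_filter effective 0 on $iface"
    else
        echo "FAIL: rp_filter effective $rp on $iface (all=$rp_all dev=$rp_dev)"
        echo "      conf.default does not touch an interface that is already up; apply:"
        echo "      sysctl -w net.ipv4.conf.all.rp_filter=0"
        echo "      sysctl -w net.ipv4.conf.$iface.rp_filter=0"
        rc=1
    fi

    echo "watch intercepted traffic (port 80, never 3128) with:"
    echo "  tcpdump -ni $iface '$(intercept_capture_filter "$squidip")'"
    return $rc
}

# Only touch /proc when explicitly asked, so the helpers can be sourced/tested.
if [ "${SQUID_AUDIT:-0}" = 1 ]; then
    audit_squid_box "$@"
fi
```

Run it on the Squid box as `SQUID_AUDIT=1 sh audit.sh eth0 192.168.1.20`; a non-zero exit means at least one live value differs from what the intercept setup needs, and the printed sysctl -w lines are the immediate fix (put the same keys, including the per-interface and conf.all ones, in sysctl.conf to make it stick across reboots).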