[squid-users] Squid and IPTABLES

From: Scott Mayo <scotgmayo_at_gmail.com>
Date: Wed, 26 Feb 2014 07:51:52 -0600

I thought I would post this here also, even though I think it is more
of an IPTABLES question, because my Squid box is affecting the outcome. I
have it posted on netfilter.

My main Squid Filter has Private IP of 192.168.1.1 (eth1) and a public
IP of 1.1.1.1 (eth0). It also has a virtual public IP of 1.1.1.2
(eth0:0). I have a web server that sits behind the Squid box with
name EXAMPLE.ORG and a private IP of 192.168.1.2, which resolves to
1.1.1.2. Everything works fine outside the network when I go to
EXAMPLE.ORG. Everything works fine in the network if I go to
EXAMPLE.ORG without pointing my browser to the Squid proxy. Once I
point my browser to the Squid proxy though and try to go to
EXAMPLE.ORG, it comes back to the webpage of 1.1.1.1 which is my Squid
box. Any idea why it would matter if I go through Squid or not?

I broke my IPTABLES down to almost nothing just to test. I'll post
them below in case anyone uses them and can tell me if I need to do
something different to make them work with Squid. I am about to give
up. I DO NOT have an internal DNS server so right now that is not an
option. I am getting ready to set one up, but wanted this working
first. I assume the internal DNS server will get rid of the problem;
I hope it does not matter at that point whether I go through Squid or not.
Thanks for any suggestions.

-------------------------------------------------------------
#!/bin/sh
EXT_IP="1.1.1.0/24"
EXT_IFACE="eth0"
EXT_BROADCAST="1.1.1.255"

INT_IP="192.168.0.1"
INT_IP_RANGE="192.168.0.0/16"
INT_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

/sbin/depmod -a

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#Non required modules
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

echo "1" > /proc/sys/net/ipv4/ip_forward

#Create default policies and FLUSH the chains
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#Allow the local network

#Inbound connections to the virtual public IP go to the internal web server
$IPTABLES -t nat -A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 192.168.0.2
#Hairpin: LAN clients that reach the server via 1.1.1.2 get their source rewritten
$IPTABLES -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/16 -j SNAT --to-source 1.1.1.2
#Everything else leaving eth0 is SNATed to the primary public IP
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1

-- 
Scott Mayo
Mayo's Pioneer Seeds
Received on Wed Feb 26 2014 - 13:52:01 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 27 2014 - 12:00:07 MST
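An added example, not part of Scott's post and not code from the Squid or netfilter projects: the NAT rule set for the setup described above, with one rule the posted script does not have. Packets generated on the firewall itself, which is what Squid's own connection to 1.1.1.2 is once it has resolved EXAMPLE.ORG, never traverse the nat PREROUTING chain; the only nat chain that can DNAT them is OUTPUT. Without an OUTPUT rule a connection to the locally configured 1.1.1.2 is delivered on the box itself, to whatever listens there, which is consistent with seeing the Squid host's own page. The addresses and interface names are the ones from the posted script; the DRY_RUN/show mode and the helper functions (show_nat_rules, count_dnat_rules, apply_all) are assumptions added so the rule set can be inspected without root or a live netfilter.

```shell
#!/bin/sh
# Added example: NAT rules for the setup in the post, plus the nat OUTPUT rule
# that covers connections originated on the firewall itself (e.g. by Squid).
# Not the poster's script. The DRY_RUN/show mode and helper functions are
# assumptions so the rule set can be inspected without root or netfilter.
set -eu

EXT_IFACE="eth0"
EXT_IP="1.1.1.1"              # primary public address of the Squid box
VIP="1.1.1.2"                 # virtual public address (eth0:0) EXAMPLE.ORG resolves to
INT_IP_RANGE="192.168.0.0/16"
WEB_SERVER="192.168.0.2"      # internal web server behind the box

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Execute an iptables command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_nat_rules() {
    run -t nat -F

    # Traffic arriving on an interface (Internet clients, and LAN clients that
    # bypass the proxy) traverses nat PREROUTING: send the VIP to the web server.
    run -t nat -A PREROUTING -d "$VIP" -p tcp -j DNAT --to-destination "$WEB_SERVER"

    # Traffic generated on this host (Squid connecting to 1.1.1.2 after resolving
    # EXAMPLE.ORG) never sees PREROUTING; it traverses nat OUTPUT instead. Without
    # this rule the packet is delivered locally, to whatever listens on the box.
    run -t nat -A OUTPUT -d "$VIP" -p tcp -j DNAT --to-destination "$WEB_SERVER"

    # Hairpin for LAN clients: rewrite the source so the web server answers via
    # the firewall instead of replying directly on the LAN with the wrong address.
    run -t nat -A POSTROUTING -d "$WEB_SERVER" -s "$INT_IP_RANGE" -j SNAT --to-source "$VIP"

    # Everything else leaving eth0 uses the primary public address.
    run -t nat -A POSTROUTING -o "$EXT_IFACE" -j SNAT --to-source "$EXT_IP"
}

# Print the rule set without touching netfilter (subshell, so DRY_RUN does not
# leak into the caller's environment).
show_nat_rules() {
    ( DRY_RUN=1; apply_nat_rules )
}

# Number of DNAT rules in the generated set: one per nat chain that can see a
# packet destined for the VIP (PREROUTING for forwarded, OUTPUT for local).
count_dnat_rules() {
    show_nat_rules | grep -c -- '-j DNAT'
}

# Apply for real: enable forwarding between eth0 and eth1, then load the rules.
apply_all() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_nat_rules
}

# Default is to show the rules; "apply" as the first argument loads them.
if [ "${1:-show}" = "apply" ]; then
    apply_all
else
    show_nat_rules
fi
```

Run it without arguments to see the five iptables commands it would issue, and as root with `apply` to load them. The check a practitioner wants after loading is `iptables -t nat -L OUTPUT -n -v`: the OUTPUT DNAT counter should increase when the proxied request is made from the Squid box, while the PREROUTING counter should only move for requests that arrive on eth0 or eth1.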