squid + iptables

Hi all,

I have installed SQUID on a SLES 12 server.
The server (192.168.99.80) is in a DMZ.

If in Firefox I change the following settings …
proxy server: 192.168.99.80
port: 3128
… all is working correctly.

The problem is that I do not want to manually change the configuration of all the browsers in the LAN, and therefore I use iptables to forward the HTTP requests to the proxy server (192.168.99.80).
As described in “http://www.tldp.org/HOWTO/TransparentProxy-6.html” I have done some changes in my firewall.
As a first step I want to enable the proxy server only for my PC (192.1.2.36).

Here the changes I have done in the firewall:
iptables -t nat -A PREROUTING -i eth0 -s 192.1.2.36 -p tcp --dport 80 -j DNAT --to 192.168.99.80:3128
iptables -t nat -A POSTROUTING -o eth0 -s 192.1.2.36 -d 192.168.99.80 -j SNAT --to 192.168.99.1

eth0 is the interface to LAN
192.1.2.36 is my PC (connected on the LAN)
192.168.99.1 is the “DMZ interface” on the Firewall

After this change I cannot connect to the Internet from my PC and in /var/log/squid/access.log I see following lines:
1416934683.591 0 192.1.2.36 NONE/400 3440 GET / - HIER_NONE/- text/html
1416934683.823 0 192.1.2.36 NONE/400 3468 GET /Artwork/SN.png - HIER_NONE/- text/html

In squid.conf I have tried to change the following line:
old → http_port 3128
new → http_port 3128 intercept

but after this change nothing appears in /var/log/squid/access.log

In other words:
if I configure my browser to use the proxy server all is working correctly
but I have problems with iptables forwarding the HTTP requests to the proxy server

Thanks a lot for any help.
Miche

Safe to assume you’re using method #1 (vs. #2) from that document?

It may be useful to get a LAN trace from the Squid box when you actually
see lines showing up in its log file. From there perhaps we’ll see things
are not being sent back properly, or perhaps they are and the firewall is
not completing that re-translation back to the source system.

Have you tried method #2? That looks nicer overall; policy-based routing
is slick if you can do that.


Good luck.

Hi Miche,

[QUOTE=mrezzonico;25088]Hi all,

I have installed SQUID on a SLES 12 server.
The server (192.168.99.80) is in a DMZ.

If in Firefox I change the following settings …
proxy server: 192.168.99.80
port: 3128
… all is working correctly.

The problem is that I do not want to manually change the configuration of all the browsers in the LAN, and therefore I use iptables to forward the HTTP requests to the proxy server (192.168.99.80).
As described in “http://www.tldp.org/HOWTO/TransparentProxy-6.html” I have done some changes in my firewall.
As a first step I want to enable the proxy server only for my PC (192.1.2.36).

Here the changes I have done in the firewall:
iptables -t nat -A PREROUTING -i eth0 -s 192.1.2.36 -p tcp --dport 80 -j DNAT --to 192.168.99.80:3128
iptables -t nat -A POSTROUTING -o eth0 -s 192.1.2.36 -d 192.168.99.80 -j SNAT --to 192.168.99.1

eth0 is the interface to LAN
192.1.2.36 is my PC (connected on the LAN)
192.168.99.1 is the “DMZ interface” on the Firewall

After this change I cannot connect to the Internet from my PC and in /var/log/squid/access.log I see following lines:
1416934683.591 0 192.1.2.36 NONE/400 3440 GET / - HIER_NONE/- text/html
1416934683.823 0 192.1.2.36 NONE/400 3468 GET /Artwork/SN.png - HIER_NONE/- text/html

In squid.conf I have tried to change the following line:
old → http_port 3128
new → http_port 3128 intercept

but after this change nothing appears in /var/log/squid/access.log

In other words:
if I configure my browser to use the proxy server all is working correctly
but I have problems with iptables forwarding the HTTP requests to the proxy server

Thanks a lot for any help.
Miche[/QUOTE]

is it correct that the client PC is on the internal network, Squid is on a server on a different (DMZ) network, and the firewall is connecting the two? Then the second iptables rule is not only unnecessary, but is messing things up.

The document you reference assumes that the squid machine and the client would not communicate through the firewall (“iptables-box”) under normal circumstances.

Just setting

iptables -t nat -A PREROUTING    -i eth0 -s 192.1.2.36 -p tcp --dport 80 -j DNAT --to 192.168.99.80:3128

to route your client’s requests to the transparent proxy should be sufficient, iptables-wise. Of course you’ll have to set up your Squid properly, too.

Regards,
Jens

Hi ab and Jens,

thanks a lot for your help.
I think I have solved my problem.

Squid was installed in a DMZ. In my DMZ I have only one NIC.
It seems that if you run Squid in transparent mode you need two NICs.

Therefore I have installed Squid on my firewall.
Now all works correctly.

The rules are:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -p tcp --sport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $GOOD_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A good-if -p tcp --dport 3128 -j ACCEPT

Regards.
Miche

Hi Miche,

[QUOTE=mrezzonico;25125]Hi ab and Jens,

thanks a lot for your help.
I think I have solved my problem.

Squid was installed in a DMZ. In my DMZ I have only one NIC.
It seems that if you run Squid in transparent mode you need two NICs.

Therefore I have installed Squid on my firewall.
Now all works correctly.

The rules are:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -p tcp --sport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $GOOD_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A good-if -p tcp --dport 3128 -j ACCEPT[/QUOTE]

from your rule set I read it that any traffic to port 80 is PATed to 3128 (only dport is changed) - but where do you redirect it to your firewall’s ( == transparent Squid) IP address?

I would have thought that the packets in question have a destination of someInternetServerIP:80, which needs to be rewritten to SquidIP:3128 in the PREROUTING rule and the INPUT rule should let packets to port 3128 pass…

iptables -t nat -A PREROUTING -i $GOOD_IFACE -p tcp --dport 80 -j DNAT --to $SQUID_IP:3128

Regards,
Jens

Hi *,

[QUOTE=jmozdzen;25126]Hi Miche,

from your rule set I read it that any traffic to port 80 is PATed to 3128 (only dport is changed) - but where do you redirect it to your firewall’s ( == transparent Squid) IP address?

I would have thought that the packets in question have a destination of someInternetServerIP:80, which needs to be rewritten to SquidIP:3128 in the PREROUTING rule and the INPUT rule should let packets to port 3128 pass…

iptables -t nat -A PREROUTING -i $GOOD_IFACE -p tcp --dport 80 -j DNAT --to $SQUID_IP:3128

Regards,
Jens[/QUOTE]

my fault - since you’re using REDIRECT and not DNAT, you’re doing just what I proposed (re-mapping to 3128 on the local host, where your Squid is running), just with a different syntax. I’m off to fetch some coffee :wink:

Regards,
Jens
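As an added example that is not part of the original thread: a POSIX shell script that prints the ruleset Miche ended up with (Squid and the NAT on the firewall host, REDIRECT on the LAN interface), scoped so the intercept port is reachable only from the LAN, plus a small classifier for the `NONE/400` lines from the first post. The underlying point: Squid's `intercept` mode recovers the original destination from the local NAT table (SO_ORIGINAL_DST), so the REDIRECT or DNAT has to happen on the host running Squid; NAT done on a separate firewall leaves Squid with nothing to look up, which is consistent with the empty access.log after `http_port 3128 intercept`, and with `NONE/400` before it (an origin-form `GET /` arriving at a forward-proxy port). The interface name `eth0`, the subnet `192.1.2.0/24`, the port 3128 and the third sample log line are assumptions; the first two sample lines are the ones posted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Transparent Squid on the firewall
# host: print the iptables rules and classify Squid access.log lines.
# Assumptions: LAN interface eth0, LAN subnet 192.1.2.0/24, intercept port 3128.

# Print (do not apply) the rules. Args: LAN interface, Squid intercept port,
# LAN subnet that is allowed to use the proxy.
squid_intercept_rules() {
    lan_if="$1"; port="$2"; lan_net="$3"
    # Replies to connections this host (including Squid) opened outbound.
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # The intercept port must be reachable from the LAN side only. Left open on
    # the WAN interface, an intercept listener is an open proxy.
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $port -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    # LAN -> anywhere:80 becomes this host:$port. REDIRECT records the original
    # destination in conntrack; Squid's "intercept" mode reads it back through
    # SO_ORIGINAL_DST, which only works when the NAT happens on the Squid host.
    # Port 443 is deliberately not touched: TLS cannot be intercepted this way.
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $port"
}

# Apply the printed rules (requires root). Review the printed output first.
apply_squid_intercept_rules() {
    squid_intercept_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

# Classify one Squid native-format access.log line:
#   time elapsed client code/status bytes method URL user hierarchy type
# Prints one of: intercepted-on-forward-port, bad-request, ok, other.
classify_squid_line() {
    set -f            # no globbing while splitting the line into fields
    set -- $1
    set +f
    case "$4" in
        NONE/400)
            # A relative URL ("GET /") with NONE/400 means Squid received an
            # intercepted request on a port without the "intercept" flag.
            case "$7" in
                http://*|https://*) echo "bad-request" ;;
                *) echo "intercepted-on-forward-port" ;;
            esac ;;
        TCP_*/[23]*) echo "ok" ;;
        *) echo "other" ;;
    esac
}

# Sample input: the two lines from the first post plus one constructed healthy line.
SAMPLE_LOG='1416934683.591 0 192.1.2.36 NONE/400 3440 GET / - HIER_NONE/- text/html
1416934683.823 0 192.1.2.36 NONE/400 3468 GET /Artwork/SN.png - HIER_NONE/- text/html
1416934700.000 120 192.1.2.36 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html'

# Stand-alone run: show the rules, then a verdict per sample line.
squid_intercept_rules eth0 3128 192.1.2.0/24
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-28s <- %s\n' "$(classify_squid_line "$line")" "$line"
done
```

The `DROP` on the intercept port is the check most write-ups omit: with `http_port 3128 intercept` and no interface restriction, the firewall's external address becomes a proxy for anyone who can reach it.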