Anybody with 100% working NAT/MASQ/SQUID/HTTPS solution?

[Gentoo Server]

I try real hard but my basic

iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

setting is good for http but any https transfer doesnt work

I have only eth0 and ppp0 anybody has a working solution for me?

Greetings Olaf

[xming]

Maybe this will help

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

[/quote]

[Gentoo Server]

Maybe this will help

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

[/quote]
I tried it but squid dont like 443 requests
how can I make squid 2.5.3 443 enabled ?

[jhboricua]

Have you checked the squid mailing lists?

I've seen some info there that suggested https and squid don't work well together, but I may be wrong.

[Chris W]

You can't transparently proxy HTTPS. Connections must be made end-to-end.

http://www.ibiblio.org/Linux/HOWTO/Tran ... html#ss2.3

[Gentoo Server]

I tried to disable the squid & redirect then not even http was working i think its a dns problem

ping on the client works 100%


my client has router = dns = wins = linux server

on linux server I use dnsmasq to get dns resolved

my isp is a pp0 with changing dns servers

I need some special config for dns/dnsmasq ?

internet on linux server is 100%

mtu of isp is 1400

Bye
Olaf

[Evileye]

If you only have 1 ethernet card, why do you need masquerading?

If you have two cards, did you do

cd /etc/init.d
cp net.eth0 net.eth1
rc-update add net.eth1 default

I have 2 network cards, one connects to my network(eth1), the other to the internet using ADSL(ppp0 over eth0).

First, do you have all the right kernel modules installed?

Here is my configuration thus far....

For the kernel, under networking options I have

<*> Packet socket
[*] Packet socket: mmapped IO

[*] Network packet filtering (replaces ipchains)
[*] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[*] IP: advanced router

Then under IP Netfilter Configuration (which is found under networkting options) I have

<*> Connection tracking (required for masq/NAT)
<*> FTP protocol support
<*> IP tables support (required for filtering/masq/NAT)
<*> limit match support
<*> Connection state match support
<*> Packet filtering
<*> REJECT target support
<*> Full NAT
<*> MASQUERADE target support
<*> REDIRECT target support

For my firewall I created a scripts as follows

nano firewall.txt (call it whatever you want) then enter the following

iptables -F
iptables -t nat -F

iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -i eth1 -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i lo -p all -j ACCEPT
iptables -A FORWARD -i eth1 -p all -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

eth1 is the network(ethernet) card connected to my network. ppp0 is my adsl connection to the internet.

chmod the script as follows so you can execute it

chmod 700 firewall.txt

then type

./firewall.txt

This will enter the rules into your iptables and you should see the following on your screen

Chain INPUT (policy DROP):15:02 2003
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Now in /etc/conf.d/local.start add the following

adsl-start

echo 1 > /proc/sys/net/ipv4/ip_forward

I assume you have run

adsl-setup

(you may have to change some options manually in /etc/ppp/pppoe.conf)

You should be good to go!

I don't think you can accept connections for https using squid and I have read using squid for port 80 has potential security risks but I have never tried that. I just have all the computers on my network connect to the internet through squid.

[Gentoo Server]

Thanks for your help!


iptables -F
iptables -t nat -F

iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -p all -j ACCEPT
iptables -A INPUT -i ppp0 -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i lo -p all -j ACCEPT
iptables -A FORWARD -i eth0 -p all -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128



I did this and everythings works with http when i go to this banking site

https://homebanking.dvg-ka.de/050/index.html

i cannot get it on my client


when i enable proxy server:3128 at my ie6 it works

strange its not possible zu use a linux router without entering proxydata to ie6

Greetings
Olaf

[axxackall]

Maybe this will help

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

[/quote]

What if my users are going to various site sitting on arbitrary ports other than 80? Is it possible to trasparently redirect web connections with arbitrary ports based not on the port number (too many port numbers will be in the table), but on the protocol fingerprint of HTTP?

[acidreign]

Might help ? http://www.subverted.net/wakka/wakka.ph ... SquidCache

Gentoo server, are you part of the Genoo Server Project ?