rgeber n00b
Joined: 01 Jun 2011 Posts: 19 Location: Germany/Dresden
|
Posted: Sun Dec 02, 2012 2:34 pm Post subject: Problems with Transparent Squid Proxy |
|
|
[list]Hi,
I'm attemtping to run a transparent proxy on my home server to reduce lag and traffic on the satellite connection I'm using. To achieve this I followed this Tutorial to begin with. I was able to successfully transform my box into a NAT router however ran into trouble with the proxy part.
Squid by itself works fine when used in a traditional way, however when used transparently it doesn't receive the URL. This a snippet of the squid log when I request a URL directly through the browser's proxy client:
Code: | 1354457946.247 2295 192.168.42.42 TCP_MISS/404 4784 GET http://www.delodder.be/blog/wp-content/themes/vigilance/images/favicon.ico DIRECT/81.95.119.36 text/html |
When requesting the same URL using the iptables mechanism I'll get this:
Code: | 1354458163.059 0 192.168.42.42 NONE/400 3639 GET /blog/wp-content/themes/vigilance/images/favicon.ico - NONE/- text/html
1354458163.579 0 192.168.42.42 NONE/400 3565 GET /Artwork/SN.png - NONE/- text/html
1354458164.267 0 192.168.42.42 NONE/400 3559 GET /favicon.ico - NONE/- text/html |
I've suspected an improper kernel configuration and ensured for these settings to be in place:
Code: | NF_CONNTRACK=m
NETFILTER_TPROXY=m
NETFILTER_XT_MATCH_SOCKET=m
NETFILTER_XT_TARGET_TPROXY=m |
The modules are loaded and while remerging squid I've received success messages. However the transparency still doesn't work. Squid is compiled with the and USE Flags.
This is my current squid.conf
Code: | http_port 3128 tproxy
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 192.168.42.0/24 192.168.43.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname mydomain.com
always_direct allow all
always_direct allow lan
coredump_dir /var/spool/squid |
I've copied most of it from this blog entry.
My current iptables config script looks like this:
Code: | #!/bin/sh
# Squid server IP
SQUID_SERVER="192.168.42.250"
# Interface connected to Internet
INTERNET="eth0"
# Address connected to LAN
LOCAL="192.168.42.0/24"
LOCAL2="192.168.43.0/24"
# Squid port
SQUID_PORT="3128"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -s $LOCAL -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -s $LOCAL2 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# open everything
iptables -A INPUT -i $INTERNET -j ACCEPT
iptables -A OUTPUT -o $INTERNET -j ACCEPT
# specifically open SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP |
This is the output of ifconfig:
Code: | eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.43.250 netmask 255.255.255.0 broadcast 192.168.43.255
inet6 fe80::f66d:4ff:fee4:e724 prefixlen 64 scopeid 0x20<link>
ether f4:6d:04:e4:e7:24 txqueuelen 1000 (Ethernet)
RX packets 32362 bytes 3818506 (3.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 47101 bytes 51111845 (48.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.42.250 netmask 255.255.255.0 broadcast 192.168.42.255
ether f4:6d:04:e4:e7:24 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 16436
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 76 bytes 11087 (10.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 76 bytes 11087 (10.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 |
Another useful link would be [url=wiki.squid-cache.org/Features/Tproxy4]this one[/url] on the official Squid Wiki, however it didn't quite solve the porblem.
Does anyone have an idea on how to get a transparent proxy to work? I'm not too well versed in the usage of iptables so its quite possible thats the source of my trouble. I ran out of options and skills to fix this, now I hope that someone may point me in the right direction.
Thanks a lot in advance.
cu
Roman _________________ We are all connected |
|