Gentoo Forums
SOLVED: iptables, Apache2 and transparent Proxy on the same
Gentoo Forums Forum Index > Networking & Security
mort23
n00b


Joined: 03 Apr 2004
Posts: 39

PostPosted: Sun May 30, 2004 4:56 pm    Post subject: SOLVED: iptables, Apache2 and transparent Proxy on the same

Hi Forum!

I'm trying to put Squid as a transparent proxy onto my router, which also serves my website. That's the situation:

Internet => eth0-gentoo-box-eth1 => Local Network

Port forwarding works fine with iptables. Also, Squid is working nicely, but I have to put the address of my gentoo-box into the proxy settings of the browsers with port 80 to make it work, which shouldn't be necessary since the gateway address on the clients is set to the gentoo-box.

Apache is listening on port 8080, but it is not reachable from the outside and not reachable at all on port 80.

Basically, I want all port 80 HTTP traffic from eth0 (Internet) forwarded to Apache and all port 80 HTTP traffic from eth1 (LAN) to Squid.

I tried lots of things and don't know where to continue; I'm attaching my squid config and iptables script.

iptables:
Code:
# flush everything, masquerade the LAN behind eth0, enable routing
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept any new connection that does not arrive on eth0 ("-i ! eth0" is the old syntax; newer iptables releases want "! -i eth0")
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -P INPUT DROP

#squid: LAN port 80 is rewritten to 3128 in nat/PREROUTING, then hits filter/INPUT with dport 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -i eth1 -p tcp -d 192.168.0.1 -s 192.168.0.0/32 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
#apache: Internet port 80 is rewritten to 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -i eth0 -p tcp -d 192.168.0.1 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT

#services
iptables -A INPUT -p tcp -m tcp --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT

#nat: inbound port forwards to the LAN host 192.168.0.2
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT --to 192.168.0.2:4662
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 4672 -j DNAT --to 192.168.0.2:4672
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 4771 -j DNAT --to 192.168.0.2:4771
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 6000 -j DNAT --to 192.168.0.2:6000

# let the DNATed connections through the FORWARD chain
iptables -I FORWARD -i eth0 -p tcp -d 192.168.0.2/32 --dport 4662 -j ACCEPT
iptables -I FORWARD -i eth0 -p udp -d 192.168.0.2/32 --dport 4672 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -d 192.168.0.2/32 --dport 4771 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -d 192.168.0.2/32 --dport 6000 -j ACCEPT

iptables -I FORWARD -i eth0 -p tcp -s 192.168.0.2/32 --dport 4661 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -s 192.168.0.2/32 --dport 6000 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -s 192.168.0.2/32 --dport 4662 -j ACCEPT
iptables -I FORWARD -i eth0 -p udp -s 192.168.0.2/32 --dport 4672 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -s 192.168.0.2/32 --dport 4771 -j ACCEPT

iptables -I FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


squid.conf:
Code:
# listen only on the LAN address; the iptables REDIRECT sends LAN port-80 traffic here
http_port 192.168.0.1:3128
icp_port 0
cache_mem 20 MB
cache_dir ufs /home/tmp/squid 256 16 256
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl allowed_hosts src 192.168.0.0/255.255.255.0
acl our_networks src 192.168.0.0/24
http_access allow our_networks
icp_access allow allowed_hosts
icp_access deny all
miss_access allow allowed_hosts
miss_access deny all
visible_hostname jk3.ath.cx
# Squid 2.5 accelerator-mode settings that make it act as a transparent proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Any help is appreciated very much!
Moritz


Last edited by mort23 on Tue Jun 01, 2004 8:08 pm; edited 1 time in total
adaptr
Watchman


Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Sun May 30, 2004 11:55 pm

You're making life very difficult for yourself.

1. install apache2, set it to only listen on eth0:80, and test it.
2. install squid, set it to only listen on eth1:80, and test it.
3. now you might be ready to start playing with iptables, but again - test each and every rule one by one.

I could reel off 3 or 4 reasons off the top of my head for why your "config" won't do what you want, but I won't comment on them, because A. it is late, and 2. I disapprove of teaching bad habits. ;-)

Really.
Try to read at least a little about network security and tcp/ip basics before grappling with iptables.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
Chris W
l33t


Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia

PostPosted: Sun May 30, 2004 11:58 pm

At a cursory glance, are you sure this is correct:
Code:
iptables -A INPUT -i eth1 -p tcp -d 192.168.0.1 -s 192.168.0.0/32 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

I think...
Code:
iptables -A INPUT -i eth1 -p tcp -d 192.168.0.1 -s 192.168.0.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
(i.e. the source is anywhere on your network) will help.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
mort23
n00b


Joined: 03 Apr 2004
Posts: 39

PostPosted: Mon May 31, 2004 12:55 am

adaptr:
I did points one and two before I posted, and right now I am playing. Also, I'm aware of the TCP/IP basics.
I decided to let Apache listen on port 80 at eth0, since that doesn't seem to break anything.
I will test the rules one by one and report back later.


Chris W:
That doesn't change anything. I can still access the proxy on eth1 at port 80; it just has to be set in the browser, or else the browser bypasses Squid.
adaptr
Watchman


Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Mon May 31, 2004 10:38 am

mort23 wrote:
adaptr:
I did points one and two before I posted, and right now I am playing. Also, I'm aware of the TCP/IP basics.

I'm not trying to bait you here - look at the rules for forwarding/redirecting HTTP on both sides of the box.
You say you want transparent proxying on the inside, and yet you redirect all traffic to the normal squid port.
That is not transparent proxying; squid itself takes care of that.

Next, you duplicate all http requests in the INPUT chain of the normal filter table - why?
If anything is caught by the NAT table - and everything is! - then those packets will never see the filter chain.
Or vice versa.

mort23 wrote:
I decided to let Apache listen on port 80 at eth0, since that doesn't seem to break anything.

Then let me elucidate what I meant you should do:
1. set up apache to listen on <external IP>:80 - this way, it will not even see internal requests, but you have to make sure squid can reach your own web server, or you can't reach it at all.
2. set up squid to do transparent proxying; this is adequately explained in the squid docs.
3. do not bother with http in iptables, since it is not needed.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
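The split adaptr describes, written out as an added example that is not the thread's own script: Apache takes port 80 only for connections arriving on eth0, the LAN's port-80 traffic is REDIRECTed to Squid on 192.168.0.1:3128, and the filter rule for Squid matches the post-NAT port with the /24 source Chris W suggested. Interface names, the LAN addressing and the Squid port come from the thread; the SSH entries and the single 4662 port forward are assumptions. The rules are printed rather than loaded, so each one can be read before apply_rules runs the set as root.

```shell
#!/bin/sh
# Added example for the thread's layout (Internet on eth0, LAN on eth1):
#   - Apache answers port 80 only for connections arriving on eth0
#   - Squid on 192.168.0.1:3128 gets the LAN's port-80 traffic via REDIRECT
# Interface names, addresses and ports are assumptions taken from the thread.
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_IP=${LAN_IP:-192.168.0.1}
SQUID_PORT=${SQUID_PORT:-3128}

# gen_rules prints the ruleset instead of loading it, so it can be read
# (or diffed against iptables-save output) before apply_rules runs it.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Internet side: Apache on :80 and SSH are the only new connections accepted.
iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# LAN side: rewrite port 80 to Squid, except for connections to the box
# itself, otherwise nothing on the LAN could talk to a local web server.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 ! -d $LAN_IP -j REDIRECT --to-ports $SQUID_PORT
# Redirected packets still traverse filter/INPUT, now with dport $SQUID_PORT,
# so the filter rule matches the post-NAT port and only the LAN /24 as source.
iptables -A INPUT -i $LAN_IF -p tcp -s $LAN_NET -d $LAN_IP --dport $SQUID_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 22 -m state --state NEW -j ACCEPT
# Masquerade the LAN; forward only LAN-originated flows and their replies.
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# One inbound port forward in the same style (the thread forwards 4662 to 192.168.0.2).
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 4662 -j DNAT --to-destination 192.168.0.2:4662
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -p tcp -d 192.168.0.2 --dport 4662 -m state --state NEW -j ACCEPT
EOF
}

# rule_count returns the number of iptables commands gen_rules emits (comment lines excluded).
rule_count() {
    gen_rules | grep -c '^iptables '
}

# apply_rules loads the set and turns on forwarding; run as root after reviewing gen_rules.
apply_rules() {
    gen_rules | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Two points worth checking against the original script: a REDIRECT in nat/PREROUTING does not take the packet out of the filter table, it arrives in filter/INPUT with the rewritten destination port, so the INPUT rule must accept 3128 rather than 80; and a dport-80 REDIRECT without the `! -d` exclusion also catches connections addressed to the box's own LAN address. After apply_rules, `iptables-save` shows the loaded set for comparison with gen_rules.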
LeTene
Guru


Joined: 02 Mar 2004
Posts: 348
Location: Ah'll glass ye!

PostPosted: Mon May 31, 2004 10:46 am

There is a lovely, comprehensive guide on various aspects of a home server box in the gentoo Wiki:

HOWTO setup a home-server
_________________
Docs, Tips & Tricks at the Gentoo Wiki page.
mort23
n00b


Joined: 03 Apr 2004
Posts: 39

PostPosted: Tue Jun 01, 2004 8:04 pm

OK, I've got it working now :D

The problem was squid. I often restarted squid with the init scripts for testing new configurations. Unfortunately, "/etc/init.d/squid stop" doesn't kill squid completely. There was always a process hanging around blocking port 3128. Trying to start squid did bring up some error messages, but I was dumb enough not to check the logs.

Thanks to all for trying to help me, especially adaptr.


LeTene wrote:
There is a lovely, comprehensive guide on various aspects of a home server box in the gentoo Wiki:

HOWTO setup a home-server

That's exactly where I started from; I can only recommend it!

Now I'm going to pretty up those iptables rules.

Thanks again
Moritz
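The failure mort23 ran into, a stopped Squid whose old process still holds port 3128, can be caught before the restart instead of in the logs. As an added example that is not from the thread, the script below reads /proc/net/tcp for a LISTEN socket on the port, maps it back to the owning process through /proc/PID/fd, and only starts Squid once the port is free. The two-line table embedded in it is constructed for self-testing; the port number and the init script path are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: do not restart Squid while an old process still owns its port.
# The check reads /proc/net/tcp directly: column 2 is local_address as HEXIP:HEXPORT,
# column 4 is the socket state (0A = LISTEN), column 10 is the socket inode.
# The port and init script path are assumptions taken from the thread.
SQUID_PORT=${SQUID_PORT:-3128}
SQUID_INIT=${SQUID_INIT:-/etc/init.d/squid}

# A constructed excerpt in /proc/net/tcp format, used for self-testing:
# one LISTEN socket on 192.168.0.1:3128 and one ESTABLISHED connection to it.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100A8C0:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100A8C0:0C38 0200A8C0:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1'

# port_hex 3128 -> 0C38, the form /proc/net/tcp uses for port numbers.
port_hex() {
    printf '%04X' "$1"
}

# listener_inodes PORT [FILE...]: print the inode of every LISTEN socket on PORT.
# Defaults to the live tcp and tcp6 tables; unreadable files are skipped.
listener_inodes() {
    port=$1; shift
    hex=$(port_hex "$port")
    files=""
    for f in ${*:-/proc/net/tcp /proc/net/tcp6}; do
        [ -r "$f" ] && files="$files $f"
    done
    [ -n "$files" ] || return 0
    # shellcheck disable=SC2086
    awk -v p=":$hex\$" '$2 ~ p && $4 == "0A" { print $10 }' $files
}

# port_listening PORT [FILE...]: true if at least one LISTEN socket is on PORT.
port_listening() {
    [ -n "$(listener_inodes "$@")" ]
}

# listener_pids PORT: map listening socket inodes back to processes via /proc/PID/fd.
listener_pids() {
    for ino in $(listener_inodes "$1"); do
        for fd in /proc/[0-9]*/fd/*; do
            if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$ino]" ]; then
                pid=${fd#/proc/}
                echo "${pid%%/*}"
            fi
        done
    done | sort -u
}

# restart_squid: stop, wait up to 10 s for the port to be released, then start.
# If a stray process still holds the port, report it instead of starting a
# second Squid that cannot bind (the failure described in the thread).
restart_squid() {
    "$SQUID_INIT" stop
    n=0
    while port_listening "$SQUID_PORT"; do
        n=$((n + 1))
        if [ "$n" -ge 10 ]; then
            echo "port $SQUID_PORT still held by pid(s): $(listener_pids "$SQUID_PORT" | tr '\n' ' ')" >&2
            return 1
        fi
        sleep 1
    done
    "$SQUID_INIT" start
}

if [ "${1:-}" = restart ]; then
    restart_squid
fi
```

The state check matters: an ESTABLISHED entry on the same port (the second sample line) is a client still talking to the old daemon and does not by itself stop a new bind, so only `0A` counts. Reading /proc/net/tcp avoids depending on netstat, ss or lsof being installed on a minimal router.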
All times are GMT