Gentoo Forums
transparent squid problem, iptables incorrectly set up?
lukdk
n00b

Joined: 16 Jan 2010
Posts: 8

PostPosted: Sat Jan 16, 2010 7:30 pm    Post subject: transparent squid problem, iptables incorrectly set up?

Hello,


I'm having trouble setting up my proxy transparently. I've looked on the web for a solution, and according to the manuals it should be very simple; however, it is not working on my system.

I'm using a Gentoo server with Squid and NAT.

This is in the squid.conf:
http_port 8888 transparent


I'm using these firewall rules:

/sbin/iptables -t nat -F
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --src 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8888

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:http redir ports 8888

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



When I try to browse to an unknown domain on a computer on the LAN with IP 192.168.0.* I still get the default error page instead of the Squid-generated error page.
When I manually set up the proxy in the browser, I see Squid is working fine.

I'm not sure where to start looking for what exactly is going wrong, since I don't get any errors. Maybe I'm not looking in the correct location. I assume something in the firewall is incorrectly set up, or maybe I'm missing some support in the kernel for this?
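One way to check a ruleset like the one above before trusting it is to audit the output of iptables -t nat -S. The script below is an added example, not code from the poster or from Squid; the rule text it parses is a constructed sample written in the form iptables -t nat -S prints, mirroring the rules in the post, and the interface names, subnet and port are passed in as parameters. The check the audit enforces is the one that matters for a transparent proxy on a router: the REDIRECT rule must be scoped to the LAN interface and LAN source range, so port-80 traffic arriving on the ppp0 uplink is never redirected into Squid, and MASQUERADE must be limited to the uplink.

```python
import shlex

# Constructed sample in `iptables -t nat -S` form, mirroring the rules from
# the post (LAN on eth1, 192.168.0.0/24; uplink on ppp0; Squid on 8888).
# iptables normalises --src to -s and --to-port to --to-ports when listing.
GOOD_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
-A PREROUTING -i eth1 -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
"""

# Constructed variant with the interface and source restrictions dropped: a
# common shortcut that also intercepts port-80 traffic arriving on the uplink.
LOOSE_RULES = """\
-A POSTROUTING -j MASQUERADE
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
"""


def parse_rules(text):
    """Turn `iptables -S` append lines into dicts of option -> value.

    Bare flags map to True. Negated matches ("! -s ...") are not handled;
    this parser covers the simple rules a home router uses.
    """
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue  # skip policy (-P) lines and blanks
        rule = {"chain": toks[1]}
        i = 2
        while i < len(toks):
            key = toks[i]
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule[key] = toks[i + 1]
                i += 2
            else:
                rule[key] = True
                i += 1
        rules.append(rule)
    return rules


def audit_nat(text, lan_if, lan_net, wan_if, proxy_port):
    """Return a list of findings; an empty list means the NAT table matches
    the expected transparent-proxy layout."""
    findings = []
    rules = parse_rules(text)
    redirects = [r for r in rules
                 if r["chain"] == "PREROUTING" and r.get("-j") == "REDIRECT"]
    masqs = [r for r in rules
             if r["chain"] == "POSTROUTING" and r.get("-j") == "MASQUERADE"]

    if not redirects:
        findings.append("no REDIRECT rule in nat PREROUTING: nothing is intercepted")
    for r in redirects:
        if r.get("-i") != lan_if:
            findings.append(f"REDIRECT not limited to -i {lan_if}: port-80 traffic "
                            f"arriving on other interfaces would also be sent to Squid")
        if r.get("-s") != lan_net:
            findings.append(f"REDIRECT not limited to -s {lan_net}")
        if r.get("-p") != "tcp" or r.get("--dport") != "80":
            findings.append("REDIRECT should match only tcp dport 80")
        if r.get("--to-ports") != str(proxy_port):
            findings.append(f"REDIRECT target port is {r.get('--to-ports')}, "
                            f"but Squid listens on {proxy_port}")

    if not masqs:
        findings.append("no MASQUERADE rule: LAN clients cannot reach the internet")
    for r in masqs:
        if r.get("-o") != wan_if:
            findings.append(f"MASQUERADE not limited to -o {wan_if}")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("loose", LOOSE_RULES)):
        print(name, audit_nat(text, "eth1", "192.168.0.0/24", "ppp0", 8888) or "OK")
```

On a live router, feed it the real output (iptables -t nat -S) instead of the constructed sample. The NAT table alone does not tell you whether Squid's port 8888 is reachable from the uplink; that is decided by the filter table's INPUT chain and is worth checking separately, since a transparent http_port that accepts connections from the internet behaves as an open proxy.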
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15991

PostPosted: Sat Jan 16, 2010 9:47 pm

What do you mean an unknown domain? If you request a domain for which the answer is NXDOMAIN, the browser will not initiate a TCP connection because there is nowhere to go, so there is no chance for Squid to intercept it.
lukdk
n00b

Joined: 16 Jan 2010
Posts: 8

PostPosted: Sat Jan 16, 2010 10:00 pm

This is what I mean by an unknown domain. I only get this when I set the proxy manually (and this is how I'm testing whether it's working). As you can see, this is an error generated by Squid (see bottom), but no Squid error is received when I don't set the proxy, so it's not working, I guess?



ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

The following error was encountered while trying to retrieve the URL: http://www.ergeryghergdfvd.com/

Unable to determine IP address from host name „www.ergeryghergdfvd.com”

The DNS server returned:

Name Error: The domain name does not exist.

This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.

Your cache administrator is root.



--------------------------------------------------------------------------------

Generated Sat, 16 Jan 2010 21:58:19 GMT by ldk.mine.nu (squid/3.0.STABLE19)
lukdk
n00b

Joined: 16 Jan 2010
Posts: 8

PostPosted: Sat Jan 16, 2010 10:14 pm

Oh, it seems to be solved!

The test I did wasn't correct.

Apparently when I shut down the proxy server, I'm not able to browse the internet any more. So I would say it's working. Also, according to the access.log, I'm using the proxy.

Still, it's strange when I set the proxy manually I get another error page than when I don't set it. Any explanation for that? Is that just since the browser will work differently when a proxy is specified?
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15991

PostPosted: Sun Jan 17, 2010 12:06 am

Yes. As I explained above, if you request a domain which does not exist, then the browser will get a response of NXDOMAIN from the DNS server. The browser then displays an inline error, without ever connecting to anything, so there is no opportunity for a connection to be intercepted. When you explicitly use a proxy, the browser delegates name resolution to Squid, so Squid receives a connection regardless of what you type in the address bar. Squid is thus able to return an error page for missing domains.
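The difference Hu describes can be shown without any network: a browser with no proxy configured resolves the name first and, on NXDOMAIN, renders its own error page before ever opening a TCP connection, so an iptables REDIRECT rule has nothing to act on; a browser with an explicit proxy skips resolution and hands the absolute URL to the proxy, which is why Squid can answer with its own error page. The script below is an added example, not code from the thread, from Squid, or from any browser. It uses a constructed in-process server standing in for Squid on 8888 (it records the request line it receives and replies with a Squid-style error page), a constructed resolver table in place of DNS, and the two browser modes implemented by hand; the hostname www.gentoo.example is made up.

```python
import socket
import threading


class RecordingServer:
    """Constructed stand-in for Squid (or an origin server): records the
    request line of every connection and answers with a Squid-style 503."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.request_lines = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was shut down
            with conn:
                conn.settimeout(5)
                data = conn.recv(4096).decode("latin-1")
                self.request_lines.append(data.split("\r\n", 1)[0])
                body = "ERROR\nThe requested URL could not be retrieved\n"
                conn.sendall(("HTTP/1.1 503 Service Unavailable\r\n"
                              "Content-Type: text/plain\r\n"
                              f"Content-Length: {len(body)}\r\n\r\n{body}")
                             .encode("latin-1"))

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.sock.close()


def browse(host, resolve, proxy=None):
    """Mimic a browser fetching http://host/.

    resolve(host) returns (ip, port) or None and stands in for DNS.
    No proxy: the browser must resolve the name itself; NXDOMAIN means an
    inline browser error and no TCP connection, so nothing can be intercepted.
    Proxy set: the browser does not resolve at all and sends the absolute URL
    to the proxy, which then does the lookup and can return its own error page.
    """
    if proxy is None:
        addr = resolve(host)
        if addr is None:
            return "browser inline error (NXDOMAIN, no connection made)"
        request = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n"
    else:
        addr = proxy
        request = f"GET http://{host}/ HTTP/1.1\r\nHost: {host}\r\n\r\n"
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(request.encode("latin-1"))
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.decode("latin-1").split("\r\n", 1)[0]  # status line only


def run_demo():
    """Run the three cases and return the status lines plus what the server saw."""
    server = RecordingServer()
    # Constructed resolver: only one name "exists", and it points at our server.
    table = {"www.gentoo.example": ("127.0.0.1", server.port)}
    resolve = table.get
    nx = "www.ergeryghergdfvd.com"  # the non-existent name from the thread
    results = {
        "direct_existing": browse("www.gentoo.example", resolve),
        "direct_nxdomain": browse(nx, resolve),
        "proxy_nxdomain": browse(nx, resolve, proxy=("127.0.0.1", server.port)),
    }
    results["requests_seen"] = list(server.request_lines)
    server.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The recorded request lines also show why the interception path depends on the Host header: the direct request arrives as "GET / HTTP/1.1" with only a Host header naming the site, whereas the proxied request carries the full URL in the request line. That is also why, as lukdk found, access.log on the server is the reliable test of interception, not the error page for a name that never resolves.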
All times are GMT