Herodot (Guru). Joined: 29 Jul 2002. Posts: 429. Location: Professor Xavier's school for gifted youngsters
Posted: Sun Apr 03, 2005 11:20 pm. Post subject: Help with setting up a proxy
Hi,
I'm trying to set up a Squid transparent proxy. Here is my hardware situation:
(1) Internet <-> (2) ADSL/NAT/gateway/router <-> (3) Linux server <-> (4) 40 computers
ad (2): This is a small Cisco device. Works fine. No ports are forwarded from (1) to (3).
ad (3): A Dell server, running Gentoo. Provides several services to the inside network (the LAN), e.g. an Apache webserver. Netfilter/iptables forwards traffic between eth0 and eth1 like this:
```shell
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.254
```
(192.168.1.254 is the address of the "outside" eth0 NIC, connected to (2))
ad (4): All computers are connected with switches.
All this works fine. It's quite transparent of course; nobody notices the server, unless they actually surf to its webserver.
I now want to set up a proxy on the server, partly to help with caching, but mostly to make it possible to log all www traffic. This proxy must be transparent, i.e. nobody will have to change anything on their computers.
Some questions:
1) Is this possible at all?
For normal web traffic I believe so, but what about https, chat programs, ssl, ssh and I-don't-know-what? If such things are difficult to get to work or will cause my users (neighbours actually...) to have to change settings, it's not good. So, will I be able to log (and maybe cache) www traffic without the users having any problems at all?
2) How will my routing rule in iptables look?
The best guide I've found is http://squid.visolve.com/squid/trans_caching.htm but all in all it seems to me that Squid documentation isn't very detailed. Anyway, that guide gives a number of iptables rules that I must use:
```shell
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p TCP -s 0/0 --dport 21 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP -d 0/0 --dport 20 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -p TCP --dport 23 -j MASQUERADE
```
I'm very happy with my current rule -- it's only one line and it works! I'm not an expert in these matters, but it seems to me that the above rules will only permit traffic on a few ports between eth0 and eth1. Is that right, and what do I do about it? Or am I confusing internal traffic on eth1 with eth0<->eth1 traffic?
3) At the moment I'm running a DNS caching program on the server: dnsmasq. It seems to be working just fine, though without any visible improvements -- our ISP's DNS is pretty fast I guess. Will Squid use that DNS cache, or will it provide its own?
Excelsior!
Riftwing (Apprentice). Joined: 06 Oct 2002. Posts: 293
Posted: Mon Apr 04, 2005 11:02 pm
1. Squid is an HTTP proxy cache. It won't work on anything other than HTTP and yes, it will work transparently for that. As far as SSL, I would let it pass through the firewall and not redirect it to squid since it won't work that way transparently.
2. Sure, that will work, but make sure you also accept incoming connections to the server from the internal LAN to port 3128.
3. I believe so.
Good, bad, I'm the guy with the gun. - Ash, Army of Darkness
Last edited by Riftwing on Wed Apr 06, 2005 5:48 am; edited 1 time in total
Casper Gasper (Tux's lil' helper). Joined: 07 Sep 2004. Posts: 75. Location: London
Posted: Tue Apr 05, 2005 1:16 pm
1) Squid won't work for https as a transparent proxy. If you really want that traffic to go through squid, you'll have to set it manually. Squid will also do ftp traffic.
3) You can set the DNS servers squid uses, or otherwise it will just get the list from /etc/resolv.conf.
Casper.
Herodot (Guru). Joined: 29 Jul 2002. Posts: 429
Posted: Wed Apr 13, 2005 4:28 pm
Thank you both for your answers. Can anybody give me a detailed answer to my question 2?
Casper Gasper (Tux's lil' helper). Joined: 07 Sep 2004. Posts: 75. Location: London
Posted: Wed Apr 13, 2005 10:06 pm
You only need the top line by the looks of things:
```shell
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
```
That's all you need for the transparent proxy; I can't see why you need the other rules, SNAT looks like it's being provided by your router. The other firewall rules you set up will depend on how restrictive you want to be -- all traffic going through your box which isn't destined for it will end up on the FORWARD chain of the filter table. So, the policy you set for that will determine whether all traffic is allowed through or blocked by default.
Casper.
Herodot (Guru). Joined: 29 Jul 2002. Posts: 429
Posted: Thu Apr 14, 2005 8:08 pm
Thank you for your help.
```shell
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
```
I can't get that to work. Apparently something is working, because the Squid log is full of "TCP_DENIED/400". The proxy works fine if I set my browser to use it, i.e. not transparent.
I still don't fully understand how this works or is supposed to work. The actual forwarding between the two NICs is enabled because I've uncommented this in /etc/sysctl.conf:
```
net.ipv4.ip_forward = 1
net.ipv4.tcp_ecn = 0
net.ipv4.conf.default.rp_filter = 1
```
So I guess I don't really need anything in iptables to make that work. And yes, removing my one-line rule mentioned in my first post doesn't ruin the forwarding.
So basically I can concentrate on getting port 80 redirected to port 3128, which is what your rule does. But as I said, it doesn't work. It looks like Squid doesn't want to serve pages when the connection is redirected.
Here is my entire Squid config:
```
http_port 192.168.2.1:3128
icp_port 0
cache_mem 20 MB
cache_dir aufs /usr/tmp/squid 1024 16 256
acl all src 0.0.0.0/0.0.0.0
http_access allow all
```
Casper Gasper (Tux's lil' helper). Joined: 07 Sep 2004. Posts: 75. Location: London
Posted: Thu Apr 14, 2005 8:30 pm
If you're getting error messages in your squid logs, that shows you that the iptables redirection to port 3128 is working; it's just that your proxy is not set up for transparent proxying. There are a few changes you need to make to squid.conf -- can't remember what, but this is a FAQ.
I would recommend you restrict access to your proxy, even if it is behind a NAT-ed router.
Casper
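A worked version of the two pieces discussed in this thread, Casper's single REDIRECT rule (post of 13 Apr) plus the INPUT and FORWARD side of it, and the squid.conf changes this post says are needed, as an added example that is neither the thread's own code nor Squid's documentation. The server address 192.168.2.1, the SNAT address 192.168.1.254 and port 3128 come from the posts; the interface roles (eth0 outside, eth1 LAN), the 192.168.2.0/24 LAN prefix and the DRY_RUN switch are assumptions.

```shell
# Added example, not from the thread. Interface roles, the 192.168.2.0/24 LAN
# prefix and DRY_RUN are assumptions; the addresses and port 3128 come from the posts.
set -eu
WAN_IF=eth0             # towards the Cisco router
LAN_IF=eth1             # towards the 40 LAN machines
LAN_IP=192.168.2.1      # server address from the posted squid.conf
LAN_NET=192.168.2.0/24  # assumed LAN prefix
PROXY_PORT=3128
DRY_RUN=${DRY_RUN:-1}   # 1 prints the commands instead of applying them

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

firewall_rules() {
    # The one-line SNAT rule from the first post stays as it was.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source 192.168.1.254
    # Intercept only port-80 traffic arriving on the LAN side that is not
    # addressed to the server's own Apache; https, ssh, chat etc. are untouched
    # and still just pass through the FORWARD chain.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_IP" \
        -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    # Redirected connections now terminate on this host, so INPUT must accept
    # them, and only from the LAN (Riftwing's point 2).
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$PROXY_PORT" -j DROP
}

squid_conf() {
    cat <<EOF
# Squid 2.6/3.0 spell this "transparent"; 3.1 and later use "intercept".
# Squid 2.5 (current in 2005) has no keyword and uses httpd_accel_host virtual,
# httpd_accel_port 80, httpd_accel_with_proxy on, httpd_accel_uses_host_header on.
http_port ${LAN_IP}:${PROXY_PORT} intercept
icp_port 0
cache_mem 20 MB
cache_dir aufs /usr/tmp/squid 1024 16 256
# Replaces "http_access allow all": only the LAN may use the proxy.
# (Squid 3.2 and later predefine "all"; drop the next line there.)
acl all src 0.0.0.0/0.0.0.0
acl lan src ${LAN_NET}
http_access allow lan
http_access deny all
EOF
}

firewall_rules
squid_conf
```

Run with DRY_RUN=1 (the default) to review the generated rules and config; set DRY_RUN=0 only once they match your interfaces.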
Herodot (Guru). Joined: 29 Jul 2002. Posts: 429
Posted: Thu Apr 14, 2005 9:04 pm
Casper Gasper wrote:
> If you're getting error messages in your squid logs, that shows you that the iptables redirection to port 3128 is working, it's just your proxy is not setup for transparent proxying. There are a few changes you need to make to squid.conf -- can't remember what, but this is a faq.

Yes, I agree. Documentation for Squid isn't very good, but I'll look around.

Casper Gasper wrote:
> I would recommend you restrict access to your proxy, even if it is behind a nat-ed router.

Right, I'll do that when I get it to work.
Thanks again.