  1. #1


    Transparent Squid

    I am using Ubuntu, with Squid (Ver.2.7 STABLE 9) and Dansguardian to provide internet filtering.

    However I need it to work Transparent, so that users don't have to specify port information etc.

    I have completed the following:


    1. Changed the squid config to: http_port 3128 transparent
    2. Added the following rule to IPtables: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


    This will work on port 80, but the strange thing is that I have to specify port 80; otherwise no internet connection can be obtained.

    As my knowledge of Linux is limited, I am now stuck. Is there something missing?

    Can somebody help me?

    Thanks

  2. #2

    twin--turbo
    Is your Squid box the default route for outgoing connections from the LAN?

    Rob

  3. #3
    grant_girdwood
    Where does the appliance sit within your network? Have you placed the Linux box inline?

  4. #4

    The Ubuntu box is on a virtual machine. It has two network cards, one internal and one external (bound to a public IP address).

    I have given it a subnet mask of 255.255.0.0 and an IP of 192.168.1.1, and I can ping it from another PC in the same subnet, so communication is OK. I can go online if I specify 192.168.1.1 port 8080 in the proxy server settings, but if I set the default gateway to 192.168.1.1 and no proxy info, I can't go online. So I guess either the transparent bit isn't working, or the iptables bit is messed up?

    Oh, and it even works if I set the proxy info to 192.168.1.1 port 80. I always thought port 80 was transparent?
    Last edited by davephs; 26th September 2012 at 09:27 AM.

  5. #5
    grant_girdwood
    You'll need to ensure the Ubuntu box is configured to do IP Forwarding.

    echo 1 > /proc/sys/net/ipv4/ip_forward
    Add the line "net.ipv4.ip_forward = 1" to /etc/sysctl.conf

    Can you paste the result of "iptables-save"?

  6. #6

    I have completed the instructions provided. It did sound promising, but unfortunately it hasn't worked. I still cannot access the internet unless the port and IP information is manually entered. (I am starting to think about forgetting about it altogether and using .pac files instead, but I don't know if they work with iPads.)

    The output of iptables-save is below.

    Thanks

    # Generated by iptables-save v1.4.10 on Wed Sep 26 15:09:44 2012
    *nat
    :PREROUTING ACCEPT [1192:106550]
    :INPUT ACCEPT [279:34464]
    :OUTPUT ACCEPT [60:3608]
    :POSTROUTING ACCEPT [60:3608]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
    COMMIT
    # Completed on Wed Sep 26 15:09:44 2012
    # Generated by iptables-save v1.4.10 on Wed Sep 26 15:09:44 2012
    *filter
    :INPUT DROP [1604:671191]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [77:4086]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m state --state INVALID -j ufw-logging-deny
    -A ufw-before-input -m state --state INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
    -A ufw-track-output -p udp -m state --state NEW -j ACCEPT
    -A ufw-user-input -i eth0 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    COMMIT
    # Completed on Wed Sep 26 15:09:44 2012

  7. #7
    grant_girdwood
    Quote Originally Posted by davephs:

    # Generated by iptables-save v1.4.10 on Wed Sep 26 15:09:44 2012
    *nat
    :PREROUTING ACCEPT [1192:106550]
    :INPUT ACCEPT [279:34464]
    :OUTPUT ACCEPT [60:3608]
    :POSTROUTING ACCEPT [60:3608]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
    COMMIT
    Not 100% sure on the rest of your iptables rules; however, the above should redirect HTTP traffic to the proxy port 8080.

    Your next step would be to run Wireshark on the client device and trace what is going on when the unit is configured to be your client DGW.

  8. #8
    grant_girdwood
    Actually, I just spotted your issue... I think.

    You've set Squid to be transparent on port 3128, so you need to have your iptables lift port 80 traffic to port 3128.

    Make sure Squid is listening on port 3128 (netstat -lptn).
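    The two fixes the thread converges on, IP forwarding (post #5) and a REDIRECT target that matches the port the proxy actually listens on (post #8), can be checked together with a small script. This is an added example, not code posted in the thread; it parses constructed iptables-save and netstat -lptn samples modelled on the dump in post #6, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: checks the ip_forward flag, whether every
# iptables REDIRECT target port has a TCP listener, and the FORWARD chain policy
# (non-redirected traffic such as DNS still crosses FORWARD on a gateway).
# Inputs are passed as text so the checks run offline on constructed samples.
# Constructed iptables-save sample, mirroring the dump in post #6.
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'
# Constructed "netstat -lptn" output: squid listens on 3128, nothing on 8080.
SAMPLE_LISTEN='tcp  0  0 0.0.0.0:3128  0.0.0.0:*  LISTEN  1234/squid
tcp  0  0 0.0.0.0:22    0.0.0.0:*  LISTEN  999/sshd'

# Every REDIRECT target port, one per line (accepts --to-port and --to-ports).
redirect_ports() {
  printf '%s\n' "$1" | sed -n 's/.*-j REDIRECT --to-ports\{0,1\} \([0-9]*\).*/\1/p' | sort -u
}
# Every TCP port with a listener, one per line.
listen_ports() {
  printf '%s\n' "$1" | awk '$6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' | sort -u
}
# Policy of the FORWARD chain (ACCEPT or DROP) from the filter table header.
forward_policy() {
  printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}
# True when the contents of /proc/sys/net/ipv4/ip_forward is 1.
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}
# Print each REDIRECT target with no listener; succeed only when all are covered.
unlistened_redirects() {
  rc=0
  for p in $(redirect_ports "$1"); do
    if ! listen_ports "$2" | grep -qx "$p"; then
      echo "REDIRECT --to-ports $p but nothing listens on TCP $p"; rc=1
    fi
  done
  return $rc
}

# Run on the samples; on a live box pass "$(iptables-save)", "$(netstat -lptn)"
# and "$(cat /proc/sys/net/ipv4/ip_forward)" instead.
unlistened_redirects "$SAMPLE_RULES" "$SAMPLE_LISTEN" || echo "redirect target and listener disagree"
forwarding_enabled 0 || echo "ip_forward is 0 (constructed value): echo 1 > /proc/sys/net/ipv4/ip_forward"
echo "FORWARD policy: $(forward_policy "$SAMPLE_RULES")"
```

    On the sample data the script reports that 8080 has no listener while Squid sits on 3128, which is exactly the mismatch post #8 points at; a FORWARD policy of DROP is worth noting because anything not redirected to the proxy (DNS lookups, for instance) is forwarded through that chain.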

  9. #9

    Thank you for your help. It's finally working; the PC I was using to test the connectivity for some reason won't work, but everybody can use the Ubuntu box now as the default gateway. The IP forwarding must have been the issue!

  10. #10
    grant_girdwood
    Happy days!! Have fun!
