iptables & squid

iptables & squid

[Daniel Ivanov]

I could finally manage to bump packets from a bsd box to my squid and 
thanks to ipfw they come un-rewritten in the form
{internal_net_ip} -> {destination_ip}
This is ok. I set a simple redirect rule in the prerouting:
iptables -t nat -A PREROUTING -p tcp --dport 80 -s internal_net/mask -j 
REDIRECT --to-ports 80

Packets jump to my proxy and pass through.
But i get them returned in the form:
{squid_box} -> {ip_from_internal_network}
 This way they are impossible for shaping. How would i make such a packet
{destination_ip} -> {internal_net_ip}
by means of iptables.

Would a DNAT do the trick and will it be hit if a have a REDIRECT target 
already in the PREROUTING.
Otherwise the REDIRECT is also available in the OUTPUT chain of the nat 
table.

Re: iptables & squid

[Henrik Nordstrom]

On Sat, 15 Oct 2005, Daniel Ivanov wrote:

> I could finally manage to bump packets from a bsd box to my squid and thanks 
> to ipfw they come un-rewritten in the form
> {internal_net_ip} -> {destination_ip}
> This is ok. I set a simple redirect rule in the prerouting:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -s internal_net/mask -j 
> REDIRECT --to-ports 80
>
> Packets jump to my proxy and pass through.
> But i get them returned in the form:
> {squid_box} -> {ip_from_internal_network}

Only locally on the Squid/iptables server. On the network the packets MUST 
be

   {destination_ip} -> {internal_net_ip}

If not the client won't accept the connection (wrong sender).

> Would a DNAT do the trick and will it be hit if a have a REDIRECT target 
> already in the PREROUTING.
> Otherwise the REDIRECT is also available in the OUTPUT chain of the nat 
> table.

Return traffic in response to connections which was intercepted by 
REDIRECT is implicitly SNAT:ed in POSTROUTING, and the original 
{destination_ip} should be visible to tc and external traffic shapers just 
as it is when routing the traffic.


I don't quite get what your problem is.


Traffic from the proxy to the requested web site will be

   {squid_box} -> {destination_ip}

In theory it is possible to use TPROXY to have the proxy use the original 
client source IP when making the connection to the requested web site, but 
this has very strict requirements on your network layout (the return 
traffic MUST pass via the proxy server, even if the destination ip of the 
return traffic is the original client)

Regards
Henrik

Iptables, squid

[alok pathak]

Hi all,

The problem with me:
1. I want my users to access the internet(but bandwith must be limited
to each of them say 64kbps).
2. I configured delay pools in squid for this.
3. I also don't want to specify proxy settings on each users computer.
4. I also want to let my users use Yahoo WebCam, Bittorrent clients
etc, but without proxy settings.
5. I configured transparent proxy, but able to impose bandwidth limit
on http traffic only (port 80)
Can I use something other than squid?
Please help.
Thanks,
Alok Pathak

Re: Iptables, squid

[piraguasu]

Hi alok pathak

I think you can use iproute2 suite and iptables, but you should read
documentations about iproute2, you can set up rules and routes to
control traffic with them and iptables, also have "tc" which is a
traffic-control tool from iproute2.

Find http://www.lartc.org/lartc.html by Bert Hubert and then chat on it.

I hope you understand me and find utility in this e-mail

Gerardo
> Hi all,
>
> The problem with me:
> 1. I want my users to access the internet(but bandwith must be limited
> to each of them say 64kbps).
> 2. I configured delay pools in squid for this.
> 3. I also don't want to specify proxy settings on each users computer.
> 4. I also want to let my users use Yahoo WebCam, Bittorrent clients
> etc, but without proxy settings.
> 5. I configured transparent proxy, but able to impose bandwidth limit
> on http traffic only (port 80)
> Can I use something other than squid?
> Please help.
> Thanks,
> Alok Pathak
>
>

iptables+squid

[it clown]

Hi All,

I want to run squid on the same box as iptables.I need to
setup the client pc's that they have to go through the
proxy to get to the internet... port 3128.They must not be
able to by pass the proxy to get internet access.What rule
do i need to add to iptables to only allow squid to have
internet access?

I want to give the clients internet access through squid,
thanks.

Regards
_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

iptables + squid

[it clown]

Hi All,

I want to run squid on the same box as iptables.I need to
setup the client pc's that they have to go through the
proxy to get to the internet... port 3128.They must not be
able to by pass the proxy to get internet access.What rule
do i need to add to iptables to only allow squid to have
internet access?

I want to give the clients internet access through squid,
thanks.

Regards
_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

Re: iptables + squid

[Jason Opperisano]

On Sun, 2004-09-26 at 01:35, it clown wrote:
> Hi All,
> 
> I want to run squid on the same box as iptables.I need to
> setup the client pc's that they have to go through the
> proxy to get to the internet... port 3128.They must not be
> able to by pass the proxy to get internet access.What rule
> do i need to add to iptables to only allow squid to have
> internet access?
> 
> I want to give the clients internet access through squid,
> thanks.
> 
> Regards
> _____________________________________________________________________
> For super low premiums ,click here http://www.dialdirect.co.za/quote

# allow clients to connect to squid proxy
iptables -A INPUT -i $INSIDE_IF -p tcp --syn --dport 3128 -j ACCEPT

# allow squid to fetch web content
iptables -A OUTPUT -o $OUTSIDE_IF -p tcp --syn --dport 80 -j ACCEPT

of course--this assumes that you do not allow clients through the
FORWARD chain on port 80.

-j

disclaimer:  the rules contained in this message are meant to illustrate
the requested functionality only, and not intended as a recommendation
of best practices.  never execute any commands without fully
understanding the implications.

-- 
Jason Opperisano <opie@817west.com>

Re: iptables + squid

[Scott Mayo]

Jason Opperisano wrote:
> On Sun, 2004-09-26 at 01:35, it clown wrote:
> 
>>Hi All,
>>
>>I want to run squid on the same box as iptables.I need to
>>setup the client pc's that they have to go through the
>>proxy to get to the internet... port 3128.They must not be
>>able to by pass the proxy to get internet access.What rule
>>do i need to add to iptables to only allow squid to have
>>internet access?
>>
>>I want to give the clients internet access through squid,
>>thanks.
>>
>>Regards
>>_____________________________________________________________________
>>For super low premiums ,click here http://www.dialdirect.co.za/quote
> 
> 
> # allow clients to connect to squid proxy
> iptables -A INPUT -i $INSIDE_IF -p tcp --syn --dport 3128 -j ACCEPT
> 
> # allow squid to fetch web content
> iptables -A OUTPUT -o $OUTSIDE_IF -p tcp --syn --dport 80 -j ACCEPT
> 
> of course--this assumes that you do not allow clients through the
> FORWARD chain on port 80.
> 
> -j

I don't have my printout of the commands here and he might not want to 
do transparent proxying, but could he not also use the REDIRECT to send 
any info coming from the $INSIDE_IF that is destined from for port 80 to 
port 3128?  If transparent proxying is alright, then the admin would not 
have to worry about setting up all of the workstations to direct to port 
3128.  I am very new to IPTABLES, so I might be way off.

-- 
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-4564
FA: 573-568-4565
Pager: 800-264-2535 X2549

WindowS
     LinUX!

Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.

Re: iptables + squid

[Jose Maria Lopez]

El dom, 26 de 09 de 2004 a las 16:27, Jason Opperisano escribió:
> On Sun, 2004-09-26 at 01:35, it clown wrote:
> > Hi All,
> > 
> > I want to run squid on the same box as iptables.I need to
> > setup the client pc's that they have to go through the
> > proxy to get to the internet... port 3128.They must not be
> > able to by pass the proxy to get internet access.What rule
> > do i need to add to iptables to only allow squid to have
> > internet access?
> > 
> > I want to give the clients internet access through squid,
> > thanks.
> > 
> > Regards
> > _____________________________________________________________________
> > For super low premiums ,click here http://www.dialdirect.co.za/quote
> 
> # allow clients to connect to squid proxy
> iptables -A INPUT -i $INSIDE_IF -p tcp --syn --dport 3128 -j ACCEPT
> 
> # allow squid to fetch web content
> iptables -A OUTPUT -o $OUTSIDE_IF -p tcp --syn --dport 80 -j ACCEPT
> 
> of course--this assumes that you do not allow clients through the
> FORWARD chain on port 80.
> 
> -j

I'd like to add that if they need the transparent proxy feature they
need a rule like this:

iptables -t nat -A OUTPUT -A PREROUTING -i $INPUTIP -p tcp \
--dport 80 -j REDIRECT --to-ports 3128

and they need to have the squid proxy properly configured to allow
the transparent proxy feature.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: iptables + squid

[Jason Opperisano]

On Sun, 2004-09-26 at 16:33, Jose Maria Lopez wrote:
> El dom, 26 de 09 de 2004 a las 16:27, Jason Opperisano escribió:
> > On Sun, 2004-09-26 at 01:35, it clown wrote:
> > > Hi All,
> > > 
> > > I want to run squid on the same box as iptables.I need to
> > > setup the client pc's that they have to go through the
> > > proxy to get to the internet... port 3128.They must not be
> > > able to by pass the proxy to get internet access.What rule
> > > do i need to add to iptables to only allow squid to have
> > > internet access?
> > > 
> > > I want to give the clients internet access through squid,
> > > thanks.
> > > 
> > > Regards
> > > _____________________________________________________________________
> > > For super low premiums ,click here http://www.dialdirect.co.za/quote
> > 
> > # allow clients to connect to squid proxy
> > iptables -A INPUT -i $INSIDE_IF -p tcp --syn --dport 3128 -j ACCEPT
> > 
> > # allow squid to fetch web content
> > iptables -A OUTPUT -o $OUTSIDE_IF -p tcp --syn --dport 80 -j ACCEPT
> > 
> > of course--this assumes that you do not allow clients through the
> > FORWARD chain on port 80.
> > 
> > -j

quoting OP:

"I need to setup the client pc's that they have to go through the proxy
to get to the internet..."

implies he is not asking for transparent proxying.

> I'd like to add that if they need the transparent proxy feature they
> need a rule like this:
> 
> iptables -t nat -A OUTPUT -A PREROUTING -i $INPUTIP -p tcp \
> --dport 80 -j REDIRECT --to-ports 3128

even if he is asking for transparent proxying, the proper NAT rule would
be:

  iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp --syn --dport 80 \
    -j REDIRECT --to-port 3128

> and they need to have the squid proxy properly configured to allow
> the transparent proxy feature.

yes.

-j

disclaimer:  the rules contained in this message are meant to illustrate
the requested functionality only, and not intended as a recommendation
of best practices.  never execute any commands without fully
understanding the implications.

-- 
Jason Opperisano <opie@817west.com>

IPTables & Squid

[Daniel Camacho]

Hi all,

I'm new to this list and to IPtables. I recently installed a transparent 
proxy using Squid and IPtables. On one computer, I installed IPtables and 
forward all port 80 requests to the Squid server, which is running on a 
separate server. On that same computer I want to be able to filter certain 
connections from using the Squid. I know I can do this with Squid, but I 
want to know how to do it with IPtables. Does anyone know how may I go 
about doing this? Thanks.

Daniel

Here's the script I use:

192.168.0.1 = Squid server
192.168.0.25 = Netfilter Server

# start up filter rules for traffic redirection to Squid
iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.1 -p tcp --dport 80 -j 
DNAT --to 192.168.0.1:3128

# Add for 0 subnet
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.1 -j 
SNAT --to 192.168.0.25
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.1 -i eth0 -o eth0 -p tcp 
--dport 3128 -j ACCEPT
#
# Add for 2 subnet
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -d 192.168.0.1 -j 
SNAT --to 192.168.0.25
iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.0.1 -i eth0 -o eth0 -p tcp 
--dport 3128 -j ACCEPT
#
# Add for 3 subnet
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -d 192.168.0.1 -j 
SNAT --to 192.168.0.25
iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.0.1 -i eth0 -o eth0 -p tcp 
--dport 3128 -j ACCEPT

Re: IPTables & Squid

[Philip Craig]

Daniel Camacho wrote:
 > I'm new to this list and to IPtables. I recently installed a transparent
 > proxy using Squid and IPtables. On one computer, I installed IPtables and
 > forward all port 80 requests to the Squid server, which is running on a
 > separate server. On that same computer I want to be able to filter certain
 > connections from using the Squid. I know I can do this with Squid, but I
 > want to know how to do it with IPtables. Does anyone know how may I go
 > about doing this? Thanks.

Do you want to just pass these connections through directly instead of
forwarding them to the Squid server, or do you want to drop them completely?

If you just want to pass them through, you need to stop them reaching the
DNAT rule.  You have already done this for the squid server itself, but
that method only allows you to pass through one IP address.  A more general
method is to add ACCEPT rules for each address (just repeat the first
rule for each address to pass through):

# start up filter rules for traffic redirection to Squid
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128

If you want to drop the connections, then you need to put DROP or REJECT
rules in the FORWARD chain of the filter table.  Make sure you put them
before the rules ACCEPTing traffic from each subnet.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

Re: IPTables & Squid

[Daniel Camacho]

<BR>Hi Philip,<BR><BR>Thanks for the reply. I want to pass the connection
through and not go through the Squid server. Basically, my intention is to
filter certain customers from accessing the Squid server but still have
full connectivity. Thanks.<BR><BR>Daniel<BR><BR><BR>-----<BR>Philip Craig
said:<BR>&gt; Daniel Camacho wrote:<BR>&gt; &gt; I'm new to this list and
to IPtables. I recently installed a<BR>&gt; transparent<BR>&gt; &gt; proxy
using Squid and IPtables. On one computer, I installed IPtables<BR>&gt;
and<BR>&gt; &gt; forward all port 80 requests to the Squid server, which
is running on a<BR>&gt; &gt; separate server. On that same computer I want
to be able to filter<BR>&gt; certain<BR>&gt; &gt; connections from using
the Squid. I know I can do this with Squid, but<BR>&gt; I<BR>&gt; &gt;
want to know how to do it with IPtables. Does anyone know how may I
go<BR>&gt; &gt; about doing this? Thanks.<BR>&gt; <BR>&gt; Do you want to
just pass these connections through directly instead of<BR>&gt; forwarding
them to the Squid server, or do you want to drop them<BR>&gt;
completely?<BR>&gt; <BR>&gt; If you just want to pass them through, you
need to stop them reaching the<BR>&gt; DNAT rule. You have already done
this for the squid server itself, but<BR>&gt; that method only allows you
to pass through one IP address. A more<BR>&gt; general<BR>&gt; method is
to add ACCEPT rules for each address (just repeat the first<BR>&gt; rule
for each address to pass through):<BR>&gt; <BR>&gt; # start up filter
rules for traffic redirection to Squid<BR>&gt; iptables -t nat -A
PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j<BR>&gt;
ACCEPT<BR>&gt; iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
DNAT --to<BR>&gt; 192.168.0.1:3128<BR>&gt; <BR>&gt; If you want to drop
the connections, then you need to put DROP or REJECT<BR>&gt; rules in the
FORWARD chain of the filter table. Make sure you put them<BR>&gt; before
the rules ACCEPTing traffic from each subnet.<BR>&gt; <BR>&gt; --<BR>&gt;
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com<BR>&gt;
SnapGear - Custom Embedded Solutions and Security Appliances<BR>&gt;
<BR>&gt; <BR>&gt; <BR>

Re: IPTables & Squid

[Arnt Karlsen]

On Sat, 2 Aug 2003 07:25:44 +1000 (ChST), 
"Daniel Camacho" <dcamacho@saipan.com> wrote in message 
<1102.202.128.1.252.1059773144.squirrel@mail.saipan.com>:

..Daniel, kindly _lose_ the html, as you can see, 
there _is_ a reason people drop out of threads.

> <BR>Hi Philip,<BR><BR>Thanks for the reply. I want to pass the
> connection through and not go through the Squid server. Basically, my
> intention is to filter certain customers from accessing the Squid
> server but still have full connectivity.
> Thanks.<BR><BR>Daniel<BR><BR><BR>-----<BR>Philip Craig said:<BR>&gt;
> Daniel Camacho wrote:<BR>&gt; &gt; I'm new to this list and to
> IPtables. I recently installed a<BR>&gt; transparent<BR>&gt; &gt;
> proxy using Squid and IPtables. On one computer, I installed
> IPtables<BR>&gt; and<BR>&gt; &gt; forward all port 80 requests to the
> Squid server, which is running on a<BR>&gt; &gt; separate server. On
> that same computer I want to be able to filter<BR>&gt; certain<BR>&gt;
> &gt; connections from using the Squid. I know I can do this with
> Squid, but<BR>&gt; I<BR>&gt; &gt; want to know how to do it with
> IPtables. Does anyone know how may I go<BR>&gt; &gt; about doing this?
> Thanks.<BR>&gt; <BR>&gt; Do you want to just pass these connections
> through directly instead of<BR>&gt; forwarding them to the Squid
> server, or do you want to drop them<BR>&gt; completely?<BR>&gt;
> <BR>&gt; If you just want to pass them through, you need to stop them
> reaching the<BR>&gt; DNAT rule. You have already done this for the
> squid server itself, but<BR>&gt; that method only allows you to pass
> through one IP address. A more<BR>&gt; general<BR>&gt; method is to
> add ACCEPT rules for each address (just repeat the first<BR>&gt; rule
> for each address to pass through):<BR>&gt; <BR>&gt; # start up filter
> rules for traffic redirection to Squid<BR>&gt; iptables -t nat -A
> PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j<BR>&gt;
> ACCEPT<BR>&gt; iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80
> -j DNAT --to<BR>&gt; 192.168.0.1:3128<BR>&gt; <BR>&gt; If you want to
> drop the connections, then you need to put DROP or REJECT<BR>&gt;
> rules in the FORWARD chain of the filter table. Make sure you put
> them<BR>&gt; before the rules ACCEPTing traffic from each
> subnet.<BR>&gt; <BR>&gt; --<BR>&gt; Philip Craig -
> philipc@snapgear.com - http://www.SnapGear.com<BR>&gt; SnapGear -
> Custom Embedded Solutions and Security Appliances<BR>&gt; <BR>&gt;
> <BR>&gt; <BR>

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.