Fedora Linux Support Community & Resources Center
#1  11th May 2012, 01:22 AM
macktruck
[SOLVED] iptables NAT (local) port forwarding

Well, for starters I'm not much of a networking guy. I'm just trying to set up a proxy server for URL blacklisting (Squid/squidGuard).

Which only works when the browser is set up, but for security purposes I can't do with that.
I've attempted system-config-firewall port forwarding; it didn't yield any results. Essentially, I tried:

interface (wlan0), port 80 forwarding to..
192.168.0.1 (LAN) 3128, which failed, so then I tried 127.0.0.1, then I just checkmarked local forwarding... didn't work. I've tried masquerading the interface (wlan0, then wlan+)... various permutations (also with the various NAT configurations).

Anyway, I then tried several different NAT configurations (from various squid/squidGuard tutorials), but I think they don't work because of my router (it's set to NAPT, and I'm afraid to try and switch it to NAT because I don't want to mess up anyone else's setup).


..and that's the story thus far. I'm at a bit of a loss right now :\

Extra specs: F16, 32-bit, 3.4+ kernel.

Edit: OH! And I already tried ip_forward/port_forward; it's set to 1, trust me, I've checked that multiple times (due to desperation).

Last edited by macktruck; 15th May 2012 at 07:32 PM.
#2  11th May 2012, 05:00 PM
macktruck

A little follow-up for my fellow man..

After a great deal of googling, I stumbled upon the correct iptables settings that work on the system with Squid (so it's proxied on that system as well). I modified them a little bit and added the SSL port:

iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 443 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 443 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 3128


(YOURINTERFACE being whatever interface you have; I have wlan0, you may have eth0 or eth1, etc.)

Use your method of choice for storing them, be it iptables saving or using this in the gdm Xsession file, or w/e.
#3  11th May 2012, 05:27 PM
William Haller

We run a transparent proxy at work. In our case, we run

internet <- squid <- DG <- squid <- transparent intercept on system GW <- internal network.

We do our big squid buffering on the closest squid instance after DG buffering and a smaller cache on the squid on the other side of DG. It's all run on a separate box, which is nice since we can turn off the intercepts to make DG changes or updates and then re-enable them.

/sbin/iptables -t nat -A PREROUTING -s internal_network_address_block -d our_external_network_address_block -p tcp --dport 80 -j ACCEPT

The above routes anything going to our own website directly there and not through squid. You can also add direct access to any internal web server instances and ACCEPT those immediately without redirection if you want. If there are some servers that you never want to go through DG (an example might be an internal server that hosts your company's antivirus host), you can insert rules for particular hosts to always be allowed to go out directly as well. Then, to route your traffic out through DG/squid use:

/sbin/iptables -t nat -A PREROUTING -s internal_network_address_block -p tcp --dport 80 -j DNAT --to proxy_server:8081

where internal_network_address_block is something like 192.168.0.0/16 or 10.0.0.0/8 or something like that depending on your configuration, external_network_address_block is your range of real-world addresses from your ISP, and proxy_server is the IP address of your dedicated proxy server.
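The gateway ruleset from the post above, written out as a generated iptables-restore fragment. This is an added example, not William Haller's production configuration and not anything produced by fwbuilder. Every address in it is a constructed placeholder (192.168.0.0/16 as the internal block, the documentation range 203.0.113.0/24 standing in for the public range, 10.0.0.5:8081 as the proxy, two bypass hosts standing in for the antivirus example), and the `dnat_is_last_rule` check is an added sanity test, not part of the post.

```shell
#!/bin/sh
# Added example (not the poster's own config): generate the nat/PREROUTING
# rules for a separate proxy box as an iptables-restore fragment.
# All addresses below are constructed placeholders.
INTERNAL_NET="192.168.0.0/16"        # internal_network_address_block
EXTERNAL_NET="203.0.113.0/24"        # our_external_network_address_block
PROXY="10.0.0.5:8081"                # proxy_server and its intercept port
BYPASS_HOSTS="10.0.0.20 10.0.0.21"   # hosts that must never go through DG/squid

gateway_nat_fragment() {
    echo '*nat'
    # ACCEPT in the nat table means "stop here, do not NAT this packet",
    # so every exemption has to sit before the catch-all DNAT.
    echo "-A PREROUTING -s $INTERNAL_NET -d $EXTERNAL_NET -p tcp --dport 80 -j ACCEPT"
    for h in $BYPASS_HOSTS; do
        echo "-A PREROUTING -s $INTERNAL_NET -d $h -p tcp --dport 80 -j ACCEPT"
    done
    # Everything else from the internal network on port 80 is handed to the proxy.
    echo "-A PREROUTING -s $INTERNAL_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY"
    echo 'COMMIT'
}

# Sanity check before loading: the catch-all DNAT must be the last PREROUTING
# rule, otherwise any exemption placed after it is unreachable.
dnat_is_last_rule() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING/ { last = $0 }
        END { if (last ~ /-j DNAT/) exit 0; exit 1 }'
}

# Usage (as root on the gateway, which also needs net.ipv4.ip_forward=1):
#   frag=$(gateway_nat_fragment)
#   dnat_is_last_rule "$frag" && printf '%s\n' "$frag" | iptables-restore -n
```

`iptables-restore -n` appends without flushing the existing table, so the fragment can be loaded next to rules that are already there. One caveat when the proxy is not on its own segment: if it sits on the same LAN as the clients, its replies go straight back to the client without passing the gateway's connection tracking, and the client sees packets from 10.0.0.5:8081 instead of the site it asked for; in that layout the gateway also has to source-NAT the redirected connections, or the proxy has to live behind the gateway.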
#4  12th May 2012, 12:14 AM
macktruck

Thanks for that explanation. Squid's somewhat running right now, albeit in a very odd manner.
I.e., it loads Hulu but won't load Google or YouTube, and it arbitrarily goes slow (and it isn't the cache that makes it go fast; I've checked/cleared that at the peak periods). I'm guessing it can't be the interface, since the speeds are normal with Squid turned off.

I've tried DNAT as well as REDIRECT, and different nameservers (OpenDNS, Google, the router's) for squid & the resolv. Played with the various cache configurations. Feh, perplexed but never beaten.

(Also, squid is running as a transparent proxy.)
#5  12th May 2012, 03:02 AM
William Haller

Are you running a separate box or running squid on the same box as the gateway? If running it on the gateway box, the rules are a bit different.

I must also say that we use fwbuilder to handle building our firewall rules. system-config-firewall may just be getting in the way. If not an external box (i.e. the router has its own firewall that is protecting your network), you might want to turn off the system firewall and experiment by hand. Or give fwbuilder a whirl; it's graphical and really nice in my opinion.

I suspect that the new dynamic firewall in F17 will lead to yet another mess.
#6  12th May 2012, 01:42 PM
macktruck

> Originally posted by William Haller:
> Are you running a separate box or running squid on the same box as the gateway? If running it on the gateway box, the rules are a bit different.
>
> I must also say that we use fwbuilder to handle building our firewall rules. system-config-firewall may just be getting in the way. If not an external box (i.e. the router has its own firewall that is protecting your network), you might want to turn off the system firewall and experiment by hand. Or give fwbuilder a whirl; it's graphical and really nice in my opinion.
>
> I suspect that the new dynamic firewall in F17 will lead to yet another mess.

Same box. What I'm essentially trying to do is stop roomies from looking up pr0n on this box because it's hooked up to the 44in. in the living room. The box is used for two separate things, generally: movies & web development. (Unfortunately, configuring another box to go through squid on another box isn't an option.)

So far, I think I've found a workaround: transparent makes it go really slow (IDK why, probably associated with the iptables settings I'm using), but if I remove the transparent from http_port in the configuration file, it works fine (although I have to configure Firefox to use the proxy, but that's not an issue, since without the Firefox proxy configuration you can't browse; squid simply gives an 'Invalid URL' error).
My only two issues left are SSL & auto-starting squid on boot. systemctl enable squid.service isn't working; chkconfig squid on fails as well. (It says in the boot log that it's starting/started up, but after I log in, Squid is always off... maybe something else is turning squid off for some reason?)

Even putting systemctl start squid.service at the beginning (then the end) of /etc/gdm/Xsession isn't working, so I'm almost at a loss in regards to that (I'm pretty sure it has to do with how yum compiled Squid, so I'm looking into that). As far as SSL goes, I'm looking at workaround options at this point.

Lol, ya, I'm staying away from F17 for a while. I've figured out before that upgrading to a fresh release isn't a good idea.

Last edited by macktruck; 12th May 2012 at 01:55 PM.
#7  12th May 2012, 06:25 PM
William Haller

Start squid up manually and see what diagnostic messages you get. There should be a squid link in the systemd startup directory created with the chkconfig squid on.

The SSL can't be transparently proxied at all. You can point your browsers directly at your squid instance and it will work, but transparent proxy is a case of man in the middle and it won't work.

You shouldn't be seeing any slowdown that is perceptible with squid. An htop might be useful to see where your speed is going. If you are seeing a slowdown, something on the network stack isn't configured properly. It might be worth seeing what DNS is being resolved with; perhaps squid is using a different source and it has to wait for that to fail to try again with a different nameserver.
#8  12th May 2012, 11:15 PM
macktruck

> Originally posted by William Haller:
> Start squid up manually and see what diagnostic messages you get. There should be a squid link in the systemd startup directory created with the chkconfig squid on.

squid -k debug
produced nothing; I'm going to see if there's maybe a conflict elsewhere. Idk.

> Originally posted by William Haller:
> The SSL can't be transparently proxied at all. You can point your browsers directly at your squid instance and it will work, but transparent proxy is a case of man in the middle and it won't work.

True, I guess squid doesn't proxy SSL like it does normal web browsing; it can handle it though.

http://blog.davidvassallo.me/2011/03...-interception/

> Originally posted by William Haller:
> You shouldn't be seeing any slowdown that is perceptible with squid. An htop might be useful to see where your speed is going. If you are seeing a slowdown, something on the network stack isn't configured properly. It might be worth seeing what DNS is being resolved with; perhaps squid is using a different source and it has to wait for that to fail to try again with a different nameserver.

Will look into htop. And I'm unsure; I've used dns_nameservers to point towards Google's NS, OpenDNS, and my router's... yet it still goes slow on 'transparent'. I think it has to do with my iptables settings; they're very poor because I'm not used to iptables statements.

But right now, regular HTTP is okay because it doesn't work without the browser being properly set, which means no one can simply untick 'manual proxy' on Firefox and go on their way.

The primary issue right now is the fact they can untick manual proxy and use an https proxy to bypass squid, which I don't want. HTTPS squidGuard filtering works as it should when the manual proxy is configured.

What I need now is a way to prevent https outside of the manual proxy, but I can't redirect 443 like I did port 80, otherwise it does a loop and returns nothing. (When manually configured, Squid seems to intercept port 443 to create its own SSL session with the target website, then you create an SSL session with squid, so it still needs to output port 443 rather than redirect... otherwise, loop. God, I hope that made sense.)

This is what I'm using for iptables local redirection:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 3130


In case I butchered that explanation, here's a pseudo-statement of what I'd like to occur when https is used (either via iptables or some other means):

443 OUTPUT > FILTER THROUGH 3130 > FINAL OUTPUT 443

Since this is all done locally, I don't think preroute or postroute would work, but yeah, I'm completely lost on how to achieve the above statement at the moment.

Last edited by macktruck; 13th May 2012 at 01:07 AM.
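Posts #2 and #8 together show the trap. The rules in #2 work because Squid's own outbound connections are exempted with `-m owner --uid-owner squid` before the REDIRECT rules, while the two-line version in #8 has no such exemption, so the upstream connection Squid opens to port 443 is itself caught by the nat/OUTPUT chain and sent back to port 3130, which is the loop described there. The script below is an added example, not macktruck's or Squid's code: it generates the same-box ruleset with the exemption in the right place and checks any ruleset in that form for the loop. It assumes Squid runs as the `squid` user and listens on 3128 for HTTP; the optional HTTPS port (3130 in the thread) only gets a REDIRECT when given, since redirecting 443 is only useful once Squid is configured to terminate TLS there, which this thread does not cover.

```shell
#!/bin/sh
# Added example (not from the thread): nat/OUTPUT rules for a same-box
# transparent Squid, with the owner exemption that prevents a redirect loop.
# Usage: squid_local_rules IFACE SQUID_USER HTTP_PORT [HTTPS_PORT]
squid_local_rules() {
    iface="$1"; squid_user="$2"; http_port="$3"; https_port="${4:-}"
    # Squid's own connections must leave untouched: ACCEPT in the nat table
    # ends nat processing for that packet. Without these lines, Squid fetching
    # a page on port 80/443 would be redirected straight back into Squid.
    for port in 80 443 $http_port $https_port; do
        echo "iptables -t nat -A OUTPUT -o $iface -p tcp --dport $port -m owner --uid-owner $squid_user -j ACCEPT"
    done
    # Everyone else's outbound port 80 traffic is intercepted locally.
    echo "iptables -t nat -A OUTPUT -o $iface -p tcp --dport 80 -j REDIRECT --to-ports $http_port"
    # 443 is only intercepted when an HTTPS intercept port was given.
    if [ -n "$https_port" ]; then
        echo "iptables -t nat -A OUTPUT -o $iface -p tcp --dport 443 -j REDIRECT --to-ports $https_port"
    fi
}

# Loop check for any ruleset in the same "iptables ..." form: returns 0 when
# every REDIRECT on a port is preceded by an owner exemption for that port.
rules_cannot_loop() {
    printf '%s\n' "$1" | awk '
        /--uid-owner/ { for (i = 1; i <= NF; i++) if ($i == "--dport") exempt[$(i+1)] = 1 }
        /-j REDIRECT/ { for (i = 1; i <= NF; i++) if ($i == "--dport" && !exempt[$(i+1)]) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Review the printed rules first, then run them as root, e.g.:
#   squid_local_rules wlan0 squid 3128 | sudo sh
```

Running `rules_cannot_loop` over the two-line ruleset from post #8 returns non-zero, because both REDIRECT lines lack a preceding exemption; the same check passes on the ruleset from post #2. The check is a ruleset lint only, not a substitute for looking at `iptables -t nat -L OUTPUT -v` on the live box, where the packet counters on the exemption rules show whether Squid's traffic is actually matching them.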
#9  15th May 2012, 07:34 PM
macktruck

Something came up, so I wasn't able to follow up or anything, but thanks for helping me, William. I was wrong about the cause; it turns out NetworkManager was setting my router as the DNS, and that wasn't working out too well. So I changed the DNS to Google's manually on wlan0 and it works now (still can't get transparent to work, but this will definitely do).

Thanks again

Edit: Also, I have c-icap installed with a squidGuard plugin (clamav/clamd I believe). The reason Squid wasn't starting at boot was because c-icap was starting with squidGuard; the squidGuard service needs to be disabled, otherwise it breaks squid. (I have no idea why.)

Last edited by macktruck; 15th May 2012 at 07:45 PM.
#10  15th May 2012, 07:47 PM
William Haller

Welcome. If you try to get transparent on a single box working again, just redirect the port or use 127.0.0.1 as the redirected destination along with the port. We do test at times with a squid on the local box, so I know it works with a fwbuilder firewall. It may well just be a firewall issue there as well.