Fedora Linux Support Community & Resources Center

Problem configuring IPTABLES for SQUID transparent proxy

#1  popacio  8th March 2008, 08:19 PM

Newbie alert here!


I use FEDORA CORE 8 (Werewolf) i386
default install (with SELinux disabled).

I followed a guide to set up a squid proxy for a small network. Squid works ok but I cannot set up transparent mode.
I cannot set the necessary rule in IPTABLES so the WinXP workstations connected to the FEDORA 8 server could browse the web transparently. I found somewhere (e.g. http://www.fedoraguide.info/index.php/Main_Page ) that I need to modify IPTABLES with the following rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.1.0/24 -d 192.168.1.0/24 -j REDIRECT --to 3128 (my network address is however 192.168.0.0/24)

When restarting IPTABLES I get the following ERROR:

[root@apollo sysconfig]# /etc/init.d/iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore v1.3.8: Line 33 seems to have a -t table option.

Error occurred at line: 33
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Here is my IPTABLES file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -p icmp --icmp-type any -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -d 192.168.0.0/24 -j REDIRECT --to 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 312
COMMIT

I've searched the net for a solution to no avail.
Please help me if you know where is the problem. Thank you.

#2  nucleo  8th March 2008, 11:35 PM
It is not necessary to edit the file /etc/sysconfig/iptables.
You can instead execute from the command line
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -d 192.168.0.0/24 -j REDIRECT --to-ports 3128
and then execute
Code:
service iptables save
#3  popacio  10th March 2008, 05:25 PM
Thank you for your reply. It is probably a newbie error but I wonder why nobody bothered to say that was a command for the terminal...
Still, I managed to introduce those rules but squid refuses to work transparently. Perhaps you would be so nice as to look at my iptables file and give me a hint.

eth0 is connected to my local network
eth1 is connected to my internet router

# Generated by iptables-save v1.3.8 on Mon Mar 10 18:17:02 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:228]
:OUTPUT ACCEPT [3:228]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

COMMIT
# Completed on Mon Mar 10 18:17:02 2008
# Generated by iptables-save v1.3.8 on Mon Mar 10 18:17:02 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:2197]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Mar 10 18:17:02 2008

Thank you again.
#4  nucleo  11th March 2008, 01:29 AM
This rule should be enough for web access from computers connected to eth0 (from network 192.168.0.0/24)
Quote:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
Also it is necessary to write in squid.conf
Quote:
http_port 192.168.0.1:3128 transparent
acl our_networks src 192.168.0.0/24
http_access allow our_networks
and of course to enable forwarding
Quote:
echo 1 > /proc/sys/net/ipv4/ip_forward
or write in /etc/sysctl.conf
Quote:
net.ipv4.ip_forward = 1
and execute once
Code:
sysctl -p

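The steps nucleo lists above (nat redirect, squid.conf lines, forwarding), put together as one added example that is not code from the thread nor from the Squid or iptables projects: a POSIX shell script that emits the whole /etc/sysconfig/iptables in iptables-save syntax, so the nat rules sit under a "*nat" header instead of appearing as an "iptables -t nat ..." command line (the form iptables-restore rejected in post #1), emits the matching squid.conf lines, and checks the generated ruleset before it is loaded. The interface names, the 192.168.0.0/24 network, the proxy address 192.168.0.1 and port 3128 are taken from the thread; the function names, the DROP policies and the DNS-only forwarding are the example's own choices. Two points worth having: the REDIRECT is bound to the LAN interface and LAN source only, so nothing arriving on the router-facing interface is ever steered into the proxy, and the FORWARD chain passes only DNS, so the only path from a workstation to the web is through Squid, which is what makes any filtering in Squid enforceable. "transparent" is the http_port keyword of Squid 2.6 and 3.0; Squid 3.1 and later call the same mode "intercept".

```shell
#!/bin/sh
# Added example, not from the thread: build a complete /etc/sysconfig/iptables in
# iptables-save syntax for a transparent Squid proxy, plus the squid.conf lines.
# Run "sh thisfile print" to see both, or source it and call the functions.
# Hypothetical values; adjust to your network:
LAN_IF=${LAN_IF:-eth0}             # workstations
WAN_IF=${WAN_IF:-eth1}             # router / internet side
LAN_NET=${LAN_NET:-192.168.0.0/24}
PROXY_IP=${PROXY_IP:-192.168.0.1}  # the Fedora box's address on LAN_IF
PROXY_PORT=${PROXY_PORT:-3128}

# Emit the whole ruleset in the format iptables-restore reads: a "*nat" section
# for the redirect, then the "*filter" section. Comment lines are allowed there.
gen_tproxy_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; proxy_ip=$4; proxy_port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Leave traffic for the proxy host itself and for other LAN hosts alone.
-A PREROUTING -i $lan_if -s $lan_net -d $proxy_ip -j RETURN
-A PREROUTING -i $lan_if -s $lan_net -d $lan_net -j RETURN
# Only HTTP that arrives from the LAN side is steered into Squid; nothing on $wan_if is.
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
# NAT only DNS for the workstations; no blanket MASQUERADE.
-A POSTROUTING -o $wan_if -s $lan_net -p udp --dport 53 -j MASQUERADE
-A POSTROUTING -o $wan_if -s $lan_net -p tcp --dport 53 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Proxy port and SSH are reachable from the LAN only; $wan_if never exposes $proxy_port.
-A INPUT -i $lan_if -s $lan_net -p tcp --dport $proxy_port -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward DNS only; every other path from a workstation to the web goes through Squid.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The squid.conf side: listen in intercept mode on the LAN address only and
# answer only the LAN ("transparent" is the Squid 2.6/3.0 keyword; 3.1+ use "intercept").
gen_squid_conf() {
    proxy_ip=$1; proxy_port=$2; lan_net=$3
    cat <<EOF
http_port $proxy_ip:$proxy_port transparent
acl our_networks src $lan_net
http_access allow our_networks
http_access deny all
EOF
}

# Check a ruleset (on stdin) before loading it: it must be iptables-save syntax
# with a *nat section, and no REDIRECT may be bound to the WAN interface.
check_tproxy_rules() {
    wan_if=$1
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^\*nat$' \
        || { echo "no *nat section: nat rules must not be iptables command lines" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q '^iptables ' \
        && { echo "found an 'iptables ...' command line; iptables-restore rejects those" >&2; return 1; }
    printf '%s\n' "$rules" | grep -- '-j REDIRECT' | grep -q -- "-i $wan_if " \
        && { echo "a REDIRECT is bound to $wan_if: the proxy would be reachable from the router side" >&2; return 1; }
    return 0
}

# Root only: write, verify and load the rules, enable forwarding for the DNS path.
apply_tproxy() {
    gen_tproxy_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$PROXY_IP" "$PROXY_PORT" > /etc/sysconfig/iptables
    check_tproxy_rules "$WAN_IF" < /etc/sysconfig/iptables || return 1
    iptables-restore < /etc/sysconfig/iptables
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "print" ]; then
    gen_tproxy_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$PROXY_IP" "$PROXY_PORT"
    echo "# ---- squid.conf ----"
    gen_squid_conf "$PROXY_IP" "$PROXY_PORT" "$LAN_NET"
fi
```

Loading the generated file with iptables-restore replaces the RH-Firewall-1-INPUT ruleset that system-config-firewall wrote, so any other service the box offers to the LAN (Samba, CUPS, FTP in the posted file) needs its own INPUT line added in the same style before apply_tproxy is run on a machine that depends on them.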
#5  popacio  11th March 2008, 07:08 PM
Thank you, nucleo.
I double checked everything. It was all there as you said. (I didn't know about forwarding but it was already correctly configured.) But it's not working transparently anyway. Any ideas? It's frustrating... On my Win machine I would have done it in 5 min. Here I'm struggling for 2 weeks to no avail.
Thank you for your help.
#6  nucleo  12th March 2008, 01:50 AM
You can try this
Code:
iptables -nv -t nat -L PREROUTING
If there are zero pkts and bytes then the packets do not pass through the rule:
Code:
Chain PREROUTING (policy ACCEPT 149K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.1:3128
If there are nonzero pkts and bytes, see the contents of the log files in /var/log/squid/
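The counter check nucleo describes, plus the before/after comparison that pairs naturally with the telnet-from-the-workstation test suggested further down the thread, as an added example that is not part of any post. The two listings inside it are constructed to mirror the PREROUTING rules from post #3 (they were not captured from the poster's machine) and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read "iptables -nv -t nat -L PREROUTING"
# output and show which rules have never matched, and which rules' counters moved
# between two snapshots taken around a test request from a workstation.

# Rules whose packet counter is still 0 (stdin: one "iptables -nv -L" listing).
# A zero counter on the REDIRECT/DNAT rule means the HTTP packets never reach
# this box on that interface: wrong default gateway on the workstation, wrong
# interface in the rule, or the browser already talks to port 3128 directly.
zero_hit_rules() {
    awk '
        /^Chain / || /^ *pkts / { next }           # chain banner and column header
        NF >= 9 && $1 == "0" {                      # pkts bytes target prot opt in out src dst [matches]
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s in=%s out=%s%s\n", $3, $6, $7, extra
        }'
}

# Take one listing before and one after the test (use -x for exact counters:
#   iptables -nvx -t nat -L PREROUTING > before; run the test; same command > after)
# and print the rules whose packet counter changed. $1 = before file, $2 = after file.
rules_hit_between() {
    awk '
        /^Chain / || /^ *pkts / { next }
        NF >= 9 {
            key = $3 " in=" $6 " out=" $7
            for (i = 10; i <= NF; i++) key = key " " $i
        }
        NF >= 9 && FNR == NR { before[key] = $1; next }  # first file: remember counters
        NF >= 9 && before[key] != $1 { print key }       # second file: report the movers
    ' "$1" "$2"
}

# Constructed sample listings (not captured from the poster's machine) with the
# two rules from post #3. Between the snapshots only the eth1 rule was hit.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 149K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.1:3128
   37  2220 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 149K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.1:3128
   40  2400 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'

if [ "${1:-}" = "demo" ]; then
    echo "never matched:"; printf '%s\n' "$SAMPLE_BEFORE" | zero_hit_rules
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" > "$b"; printf '%s\n' "$SAMPLE_AFTER" > "$a"
    echo "hit during the test:"; rules_hit_between "$b" "$a"
    rm -f "$b" "$a"
fi
```

Run the two snapshots around a single "telnet somehost 80" from one workstation: if the LAN-side rule is the one that moves, the redirect works and the next place to look is /var/log/squid/; if nothing moves, the packets are not arriving on that interface at all and tcpdump on the LAN interface, as suggested below, tells you whether they leave the workstation towards this box.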
#7  popacio  17th March 2008, 06:36 PM
Thank you. There are zero pkts and bytes. What should I do?
#8  nucleo  18th March 2008, 10:35 AM
What is the default gateway on the WinXP workstations?

Try this test on a WinXP workstation in the command line
Code:
telnet fedoraforum.org 80
and at the same time on Linux
Code:
tcpdump -i eth0 host IP_OF_WINXP
What will the result be?
#9  popacio  20th March 2008, 03:10 AM
Quote:
Originally Posted by nucleo
What is the default gateway on the WinXP workstations?

Try this test on a WinXP workstation in the command line
Code:
telnet fedoraforum.org 80
and at the same time on Linux
Code:
tcpdump -i eth0 host IP_OF_WINXP
What will the result be?
If I understand your question well, my gateway (on the XP workstations) is 192.168.0.1 (I've also tried adding my provider's DNS server on the workstations, although I'd rather not have done that!?!? No luck even like that.) It must be correct since SQUID does work, just not transparently!
By now I have dumped squid altogether because I simply do not have weeks for troubleshooting and I had to finish the work on time. I am REALLY disappointed with Fedora by now. Far too cumbersome and complex. Squid also.
I found a workaround by using FIRESTARTER (a Windows-like firewall solution for Linux with a graphical interface and ease of use). Unfortunately it uses MASQUERADING and that's not what I wanted, because I am not able to filter the traffic and limit internet access. Worked like a charm the first time. And no terminal commands either (That alone must be a first for me in Fedora. Man, I hate how every time you do something in Linux, no matter how simple, you eventually end up writing cryptic commands in the terminal! That is ridiculous for a simple user by today's standards and SQUID really abuses that.)
I would like a solution to my problem for the future but unfortunately I am not able to answer your last question. If you could give me some help or a complete and detailed "how to" guide for setting up a transparent SQUID proxy, I'd be much obliged. Thank you again for your patience.

#11  nucleo  20th March 2008, 07:22 AM
If the only problem is access to DNS from WinXP and you do not want to do NAT for all traffic, you can do it only for DNS requests
Code:
iptables -t nat -A POSTROUTING -p udp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 53 -j MASQUERADE
and this instead of -A FORWARD -i eth0 -j ACCEPT
Code:
iptables -A  FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
iptables -A  FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
Iptables-tutorial: http://iptables-tutorial.frozentux.net/

#12  popacio  20th March 2008, 11:10 PM
No, I wasn't trying to translate just the DNS requests. I don't want to complicate things further. I was just trying to make squid work transparently. I would have settled for any solution that worked. As I was saying, I quit using squid for that reason.

Now about the link you sent me. Thank you for all the time you took writing back to me and please don't take this the wrong way. But the net is full of this kind of "guide" in HTML text with 100x chapters and pretentious language. They might be complete but that wasn't what I wanted. I was looking for a "tutorial" or "how to" guide that was as simple as my task, and also complete and functional.
The resource you pointed out will take me about 2 weeks just to read and I doubt I will understand half of it. I told you I was a newbie as far as Linux goes. But somehow I don't think that was the problem. It is also unproductive to read that much just to accomplish a very simple task every time you have a problem. That's why I'm disappointed with Linux. There should be simpler guides (and there are) but none worked for me.

Anyway, thanks for your effort. I have dropped squid altogether and solved the problem another way, from the Windows XP workstations. For future reference, if anyone wants a simple internet filtering engine (block internet access based on web addresses) on a networked computer, this can be done in UNDER 5 MINUTES with Windows SteadyState from Microsoft (freeware). It doesn't have all the features of a proxy server (e.g. web caching) but it does this job simply and well, plus many other useful things that might come in handy for a Windows network administrator.

#13  tacom6  5th April 2008, 02:43 PM
Quote:
Originally Posted by popacio
No, I wasn't trying to translate just the DNS requests. I don't want to complicate things further. I was just trying to make squid work transparently. I would have settled for any solution that worked. As I was saying, I quit using squid for that reason.

Now about the link you sent me. Thank you for all the time you took writing back to me and please don't take this the wrong way. But the net is full of this kind of "guide" in HTML text with 100x chapters and pretentious language. They might be complete but that wasn't what I wanted. I was looking for a "tutorial" or "how to" guide that was as simple as my task, and also complete and functional.
The resource you pointed out will take me about 2 weeks just to read and I doubt I will understand half of it. I told you I was a newbie as far as Linux goes. But somehow I don't think that was the problem. It is also unproductive to read that much just to accomplish a very simple task every time you have a problem. That's why I'm disappointed with Linux. There should be simpler guides (and there are) but none worked for me.

Anyway, thanks for your effort. I have dropped squid altogether and solved the problem another way, from the Windows XP workstations. For future reference, if anyone wants a simple internet filtering engine (block internet access based on web addresses) on a networked computer, this can be done in UNDER 5 MINUTES with Windows SteadyState from Microsoft (freeware). It doesn't have all the features of a proxy server (e.g. web caching) but it does this job simply and well, plus many other useful things that might come in handy for a Windows network administrator.
I feel ya. I am in between being a newbie and a power user of the Linux OS. It is hard to just jump onto Linux and set up something that you wish, simply because you need to get to know the OS a little bit more. I remember a time when I could not use a text editor to edit my config files on the server.

Little by little you learn and things become more clear.

Besides, I have learned that understanding how TCP/IP works is very much necessary. I am at a stage where I am amazed and excited about how much is possible in Linux as far as networking is concerned!

Never give up!