FedoraForum.org > Servers & Networking > iptable NAT (local) port forwarding (https://forums.fedoraforum.org/showthread.php?t=279672)

macktruck 11th May 2012 01:22 AM

[SOLVED] iptable NAT (local) port forwarding
 
Well, for starters I'm not much of a networking guy.. I'm just trying to set up a proxy server for URL blacklisting (Squid/SquidGuard).

Which only works when the browser is set up, but for security purposes, I can't do with that.
I've attempted system-config-firewall port forwarding, it didn't yield any results.. Essentially, I tried:

interface (wlan0), port 80 forwarding to..
192.168.0.1 (LAN) 3128, which failed, so then I tried 127.0.0.1, then I just checkmarked local forwarding... didn't work. I've tried masquerading the interface (wlan0, then wlan+)... various permutations (also with the various NAT configurations).

Anyway, I then tried several different NAT configurations (from various Squid/SquidGuard tutorials), but I think they don't work because of my router (it's set to NAPT, and I'm afraid to try and switch it to NAT because I don't want to mess up anyone else's setup).


..and that's the story thus far. I'm at a bit of a loss right now :\




extra specs: F16, 32-bit.. 3.4+ kernel..

edit: OH! and I already tried ip_forward/port_forward.. it's set to 1, trust me I've checked that multiple times (due to desperation)

macktruck 11th May 2012 05:00 PM

Re: iptable NAT (local)port forwarding
 
A little follow-up for my fellow man..

After a great deal of googling, I stumbled upon the correct iptables settings that work on the system with Squid (so it's proxied on that system as well). I modified them a little bit, and added the SSL port:

iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 443 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 443 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 3128


(YOURINTERFACE being whatever interface you have.. I have wlan0, you may have eth0 or eth1, etc.)

use your choice method for storing, be it iptables saving or using this in the gdm xsession file, or w/e.

William Haller 11th May 2012 05:27 PM

Re: iptable NAT (local)port forwarding
 
We run a transparent proxy at work. In our case, we run

internet <- squid <- DG <- squid <- transparent intercept on system GW <- internal network.

We do our big squid buffering on the closest squid instance after DG buffering and a smaller cache on the squid on the other side of DG. It's all run on a separate box which is nice since we can turn off the intercepts to make DG changes or updates and then re-enable them.

/sbin/iptables -t nat -A PREROUTING -s internal_network_address_block -d our_external_network_address_block -p tcp --dport 80 -j ACCEPT

The above routes anything going to our own website directly there and not through squid. You can also add direct access to any internal web server instances and ACCEPT those immediately without redirection if you want. If there are some servers that you never want to go through DG (an example might be an internal server that hosts your company's antivirus host), you can insert rules for particular hosts to always be allowed to go out directly as well. Then, to route your traffic out through DG/squid use:

/sbin/iptables -t nat -A PREROUTING -s internal_network_address_block -p tcp --dport 80 -j DNAT --to proxy_server:8081

where internal_network_address_block is something like 192.168.0.0/16 or 10.0.0.0/8 or something like that depending on your configuration, external_network_address_block is your range of real-world addresses from your ISP, and proxy_server is the IP address of your dedicated proxy server.

macktruck 12th May 2012 12:14 AM

Re: iptable NAT (local)port forwarding
 
Thanks for that explanation, Squid's somewhat running right now, albeit in a very odd manner..
I.e., it loads Hulu but won't load Google or YouTube.. and it arbitrarily goes slow (and it isn't the cache that makes it go fast, I've checked/cleared that at the peak periods). I'm guessing it can't be the interface, since the speeds are normal with Squid turned off.

I've tried DNAT as well as REDIRECT, and different nameservers(OpenDNS, google, the router's) for squid & the resolv. Played with the various cache configurations. Feh, perplexed but never beaten.

(also, squid is running as a transparent proxy)

William Haller 12th May 2012 03:02 AM

Re: iptable NAT (local)port forwarding
 
Are you running a separate box or running squid on the same box as the gateway? If running it on the gateway box, the rules are a bit different.

I must also say that we use fwbuilder to handle building our firewall rules. System config firewall may just be getting in the way. If not an external box (i.e. the router has its own firewall that is protecting your network), you might want to turn off the system firewall and experiment by hand. Or give fwbuilder a whirl - it's graphical and really nice in my opinion.

I suspect that the new dynamic firewall in F17 will lead to yet a new mess.

macktruck 12th May 2012 01:42 PM

Re: iptable NAT (local)port forwarding
 
Quote:

Originally Posted by William Haller (Post 1575824)
Are you running a separate box or running squid on the same box as the gateway? If running it on the gateway box, the rules are a bit different.

I must also say that we use fwbuilder to handle building our firewall rules. System config firewall may just be getting in the way. If not an external box (i.e. the router has its own firewall that is protecting your network), you might want to turn off the system firewall and experiment by hand. Or give fwbuilder a whirl - it's graphical and really nice in my opinion.

I suspect that the new dynamic firewall in F17 will lead to yet a new mess.

Same box, what I'm essentially trying to do is stop roomies from looking up pr0n on this box because it's hooked up to the 44in. in the living room. The box is used for two separate things, generally: movies & web development. (unfortunately, configuring another box to go through squid on another box isn't an option)

So far, I think I've found a workaround - transparent makes it go really slow (IDK why, probably associated with the iptables settings I'm using), but if I remove the transparent from http_port in the configuration file, it works fine (although I have to configure Firefox to use the proxy, but that's not an issue since without the Firefox proxy configuration, you can't browse; squid simply gives an 'Invalid URL' error).
My only two issues left are SSL & auto-starting squid on boot.. systemctl enable squid.service isn't working, chkconfig squid on fails as well. (It says in the boot log that it's starting/started up; but after I log in, Squid is always off... maybe something else is turning squid off for some reason?)

Even putting systemctl start squid.service at the beginning (then the end) of /etc/gdm/Xsession isn't working, so I'm almost at a loss in regards to that (I'm pretty sure it has to do with how yum compiled Squid, so I'm looking into that). As far as SSL goes, I'm looking at workaround options at this point.

Lol, ya I'm staying away from F17 for a while.. I've figured out before that upgrading to a fresh release isn't a good idea.

William Haller 12th May 2012 06:25 PM

Re: iptable NAT (local)port forwarding
 
Start squid up manually and see what diagnostic messages you get. There should be a squid link in the systemd startup directory created with the chkconfig squid on.

The SSL can't be transparently proxied at all. You can point your browsers directly at your squid instance and it will work, but transparent proxy is a case of man in the middle and it won't work.

You shouldn't be seeing any slowdown that is perceptible with squid. An htop might be useful to see where your speed is going. If you are seeing a slowdown, something on the network stack isn't configured properly. It might be worth seeing what DNS is being resolved with - perhaps squid is using a different source and it has to wait for that to fail to try again with a different nameserver.

macktruck 12th May 2012 11:15 PM

Re: iptable NAT (local)port forwarding
 
Quote:

Originally Posted by William Haller (Post 1575915)
Start squid up manually and see what diagnostic messages you get. There should be a squid link in the systemd startup directory created with the chkconfig squid on.

squid -k debug
produced nothing, I'm going to see if there may be a conflict elsewhere.. Idk.

Quote:

Originally Posted by William Haller (Post 1575915)
The SSL can't be transparently proxied at all. You can point your browsers directly at your squid instance and it will work, but transparent proxy is a case of man in the middle and it won't work.

True, I guess squid doesn't proxy SSL like it does normal web browsing, it can handle it though.

http://blog.davidvassallo.me/2011/03...-interception/


Quote:

Originally Posted by William Haller (Post 1575915)
You shouldn't be seeing any slowdown that is perceptible with squid. An htop might be useful to see where your speed is going. If you are seeing a slowdown, something on the network stack isn't configured properly. It might be worth seeing what DNS is being resolved with - perhaps squid is using a different source and it has to wait for that to fail to try again with a different nameserver.

Will look into htop, and I'm unsure, I've used dns_nameservers to point towards Google's NS, OpenDNS, and my router's... yet it still goes slow on 'transparent'. I think it has to do with my iptables settings, they're very poor because I'm not used to iptables statements.

But right now, regular HTTP is okay because it doesn't work without the browser being properly set - which means no one can simply untick 'manual proxy' on Firefox and go on their way.

The primary issue right now is the fact they can untick manual proxy and use an https proxy to bypass squid, which I don't want. Https squidGuard filtering works as it should, when the manual proxy is configured.


What I need now is a way to prevent HTTPS outside of the manual proxy, but I can't redirect 443 like I did port 80, otherwise it does a loop and returns nothing.. (when manually configured, Squid seems to intercept port 443 to create its own SSL session w/ the target website, then you create an SSL session with squid, so it still needs to output port 443, rather than redirect.. otherwise, loop. God I hope that made sense)

This is what I'm using for iptables local redirection:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 3130


In case I butchered that explanation, here's a pseudo statement of what I'd like to occur when HTTPS is used (either via iptables or some other means):

443 OUTPUT > FILTER THROUGH 3130 > FINAL OUTPUT 443

since this is all done locally.. I don't think preroute or postroute would work, but yeah I'm completely lost on how to achieve the above statement at the moment.
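The loop described above (a REDIRECT in the nat OUTPUT chain catching squid's own outbound connections and sending them back to squid) is exactly what the `--uid-owner squid` ACCEPT rules in the earlier post avoid, and William's gateway layout has the same hazard on PREROUTING. The script below is an added example, not code from this thread or from the Squid or fwbuilder projects: it prints the rule sets for both layouts and runs a loop check over them, never calling iptables itself. It assumes squid runs as uid `squid` (Fedora's default cache_effective_user), listens on 3128 in intercept mode, and that the gateway's proxy box address is known; the REJECT rule for direct HTTPS is my suggestion for keeping roommates on the manually configured proxy, since redirecting 443 to a plain http_port does not work, as William notes.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the two iptables rule sets the thread
# discusses and checks the same-box set for the redirect loop. Assumptions (mine):
# squid runs as uid "squid", its http_port is 3128 in intercept/transparent mode,
# and the gateway layout's proxy box address is known. Nothing here runs iptables.

# Same-box transparent proxy (macktruck's layout). Locally generated traffic to the
# given ports is redirected to squid, but connections squid itself opens are ACCEPTed
# first (owner match) so they leave directly instead of being redirected back to squid.
# usage: same_box_rules IFACE PROXY_PORT PROXY_USER PORT...
same_box_rules() {
    iface="$1" proxy_port="$2" proxy_user="$3"
    shift 3
    for port in "$@"; do
        printf 'iptables -t nat -A OUTPUT -o %s -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
            "$iface" "$port" "$proxy_user"
    done
    for port in "$@"; do
        printf 'iptables -t nat -A OUTPUT -o %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$iface" "$port" "$proxy_port"
    done
}

# The bare two-line set from the thread: nothing exempts squid's own connections, so
# squid's outbound 80/443 is redirected back to squid and the request never leaves.
looping_rules() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128\n'
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 3130\n'
}

# Rather than redirecting 443, refuse direct 443 from every local user except squid
# (filter table). Browsers then have to use the configured proxy for HTTPS; unticking
# "manual proxy" in Firefox only gets a TCP reset.
# usage: block_direct_https PROXY_USER
block_direct_https() {
    printf 'iptables -A OUTPUT -p tcp --dport 443 -m owner ! --uid-owner %s -j REJECT --reject-with tcp-reset\n' "$1"
}

# Gateway layout (William's): LAN clients are DNATed to a separate proxy box. Listed
# destinations bypass the proxy, and the proxy box's own source address is ACCEPTed
# before the DNAT so its outbound fetches are not sent back to itself.
# usage: gateway_rules LAN_CIDR PROXY_IP PROXY_PORT [BYPASS_DST...]
gateway_rules() {
    lan="$1" proxy="$2" proxy_port="$3"
    shift 3
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j ACCEPT\n' "$proxy"
    for dst in "$@"; do
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' "$lan" "$dst"
    done
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
        "$lan" "$proxy" "$proxy_port"
}

# Loop check for a same-box set read from stdin: every REDIRECT in nat OUTPUT must be
# preceded by an owner-match ACCEPT for the same --dport. Prints each offending port
# and exits 1 if any were found, 0 otherwise.
check_no_loop() {
    awk '
        /-t nat -A OUTPUT / && /--dport/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
            if (/-j ACCEPT/ && /--uid-owner/) exempt[port] = 1
            else if (/-j REDIRECT/ && !(port in exempt)) {
                print "loop: --dport " port " is redirected with no owner exemption"
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Demonstration (run as: sh thisfile.sh demo). Rules are printed, never applied.
if [ "${1:-}" = "demo" ]; then
    echo "# bare set from the thread:"
    looping_rules | check_no_loop || echo "# -> loops"
    echo "# owner-exempted same-box set plus HTTPS policy:"
    same_box_rules wlan0 3128 squid 80 | check_no_loop && echo "# -> loop-free"
    same_box_rules wlan0 3128 squid 80
    block_direct_https squid
    echo "# gateway set (constructed addresses):"
    gateway_rules 192.168.0.0/16 192.168.0.2 8081 203.0.113.0/24
fi
```

Rule order matters in both layouts: the owner ACCEPT and the proxy-source ACCEPT must come before the REDIRECT/DNAT in the same chain, which is why the generators always print them first and why the check only credits an exemption that appears earlier in the stream.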

macktruck 15th May 2012 07:34 PM

Re: iptable NAT (local)port forwarding
 
Something came up so I wasn't able to follow up or anything, but thanks for helping me William, I was wrong about the cause, it turns out NetworkManager was setting my router as the DNS, and that wasn't working out too well. So I changed the DNS to Google's manually on wlan0 and it works now (still can't get transparent to work, but this will definitely do.)

Thanks again



edit: Also, I have c-icap installed with a squidGuard plugin (clamav/clamd I believe). The reason Squid wasn't starting at boot was because c-icap was starting with squidGuard.. the squidGuard service needs to be disabled, otherwise it breaks squid. (I have no idea why)

William Haller 15th May 2012 07:47 PM

Re: iptable NAT (local)port forwarding
 
Welcome. If you try to get transparent on a single box working again, just redirect the port or use 127.0.0.1 as the redirected destination along with the port. We do test at times with a squid on the local box, so I know it works with a fwbuilder firewall. May well just be a firewall issue there as well.

