FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    May 2010
    Posts
    10

    [SOLVED]iptable NAT (local)port forwarding

    Well, for starters, I'm not much of a networking guy. I'm just trying to set up a proxy server for URL blacklisting (Squid/squidGuard).

    Which only works when the browser is set up for it, but for security purposes I can't do with that.
    I've attempted system-config-firewall port forwarding; it didn't yield any results. Essentially, I tried:

    interface (wlan0), port 80 forwarding to
    192.168.0.1 (LAN) 3128, which failed, so then I tried 127.0.0.1, then I just checkmarked local forwarding... didn't work. I've tried masquerading the interface (wlan0, then wlan+), various permutations (also with the various NAT configurations).

    Anyway, I then tried several different NAT configurations (from various Squid/squidGuard tutorials), but I think they don't work because of my router (it's set to NAPT, and I'm afraid to try and switch it to NAT because I don't want to mess up anyone else's setup).


    ..and that's the story thus far. I'm at a bit of a loss right now :\




    extra specs: f16, 32-bit..3.4+ kernel..

    edit: OH! And I already tried ip_forward/port_forward. It's set to 1, trust me, I've checked that multiple times (due to desperation).
    Last edited by macktruck; 15th May 2012 at 07:32 PM.

  2. #2
    Join Date
    May 2010
    Posts
    10

    Re: iptable NAT (local)port forwarding

    A little follow-up for my fellow man..


    After a great deal of googling, I stumbled upon the correct iptables settings that work on the system running Squid (so it's proxied on that system as well). I modified them a little and added the SSL port:

    # Squid's own outbound connections are accepted as-is so they are not redirected back into Squid
    iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 443 -m owner --uid-owner squid -j ACCEPT
    iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
    # everything else on 80/443 is redirected to Squid's listening port
    iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A OUTPUT -o YOURINTERFACE -p tcp --dport 443 -j REDIRECT --to-ports 3128
    iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 3128


    (YOURINTERFACE being whatever interface you have. I have wlan0; you may have eth0 or eth1, etc.)

    Use your method of choice for storing them, be it iptables save, putting this in the gdm Xsession file, or whatever.

  3. #3
    Join Date
    Jul 2005
    Age
    57
    Posts
    1,184

    Re: iptable NAT (local)port forwarding

    We run a transparent proxy at work. In our case, we run

    internet <- squid <- DG <- squid <- transparent intercept on system GW <- internal network.

    We do our big squid buffering on the closest squid instance after DG buffering and a smaller cache on the squid on the other side of DG. It's all run on a separate box which is nice since we can turn off the intercepts to make DG changes or updates and then re-enable them.

    /sbin/iptables -t nat -A PREROUTING -s internal_network_address_block -d our_external_network_address_block -p tcp --dport 80 -j ACCEPT

    The above routes anything going to our own website directly there and not through squid. You can also add direct access to any internal web server instances and ACCEPT those immediately without redirection if you want. If there are some servers that you never want to go through DG (an example might be an internal server that hosts your company's antivirus host), you can insert rules for particular hosts to always be allowed to go out directly as well. Then, to route your traffic out through DG/squid use:

    /sbin/iptables -t nat -A PREROUTING -s internal_network_address_block -p tcp --dport 80 -j DNAT --to proxy_server:8081

    where internal_network_address_block is something like 192.168.0.0/16 or 10.0.0.0/8 or something like that depending on your configuration, external_network_address_block is your range of real-world addresses from your ISP, and proxy_server is the IP address of your dedicated proxy server.
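    A worked version of the gateway layout described in this post, added here as an example and not taken from William's own rules: the bypass rules and the DNAT go in their own chain so the intercept can be flushed and reloaded without touching the rest of the nat table, and the exceptions are listed before the DNAT because the first matching rule wins. The interface, address ranges, proxy address and bypass host are placeholders (203.0.113.0/24 is the RFC 5737 documentation range standing in for the public block); the script only prints the iptables commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example of the gateway intercept above, not the poster's own rules.
# Every value here is a placeholder; override it in the environment.
LAN_IF="${LAN_IF:-eth1}"                      # interface facing the clients
LAN_NET="${LAN_NET:-192.168.0.0/16}"          # internal_network_address_block
OWN_NET="${OWN_NET:-203.0.113.0/24}"          # our public range (RFC 5737 doc range)
PROXY="${PROXY:-192.168.1.2}"                 # proxy_server
PROXY_PORT="${PROXY_PORT:-8081}"              # its intercept port
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.1.10}"  # e.g. the antivirus update host
IPT="${IPT:-echo iptables}"                   # dry run; IPT=iptables applies (as root)

gen_gw_rules() {
    # Own chain: flush/reload the intercept without touching the rest of nat.
    $IPT -t nat -N WEBPROXY 2>/dev/null
    $IPT -t nat -F WEBPROXY
    # Exceptions first: first match wins, so these must precede the DNAT.
    $IPT -t nat -A WEBPROXY -d "$OWN_NET" -j RETURN          # our own web site, direct
    for h in $BYPASS_HOSTS; do
        $IPT -t nat -A WEBPROXY -d "$h" -j RETURN            # never through the filter
    done
    $IPT -t nat -A WEBPROXY -s "$PROXY" -j RETURN            # the proxy's own upstream fetches
    # Everything else on :80 from the LAN goes to the proxy's intercept port.
    $IPT -t nat -A WEBPROXY -j DNAT --to-destination "$PROXY:$PROXY_PORT"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j WEBPROXY
    # Replies must pass back through this gateway for conntrack to undo the
    # DNAT. When the proxy shares the clients' LAN they would not, so hide the
    # client behind the gateway for that one flow.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -d "$PROXY" -p tcp --dport "$PROXY_PORT" -j MASQUERADE
}

# Dry run prints the commands so they can be reviewed before applying.
gen_gw_rules
```

    Two things these rules assume. First, the proxy port (8081 here) is configured as an intercept port, because an intercepted browser sends `GET /path HTTP/1.1` with only a Host header rather than the full proxy-style URL. Second, the proxy's replies come back through the gateway: if the proxy sits on the same LAN as the clients, the SYN/ACK would go straight from proxy:8081 to the client, which expects it from webserver:80 and drops it. The POSTROUTING MASQUERADE rule prevents that at the cost that the proxy then logs the gateway's address instead of the client's; putting the proxy on its own segment behind the gateway avoids the trade-off, and the `-s "$PROXY"` exception is what keeps the proxy's own upstream fetches from being DNATed back into itself.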

  4. #4
    Join Date
    May 2010
    Posts
    10

    Re: iptable NAT (local)port forwarding

    Thanks for that explanation. Squid's somewhat running right now, albeit in a very odd manner.
    I.e., it loads Hulu but won't load Google or YouTube, and it arbitrarily goes slow (and it isn't the cache that makes it go fast; I've checked/cleared that at the peak periods). I'm guessing it can't be the interface, since the speeds are normal with Squid turned off.

    I've tried DNAT as well as REDIRECT, and different nameservers(OpenDNS, google, the router's) for squid & the resolv. Played with the various cache configurations. Feh, perplexed but never beaten.

    (also, squid is running as a transparent proxy)

  5. #5
    Join Date
    Jul 2005
    Age
    57
    Posts
    1,184

    Re: iptable NAT (local)port forwarding

    Are you running a separate box or running squid on the same box as the gateway? If running it on the gateway box, the rules are a bit different.

    I must also say that we use fwbuilder to handle building our firewall rules. System config firewall may just be getting in the way. If not an external box (i.e. the router has its own firewall that is protecting your network), you might want to turn off the system firewall and experiment by hand. Or give fwbuilder a whirl - it's graphical and really nice in my opinion.

    I suspect that the new dynamic firewall in F17 will lead to yet a new mess.

  6. #6
    Join Date
    May 2010
    Posts
    10

    Re: iptable NAT (local)port forwarding

    Quote Originally Posted by William Haller
    Are you running a separate box or running squid on the same box as the gateway? If running it on the gateway box, the rules are a bit different.

    I must also say that we use fwbuilder to handle building our firewall rules. System config firewall may just be getting in the way. If not an external box (i.e. the router has its own firewall that is protecting your network), you might want to turn off the system firewall and experiment by hand. Or give fwbuilder a whirl - it's graphical and really nice in my opinion.

    I suspect that the new dynamic firewall in F17 will lead to yet a new mess.
    Same box. What I'm essentially trying to do is stop roomies from looking up pr0n on this box because it's hooked up to the 44-inch in the living room. The box is used for two separate things, generally: movies and web development. (Unfortunately, configuring another box to go through Squid on another box isn't an option.)

    So far, I think I've found a workaround. Transparent makes it go really slow (I don't know why; probably associated with the iptables settings I'm using), but if I remove "transparent" from http_port in the configuration file, it works fine (although I have to configure Firefox to use the proxy, but that's not an issue since without the Firefox proxy configuration you can't browse; Squid simply gives an 'Invalid URL' error).
    My only two issues left are SSL and auto-starting Squid on boot. `systemctl enable squid.service` isn't working; `chkconfig squid on` fails as well. (It says in the boot log that it's starting/started up, but after I log in, Squid is always off. Maybe something else is turning Squid off for some reason?)

    Even putting `systemctl start squid.service` at the beginning (then the end) of /etc/gdm/Xsession isn't working, so I'm almost at a loss in regards to that (I'm pretty sure it has to do with how yum compiled Squid, so I'm looking into that). As far as SSL goes, I'm looking at workaround options at this point.

    Lol, yeah, I'm staying away from F17 for a while. I've figured out before that upgrading to a fresh release isn't a good idea.
    Last edited by macktruck; 12th May 2012 at 01:55 PM.

  7. #7
    Join Date
    Jul 2005
    Age
    57
    Posts
    1,184

    Re: iptable NAT (local)port forwarding

    Start squid up manually and see what diagnostic messages you get. There should be a squid link in the systemd startup directory created with the chkconfig squid on.

    The SSL can't be transparently proxied at all. You can point your browsers directly at your squid instance and it will work, but transparent proxy is a case of man in the middle and it won't work.

    You shouldn't be seeing any slowdown that is perceptible with squid. htop might be useful to see where your speed is going. If you are seeing a slowdown, something on the network stack isn't configured properly. It might be worth seeing what DNS is being resolved with - perhaps squid is using a different source and it has to wait for that to fail to try again with a different nameserver.

  8. #8
    Join Date
    May 2010
    Posts
    10

    Re: iptable NAT (local)port forwarding

    Quote Originally Posted by William Haller
    Start squid up manually and see what diagnostic messages you get. There should be a squid link in the systemd startup directory created with the chkconfig squid on.
    `squid -k debug`
    produced nothing. I'm going to see if there may be a conflict elsewhere. I don't know.

    Quote Originally Posted by William Haller
    The SSL can't be transparently proxied at all. You can point your browsers directly at your squid instance and it will work, but transparent proxy is a case of man in the middle and it won't work.
    True, I guess Squid doesn't proxy SSL like it does normal web browsing; it can handle it though.

    http://blog.davidvassallo.me/2011/03...-interception/


    Quote Originally Posted by William Haller
    You shouldn't be seeing any slowdown that is perceptible with squid. htop might be useful to see where your speed is going. If you are seeing a slowdown, something on the network stack isn't configured properly. It might be worth seeing what DNS is being resolved with - perhaps squid is using a different source and it has to wait for that to fail to try again with a different nameserver.
    Will look into htop. I'm unsure; I've used dns_nameservers to point towards Google's NS, OpenDNS, and my router's, yet it still goes slow on 'transparent'. I think it has to do with my iptables settings; they're very poor because I'm not used to iptables statements.

    But right now, regular HTTP is okay because it doesn't work without the browser being properly set, which means no one can simply untick 'manual proxy' on Firefox and go on their way.

    The primary issue right now is the fact that they can untick manual proxy and use an HTTPS proxy to bypass Squid, which I don't want. HTTPS squidGuard filtering works as it should when the manual proxy is configured.


    What I need now is a way to prevent HTTPS outside of the manual proxy, but I can't redirect 443 like I did port 80, otherwise it does a loop and returns nothing. (When manually configured, Squid seems to intercept port 443 to create its own SSL session with the target website, then you create an SSL session with Squid, so it still needs to output on port 443 rather than redirect; otherwise, loop. God, I hope that made sense.)

    This is what I'm using for iptables local redirection

    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 3130


    In case I butchered that explanation, here's a pseudo-statement of what I'd like to occur when HTTPS is used (either via iptables or some other means):

    443 OUTPUT > FILTER THROUGH 3130 > FINAL OUTPUT 443

    Since this is all done locally, I don't think PREROUTING or POSTROUTING would work, but yeah, I'm completely lost on how to achieve the above statement at the moment.
    Last edited by macktruck; 13th May 2012 at 01:07 AM.
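    Putting the rules from post #2 and the question in this post together, here is an added example, not macktruck's own rules: the same local OUTPUT redirection, with the owner match placed first so Squid's own upstream connections are never rewritten back into Squid (the loop described above), plus a filter-table guard so that nothing but Squid can reach :80/:443 directly even if the browser's manual proxy setting is unticked. The interface, user name and ports are assumptions matching the thread; the script prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not the thread's rules: same-box interception without the
# redirect loop, failing closed if Squid is bypassed. All values are
# assumptions; override them in the environment.
IFACE="${IFACE:-wlan0}"            # uplink the browser traffic leaves on
SQUID_USER="${SQUID_USER:-squid}"  # uid Squid runs as
HTTP_PORT="${HTTP_PORT:-3128}"     # Squid's "http_port 3128 transparent"
HTTPS_PORT="${HTTPS_PORT:-3130}"   # only meaningful if Squid does TLS interception there
INTERCEPT_HTTPS="${INTERCEPT_HTTPS:-no}"
ALLOW_DIRECT_UIDS="${ALLOW_DIRECT_UIDS:-}"  # e.g. "root" so yum can fetch directly
IPT="${IPT:-echo iptables}"        # dry run; IPT=iptables applies (run as root)

gen_local_rules() {
    # nat side: where locally generated :80/:443 connections are sent.
    $IPT -t nat -N LOCALPROXY 2>/dev/null
    $IPT -t nat -F LOCALPROXY
    # Squid's own upstream fetches must leave the box untouched. Without this
    # rule, Squid's connection to example.com:80 is rewritten to
    # 127.0.0.1:3128, i.e. back into Squid: the loop from the posts above.
    for u in $SQUID_USER $ALLOW_DIRECT_UIDS; do
        $IPT -t nat -A LOCALPROXY -m owner --uid-owner "$u" -j RETURN
    done
    $IPT -t nat -A LOCALPROXY -p tcp --dport 80 -j REDIRECT --to-ports "$HTTP_PORT"
    if [ "$INTERCEPT_HTTPS" = yes ]; then
        $IPT -t nat -A LOCALPROXY -p tcp --dport 443 -j REDIRECT --to-ports "$HTTPS_PORT"
    fi
    # Only traffic leaving via the uplink enters the chain; a browser talking
    # to 127.0.0.1:3128 goes out on lo and is never rewritten.
    $IPT -t nat -A OUTPUT -o "$IFACE" -p tcp -j LOCALPROXY

    # filter side: fail closed. Whatever was not redirected (HTTPS, or anything
    # if the nat rules are removed) may reach :80/:443 directly only as Squid.
    $IPT -N LOCALPROXY_GUARD 2>/dev/null
    $IPT -F LOCALPROXY_GUARD
    for u in $SQUID_USER $ALLOW_DIRECT_UIDS; do
        $IPT -A LOCALPROXY_GUARD -m owner --uid-owner "$u" -j ACCEPT
    done
    $IPT -A LOCALPROXY_GUARD -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A OUTPUT -o "$IFACE" -p tcp -m multiport --dports 80,443 -j LOCALPROXY_GUARD
}

# Dry run prints the commands so they can be reviewed before applying.
gen_local_rules
```

    Redirecting 443 is off by default (INTERCEPT_HTTPS=yes turns it on) because it only helps if the port Squid listens on there is set up for TLS interception, Squid's ssl-bump, which is what the interception article linked above is about; a plain `http_port ... transparent` receives a TLS ClientHello it cannot parse and the connection simply fails, which is the "returns nothing" above. Without ssl-bump the filter guard is what stops the bypass: direct 443 is refused for every user but squid, so HTTPS only works through the manually configured proxy (the browser's CONNECT to 127.0.0.1:3128), where squidGuard already filters it. Anything added to ALLOW_DIRECT_UIDS, root included, bypasses the filter entirely, so keep that list short.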

  9. #9
    Join Date
    May 2010
    Posts
    10

    Re: iptable NAT (local)port forwarding

    Something came up so I wasn't able to follow up or anything, but thanks for helping me, William. I was wrong about the cause; it turns out NetworkManager was setting my router as the DNS, and that wasn't working out too well. So I changed the DNS to Google's manually on wlan0 and it works now (still can't get transparent to work, but this will definitely do).

    Thanks again



    edit: Also, I have c-icap installed with a squidGuard plugin (clamav/clamd, I believe). The reason Squid wasn't starting at boot was because c-icap was starting with squidGuard; the squidGuard service needs to be disabled, otherwise it breaks Squid. (I have no idea why.)
    Last edited by macktruck; 15th May 2012 at 07:45 PM.

  10. #10
    Join Date
    Jul 2005
    Age
    57
    Posts
    1,184

    Re: iptable NAT (local)port forwarding

    Welcome. If you try to get transparent on a single box working again, just redirect the port or use 127.0.0.1 as the redirected destination along with the port. We do test at times with a squid on the local box, so I know it works with a fwbuilder firewall. May well just be a firewall issue there as well.
