I need help with iptables and Squid (transparent)


J-Rod
June 15th, 2007, 02:38 PM
Well, I volunteered myself to help my company find a free solution to monitor web traffic on the corporate network. I mentioned Squid, and they said "Sure, make it work."

Well, I have managed to get it working if I input the proxy information client side, but I have yet to figure out how to get iptables configured properly to snag traffic to my internal-facing interface and redirect it to squid.

Here is a picture of my small test setup here in the lab, and copies of my iptables and squid.conf. I have also tried taking the linksys router out of the loop, and connected directly to our .1 network, and still no transparent hijacking.

Any help in this matter is greatly appreciated; I don't have much hair left at this point. :)

http://jrodder.googlepages.com/Squid_Diagram.gif

^^^^^^^^^^^^^^^^

I just noticed I typed "subnet" instead of default gateway, but I am sure you caught that already. :)

turinglabs
June 15th, 2007, 03:19 PM
I'm a bit confused by your explanation: do you want the squid proxy to act as a transparent proxy for all outbound http traffic to the internet? If so, on the ubuntu box, this will add an iptables rule that will redirect all port 80 tcp traffic coming in over eth1 to the squid proxy on the same box:


iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

J-Rod
June 15th, 2007, 04:04 PM
Yes, I had tried that, and I noticed the iptables I uploaded wasn't the current one I had been trying. Here is what I am currently using, to no avail. And sorry if I wasn't being clear: I wish for the Ubuntu box to sit between the network and the internet, and hijack all the http 80 requests and have Squid handle them.

# Generated by iptables-save v1.3.6 on Fri Jun 15 15:52:02 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 15 15:52:02 2007
# Generated by iptables-save v1.3.6 on Fri Jun 15 15:52:02 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 15 15:52:02 2007
# Generated by iptables-save v1.3.6 on Fri Jun 15 15:52:02 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward HTTP connections to Squid proxy
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
# Completed on Fri Jun 15 15:52:02 2007

And an easier-to-view squid.conf:

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl FFITest src 192.168.4.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow FFITest
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid
visible_hostname 192.168.4.201

turinglabs
June 15th, 2007, 04:39 PM
The redirect with iptables should work if the squid proxy is running on the same box, and the web traffic to and from the internet always gets routed through this box. The 'http_port 3128 transparent' is all that is needed for squid version >= 2.6 (which I see you have in your config file). So this looks OK. Absent some squid errors in your logs, I would assume a networking issue. Some questions:

- Consider the return path a packet will take from the server back to the client. Does it go direct, or does it always hit the proxy on eth0 first?

- Do you have IP forwarding enabled on the proxy?

J-Rod
June 15th, 2007, 04:43 PM
Hmmm, maybe IP forwarding is my problem, as I have never set any such option if it is not a default somewhere. All the traffic does indeed flow through the Squid/IPtables box, as right now it is the only gateway to the rest of the internet. This is why I was thinking it's an iptables issue: if I manually enter all the proxy information in the browser on a client machine, everything works fine. Can you maybe provide information on where I need to look on how to enable IP forwarding?

turinglabs
June 15th, 2007, 04:46 PM
Something I just noticed - from the diagram, it's not clear that the clients' outbound traffic will hit the proxy (without manual browser configuration). What do the clients have as their default gateway?

turinglabs
June 15th, 2007, 04:48 PM
You answered my question while I was posting. IP forwarding can be enabled with 'echo "1" > /proc/sys/net/ipv4/ip_forward' or 'sysctl -w net.ipv4.ip_forward=1'.

J-Rod
June 15th, 2007, 04:57 PM
Yes, I googled around after I responded to you initially, and came across the command to enable ip forwarding. It doesn't look like it worked. :( I am about to leave work for the weekend; maybe I can contact you through your website on Monday and see if you are willing to help a n00b out some more? I am pretty sure this is some type of forwarding issue. I'd like to get it resolved so I can move on with cool stuff, like monitoring and reporting software. Thanks for all your time!

J-Rod
June 18th, 2007, 03:08 PM
I have enabled ip_forward, I checked by looking at the file directly and it is now =1. Considering I am a complete newb with iptables and configuring them, and the fact that I am able to get everything working until I try and do it transparently, I am thinking that this must be some sort of issue with getting the traffic routed properly.

I have scoured the net looking for help, but due to the varied configurations of machines, networks and squid/iptables/ipchains combinations, I wasn't able to find anything that directly helps me. Maybe my issue is understanding the traffic flow. If I am getting this correctly, here is what is *supposed* to happen with my setup:

Client makes http:80 request; that NIC is using eth1 of the proxy machine as a default gateway, and the request is made without any client-side proxy configuration -> proxy snatches the :80 request on its eth1 interface, redirects it to port 3128, and the request is made to the web through eth0.

Are there any good references that simply diagram proper information flow to help me assess what I need to be doing differently?

turinglabs
June 18th, 2007, 04:35 PM
You can try a couple more things:

- Change the 'http_port 3128 transparent' to 'http_port 192.168.4.201:3128 transparent'. This specifies use of just that interface for the proxy.
- Add 'always_direct allow all' to your squid config; this forces squid to go direct to the target web site, while still allowing local caching.

If this does not work, I would start looking in your squid logs for errors and trying to trace the flow of traffic from a client, both out- and in-bound.

J-Rod
June 20th, 2007, 02:51 PM
I appreciate your response yet again. I have tried both of those, to no avail. I have set up all the logging, and am trying to see how I can find where the problem is. The debug log shows everything *should* be loaded fine, listening for connections. All I have to do to make the system work is to enter the proxy settings manually in the client, and all is well. Pretty frustrating! :)

2007/06/20 13:46:14| Starting Squid Cache version 2.6.STABLE5 for i386-debian-linux-gnu...
2007/06/20 13:46:14| Process ID 7533
2007/06/20 13:46:14| With 1024 file descriptors available
2007/06/20 13:46:14| Using epoll for the IO loop
2007/06/20 13:46:14| Performing DNS Tests...
2007/06/20 13:46:14| Successful DNS name lookup tests...
2007/06/20 13:46:14| DNS Socket created at 0.0.0.0, port 32778, FD 5
2007/06/20 13:46:14| Adding domain FFI from /etc/resolv.conf
2007/06/20 13:46:14| Adding nameserver 192.168.1.9 from /etc/resolv.conf
2007/06/20 13:46:14| Adding nameserver 192.168.3.9 from /etc/resolv.conf
2007/06/20 13:46:14| Adding nameserver 192.168.1.8 from /etc/resolv.conf
2007/06/20 13:46:14| Referer logging is disabled.
2007/06/20 13:46:14| Unlinkd pipe opened on FD 11
2007/06/20 13:46:14| Swap maxSize 102400 KB, estimated 7876 objects
2007/06/20 13:46:14| Target number of buckets: 393
2007/06/20 13:46:14| Using 8192 Store buckets
2007/06/20 13:46:14| Max Mem size: 8192 KB
2007/06/20 13:46:14| Max Swap size: 102400 KB
2007/06/20 13:46:14| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2007/06/20 13:46:14| Rebuilding storage in /var/spool/squid (CLEAN)
2007/06/20 13:46:14| Using Least Load store dir selection
2007/06/20 13:46:14| Set Current Directory to /var/spool/squid
2007/06/20 13:46:14| Loaded Icons.
2007/06/20 13:46:14| Accepting transparently proxied HTTP connections at 192.168.4.201, port 3128, FD 13.
2007/06/20 13:46:14| Accepting ICP messages at 0.0.0.0 , port 3130, FD 14.
2007/06/20 13:46:14| HTCP Disabled.
2007/06/20 13:46:14| WCCP Disabled.
2007/06/20 13:46:14| Ready to serve requests.
2007/06/20 13:46:14| Done reading /var/spool/squid swaplog (0 entries)
2007/06/20 13:46:14| Finished rebuilding storage from disk.
2007/06/20 13:46:14| 0 Entries scanned
2007/06/20 13:46:14| 0 Invalid entries.
2007/06/20 13:46:14| 0 With invalid flags.
2007/06/20 13:46:14| 0 Objects loaded.
2007/06/20 13:46:14| 0 Objects expired.
2007/06/20 13:46:14| 0 Objects cancelled.
2007/06/20 13:46:14| 0 Duplicate URLs purged.
2007/06/20 13:46:14| 0 Swapfile clashes avoided.
2007/06/20 13:46:14| Took 0.5 seconds ( 0.0 objects/sec).
2007/06/20 13:46:14| Beginning Validation Procedure
2007/06/20 13:46:14| Completed Validation Procedure
2007/06/20 13:46:14| Validated 0 Entries
2007/06/20 13:46:14| store_swap_size = 0k
2007/06/20 13:46:15| storeLateRelease: released 0 objects

I am going to keep trying some other things. Silly question, but I noticed I cannot ping through the proxy to the router, even if iptables is totally cleared. Either ICMP is not allowed at some lower level, or I don't have routing enabled properly.

turinglabs
June 21st, 2007, 10:01 AM
Debug log shows everything *should* be loaded fine, listening for connections.


You should also tail the log file(s) during a connection attempt.


I am going to keep trying some other things. Silly question, but I noticed I cannot ping through the proxy to the router, even if iptables is totally cleared. Either ICMP is not allowed at some lower level, or I don't have routing enabled properly.


Yes, you should be able to do this if IP forwarding is enabled and iptables is cleared with default accept policies on all the chains ('iptables -L -nv' and 'iptables -t nat -L -nv' to verify). My guess is the return traffic from the router is not going to the proxy, but direct to the client, or somewhere else. The first would be the case if the router was also plugged into your LAN switch. If that were the case, you could probably get this to work by unplugging the router from the LAN switch (and adding a route for 192.168.4.0/24 via the proxy's eth0 IP address), or re-writing the source IP address of requests to the proxy, so the replies came back to it direct, rather than the client:


iptables -t nat -A POSTROUTING -o eth0 -s 192.168.4.0/24 -p tcp --dport 80 -j SNAT --to 192.168.4.201


...but it's probably best to fix your routing issues. Running a tcpdump on the proxy's eth0 will tell you what is leaving and what is coming back; watch it during a connection attempt. Something like this:


tcpdump -i eth0 -n host <ip address of source>


will show you traffic with a source and destination of the target host, so it will catch the outbound and return traffic (try it without any iptables filter or NAT rules).
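The pieces this reply and the earlier ones tell J-Rod to verify (ip_forward, default ACCEPT policies, the nat PREROUTING REDIRECT rule on eth1, and Squid's 'transparent' flag) can be checked in one pass over the configs. This is an added example, not code from the thread; the sample dump and squid.conf are constructed from the ones posted above, and the function and interface names are the example's own:

```python
"""Pre-flight checks for the transparent Squid setup discussed in this thread.
Added example, not from the thread: it parses an iptables-save dump, a
squid.conf and the ip_forward value and reports the failure modes the replies
walk through."""
import re

# Constructed sample inputs, condensed from the configs posted in the thread.
IPTABLES_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
"""
SQUID_CONF = "http_port 3128 transparent\nacl FFITest src 192.168.4.0/24\n"

def parse_tables(dump):
    """Return {table: {"policy": {chain: policy}, "rules": [rule lines]}}."""
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                      # table header, e.g. *nat
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:  # :CHAIN POLICY [pk:by]
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:  # appended rule
            cur["rules"].append(line)
    return tables

def check_setup(dump, squid_conf, ip_forward, lan_if="eth1", squid_port=3128):
    """Return a list of findings; an empty list means the pieces are in place."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1: proxy will not route")
    tables = parse_tables(dump)
    want = re.compile(rf"-A PREROUTING .*-i {lan_if} .*-p tcp .*--dport 80 .*"
                      rf"-j REDIRECT --to-ports? {squid_port}\b")  # -port/-ports
    if not any(want.search(r) for r in tables.get("nat", {}).get("rules", [])):
        findings.append(f"no nat PREROUTING REDIRECT of tcp/80 on {lan_if} to {squid_port}")
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if tables.get("filter", {}).get("policy", {}).get(chain, "ACCEPT") != "ACCEPT":
            findings.append(f"filter {chain} policy is not ACCEPT: check for drops")
    if not re.search(rf"^http_port\s+(\S+:)?{squid_port}\b.*\btransparent\b",
                     squid_conf, re.M):
        findings.append(f"squid http_port {squid_port} lacks the 'transparent' flag")
    return findings

if __name__ == "__main__":
    for f in check_setup(IPTABLES_DUMP, SQUID_CONF, ip_forward="0"):
        print("FAIL:", f)
```

On a live box, feed it the output of 'iptables-save', the contents of squid.conf and of /proc/sys/net/ipv4/ip_forward; an empty result means the remaining suspect is the return path, which only tcpdump will show.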

J-Rod
June 21st, 2007, 02:13 PM
Wow, now we're getting somewhere. I knew this had roots in my ignorance. :) Since I last posted, I have moved this box to the server room, and hooked it directly to the internet with an external IP. I realized something else: the transparent proxy works, but only when I input a website's IP on the client machine, and not when trying to resolve it via DNS. You have given me some ammo on how to analyze the traffic on an interface; I am going to do some more homework. I'll let you know, and this thread hopefully will help someone else down the road.

J-Rod
June 21st, 2007, 04:40 PM
Well, I am seriously stumped now. Everything is working, with settings that I believe I have tried 100 times over. The only difference is I am using the ISP DNS entries, and the external IP to get out. That *shouldn't* make a difference, but whatever. I was browsing transparently no problem today, and doing a tcpdump on both interfaces, and it all looks great! I can finally get this darn thing running and start seeing who is looking at youtube all day. :)