
Thread: Ubuntu server 10.04 and transparent squid: can share eth0, can't share ppp0


    Ubuntu server 10.04 and transparent squid: can share eth0, can't share ppp0

    Ubuntu 10.04 server, squid 3.2.
    Internet comes in on eth0 or ppp0 and is shared out via wlan0.
    Port 80 is redirected to 3128.
    wlan0 is the local wireless network, 192.168.13.0; its interface IP is fixed to 192.168.13.1.
    The external interfaces - eth0 or ppp0 - are configured by DHCP.


    On eth0 it works smoothly. But once I replace eth0 with ppp0, the machine still works as a gateway, but port 80 requests disappear into the void.

    Please please please help! I've been digging through this for 3 days now, and I'm desperate.


    iptables-save:

    Code:
    # Generated by iptables-save v1.4.4 on Wed Mar 21 05:02:41 2012
    *mangle
    :PREROUTING ACCEPT [425:53881]
    :INPUT ACCEPT [170:14702]
    :FORWARD ACCEPT [213:36719]
    :OUTPUT ACCEPT [95:12714]
    :POSTROUTING ACCEPT [308:49433]
    COMMIT
    # Completed on Wed Mar 21 05:02:41 2012
    # Generated by iptables-save v1.4.4 on Wed Mar 21 05:02:41 2012
    *nat
    :PREROUTING ACCEPT [48:3100]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [6:411]
    -A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 217.118.66.243:53
    -A PREROUTING -i wlan0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 217.118.66.243:53
    -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3128
    -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -o ppp0 -j MASQUERADE
    COMMIT
    # Completed on Wed Mar 21 05:02:41 2012
    # Generated by iptables-save v1.4.4 on Wed Mar 21 05:02:41 2012
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [102:26110]
    :OUTPUT ACCEPT [12:795]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i wlan0 -j ACCEPT
    -A INPUT -j LOG
    -A INPUT -j DROP
    -A FORWARD -i wlan0 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o wlan0 -j ACCEPT
    COMMIT
    squid.conf
    Code:
    cache deny all
    
    acl localnet src 192.168.13.0/24	# RFC1918 possible internal network
    
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    #acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    http_access allow localnet
    http_access allow localhost
    
    # And finally deny all other access to this proxy
    #http_access deny all
    http_access allow all
    
    # Squid normally listens to port 3128
    http_port 192.168.13.1:3128 transparent
    
    # Leave coredumps in the first cache dir
    coredump_dir /usr/local/var/cache/squid
    ifconfig:
    Code:
    eth0      Link encap:Ethernet  HWaddr 50:af:73:12:5e:9c
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:26 Base address:0x6000
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:110 errors:0 dropped:0 overruns:0 frame:0
              TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:11996 (11.9 KB)  TX bytes:11996 (11.9 KB)
    
    mon.wlan0 Link encap:UNSPEC  HWaddr 00-1C-7B-A0-89-02-30-30-00-00-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:31 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2538 (2.5 KB)  TX bytes:0 (0.0 B)
    
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:172.20.10.224  P-t-P:10.64.64.64  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:130 errors:0 dropped:0 overruns:0 frame:0
              TX packets:158 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:29303 (29.3 KB)  TX bytes:13859 (13.8 KB)
    
    wlan0     Link encap:Ethernet  HWaddr 00:1c:7b:a0:89:02
              inet addr:192.168.13.1  Bcast:192.168.13.255  Mask:255.255.255.0
              inet6 addr: fe80::21c:7bff:fea0:8902/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:416 errors:0 dropped:0 overruns:0 frame:0
              TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:40176 (40.1 KB)  TX bytes:66983 (66.9 KB)
    ppp0 is created by wvdial, wlan0 is used by hostapd for access point mode wifi.

    Once again, when eth0 is passed as WAN_iface (the external network) to the script below, everything is perfect.

    The script that resolves the DNS server, gateway, IP and mask and builds the iptables rules (the iptables-save output above is its result):
    Code:
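    #! /bin/sh
    #
    # Build the NAT/firewall rules for a small gateway with a transparent
    # Squid proxy.  LAN_iface is the inside interface (clients), WAN_iface
    # the upstream one (eth0 or ppp0).  TCP port 80 from the LAN is DNATed
    # to Squid on the LAN address, port 3128; DNS from the LAN is DNATed to
    # the first nameserver listed in /etc/resolv.conf.
    #
    # Usage: script LAN_iface WAN_iface        (must run as root)
    #
    # Every existing rule in the filter, nat and mangle tables is flushed
    # before the new set is installed.
    
    LAN_iface=${1:?usage: $0 LAN_iface WAN_iface}
    WAN_iface=${2:?usage: $0 LAN_iface WAN_iface}
    
    # Stop on the first failing command: a half-built ruleset after the
    # flush below is worse than leaving the old one in place.
    set -e
    
    die() {
      printf 'error: %s\n' "$*" >&2
      exit 1
    }
    
    # Dotted-quad pattern used to pick addresses out of ifconfig and
    # resolv.conf output.  Kept quoted everywhere: unquoted it is also a
    # shell glob and could expand against files in the current directory.
    re_addr='[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*'
    re_inet="inet addr: *$re_addr"
    re_mask="mask: *$re_addr"
    
    #######################################
    # Print the first "inet addr:" address of an interface (empty if none).
    # Arguments: $1 - interface name
    #######################################
    iface_ip() {
      ifconfig "$1" | grep -o -i "$re_inet" | grep -o "$re_addr" | head -n 1
    }
    
    #######################################
    # Print the first "Mask:" value of an interface (empty if none).
    # Arguments: $1 - interface name
    #######################################
    iface_mask() {
      ifconfig "$1" | grep -o -i "$re_mask" | grep -o "$re_addr" | head -n 1
    }
    
    printf 'LAN iface: %s\n' "$LAN_iface"
    printf 'WAN iface: %s\n' "$WAN_iface"
    
    LAN_ip=$(iface_ip "$LAN_iface")
    LAN_mask=$(iface_mask "$LAN_iface")
    # The LAN address ends up inside a DNAT target; an empty value would
    # silently turn into "--to :3128", so refuse to continue without it.
    [ -n "$LAN_ip" ] || die "no IPv4 address found on $LAN_iface"
    LAN_net="$LAN_ip/$LAN_mask"
    
    WAN_ip=$(iface_ip "$WAN_iface")
    WAN_mask=$(iface_mask "$WAN_iface")
    [ -n "$WAN_ip" ] || die "no IPv4 address found on $WAN_iface (is it up?)"
    WAN_net="$WAN_ip/$WAN_mask"
    
    printf 'LAN: %s : %s\n' "$LAN_iface" "$LAN_net"
    printf 'WAN: %s : %s\n' "$WAN_iface" "$WAN_net"
    
    # Take the address from the first "nameserver" line only.  Grepping the
    # whole file for a dotted quad could also pick up a comment or a
    # "search" entry, and that value becomes a DNAT target below.
    # NOTE(review): when ppp0 is the uplink, the nameserver handed out by the
    # peer may be written elsewhere (pppd's own resolv.conf) rather than
    # here - confirm /etc/resolv.conf is current after the dial-up comes up.
    DNS_ip=$(grep -m 1 '^nameserver' /etc/resolv.conf | grep -o "$re_addr" | head -n 1)
    [ -n "$DNS_ip" ] || die "no nameserver found in /etc/resolv.conf"
    printf 'DNS: %s\n' "$DNS_ip"
    
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support.  Best effort,
    # as in the original: the modules are usually auto-loaded by the rules
    # below, and their names differ between kernel generations.
    modprobe ip_conntrack || printf 'warning: modprobe ip_conntrack failed\n' >&2
    modprobe ip_conntrack_ftp || printf 'warning: modprobe ip_conntrack_ftp failed\n' >&2
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    printf 'prepared to forward packets\n'
    
    # Default policies: nothing reaches this host or is routed through it
    # unless a rule below allows it.  The original never set a FORWARD
    # policy, so the kernel default (ACCEPT) also let unsolicited packets
    # arriving on the WAN side be routed towards the LAN.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    printf 'forward part1\n'
    
    # Replies to connections this host opened itself (including Squid's
    # upstream fetches) are allowed back in from the WAN.
    iptables -A INPUT -i "$WAN_iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables -t nat -A POSTROUTING -o "$WAN_iface" -j MASQUERADE
    iptables -A FORWARD -i "$LAN_iface" -j ACCEPT
    # ...and let the return traffic of those masqueraded connections through;
    # needed now that FORWARD defaults to DROP.
    iptables -A FORWARD -i "$WAN_iface" -o "$LAN_iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i "$LAN_iface" -j ACCEPT
    iptables -A OUTPUT -o "$LAN_iface" -j ACCEPT
    
    printf 'forward part2\n'
    
    # Clients' DNS queries are sent to the gateway's resolver whatever
    # server they were addressed to.
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport 53 -j DNAT --to %s:53\n' "$LAN_iface" "$DNS_ip"
    iptables -t nat -A PREROUTING -i "$LAN_iface" -p udp --dport 53 -j DNAT --to "$DNS_ip:53"
    
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 53 -j DNAT --to %s:53\n' "$LAN_iface" "$DNS_ip"
    iptables -t nat -A PREROUTING -i "$LAN_iface" -p tcp --dport 53 -j DNAT --to "$DNS_ip:53"
    
    printf 'setting up http redir\n'
    
    # DNAT port 80 requests coming from LAN systems to squid on $LAN_ip:3128
    # (transparent proxy).  Squid must be listening on exactly that
    # address and port for the redirected connections to land anywhere.
    iptables -t nat -A PREROUTING -i "$LAN_iface" -p tcp --dport 80 -j DNAT --to "$LAN_ip:3128"
    
    # if it is same system
    # Note: PREROUTING -i "$WAN_iface" matches packets *arriving* from the
    # upstream side, not traffic this host sends out, so this would expose
    # the redirect to the outside rather than cover local requests.
    #iptables -t nat -A PREROUTING -i $WAN_iface -p tcp --dport 80 -j REDIRECT --to-port 3128
    
    # Log what is left (rate-limited so a port scan cannot flood the log),
    # then drop it.
    iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG
    iptables -A INPUT -j DROP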

    Please, please, please, find a flaw in my setup.


    Re: Ubuntu server 10.04 and transparent squid: can share eth0, can't share ppp0

    Is it OK if I repost it to Networking and Wifi also?
