
Thread: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

  1. #1
    Join Date
    Oct 2013
    Beans
    6

    Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    Hi, I am new (a beginner) to Ubuntu and to Linux in general.

    I have installed Ubuntu Desktop 12.04 LTS on a PC with 2 NICs.

    I have installed and configured an LTSP server with thin clients and it's working well.
    The following are working well:
    LTSP server with thin clients
    DHCP server
    Apache web server
    Apache Tomcat server

    All of the above is working well. LTSP and DHCP are configured on eth1 (2nd NIC - 192.168.2.1).
    eth0 (1st NIC - 192.168.1.13) is connected to an ADSL modem with an always-on broadband connection.




    I have also installed Squid3 and it's working well when eth1 is taken DOWN.
    What I want to do is configure Squid as a transparent proxy to prevent users from viewing / browsing unwanted websites.
    As this is an experiment, I don't want to set up 2 different servers; therefore I am trying to do it on a single one.

    Right now I am not able to browse the internet when both NICs are UP, but if I take eth1 DOWN, then I can browse the internet with the RULES configured in squid.conf.

    Now I want to work with both NICs, as NIC1 (eth0) is used for the internet input and NIC2 is serving as LTSP server / DHCP server / web server / Tomcat server, and I also want to filter my internet connection through the same machine.

    Below is the content of the configuration files you may require to analyze why this combination is not working.


    -----------------------------Files ------------------------------------------------


    ----/etc/network/interfaces-----------------------------------------------------------

    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
    address 192.168.1.13
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

    post-up iptables-restore < /etc/iptables.up.rules

    auto eth1
    iface eth1 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255



    ------------/etc/rc.local--------------------------------------------------------------
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.

    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
    exit 0



    --------------------/etc/iptables.up.rules------------------------------------------------------------------

    *nat

    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Generated by webmin
    *filter
    :ufw-user-limit-accept - [0:0]
    :INPUT ACCEPT [0:0]
    :ufw-after-input - [0:0]
    :ufw-track-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-after-forward - [0:0]
    :FORWARD DROP [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-not-local - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-track-output - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-input - [0:0]
    :ufw-before-input - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-user-forward - [0:0]
    :OUTPUT ACCEPT [0:0]
    :ufw-user-output - [0:0]
    :ufw-before-logging-input - [0:0]
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype -j ufw-skip-to-policy-input --dst-type BROADCAST
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m state --state INVALID -j ufw-logging-deny
    -A ufw-before-input -m state --state INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --dport 68 --sport 67 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -p udp -m udp -d 224.0.0.251/32 --dport 5353 -j ACCEPT
    -A ufw-before-input -p udp -m udp -d 239.255.255.250/32 --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m state -m limit --limit 3/min --limit-burst 10 --state INVALID -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype -j RETURN --dst-type LOCAL
    -A ufw-not-local -m addrtype -j RETURN --dst-type MULTICAST
    -A ufw-not-local -m addrtype -j RETURN --dst-type BROADCAST
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j ACCEPT
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-input -p tcp -m state --state NEW -j ACCEPT
    -A ufw-track-input -p udp -m state --state NEW -j ACCEPT
    -A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
    -A ufw-track-output -p udp -m state --state NEW -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    COMMIT
    # Completed
    # Generated by webmin
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed


    ----/etc/exports------------------------------------------------------

    # /etc/exports: the access control list for filesystems which may be exported
    # to NFS clients. See exports(5).
    #
    # Example for NFSv2 and NFSv3:
    # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
    #
    # Example for NFSv4:
    # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
    # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
    #

    /nfsroot 192.168.2.*(rw,no_root_squash,async,insecure)




    ------------/etc/default/isc-dhcp-server----------------------------------------------------
    # Defaults for dhcp initscript
    # sourced by /etc/init.d/dhcp
    # installed at /etc/default/isc-dhcp-server by the maintainer scripts

    #
    # This is a POSIX shell fragment
    #

    # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
    # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
    INTERFACES="eth1"




    ----------/etc/ltsp/dhcpd.conf--------------------------------------------------------

    #
    # Default LTSP dhcpd.conf config file.
    #

    authoritative;

    subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.120 192.168.2.160;
    option domain-name "example.com";
    option broadcast-address 192.168.2.255;
    next-server 192.168.2.1;
    # get-lease-hostnames true;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/i386";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
    filename "/ltsp/i386/pxelinux.0";
    } else {
    filename "/ltsp/i386/nbi.img";
    }
    }



    ----------------------/etc/squid3/squid.conf--------------------------------------------------------------

    http_port 3128 transparent
    acl LAN src 192.168.2.0/24
    acl localnet src 127.0.0.1/255.255.255.255


    acl blocked_websites dstdomain .msn.com .yahoo.com .facebook.com .twitter.com


    http_access deny blocked_websites

    http_access allow LAN
    http_access allow localnet



    cache_dir ufs /var/spool/squid3 20000 16 256


    --------------------/etc/dhcp/dhcpd.conf------------------------------------------------------------------
    ddns-update-style none;
    default-lease-time 600;
    max-lease-time 7200;
    allow booting;
    allow bootp;

    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;

    subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.120 192.168.2.160;
    next-server 192.168.2.1;

    filename "/pxelinux.0";
    }

    # option definitions common to all supported networks...
    #option domain-name "example.org";
    #option domain-name-servers ns1.example.org, ns2.example.org;



    # If this DHCP server is the official DHCP server for the local
    # network, the authoritative directive should be uncommented.
    #authoritative;

    # Use this to send dhcp log messages to a different log file (you also
    # have to hack syslog.conf to complete the redirection).
    log-facility local7;

    # No service will be given on this subnet, but declaring it helps the
    # DHCP server to understand the network topology.

    #subnet 10.152.187.0 netmask 255.255.255.0 {
    #}

    # This is a very basic subnet declaration.

    #subnet 10.254.239.0 netmask 255.255.255.224 {
    # range 10.254.239.10 10.254.239.20;
    # option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
    #}

    # This declaration allows BOOTP clients to get dynamic addresses,
    # which we don't really recommend.

    #subnet 10.254.239.32 netmask 255.255.255.224 {
    # range dynamic-bootp 10.254.239.40 10.254.239.60;
    # option broadcast-address 10.254.239.31;
    # option routers rtr-239-32-1.example.org;
    #}

    # A slightly different configuration for an internal subnet.
    #subnet 10.5.5.0 netmask 255.255.255.224 {
    # range 10.5.5.26 10.5.5.30;
    # option domain-name-servers ns1.internal.example.org;
    # option domain-name "internal.example.org";
    # option routers 10.5.5.1;
    # option broadcast-address 10.5.5.31;
    # default-lease-time 600;
    # max-lease-time 7200;
    #}

    # Hosts which require special configuration options can be listed in
    # host statements. If no address is specified, the address will be
    # allocated dynamically (if possible), but the host-specific information
    # will still come from the host declaration.

    #host passacaglia {
    # hardware ethernet 0:0:c0:5d:bd:95;
    # filename "vmunix.passacaglia";
    # server-name "toccata.fugue.com";
    #}

    # Fixed IP addresses can also be specified for hosts. These addresses
    # should not also be listed as being available for dynamic assignment.
    # Hosts for which fixed IP addresses have been specified can boot using
    # BOOTP or DHCP. Hosts for which no fixed address is specified can only
    # be booted with DHCP, unless there is an address range on the subnet
    # to which a BOOTP client is connected which has the dynamic-bootp flag
    # set.
    #host fantasia {
    # hardware ethernet 08:00:07:26:c0:a5;
    # fixed-address fantasia.fugue.com;
    #}

    # You can declare a class of clients and then do address allocation
    # based on that. The example below shows a case where all clients
    # in a certain class get addresses on the 10.17.224/24 subnet, and all
    # other clients get addresses on the 10.0.29/24 subnet.

    #class "foo" {
    # match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
    #}

    #shared-network 224-29 {
    # subnet 10.17.224.0 netmask 255.255.255.0 {
    # option routers rtr-224.example.org;
    # }
    # subnet 10.0.29.0 netmask 255.255.255.0 {
    # option routers rtr-29.example.org;
    # }
    # pool {
    # allow members of "foo";
    # range 10.17.224.10 10.17.224.250;
    # }
    # pool {
    # deny members of "foo";
    # range 10.0.29.10 10.0.29.230;
    # }
    #}


    ------------/etc/dhcp3/dhcpd.conf-------------------------------------------------------------------
    ddns-update-style none;
    default-lease-time 600;
    max-lease-time 7200;
    allow booting;
    allow bootp;

    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;


    subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.120 192.168.2.160;
    next-server 192.168.2.1;

    filename "/tftpboot/pxelinux.0";
    }

    # option definitions common to all supported networks...
    option domain-name "example.org";
    option domain-name-servers ns1.example.org, ns2.example.org;



    # If this DHCP server is the official DHCP server for the local
    # network, the authoritative directive should be uncommented.
    #authoritative;

    # Use this to send dhcp log messages to a different log file (you also
    # have to hack syslog.conf to complete the redirection).
    log-facility local7;

    # No service will be given on this subnet, but declaring it helps the
    # DHCP server to understand the network topology.

    #subnet 10.152.187.0 netmask 255.255.255.0 {
    #}

    # This is a very basic subnet declaration.

    #subnet 10.254.239.0 netmask 255.255.255.224 {
    # range 10.254.239.10 10.254.239.20;
    # option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
    #}

    # This declaration allows BOOTP clients to get dynamic addresses,
    # which we don't really recommend.

    #subnet 10.254.239.32 netmask 255.255.255.224 {
    # range dynamic-bootp 10.254.239.40 10.254.239.60;
    # option broadcast-address 10.254.239.31;
    # option routers rtr-239-32-1.example.org;
    #}

    # A slightly different configuration for an internal subnet.
    #subnet 10.5.5.0 netmask 255.255.255.224 {
    # range 10.5.5.26 10.5.5.30;
    # option domain-name-servers ns1.internal.example.org;
    # option domain-name "internal.example.org";
    # option routers 10.5.5.1;
    # option broadcast-address 10.5.5.31;
    # default-lease-time 600;
    # max-lease-time 7200;
    #}

    # Hosts which require special configuration options can be listed in
    # host statements. If no address is specified, the address will be
    # allocated dynamically (if possible), but the host-specific information
    # will still come from the host declaration.

    #host passacaglia {
    # hardware ethernet 0:0:c0:5d:bd:95;
    # filename "vmunix.passacaglia";
    # server-name "toccata.fugue.com";
    #}

    # Fixed IP addresses can also be specified for hosts. These addresses
    # should not also be listed as being available for dynamic assignment.
    # Hosts for which fixed IP addresses have been specified can boot using
    # BOOTP or DHCP. Hosts for which no fixed address is specified can only
    # be booted with DHCP, unless there is an address range on the subnet
    # to which a BOOTP client is connected which has the dynamic-bootp flag
    # set.
    #host fantasia {
    # hardware ethernet 08:00:07:26:c0:a5;
    # fixed-address fantasia.fugue.com;
    #}

    # You can declare a class of clients and then do address allocation
    # based on that. The example below shows a case where all clients
    # in a certain class get addresses on the 10.17.224/24 subnet, and all
    # other clients get addresses on the 10.0.29/24 subnet.

    #class "foo" {
    # match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
    #}

    #shared-network 224-29 {
    # subnet 10.17.224.0 netmask 255.255.255.0 {
    # option routers rtr-224.example.org;
    # }
    # subnet 10.0.29.0 netmask 255.255.255.0 {
    # option routers rtr-29.example.org;
    # }
    # pool {
    # allow members of "foo";
    # range 10.17.224.10 10.17.224.250;
    # }
    # pool {
    # deny members of "foo";
    # range 10.0.29.10 10.0.29.230;
    # }
    #}



    -----------/tftpboot/pxelinux.cfg/default-----------------------------------------------------
    DEFAULT linux
    LABEL linux
    KERNEL vmlinuz-3.5.0-41-generic
    APPEND root=/dev/nfs initrd=initrd.img-3.5.0-41-generic nfsroot=192.168.2.1:/nfsroot ip=dhcp rw
    Last edited by Rajesh_Kumar; October 15th, 2013 at 03:43 AM. Reason: I don't want smilies

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,041
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    The first PREROUTING rule grabs all the outbound HTTP traffic; none of it will hit the rule with the REDIRECT target. You don't need the first rule if Squid is running on the same machine, just the second rule.

    Comment out the first PREROUTING rule and see if that works.

    However, in an LTSP installation, aren't all the clients actually running sessions on the server? If so, I don't think any HTTP traffic will arrive on eth1. If removing the first PREROUTING rule doesn't help, try removing the "-i eth1" parameter as well and let the server send all port 80 traffic to the proxy. I've never used LTSP, so I don't think I can give you more help than that.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
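The rule-ordering point made in the reply above, as an added example that is not from either poster: a small Python model of iptables first-match semantics over the two PREROUTING rules from the original post, with a shadowed-rule check, and a note of which nat chain a packet actually traverses (packets generated on the server itself enter nat OUTPUT, never PREROUTING). The Packet and Rule classes and the sample packets are constructed for illustration.

```python
# Added example, not from the forum thread: a first-match model of the
# nat PREROUTING rules posted in this thread. Packet, Rule and the sample
# packets are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]  # None: generated on the server itself
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None  # None means "any", like omitting -i
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return all(mine is None or mine == theirs for mine, theirs in (
            (self.in_iface, other.in_iface), (self.proto, other.proto),
            (self.dport, other.dport)))

# The two PREROUTING rules in the order they were posted.
DNAT_RULE = Rule("DNAT", in_iface="eth1", proto="tcp", dport=80)
REDIRECT_RULE = Rule("REDIRECT", in_iface="eth1", proto="tcp", dport=80)
POSTED_PREROUTING = [DNAT_RULE, REDIRECT_RULE]
FIXED_PREROUTING = [REDIRECT_RULE]  # post #2's suggestion: drop the DNAT rule

def first_match(chain: List[Rule], pkt: Packet) -> Optional[Rule]:
    """DNAT and REDIRECT are terminating targets: the first match ends the chain."""
    for rule in chain:
        if rule.matches(pkt):
            return rule
    return None

def shadowed(chain: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule covers them."""
    return [r for i, r in enumerate(chain) if any(e.covers(r) for e in chain[:i])]

def nat_decision(prerouting: List[Rule], pkt: Packet) -> str:
    """Which nat chain sees the packet, and which target it hits there."""
    if pkt.in_iface is None:
        # Locally generated traffic (a browser running inside an LTSP session
        # on the server) never enters PREROUTING; it traverses the nat OUTPUT
        # chain, for which the posted ruleset has no rules at all.
        return "OUTPUT:policy"
    hit = first_match(prerouting, pkt)
    return "PREROUTING:" + (hit.target if hit else "policy")

if __name__ == "__main__":
    from_thin_client = Packet("eth1", "tcp", 80)  # constructed sample
    from_server = Packet(None, "tcp", 80)         # constructed sample
    print(shadowed(POSTED_PREROUTING))                        # [the REDIRECT rule]
    print(nat_decision(POSTED_PREROUTING, from_thin_client))  # PREROUTING:DNAT
    print(nat_decision(FIXED_PREROUTING, from_thin_client))   # PREROUTING:REDIRECT
    print(nat_decision(FIXED_PREROUTING, from_server))        # OUTPUT:policy
```

Dropping the "-i eth1" match widens the REDIRECT rule to any ingress interface, but it still only affects forwarded packets; a browser running on the server itself is only reachable through a nat OUTPUT rule.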

  3. #3
    Join Date
    Oct 2013
    Beans
    6

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    Thanks for suggestion. Will try it now and let you know.

  4. #4
    Join Date
    Oct 2013
    Beans
    6

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    Sorry man, it didn't work.

  5. #5
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,041
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    Did you try removing "-i eth1" as well? As I said, in an LTSP setting, I don't think there will be any HTTP traffic arriving on that interface.

  6. #6
    Join Date
    Oct 2013
    Beans
    6

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    I tried all the combinations you suggested here.
    But in the end the result I get is: if both NICs are up, everything runs fine WITHOUT internet.
    If I take down eth1, the INTERNET with squid rules runs fine.

    Following is the output of the route command when both NICs are up

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default vqos1.local 0.0.0.0 UG 0 0 0 eth1
    default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
    link-local * 255.255.0.0 U 1000 0 0 eth1
    192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
    192.168.2.0 * 255.255.255.0 U 1 0 0 eth1

    and following is the output when eth1 is DOWN

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
    default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
    192.168.1.0 * 255.255.255.0 U 0 0 0 eth0

  7. #7
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,041
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    Why do you have two default routes? Did you specify a gateway for eth1? The only gateway this machine should have is the upstream router that connects to the Internet. There should not be a gateway for eth1 unless all the machines connecting via that interface are themselves behind another router.

    It looks like the offending code is the "option routers" directive in /etc/dhcp3/dhcpd.conf. The machines in 192.168.2.0/24 do not need a gateway in order to talk to the server. Since they all share the same subnet, they discover the other machines in the network via broadcasts.

    I think you need to ask this question on an LTSP board where people might have more experience with the problem.
    Last edited by SeijiSensei; October 16th, 2013 at 04:17 PM.
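A check for the two-default-route condition discussed above, as an added example that is not from either poster: it parses the `route` tables posted in reply #6, lists competing default routes in the order the kernel prefers them (lowest metric first), and reports whether the preferred one leaves via the expected WAN interface. WAN_IFACE = "eth0" is an assumption taken from the original post, where eth0 is the ADSL side.

```python
# Added example, not from the forum thread: parse `route` output and flag
# competing default routes. The two sample tables are copied from post #6;
# WAN_IFACE is an assumption (eth0 is the ADSL side in post #1).
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Route:
    destination: str
    gateway: str
    flags: str
    metric: int
    iface: str

def parse_route_table(text: str) -> List[Route]:
    """Parse `route` output (Destination Gateway Genmask Flags Metric Ref Use Iface)."""
    routes = []
    for line in text.strip().splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue  # skip the "Kernel IP routing table" banner and the header row
        routes.append(Route(cols[0], cols[1], cols[3], int(cols[4]), cols[7]))
    return routes

def default_routes(routes: List[Route]) -> List[Route]:
    """Default routes in the order the kernel prefers them: lowest metric first."""
    return sorted((r for r in routes if r.destination == "default"),
                  key=lambda r: r.metric)

def check_default_gateway(text: str, wan_iface: str) -> List[str]:
    """Findings for one routing table; empty means one default route on wan_iface."""
    findings = []
    defaults = default_routes(parse_route_table(text))
    if not defaults:
        return ["no default route at all"]
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(
            f"{r.gateway} via {r.iface} (metric {r.metric})" for r in defaults))
    winner = defaults[0]
    if winner.iface != wan_iface:
        findings.append(f"preferred default route leaves via {winner.iface} "
                        f"(gateway {winner.gateway}), not the WAN side {wan_iface}")
    return findings

WAN_IFACE = "eth0"  # assumption: the interface facing the ADSL modem

BOTH_UP = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default vqos1.local 0.0.0.0 UG 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
link-local * 255.255.0.0 U 1000 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 1 0 0 eth1
"""

ETH1_DOWN = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
"""

if __name__ == "__main__":
    for name, table in (("both NICs up", BOTH_UP), ("eth1 down", ETH1_DOWN)):
        print(name, check_default_gateway(table, WAN_IFACE) or ["ok"])
```

With both NICs up the metric-0 default route on eth1 wins over the metric-100 one on eth0, so Squid's own upstream connections are sent out of the LAN interface; with eth1 down both remaining defaults point at 192.168.1.1 on eth0.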

  8. #8
    Join Date
    Oct 2013
    Beans
    6

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    Thanks for the suggestion. I will remove the option routers statement and then will check.

  9. #9
    Join Date
    Oct 2013
    Beans
    6

    Re: Transparent proxy with Squid3 is not running when both NIC are UP Ubuntu 12.04

    It's not working though.
    I am unable to understand from where it is initiated to make eth1 the default.
    I think the whole problem is in routing / NAT,
    and I am far away from its deep knowledge.
