
[SOLVED] Transparent proxy server



supan00b
April 10th, 2012, 12:06 PM
Hi,

I am new to linux and would like to setup a transparent proxy server.

I have googled and I have tried to set it up by myself; however,
I seem to be doing it wrong :(

Here is my squid.conf (I am using squid3)



acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl lan src 192.168.1.1-192.168.1.254
acl blockedsites url_regex -i "/etc/squid3/blockedsites"
acl dontcache url_regex -i "/etc/squid3/dontcache"
acl dontblock url_regex -i "/etc/squid3/dontblock"

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow dontblock
http_access deny blockedsites
http_access allow lan
http_access allow localhost
http_access deny all
http_port 3128 transparent
http_port 80 vhost
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid3 2000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_body_max_size 500 MB
cache_effective_user administrator
cache_effective_group root


I then added

iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

but it does not seem to be working.
I only have one network card eth0
and my proxy servers address is 192.168.1.200 and my routers address is 192.168.1.254

thanks in advance.

SeijiSensei
April 10th, 2012, 03:14 PM
Try making the proxy server the default gateway on your client. In the arrangement you have now, the outbound traffic goes to the router and is sent directly to the Internet. You may need to enable packet forwarding in /etc/sysctl.conf on the proxy server; I don't know if that applies to machines with just one NIC. I only build proxy servers with two NIC cards, one pointing to the internal LAN network and the other to the external network and Internet. Then I make the proxy server the default gateway.

Your router should allow you to change the default gateway it hands out in reply to DHCP requests. If you can't do that, you'll probably need to use static IP assignments on the clients, or set up dhcpd on the proxy server and disable it on the router.

supan00b
April 11th, 2012, 01:37 PM
Hi, I have set my default gateway to 192.168.1.200. I am still getting "Internet Explorer cannot display the webpage".

I then added the net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 to the /etc/sysctl.conf

Still have the same problem. I had it working briefly yesterday and managed to google, but when I clicked on the link it stopped working.

supan00b
April 11th, 2012, 01:43 PM
/etc/iptables.up.rules


# Generated by iptables-save v1.4.10 on Tue Apr 10 10:38:30 2012
*mangle
:PREROUTING ACCEPT [546:32435]
:INPUT ACCEPT [542:32307]
:FORWARD ACCEPT [14:1235]
:OUTPUT ACCEPT [588:173040]
:POSTROUTING ACCEPT [603:174307]
COMMIT
# Completed on Tue Apr 10 10:38:30 2012
# Generated by iptables-save v1.4.10 on Tue Apr 10 10:38:30 2012
*nat
: PREROUTING ACCEPT [3:167]
: INPUT ACCEPT [3:167]
: OUTPUT ACCEPT [0:0]
: POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

If I go to Internet Explorer and add proxy settings 192.168.1.200:80/3128 I can browse no problem, but if I remove these settings I am back to "page cannot be displayed".

SeijiSensei
April 11th, 2012, 02:06 PM
Try removing "-i eth0" or, if that doesn't help, replace it with "-i eth0 -o eth0" since you have only one interface.

If you have a spare network card, I'd consider adding a second interface to this box with one card pointing to your internal network and the other pointing to the router. You'll have to change the IP subnets for one or the other, and either install dhcpd on the proxy server to hand out addresses or use a static IP on your client.

You did reboot after changing /etc/sysctl.conf, I assume?

supan00b
April 11th, 2012, 02:43 PM
Yes, I did restart, sorry, forgot to add that.

I tried without the "-i eth0" and it did not work; when I tried to add "-i eth0 -o eth0" I got this error.

iptables -t nat -I PREROUTING 1 -i eth0 -o eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables v1.4.4: Can't use -o with PREROUTING

SeijiSensei
April 11th, 2012, 02:59 PM
Well, I'm out of ideas because, as I say, I've never tried to implement this on a proxy with just one NIC.

iponeverything
April 11th, 2012, 03:02 PM
Set your proxy server not to listen to or send ICMP redirects.

If your primary router supports it, WCCP is a good, clean solution to the problem.

supan00b
April 11th, 2012, 03:11 PM
OK, I am going to add a network card to this machine.
What do I do then?

iponeverything
April 11th, 2012, 03:16 PM
OK, I am going to add a network card to this machine.
What do I do then?

http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

supan00b
April 11th, 2012, 08:49 PM
So now that I have installed an additional network card I have to redo the server from scratch?? Surely not?
The proxy server is working; all I need to do is get the iptables/port forwarding working correctly.


Is this the only way I can do this now?

SeijiSensei
April 11th, 2012, 10:49 PM
So now that I have installed an additional network card I have to redo the server from scratch?? Surely not?

If the Internet facing interface is eth0 with address 192.168.1.10, then add this rule to iptables:


iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.10

If eth1 faces the Internet replace eth0 with eth1 and set the --to entry to the matching IP address.

The proxy should have a route to the default gateway that points to your router, but it probably has that already if you can use the proxy from behind the server.

newbie-user
April 11th, 2012, 11:06 PM
Here's my iptables with eth0 as the external NIC and eth1 as the internal NIC. I think you need to add masquerading to yours. Also, I don't have the port 80 vhost line in my squid.conf (I don't know if that makes any difference).


# Generated by iptables-save v1.4.4 on Sun Mar 25 00:59:06 2012
*nat
:PREROUTING ACCEPT [269:27947]
:POSTROUTING ACCEPT [27:1842]
:OUTPUT ACCEPT [21:1418]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 172.25.0.0/21 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Mar 25 00:59:06 2012
# Generated by iptables-save v1.4.4 on Sun Mar 25 00:59:06 2012
*filter
:INPUT ACCEPT [174:44247]
:FORWARD ACCEPT [190:19150]
:OUTPUT ACCEPT [3812:271768]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Mar 25 00:59:06 2012
# Generated by iptables-save v1.4.4 on Sun Mar 25 00:59:06 2012
*mangle
:PREROUTING ACCEPT [75435:92605434]
:INPUT ACCEPT [31172:44716208]
:FORWARD ACCEPT [44241:47887457]
:OUTPUT ACCEPT [3813:271868]
:POSTROUTING ACCEPT [48054:48159325]
COMMIT
# Completed on Sun Mar 25 00:59:06 2012

Lol at the smilies. How do you set it so the post doesn't automatically do smilies?

SeijiSensei
April 11th, 2012, 11:10 PM
MASQUERADE and SNAT have essentially the same effect. I've used both.

I'm not sure why you have all those ACCEPT rules since your default INPUT policy is also ACCEPT. If you make the default policy DROP, then you need ACCEPT rules for the services you wish to permit, as well as for things like ESTABLISHED,RELATED traffic. On any Internet-facing machine, the default should definitely be DROP.

In the OP's case, the proxy server is behind a masquerading router, so having a policy of ACCEPT is fine as long as he/she can trust the users on the LAN.

newbie-user
April 11th, 2012, 11:20 PM
MASQUERADE and SNAT have essentially the same effect. I've used both.

I'm not sure why you have all those ACCEPT rules since your default INPUT policy is also ACCEPT. If you make the default policy DROP, then you need ACCEPT rules for the services you wish to permit, as well as for things like ESTABLISHED,RELATED traffic. On any Internet-facing machine, the default should definitely be DROP.

In the OP's case, the proxy server is behind a masquerading router, so having a policy of ACCEPT is fine as long as he/she can trust the users on the LAN.

I thought "-A INPUT -i eth0 -j DROP" drops everything not previously allowed?

SeijiSensei
April 12th, 2012, 12:56 AM
Yes, that's another alternative. I missed that line in your configuration.

The FORWARD rules might be redundant given the policy.

If you run "iptables -L -nv" you'll see counts of the number of times each rule has been hit. If you find ones with zero packets, either you've never had any traffic that matched that rule, or the rule isn't being matched because rules above it have already taken effect. That's a good method for evaluating a ruleset, though you need to let the machine run a while to get a good sample of traffic.

If you're curious to see what you're blocking, you can add this rule above the DROP rule to log packets that will be dropped:



iptables -A INPUT -i eth0 -j LOG
iptables -A INPUT -i eth0 -j DROP


The LOG target doesn't intercept the packets; it just writes entries to syslog. The matching packets will still be dropped by the following rule.

To get rid of the smilies, you need to click the Advanced button in the composer and check the "disable smilies" box. Unfortunately there's no global option to disable them, nor is there a global option to disable adding markup to URLs. However if you put the text inside
tags, there won't be any smilies.
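The two checks in the post above (rules with a zero hit count, and a LOG rule sitting directly above the DROP it documents) can be scripted against the output of "iptables -L -nv". The following is an added example, not code from anyone in this thread; the listing it parses is a constructed sample in the same column layout as "iptables -L -nv", not counters from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit "iptables -L -nv" output.
# Flags rules whose packet counter is still zero, and DROP rules that are not
# preceded by a LOG rule on the same input interface.

# Constructed sample listing in "iptables -L -nv" layout
# (pkts bytes target prot opt in out source destination ...).
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 174 packets, 44247 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  300 24000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            127.0.0.0/8
 4100  512K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   57  3420 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
   57  3420 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 190 packets, 19150 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# zero_hit_rules LISTING: print CHAIN:RULENUM:TARGET for every rule with 0 packets.
# A zero counter means either no matching traffic yet, or an earlier rule shadows it.
zero_hit_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /          { chain = $2; n = 0; next }
        /^ *pkts +bytes/   { next }
        NF == 0            { next }
        { n++; if ($1 == 0) printf "%s:%d:%s\n", chain, n, $3 }'
}

# unlogged_drops LISTING: print CHAIN:RULENUM for DROP rules that are not
# immediately preceded by a LOG rule on the same input interface, i.e. drops
# that leave no trace in syslog.
unlogged_drops() {
    printf '%s\n' "$1" | awk '
        /^Chain /          { chain = $2; n = 0; prev = ""; prev_in = ""; next }
        /^ *pkts +bytes/   { next }
        NF == 0            { next }
        {
            n++
            if ($3 == "DROP" && !(prev == "LOG" && prev_in == $6)) printf "%s:%d\n", chain, n
            prev = $3; prev_in = $6
        }'
}

# On a live host (as root) you would pass the real listing instead:
#   zero_hit_rules "$(iptables -L -nv)"
zero_hit_rules "$SAMPLE_COUNTERS"
unlogged_drops "$SAMPLE_COUNTERS"
```

On the sample, the never-hit rules are the loopback-spoofing DROP in INPUT and both FORWARD rules, and the one DROP without a LOG above it is that same INPUT rule; the eth0 LOG/DROP pair from the post is reported as fine.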

supan00b
April 13th, 2012, 09:09 AM
OK, I have installed the additional network card: eth0=LAN internal (192.168.1.200), eth1=Internet external (192.168.1.250).

I added

iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.1.250

and it still does not work. Any ideas?

supan00b
April 13th, 2012, 09:57 AM
/etc/network/interfaces



# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.200
netmask 255.255.255.0

auto eth1
iface eth1 inet static
address 192.168.1.250
netmask 255.255.255.0
gateway 192.168.1.254


/etc/iptables.up.rules


# Generated by iptables-save v1.4.4 on Fri Apr 13 09:25:10 2012
*mangle
:PREROUTING ACCEPT [137:14208]
:INPUT ACCEPT [88:9088]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:31671]
:POSTROUTING ACCEPT [78:31671]
COMMIT
# Completed on Fri Apr 13 09:25:10 2012
# Generated by iptables-save v1.4.4 on Fri Apr 13 09:25:10 2012
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.250
COMMIT
# Completed on Fri Apr 13 09:25:10 2012
# Generated by iptables-save v1.4.4 on Fri Apr 13 09:25:10 2012


/etc/sysctl.conf


#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1




/etc/rc.local


#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0


The only things I have added to squid3 are



http_access allow lan
http_access deny all
http_port 3128 transparent
http_port 80 vhost
acl lan src 192.168.1.1-192.168.2.0

darkod
April 13th, 2012, 02:00 PM
OK, I have installed the additional network card: eth0=LAN internal (192.168.1.200), eth1=Internet external (192.168.1.250).

I added


and it still does not work. Any ideas?

I don't think you can set it like this. There is no point having IPs from the same subnet on both interfaces.

Your interface towards your router would have the 192.168.1.200 for example, but your interface towards your home network something like 10.0.0.1. And then that will be the gateway for the machines on your home network.

supan00b
April 13th, 2012, 09:35 PM
Problem solved; it seems to have been something in squid3.
I will go through the config and let you know where I went wrong.
Thanks for all the help, guys.

newbie-user
April 14th, 2012, 03:10 PM
Just a few things to point out...

First, you need to enable forwarding in /etc/sysctl.conf. Uncomment the line "#net.ipv4.ip_forward=1".

Second, as darkod pointed out, your NICs are on the same subnet. Your external NIC should have a dynamic ip address provided by your ISP. So for your external interface, comment out all the static ip stuff and change the line "iface eth1 inet static" to "iface eth1 inet dhcp" unless you have a static ip from your ISP.

Third, this is related to the second point, you'll have to edit your iptables.up.rules file and change the SNAT line to account for your correct external ip address. If you have a dynamic ip as your external ip, then use the masquerade line from the iptables.rules file I posted earlier.

Fourth, squid reads rules from top to bottom, so you need to put your acl above your http_access rule. Also, fix your acl to read "acl lan src 192.168.1.1 192.168.1.254". With a subnet of 255.255.255.0, you can't have more than 253 usable ip addresses in the range.

supan00b
April 16th, 2012, 06:52 AM
I seem to have set it to AUTHORIZE somehow, no idea how that happened.

Internet is working perfectly through the transparent proxy and I can restrict and view the log files as well.

However, I am unable to check mail through the proxy server. Is this a proxy setting?

supan00b
April 16th, 2012, 12:40 PM
I tried the following


# Generated by iptables-save v1.4.4 on Mon Apr 16 13:30:33 2012
*mangle
:PREROUTING ACCEPT [385:36575]
:INPUT ACCEPT [276:25605]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [149:44467]
:POSTROUTING ACCEPT [149:44467]
COMMIT
# Completed on Mon Apr 16 13:30:33 2012
# Generated by iptables-save v1.4.4 on Mon Apr 16 13:30:33 2012
*nat
:PREROUTING ACCEPT [142:15765]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -d 192.168.1.254/32 -p tcp -m tcp --dport 110 -j MASQUERADE
COMMIT
# Completed on Mon Apr 16 13:30:33 2012
# Generated by iptables-save v1.4.4 on Mon Apr 16 13:30:33 2012
*filter
:INPUT ACCEPT [276:25605]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [149:44467]
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Apr 16 13:30:33 2012

and

echo 1 > /proc/sys/net/ipv4/ip_forward

which seemed to solve my problem; however, now it seems to be bypassing my proxy server, it seems to ignore the proxy server completely.

newbie-user
April 16th, 2012, 04:43 PM
The masquerade line is not correct. That line should read:

-A POSTROUTING -s [your internal network CIDR] -o [external interface] -j MASQUERADE

Masquerading means that your gateway server makes all outgoing requests look like the server itself is making those requests.

Also, you don't need to set forwarding rules for ports pop3 and smtp unless you are hosting a mail server within your internal lan.

supan00b
April 16th, 2012, 05:16 PM
So if my eth0 address is 192.168.1.200 it should read

-A POSTROUTING -s 192.168.1.200/32 -o eth0 -j MASQUERADE


-A POSTROUTING -d 192.168.1.254/32 -p tcp -m tcp --dport 110 -j MASQUERADE

is that correct?

SeijiSensei
April 16th, 2012, 05:25 PM
I'd use a subnet declaration rather than specifying a host. Replace "-s 192.168.1.200/32" with "-s 192.168.1.0/24". That way if you connect another client machine with a different address in the subnet, the same rule will apply.

A more generic rule would be


# -i is not accepted in POSTROUTING (iptables rejects it, just as it rejects -o in PREROUTING), so match only on the outbound interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

which masquerades all traffic arriving on the LAN-facing interface.

More generally, your Squid proxy is only handling web requests. It plays no role in connections to other services like mail. That's why you need to masquerade the outbound connections so client machines can talk to remote servers on ports like 25 (SMTP) or 143 (IMAP).
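Pulling the thread's advice together (separate subnets on the two NICs, REDIRECT only port 80 from the LAN into Squid, MASQUERADE everything else out of the external interface, and ip_forward on), here is an added example script that is not from any poster in the thread. The interface names, the 10.0.0.0/24 LAN subnet, the external address 192.168.1.250 and port 3128 are assumptions chosen to match the layout darkod and newbie-user describe.

```shell
#!/bin/sh
# Added example (not from the thread): generate the NAT rules for a two-NIC
# transparent Squid box and sanity-check the address layout first.
# Assumed layout: eth0 faces the LAN (10.0.0.0/24), eth1 faces the router
# (192.168.1.250); Squid listens on port 3128 in transparent mode.

# ip_in_cidr IP CIDR: succeed if the IPv4 address lies inside the CIDR block.
# Uses integer division instead of bitwise ops, which POSIX awk does not have.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,    o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, p, "/")
            hostspace = 2 ^ (32 - p[2])
            exit ((int(toint(ip) / hostspace) == int(toint(p[1]) / hostspace)) ? 0 : 1)
        }'
}

# check_layout LAN_CIDR WAN_IP: refuse the single-subnet layout the thread ran into,
# where both NICs sat in 192.168.1.0/24 and the kernel had nothing to route between.
check_layout() {
    if ip_in_cidr "$2" "$1"; then
        echo "external address $2 lies inside the LAN subnet $1; give the LAN its own subnet" >&2
        return 1
    fi
    return 0
}

# render_nat_rules LAN_IF LAN_CIDR WAN_IF PROXY_PORT: print an iptables-restore
# fragment for the nat table.
render_nat_rules() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Port-80 traffic arriving from the LAN is diverted into Squid's transparent port.
    # Matching the LAN source as well keeps anything else from being redirected.
    printf '%s\n' "-A PREROUTING -i $1 -s $2 -p tcp --dport 80 -j REDIRECT --to-ports $4"
    # Everything else the LAN sends (POP3, SMTP, IMAP, ...) never touches Squid;
    # it is forwarded and source-NATed out of the external interface instead.
    printf '%s\n' "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Run with --apply (as root) to load the rules; otherwise only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
    check_layout 10.0.0.0/24 192.168.1.250 || exit 1
    sysctl -w net.ipv4.ip_forward=1
    render_nat_rules eth0 10.0.0.0/24 eth1 3128 | iptables-restore --noflush
fi
```

The layout check is what would have caught the 192.168.1.200 / 192.168.1.250 configuration posted earlier: with the external address inside the LAN subnet, the script refuses to render rules at all. The MASQUERADE rule is keyed on the LAN source and the outbound interface, as newbie-user's corrected line has it, rather than on a destination and port.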

supan00b
April 16th, 2012, 08:15 PM
Thanks, guys, for all your help. It's working perfectly.