[squid-users] HELP WITH IPTABLES !! from A.C.A.R.A\ on 2005-08-31 (squid-users)

From: A.C.A.R.A\ <dmantelli@dont-contact.us>
Date: Wed, 31 Aug 2005 15:40:01 -0300

Hi my name is Damian, I am from Argentina and I am a member of mailing list
of SQUID users.
I want that all the traffic of my local net goes across my SQUID proxy
server. I want to say that all the packages will be forwarded to the port
3128 of my Squid Server.
maybe you can help me.

Here it is an example of my current Net in my office

-->LocalNet 192.168.0.1/27----ETH0--> (SQUID 192.168.0.28:3128 SERVER)<--
ETH1 -->INTERNET

I have ready set up a couple of rules with Iptables, but I can?t understand
what I am doing wrong.

I want that HTTP, HTTPS, MSN, POP3, SMTP all of these ports, and others
without much importance will be forwarded across my Squid proxy server.

Here are the rules.

#|/bin/sh

#Cargamos los Modulos de Kernel necesarios:
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

#Habilitamos el reenvio de direcciones IP

#if [ -e /proc/sys/net/ipv4/ip_forward ]; then
# echo 0 > /proc/sys/net/ipv4/ip_forward
#fi

echo "1" > /proc/sys/net/ipv4/ip_forward

# Estableciendo politica de reenvio del enmascaramiento
/sbin/iptables -t filter -P FORWARD DROP

# Reenvio de trafico interno-externo y externo-interno
/sbin/iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.0/255.255.255.0 -o
eth0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.0.0/255.255.255.0 -j ACCEPT

#Enmascaramiento del todo el trafico saliente, NOTA: la salida a internet es
por la interfaz eth1
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#No Enmascaramos trafico Externo
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d 0/0 -j ACCEPT

#Permitir al trafico de la red interna ir a donde sea
/sbin/iptables -t filter -A INPUT -s 192.168.0.0/255.255.255.0 -d 0/0 -j
ACCEPT
/sbin/iptables -t filter -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 0/0 -j
ACCEPT
/sbin/iptables -t filter -A OUTPUT -p icmp -s 192.168.0.0/255.255.255.0 -d
0/0 -j ACCEPT

#Re-direccionamiento hacia el puerto 3128 (Donde escucha el SQUID las
peticiones)
#Para cualquier peticion originada desde la red local hacia servicios que
utilicen protocolos
#HTTP, HTTPS, FTP. Pueden anadirse mas re-direccionamientos a discrecion del
administrador
#Nota: Recordamos que la red local se accede con la interfaz eth0

#HTTP
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
REDIRECT --to-port 3128

#POP3
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j
REDIRECT --to-port 3128

#SMTP
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j
REDIRECT --to-port 3128

#HTTPS
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j
REDIRECT --to-port 3128

#MSN
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j
REDIRECT --to-port 3128

#FTP
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j
REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j
REDIRECT --to-port 3128

#END OF THE RULES

And here it is an example of my squid.conf file
____________________________________________________________________________
____________________

http_port 3128
icp_port 0

#no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /var/spool/squid 700 16 256
redirect_rewrites_host_header off
dns_nameservers 192.168.0.2
icon_directory /usr/share/squid/icons
cache_replacement_policy GDSF

#Habilitacion de Puertos seguros
acl SSL_ports port 443 8443 563 777
acl Safe_ports port 25 80 110 443 563 777 1863 210 119 70 21 1025-65535
acl CONNECT method CONNECT

#Autentificacion de usuario para salida http
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/.password
auth_param basic children 5
auth_param basic realm ACARA Proxy Server - TODO ACCESO A LA RED QUEDA
REGISTRADO

# Uncommented by GH 24/09/03 for password authentication and blocking exe
zip gz bz2 mp3 mpg mpeg ram rpm avi plus more
acl password proxy_auth REQUIRED
acl download urlpath_regex -i "/etc/squid/downloadeny.txt"

# GH 24/09/03
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl redlocal src "/etc/squid/redlocal"

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
# acl our_networks src 192.168.1.0/24 192.168.2.0/24
# http_access allow our_networks
# Used to block downloads and allow other users - GH 07/01/03

http_access allow password
http_access allow localhost
http_access allow redlocal
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny download
http_access deny all

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#cache control
acl NOCACHE urlpath_regex -i \.php
no_cache deny NOCACHE

cache_mgr dmantelli@acara.org.ar
cache_effective_user squid
cache_effective_group squid
log_icp_queries off

buffered_logs on

#END OF SQUID.CONF FILE
____________________________________________________________________________
________________________________________

Pardon for the inconveniences.

Thanks you very much for your help.

Damian Mantelli
ARGENTINA
Received on Wed Aug 31 2005 - 12:39:33 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Sep 01 2005 - 12:00:03 MDT