Solved

Transparent Proxy Server - Error when redirecting port 80 to port 3128 on the Squid Machine

Posted on 2004-11-21
Medium Priority
11,445 Views
Last Modified: 2010-03-18
I have SQUID and IPTABLES running on a machine.  Squid works quite nicely when I tell my web browser to use the SQUID machine's IP address and port.

When I realized I would have to change every workstation on the network and people could still sneak into the setting and remove the proxy settings, it was suggested that I use Transparent Proxying and redirect all of the port 80 destined traffic to port 3128 on the Squid machine.

When I add the line:  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128, all web browsers on the network return the following screen from the SQUID machine.

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: /

The following error was encountered:

Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:

Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed
Your cache administrator is root.



--------------------------------------------------------------------------------

Generated Sun, 21 Nov 2004 17:42:43 GMT by alcatraz (squid/2.5.STABLE5)

*******************************************************

It appears that somehow during the translation the URL goes missing, judging by the "WHILE TRYING TO RETRIEVE THE URL: /" line.  If I hover my mouse over the / in that message, it shows me the URL of the site I typed into the address line of the browser.

Anyhow, could the problem also stem from NAT being done later down the line at my border router to the internet?  I doubt it, it seems like a squid problem.

Any suggestions?  I have read some documents that talked about compiling a kernel with certain options.

I'm running FEDORA 2, which has the 2.6 kernel, and I of course installed with the normal procedure from ISO CD images.  I'm scared to recompile a kernel.

Thanks,

Deeky
Question by:deeky
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12639662
Where are you applying the iptables rule? On the Squid box or the gateway router?

To work the transparent proxy rule must be applied on the default gateway for the local LAN. If that system is not the box running Squid the rule must do a redirect to the port 3128 on the SQUID machines IP. However if you are using the Squid box as a default gateway then it needs to be NAT'ing the local network.

Author Comment

by:deeky
ID: 12639818
The Squid Box is my Gateway Router, which is also running Iptables (this is all one machine I call a firewall).  It has 4 NICs: 1 to the internet router, 1 to the PRIVATE LAN, 1 to the PUBLIC WIRELESS, 1 to the WEB/MAIL server.  I'm only concentrating on two NICs: the one between the Internet Router and the Firewall, and the one between the PRIVATE LAN and the firewall.

I'm trying to get all internet traffic on the PRIVATE LAN, which is going to the firewall anyway because it is the default gateway, to use the SQUID port 3128 instead of the standard port 80.

Somehow, my redirect is not working properly, because squid works if I point each of my client browsers to the Firewall at port 3128.  The redirect is doing something, because I get the above error generated by squid, so it is moving the packet to port 3128.  Is there another port that needs to be open for a reply connection?

Deeky
LVL 40

Expert Comment

by:jlevie
ID: 12639931
Is the box NAT'ing the interior IP's?

Could I see the iptables commands you use to set up the firewall?

Author Comment

by:deeky
ID: 12639995
No, the only other NAT'ing is done on a Cisco 1720 on the border between us and the internet.

Here are the IPTABLES:

# Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect PRIVATE LAN to PROXY SERVER for port 80 Traffic
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed Nov 17 20:12:27 2004
# Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
*mangle
:PREROUTING ACCEPT [18829:9159599]
:INPUT ACCEPT [8426:862853]
:FORWARD ACCEPT [10401:8296650]
:OUTPUT ACCEPT [8500:860136]
:POSTROUTING ACCEPT [18747:9144950]
COMMIT
# Completed on Wed Nov 17 20:12:27 2004
# Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -o eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_IN:
-A INPUT -i lo -j ACCEPT
# Allow Web Traffic Established Back into FIREWALL
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
# Allow LAN access to Internet
-A FORWARD -m state -s 192.168.1.0/255.255.255.0 -i eth0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state -i eth1 -o eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Output Packets from FIREWALL MACHINE (SQUID)
-A OUTPUT -m state -o eth1 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow Email Server Access to INTERNET Outgoing
-A FORWARD -m state -s 192.168.50.5/255.255.255.0 -i eth2 -o eth1 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow Mailserver Internet Access INCOMING
-A FORWARD -m state -i eth1 -o eth2 --state ESTABLISHED,RELATED -j ACCEPT
# Allow Border Router To Send SYSLOG to Zeus on Private Lan
-A FORWARD -p udp -m udp -s 192.168.100.2 -d 192.168.1.5 -i eth1 -o eth0 --dport 514 -j ACCEPT
# Allow DNS Queries to ZEUS
-A FORWARD -p udp -m udp -m multiport --ports 53 -j ACCEPT
# Allow DNS Replies from ZEUS
-A INPUT -p udp -m udp -m multiport -s 192.168.1.5/255.255.255.0 -d 192.168.1.1/255.255.255.0 -i eth0 --ports 53 -j ACCEPT
# Allow Firewall to transmit DNS request to ZEUS
-A OUTPUT -p udp -m udp -m multiport -s 192.168.1.1/255.255.255.0 -d 192.168.1.5/255.255.255.0 -o eth0 --ports 53 -j ACCEPT
# Accept SQUID requests from PRIVATE LAN
-A INPUT -p tcp -m tcp -m state -s 192.168.1.0/255.255.255.0 -i eth0 --dport 3128 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Permit SQUID function
-A OUTPUT -m state -o eth0 --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

Deeky

Author Comment

by:deeky
ID: 12640453
Hello:

I eliminated the firewall from the equation, so I realized I needed to focus more on the squid configuration.

I figured out the problem.  I had missed these four key lines in the squid.conf file.  Apparently they make the difference.  They were:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

They all need to be on.

I learned this from several other posts in the forum, but I didn't think they applied to my situation.  Apparently they do.

Since I solved my problem, now I have a related question, can somebody tell me what these 4 lines are doing?

Strange: without them, as I stated before, the web browser on the client side would not "pick up" a URL.  What is accel doing?  It sounds like it makes it faster?

Thanks,

Deeky

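The thread never answers the question of what those four httpd_accel_* lines do, so here is an added example, not from the original post and not Squid's own code, that models the behaviour they change in Squid 2.5. A browser that is explicitly configured to use a proxy sends the absolute form of the request (GET http://host/path HTTP/1.1). A connection that iptables has REDIRECTed was never meant for a proxy, so it carries only the origin form (GET /path HTTP/1.1) plus a Host header; a plain proxy sees "/" with no hostname and produces exactly the "Invalid URL" page quoted above. httpd_accel_host virtual tells Squid to complete such requests using the connection's original destination, httpd_accel_port 80 is the port it assumes for that, httpd_accel_uses_host_header on makes it prefer the client's Host header, and httpd_accel_with_proxy on keeps normal proxy-style requests working at the same time. The function names, the config dicts, the sample requests and the original_dst parameter (standing in for the address Squid recovers from the intercepted socket) are this example's own assumptions, and the sample requests are constructed, not captured traffic.

```python
"""Model of how Squid 2.5 derives the URL to fetch from a raw HTTP request,
with and without the httpd_accel_* directives from the post above.

Added example: this is not Squid's own code and not from the original
thread. squid_url/try_squid_url, the config dicts and the sample requests
are this example's own names; `original_dst` stands in for the address
Squid recovers from the intercepted (REDIRECTed) socket.
"""


class InvalidURL(Exception):
    """Corresponds to Squid's 'Invalid URL' error page."""


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers).

    Header names are lower-cased; the body, if any, is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise InvalidURL(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def squid_url(raw: bytes, original_dst: str, *, accel_host=None, accel_port=80,
              accel_with_proxy=False, accel_uses_host_header=False) -> str:
    """Return the URL Squid would try to retrieve for this request.

    Keyword arguments mirror the squid.conf directives:
      accel_host              httpd_accel_host (None = directive absent, plain proxy;
                              "virtual" = use the connection's original destination)
      accel_port              httpd_accel_port
      accel_with_proxy        httpd_accel_with_proxy
      accel_uses_host_header  httpd_accel_uses_host_header
    """
    method, target, version, headers = parse_request(raw)

    # Absolute form ("GET http://www.example.com/ HTTP/1.1"): what a browser
    # sends when it is explicitly configured to use a proxy.
    if target.lower().startswith(("http://", "https://")):
        if accel_host is not None and not accel_with_proxy:
            raise InvalidURL("accelerator-only mode: proxy-style request refused")
        return target

    # Origin form ("GET / HTTP/1.1"): what a browser sends to what it believes
    # is the origin server, so this is all an intercepted connection carries.
    # Without httpd_accel_host there is no hostname to complete it with.
    if not target.startswith("/"):
        raise InvalidURL(f"unsupported request target {target!r}")
    if accel_host is None:
        raise InvalidURL(f"Missing hostname while trying to retrieve the URL: {target}")

    host = headers.get("host") if accel_uses_host_header else None
    if host is None:
        # No usable Host header (HTTP/1.0 clients may omit it): fall back to
        # the accelerated host, which for "virtual" is the original destination.
        host = original_dst if accel_host == "virtual" else accel_host
        if accel_port != 80:
            host = f"{host}:{accel_port}"

    if "_" in host.split(":")[0]:
        raise InvalidURL("Illegal character in hostname; underscores are not allowed")
    return f"http://{host}{target}"


def try_squid_url(raw: bytes, original_dst: str, **config):
    """(True, url) on success, (False, error text) where Squid would show 'Invalid URL'."""
    try:
        return True, squid_url(raw, original_dst, **config)
    except InvalidURL as exc:
        return False, f"Invalid URL: {exc}"


# squid.conf as it was before (no httpd_accel_* lines) ...
PLAIN_PROXY = dict(accel_host=None)
# ... and with the four lines that made transparent proxying work.
TRANSPARENT = dict(accel_host="virtual", accel_port=80,
                   accel_with_proxy=True, accel_uses_host_header=True)

# Constructed sample requests (not captured traffic).
PROXIED = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
INTERCEPTED = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP10_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
FORGED_HOST = b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
ORIGINAL_DST = "93.184.216.34"  # where the client's packets were actually headed

if __name__ == "__main__":
    for label, raw in [("proxied", PROXIED), ("intercepted", INTERCEPTED),
                       ("http/1.0 no Host", HTTP10_NO_HOST), ("forged Host", FORGED_HOST)]:
        for cfg_name, cfg in [("plain proxy", PLAIN_PROXY), ("transparent", TRANSPARENT)]:
            print(f"{label:17} {cfg_name:12} -> {try_squid_url(raw, ORIGINAL_DST, **cfg)[1]}")
```

The FORGED_HOST case is the part a practitioner should notice: with httpd_accel_uses_host_header on, the URL comes from whatever the client put in Host, not from the address its packets were actually sent to, so the REDIRECT rule restricts nothing by itself and Squid's own ACLs are what decide where LAN clients may reach. Clients that send no Host header (HTTP/1.0) fall back to the original destination IP and httpd_accel_port, which is why both of those lines are needed alongside the Host-header one.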

Author Comment

by:deeky
ID: 12668908
I haven't heard anything for a few days.  I found the answer to this question elsewhere.  How do I handle this situation?  The comment I posted was my solution to this particular problem, and I suppose it should remain in the archives for others.

How do I close this question?

Deeky

Accepted Solution

by:
modulo earned 0 total points
ID: 14557553
Closed, 200 points refunded.
modulo
Community Support Moderator
