Solved

Redirect traffic to squid with iptables on the same machine

Posted on 2013-01-30
1,027 Views
Last Modified: 2013-01-30
I have set up squid (v.3.2.6) to block distractions like Facebook, GMail, YouTube on a specific machine, which runs Arch Linux. This works fine if I set the proxy settings for the browser to squid (localhost:3128).

Now I want to redirect all traffic to the squid proxy. This should be possible with iptables (v.1.4.16) NAT table, but the sample solutions I have found don’t work for me. This does nothing:
*nat
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT


I also set the squid port to:
http_port 3128 intercept

If I change PREROUTING to OUTPUT, all the traffic seems to go over squid, but I get the error “The requested URL could not be retrieved”.

Just to clarify, squid and iptables are on the same machine. Any suggestions?
Question by:Zibi92

4 Comments
Expert Comment by:Barthax
Do you have a prior rule which permits localhost (i.e., squid) to reach dport 80? If not, then all your squid proxying will also be redirected back to itself.

Note that your description is a little light on which interface(s) this applies to and also how the Linux box sits in the network topology (is it the gateway?).
Author Comment by:Zibi92
I'm very new to networking (read some articles for the past 2 days), so I try to understand what you mean.

With prior rule do you mean a rule in iptables.rules? For testing purposes I allowed everything (I think):
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

The Linux box is connected over a LAN card (eth0) to a router, which is connected to the internet. (I hope this is what you mean by network topology.)
Author Comment by:Zibi92
Ok, I found something that works:
*nat
# Squid's own outbound connections (group "proxy") skip the redirect
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
# everything else this machine sends to port 80 goes to the local Squid
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT

But what is the difference between ":OUTPUT ACCEPT [0:0]" (which I thought accepts everything) and this specific rule (in line 2) that accepts the OUTPUT, if it comes from the proxy group?

Did I understand the picture in this tutorial right:
I have to use the OUTPUT chain in this case (instead of the PREROUTING chain), because the packet is locally generated and delivered.
Accepted Solution by:Barthax (earned 500 total points)
The output from Squid (which is --gid-owner proxy) must be headed to the correct Internet port outside your building. For example, Google's server is on ports 80 (HTTP) and 443 (HTTPS) so a Google request from your Squid (acting on behalf of your proxied client) must reach the destination with dport 80. If your Squid's outbound packet is altered to port 3128, it will reach Google's servers and not be served by the HTTP server residing there.

You have the tutorial correct. The localhost generates packets (rather than sending packets into the network card) and therefore has no associated input activity for a PREROUTING rule to occur.

Sorry for the confusion earlier - your original indicates the need to redirect all traffic through the Squid and so I had thought the machine was acting as a bridge between two segments. I didn't realise you intended all traffic generated by the machine itself.
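As an added example (not code posted in this thread), here is a small POSIX shell script that writes out the ruleset from the working answer and checks a saved nat ruleset for the loop Barthax describes, where Squid's own port-80 connections get redirected back into Squid. On the "policy versus rule" question: `:OUTPUT ACCEPT [0:0]` is only the chain's default policy, applied to a packet that matched no rule, while the `-j ACCEPT` rule with `-m owner --gid-owner proxy` stops traversal of the nat OUTPUT chain for Squid's packets before they reach the REDIRECT, which is why rule order matters. Port 3128 and group `proxy` are taken from the thread; the function names `gen_rules` and `check_rules` and the sample rulesets are my own.

```shell
#!/bin/sh
# Added example (not from the thread): generate the nat ruleset that sends this
# machine's own HTTP traffic into a local Squid, and check a ruleset for the
# self-redirect loop. Assumes Squid listens on 3128 ("http_port 3128 intercept")
# and runs as group "proxy", as in the thread; both can be overridden by env.
PROXY_PORT="${PROXY_PORT:-3128}"
PROXY_GROUP="${PROXY_GROUP:-proxy}"

# Emit an iptables-restore ruleset for the nat table.
# ":OUTPUT ACCEPT [0:0]" is only the default policy for packets that match no
# rule. The "-j ACCEPT" rule for Squid's group ends nat OUTPUT processing for
# Squid's own outbound port-80 packets, so they never hit the REDIRECT below.
# With the REDIRECT first, Squid's upstream connections would loop back to
# port 3128 and the browser sees "The requested URL could not be retrieved".
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner ${PROXY_GROUP} -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port ${PROXY_PORT}
COMMIT
EOF
}

# Read an iptables-save style nat ruleset on stdin (iptables-save prints
# "--to-ports", hand-written rules often say "--to-port"; both are accepted).
# Exit 0 when every OUTPUT REDIRECT to the proxy port is preceded by an owner
# exemption (ACCEPT or RETURN) for the proxy group; exit 1 for the looping
# layout. PREROUTING rules are ignored: locally generated packets never
# traverse PREROUTING, which is why the original attempt did nothing.
check_rules() {
    awk -v grp="$PROXY_GROUP" -v port="$PROXY_PORT" '
        /^-A OUTPUT / && $0 ~ ("--gid-owner " grp "( |$)") && /-j (ACCEPT|RETURN)/ { exempt = 1 }
        /^-A OUTPUT / && /-j REDIRECT/ && $0 ~ ("--to-ports? " port "( |$)") && !exempt { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

case "${1:-}" in
    apply) gen_rules | iptables-restore ;;   # needs root
    check) if iptables-save -t nat | check_rules; then
               echo "ok: Squid's outbound traffic is exempt from the redirect"
           else
               echo "loop: REDIRECT in nat OUTPUT without a preceding --gid-owner ${PROXY_GROUP} exemption"
           fi ;;
    *)     gen_rules ;;                       # default: just print the ruleset
esac
```

Run it with `apply` to load the rules, with `check` to audit whatever is currently loaded, or with no argument to print the generated ruleset for review. Note that `-m owner` only matches in the OUTPUT and POSTROUTING chains, which is another reason the exemption and the redirect both live in OUTPUT for the single-machine case.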