IPtables Transparent Proxy

Discussion in 'Linux / Unix Discussion' started by jackd, Dec 26, 2007.

  1. jackd

    jackd Megabyte Poster

    Currently I've got my internet traffic redirected into my proxy by using this iptables rule:
    Code:
    -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
    This is working fine, but I want to redirect all traffic into the proxy, not just port 80. I need some exceptions for that, because obviously you can't transparently redirect encrypted traffic, so I tried this rule:
    Code:
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443,22 -j REDIRECT --to-ports 3128
    The rule works when there's just 443 in the ! --dports bit, but when I add 443 & 22 I get an error. I've also tried separating the ports by a space, but that doesn't work because it's not supposed to be set out like that. So, any ideas how I could have multiple ports that don't go through the proxy using iptables?

    Jack
     
  2. ffreeloader

    ffreeloader Terabyte Poster

    Just make two rules, one for https and the other for ssh. The only way more than 1 port is used is to use a range of ports, and that's not what you're looking to do. Here's a link to some documentation.

    http://iptables-tutorial.frozentux.net/chunkyhtml/x2436.html
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. zebulebu

    zebulebu Terabyte Poster

    Yep - Freddie's right. If you wanted to, for instance, bypass 21, 22 and 23 you could go about doing it that way, but you'll need separate lines for non-consecutive ports. Also, it'll be excellent preparation work for you when you step into the 'real world' (though I know that's quite a way away for you Jack - seeing as you've got at least another five years of lazing around (sorry) 'studying' before you have to go out and earn your keep :) - all firewall rulesets are easier to understand when there is a specific entry/ACL/rule defined for particular traffic.
     
    Certifications: A few
    WIP: None - f*** 'em
  4. jackd

    jackd Megabyte Poster

    Right, so do I want multiple lines like this:
    Code:
    -A PREROUTING -p tcp -m tcp ! --dport 22 -j REDIRECT --to-ports 3128
    
    Each with a different port that I want to stop going through the proxy?

    @zebulebu
    Yes, my lazing (if that's a word) is very important.
     
  5. zebulebu

    zebulebu Terabyte Poster

    LOL - don't I know it! I only wish my nephews had the common sense you seem to have at 13 - I can't get them to understand the absolute basics of computers cos they're too busy playing wrestling games on them!

    I've not used IPTables for a long time, so Freddie or one of the other Linux bods should be able to confirm this for sure, but as far as I remember it you just add extra lines depending on what you want to proxy. Incidentally, what are you running this on - an IPTables-compatible router or a dedicated FW box?
     
    Certifications: A few
    WIP: None - f*** 'em
  6. jackd

    jackd Megabyte Poster

    It's running on Ubuntu Server, which is basically the same as the standard Debian install; both have no GUI or anything, just a standard Linux box I've got running with Squid to block ads and cache web pages!
     
  7. ffreeloader

    ffreeloader Terabyte Poster

    Yup. That's what you want. If you wanted to do a consecutive range of ports you would do it like this:
    Code:
    -A PREROUTING -p tcp -m tcp ! --dport 22:32 -j REDIRECT --to-ports 3128

    The above would affect the range of ports from 22 through 32.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  8. jackd

    jackd Megabyte Poster

    I've just tried using the rules:

    Code:
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 22 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 10000 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -j ACCEPT
    But it doesn't seem to work, as I can't access https sites correctly.

    Any ideas?
     
  9. ffreeloader

    ffreeloader Terabyte Poster

    Are ssh and webmin working correctly?
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. jackd

    jackd Megabyte Poster

    Nope, webmin doesn't seem to work; ssh doesn't work either.
    Note that webmin is accessed using ssh at https://servername:10000

    Jack
     
  11. ffreeloader

    ffreeloader Terabyte Poster

    It seems as if things have changed with squid configuration in the last couple of releases, especially with transparent proxying. I'd recommend that you go to the squid site and take a look at their latest documentation for the version you have. They also have some example configs and a user guide that is pretty good.

    You could have squid itself misconfigured, as the docs say that it's much easier to configure now than it used to be. The example rules they show are very simple too.

    http://www.squid-cache.org/
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  12. jackd

    jackd Megabyte Poster

    Why would that make any difference? Surely you still can't proxy encrypted traffic transparently, or else that would be a man-in-the-middle attack. The squid configuration is working correctly.
     
  13. ffreeloader

    ffreeloader Terabyte Poster

    If you will take a look at the documentation it would help. I can't see your entire configuration, don't know what version you're using, etc.... Read the docs and see if you're configured correctly. I'm basically shooting in the dark at this right now as I know so little about your setup. Going to the documentation from the squid project for the version of squid you have will be the most accurate information you can get.

    The squid documentation says they have changed the way they do things in this area, so go look at it. It makes no sense that https will work when only one rule is being used, but won't work when multiple rules are in force. That's why I'm saying go take a look and make sure you're configured the way they say you should be. They know far more about this than I do.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  14. jackd

    jackd Megabyte Poster

    I'll give you a little background info for a better idea of my setup.
    The machine is running Ubuntu Server 7.10 and the squid version is 2.6. Everything on my squid setup should be working fine: if I set the proxy manually in the clients then everything is fine, even https works as it should, but obviously I don't want to set up the clients manually, I'd just like it to be transparent.

    Here's the nat table from my /etc/iptables.up.rules:
    Code:
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -j MASQUERADE
    #-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 22 -j REDIRECT --to-ports 3128
    #-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443 -j REDIRECT --to-ports 3128
    #-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 10000 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -j ACCEPT
    You can see the rules that I tried commented out. I can't fit my whole squid config file on here, so it is accessible via my webserver here.
     
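The three `! --dport` rules from post 8 (commented out in the nat table above) cannot work as intended, and the reason has nothing to do with squid: nat/PREROUTING is evaluated first match wins, and `! --dport 22` matches every TCP port except 22, so the first rule already redirects 443 and 10000 into squid, and the second rule redirects 22. Every exception must be expressed as a rule that does not REDIRECT (RETURN or ACCEPT) placed before a single catch-all REDIRECT, or as one rule using the multiport match, which does take a comma-separated list (`-m multiport ! --dports 22,443,10000`; on very old iptables releases the negation may have to be written `--dports ! 22,443,10000`). The following simulator is an added example, not code from the thread or from the iptables project: it implements just enough of the rule grammar used in this thread to evaluate the posted ruleset and two corrected ones against the ports in question, so you can see which connections would be steered into port 3128.

```python
"""Simulate first-match evaluation of the nat PREROUTING rules from this thread.

Added example, not code from the thread. It models only what the posted rules
use: -i <iface>, tcp --dport N or A:B, -m multiport --dports a,b,c (optionally
negated with a leading '!'), and the targets REDIRECT, ACCEPT and RETURN.
"""

SKIP_WITH_ARG = {"-A", "-p", "-m"}   # chain, protocol, match module: all tcp here


def parse_ports(spec):
    """'22' -> {22}; '22:32' -> {22..32}; '22,443,10000' -> {22, 443, 10000}."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rule(line):
    """Turn one '-A PREROUTING ...' line into a dict the evaluator understands."""
    rule = {"iface": None, "ports": None, "negate": False, "target": None, "to_port": None}
    tokens = line.split()
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
        elif tok in SKIP_WITH_ARG:
            i += 2
        elif tok == "-i":
            rule["iface"] = tokens[i + 1]
            i += 2
        elif tok in ("--dport", "--dports"):
            rule["ports"] = parse_ports(tokens[i + 1])
            rule["negate"] = negate
            negate = False
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif tok == "--to-ports":
            rule["to_port"] = int(tokens[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule


def load(text):
    """Parse a block of rules, skipping blank lines and '#' comments like iptables-restore."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def evaluate(rules, dport, iface="eth1"):
    """First rule whose matches all succeed decides; no match falls to the chain policy (ACCEPT).

    Returns ('REDIRECT', 3128) when the connection would be steered into squid,
    or ('ACCEPT', dport) when it leaves the box untouched.
    """
    for rule in rules:
        if rule["iface"] is not None and rule["iface"] != iface:
            continue
        if rule["ports"] is not None and (dport in rule["ports"]) == rule["negate"]:
            continue                      # port test (or its negation) did not match
        if rule["target"] == "REDIRECT":
            return ("REDIRECT", rule["to_port"])
        if rule["target"] in ("ACCEPT", "RETURN"):   # RETURN in a built-in chain -> policy ACCEPT
            return ("ACCEPT", dport)
    return ("ACCEPT", dport)


def decisions(text, ports=(22, 80, 443, 10000), iface="eth1"):
    """Map each destination port to the verdict the ruleset gives it."""
    rules = load(text)
    return {p: evaluate(rules, p, iface)[0] for p in ports}


# The rules from post 8, verbatim. Each '! --dport X' rule matches every port *except* X,
# so rule 1 already sends 443 and 10000 to squid, and rule 2 sends 22 there.
POSTED = """
-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 22 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 10000 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -j ACCEPT
"""

# Corrected: one exception per port with a non-REDIRECT target, *before* the catch-all.
FIXED_RETURN = """
-A PREROUTING -p tcp -m tcp -i eth1 --dport 22 -j RETURN
-A PREROUTING -p tcp -m tcp -i eth1 --dport 443 -j RETURN
-A PREROUTING -p tcp -m tcp -i eth1 --dport 10000 -j RETURN
-A PREROUTING -p tcp -m tcp -i eth1 -j REDIRECT --to-ports 3128
"""

# Equivalent single rule using the multiport match (comma-separated list of up to 15 ports).
FIXED_MULTIPORT = """
-A PREROUTING -p tcp -i eth1 -m multiport ! --dports 22,443,10000 -j REDIRECT --to-ports 3128
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("return", FIXED_RETURN), ("multiport", FIXED_MULTIPORT)):
        print(f"{name:10s}", decisions(text))
```

Two caveats for anyone copying the corrected rules into /etc/iptables.up.rules. First, the trailing `-A PREROUTING -p tcp -m tcp -j ACCEPT` line in the posted table is redundant, because the PREROUTING policy is already ACCEPT; RETURN from a built-in chain ends up at that same policy, which is why the simulator treats RETURN and ACCEPT alike. Second, steering every TCP port into an HTTP proxy means any non-HTTP protocol a client speaks (mail, IM, games, anything on an unusual port) arrives at squid, which cannot handle it; a short allow-list of HTTP ports (80, and whatever else actually carries HTTP on your network) is both safer and easier to reason about than a deny-list of exceptions that has to be kept complete by hand.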
  15. ffreeloader

    ffreeloader Terabyte Poster

    Jackd,

    How many changes have you made to your squid.conf file? Highlight the changes you've made for me in it. I'm not going to read all 91 pages of the example conf file you are using because I just don't have the time. If you want my help you'll have to highlight all the things you have changed.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  16. zebulebu

    zebulebu Terabyte Poster

    Jack - forgive me for stating the obvious, but are the lines for ports 22,443 and 10000 still commented out in your live config?
     
    Certifications: A few
    WIP: None - f*** 'em
  17. jackd

    jackd Megabyte Poster

    They are currently, because they aren't working; I've just commented them out so I don't have to recreate them all again if I need to change something. Sorry about that, I was going to put it in my last post but must have forgotten, sorry. I needed to comment them out because some people still need to use the internet.

    Jack
     
