1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

IPtables Transparent Proxy

Discussion in 'Linux / Unix Discussion' started by jackd, Dec 26, 2007.

  1. jackd

    jackd Megabyte Poster

    555
    7
    64
    Currently ive got my internet traffic redirected into my proxy by using this iptables rule
    Code:
    -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
    This is working fine but i want to redirect all traffic into the proxy not just port 80 but i need some exceptions for that because oviously you cant transparently redirect encrypted traffic so i tried this rule:
    Code:
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443,22 -j REDIRECT --to-ports 3128
    The rule works when theres just 443 in the ! --dports bit but when i add 443 & 22 i get a error, ive also tried seperating the ports by a space but that doesnt work because its not supposed to be set out like that. So any ideas how i could have multiple ports that dont go through the proxy using iptables

    Jack
     
  2. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Just make two rules, one for https and the other for ssh. The only way more than 1 port is used is to use a range of ports, and that's not what you're looking to do. Here's a link to some documentation.

    http://iptables-tutorial.frozentux.net/chunkyhtml/x2436.html
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeps - Freddie's right. If you wanted to, for instance, bypass 21, 22 and 23 you could go about doing it that way, but you'll need separate lines for non-consecutive ports. Also, it'll be excellent preparation work for you when you step into the 'real world' (though I know that's quite a way away for you Jack - seeing as you've got at least another five years of lazing around (sorry) 'studying' before you have to go out and earn your keep :) - all firewall rulesets are easier to understand when there is a specific entry/ACL/rule defined for particular traffic
     
    Certifications: A few
    WIP: None - f*** 'em
  4. jackd

    jackd Megabyte Poster

    555
    7
    64
    Right so do i want multiple lines like this:
    Code:
    -A PREROUTING -p tcp -m tcp ! --dport 22 -j REDIRECT --to-ports 3128
    
    Each with a different port that i want to stop going through the proxy

    @zebulebu
    Yes my lazing (if thats a word) is very important
     
  5. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    LOL - don't I know it! I only wish my nephews had the common sense you seem to have at 13 - I can't get them to understand the absolute basics of computers cos they're too busy playing wrestling games on them!

    I've not used IPTables for a long time, so Freddie or one of the other linux bods should be able to confirm this for sure, but as far as I remember it you just add extra lines depending on what you want to proxy. incidentally, what are you running this on - an IPTables-compatible router or a dedicated FW box?
     
    Certifications: A few
    WIP: None - f*** 'em
  6. jackd

    jackd Megabyte Poster

    555
    7
    64
    Its running on ubuntu server which is basically the same as the standard debian install both have no GUI or anything just a standard linux box ive got running with squid to block ads, and the cache web pages!
     
  7. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Yup. That's what you want. If you wanted to do a consecutive range of ports you would do it like this: -A PREROUTING -p tcp -m tcp ! --dport 22:32 -j REDIRECT --to-ports 3128

    The above would affect the range of ports from 22 through 32.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  8. jackd

    jackd Megabyte Poster

    555
    7
    64
    Ive just tried the using the rules

    Code:
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 22 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -i eth1 ! --dport 10000 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -j ACCEPT
    But it doesnt seem to work as i cant access https sites correctly?

    Any ideas?
     
  9. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Are ssh and webmin working correctly?
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. jackd

    jackd Megabyte Poster

    555
    7
    64
    Nope webmin doesnt seem to work,ssh doesnt work either.
    Note that webmin is accessed using ssh at https://servername:10000

    Jack
     
  11. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    It seems as if things have changed with squid configuration in the last couple of releases, especially with transparent proxying. I'd recommend that you go to the squid site and take a look at their latest documentation for the version you have. They also have some example configs and a user guide that is pretty good.

    You could have squid itself mis-configured as the docs say that now it's much easier to configure it now than it used to be. The example rules they show for are very simple too.

    http://www.squid-cache.org/
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  12. jackd

    jackd Megabyte Poster

    555
    7
    64
    Why would that make any difference, surely you still cant proxy encrypted traffic transparently or else that would be a man-in-the-middle attack. The squid configuration is working correctly.
     
  13. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    If you will take a look at the documentation it would help. I can't see your entire configuration, don't know what version you're using, etc.... Read the docs and see if you're configured correctly. I'm basically shooting in the dark at this right now as I know so little about your setup. Going to the documentation from the squid project for the version of squid you have will be the most accurate information you can get.

    The squid documentation says they have changed the way they do things in this area, so go look at it. It makes no sense that https will work when only one rule is being used, but won't work when multiple rules are in force. That's why I'm saying go take a look and make sure you're configured the way they say you should be. They know far more about this than I do.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  14. jackd

    jackd Megabyte Poster

    555
    7
    64
    Ill give you a little background info for a better idea of my setup
    The machine is running Ubuntu Server 7.10 squid version is 2.6, everything on my squid setup should be working fine if i set the proxy manually in the clients then everything is fine even https works as it should, but oviously i dont want to setup the clients manually i'd just like it to be transparent.

    Heres the nat iptable on my /etc/iptables.up.rules
    Code:
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -j MASQUERADE
    #-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 22 -j REDIRECT --to-ports 3128
    #-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 443 -j REDIRECT --to-ports 3128
    #-A PREROUTING -p tcp -m tcp -i eth1 ! --dport 10000 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp -j ACCEPT
    You can see the rules that i tried commented out. I cant fit my whole squid config file on here so is accessable via my webserver here
     
  15. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Jackd,

    How many changes have you made to your squid.conf file? Highlight the changes you've made for me in it. I'm not going to read all 91 pages of the example conf file you are using because I just don't have the time. If you want my help you'll have to highlight all the things you have changed.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  16. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Jack - forgive me for stating the obvious, but are the lines for ports 22,443 and 10000 still commented out in your live config?
     
    Certifications: A few
    WIP: None - f*** 'em
  17. jackd

    jackd Megabyte Poster

    555
    7
    64
    They are currently because they arent working, ive just commented them out so i dont have to recreate them all again if i need to change something. Sorry about that i was going to put it in my last post but must of forgot sorry. I needed to comment them out because some people still need to use the internet

    Jack
     

Share This Page

Loading...