Re: [squid-users] client ip's

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 03 Apr 2008 18:08:16 +1300

Jorge Bastos wrote:
> The rule I use to redirect traffic from 80 to 8080 is:
> I must remember, this was working before 3.0 stable1 or stable2 (not using
> stable2), I just saw this was happening now.

What version did you upgrade from?

>
> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
>

If squid is running on this same box I would recommend the REDIRECT
target instead of DNAT. It's less work for the kernel.

The other possible issue is that you have your redirection rule at the
start of the NAT tables. The matching rule to allow squid traffic out is
near the end.

Even if you keep DNAT, they should be in this order:

# allow squid traffic out okay.
iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 80 -j ACCEPT
# redirect all other web traffic into squid.
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

>
> cisne:~# iptables-save -t nat
> # Generated by iptables-save v1.4.0 on Wed Apr 2 17:12:25 2008
> *nat
> :PREROUTING ACCEPT [35:1650]
> :POSTROUTING ACCEPT [10307:1367320]
> :OUTPUT ACCEPT [66427:4357431]
> -A PREROUTING -d 193.164.158.105/32 -j DROP
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 5111 -j DNAT --to-destination 192.168.1.11:5900
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.2:5900
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 5969 -j DNAT --to-destination 192.168.1.3:5900
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.204:3389
> -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
> -A PREROUTING -p gre -j ACCEPT
> -A PREROUTING -p icmp -j ACCEPT
> -A PREROUTING -p ah -j ACCEPT
> -A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
> -A PREROUTING -p udp -m udp --dport 500 -j ACCEPT
> -A PREROUTING -p udp -m udp --dport 1723 -j ACCEPT
> -A PREROUTING -p udp -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 20 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 23 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 43 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 79 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 123 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 143 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 444 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 1723 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 1863 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 3306 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 3389 -j ACCEPT
> -A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 5000 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 5190 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 5900 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 5901 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 6667 -j ACCEPT
> -A PREROUTING -s 192.168.1.0/24 -d 192.168.1.206/32 -p tcp -m tcp --dport 8888 -j ACCEPT
> -A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 30106 -j DNAT --to-destination 192.168.1.224:30106
> -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 62500:63500 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A PREROUTING -j DROP
> -A POSTROUTING -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Wed Apr 2 17:12:26 2008
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> Sent: Wednesday, 2 April 2008 11:42
> To: Jorge Bastos
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] client ip's
>
> What do your iptables NAT rules look like?
>
> iptables-save -t nat
>
> Wed 2008-04-02 at 09:18 +0100 Jorge Bastos wrote:
>> Transparent proxy
>>
>> Squid running on: 8080
>> And I forward 80 => 8080 (squid) => web
>>
>> My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that
>> this started to happen.
>>
>>> -----Original Message-----
>>> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
>>> Sent: Wednesday, 2 April 2008 0:12
>>> To: Jorge Bastos
>>> Cc: squid-users@squid-cache.org
>>> Subject: RE: [squid-users] client ip's
>>>
>>> Tue 2008-04-01 at 12:29 +0100 Jorge Bastos wrote:
>>>> No, just squid himself.
>>> As a plain proxy, or playing with NAT?
>>>
>>> Regards
>>> Henrik

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Received on Wed Apr 02 2008 - 23:08:07 MDT
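Added example, not code from the thread or from the Squid project: a POSIX sh script that prints the two rules in the order Amos recommends and checks an `iptables-save -t nat` dump (or the iptables commands themselves) for that ordering, the ACCEPT for the proxy host before the first port-80 REDIRECT/DNAT. The proxy address 192.168.1.1, the LAN 192.168.1.0/24 and port 8080 are taken from the thread; the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Ordering check for the NAT rules:
# the ACCEPT for the proxy host must precede the port-80 redirect.
PROXY_IP=192.168.1.1     # squid box, as in the thread
LAN=192.168.1.0/24       # client network, as in the thread
SQUID_PORT=8080          # intercept port, as in the thread

# Print the two rules in the recommended order (REDIRECT rather than DNAT).
print_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -s $PROXY_IP -p tcp --dport 80 -j ACCEPT" \
      "iptables -t nat -A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# check_order: reads 'iptables-save -t nat' output (or plain iptables commands)
# on stdin. Exit 0 if a port-80 ACCEPT for the proxy host appears before the
# first port-80 REDIRECT/DNAT in PREROUTING, exit 1 if it is missing or later.
check_order() {
    awk -v proxy="$PROXY_IP" '
        /-A PREROUTING / {
            src = ""; port = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (port != "80") next          # only port-80 rules matter here
            n++
            sub(/\/32$/, "", src)           # iptables-save prints hosts as /32
            if (src == proxy && target == "ACCEPT" && !exempt) exempt = n
            if ((target == "REDIRECT" || target == "DNAT") && !redir) redir = n
        }
        END { if (exempt && (!redir || exempt < redir)) exit 0; exit 1 }'
}

# Constructed dump in the shape of the thread: DNAT first, no exemption.
sample_bad() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

if sample_bad | check_order; then echo "order ok"; else echo "proxy exemption missing or after redirect"; fi
print_rules
```

Pipe a live dump through the check with `iptables-save -t nat | sh -c '. ./check.sh; check_order'` style sourcing, or compare against `print_rules` output before loading the rules.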
