[SOLVED] Squid proxy with IPTables. No success.
by jmgibson1981 on LinuxQuestions.org (#5A38Q)
Currently testing building a custom router. I've investigated OPNsense and pfSense. Both far more than I need. I've succeeded at getting a basic router iptables ruleset going.
Code:
    router_setup_func() {
        # Walk every entry in /sys/class/net; the directory itself shows up as
        # "net", so it is skipped along with loopback and Docker veth pairs.
        for interface in $(find /sys/class/net/ -maxdepth 1) ; do
            ifname=$(basename "$interface")
            case "$ifname" in
                net|lo|veth*)
                    continue
                    ;;
                *)
                    # First IPv4 address on this interface, without the prefix length.
                    # Querying the device directly avoids the substring matching of
                    # grep "$ifname", which also matched eth1 against eth10.
                    ifip=$(ip -4 -o addr show dev "$ifname" | awk '{print $4}' \
                        | cut -d/ -f1 | head -n 1)
                    if [ -n "$ifip" ] ; then
                        case "$ifip" in
                            192.168.*.*|172.17.*.*)
                                # LAN side: add a /24 route for this interface's subnet
                                MODIFIEDIP=$(echo "$ifip" | rev | cut -d"." -f2- | rev).0/24
                                route add -net "$MODIFIEDIP" dev "$ifname"
                                ;;
                            *)
                                # WAN side: masquerade everything leaving this interface
                                iptables -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
                                ;;
                        esac
                    fi
                    ;;
            esac
        done
    }

I have been trying with zero success to get this to forward to a squid proxy on the same host as the router. Ultimately I'd rather it go to another ip on my lan, but for now this is for testing purposes. Here is my squid.conf
Code:
    acl mylan src 192.168.0.0/24
    acl docker src 172.17.0.0/24
    acl SSL_ports port 443
    acl Safe_ports port 631 # print server
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localhost
    http_access allow mylan
    http_access allow docker
    http_access deny all
    http_port 3128
    maximum_object_size 500 MB
    cache_dir ufs /var/spool/squid 7500 16 256
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320
    refresh_all_ims on

I've tried both intercept and transparent on the http_port line with no success. Squid fails to start altogether with intercept on the line. I've now spent the better half of my day bouncing around on googling "squid transparent proxy with iptables" or some variation. I have no idea how many different iptables lines I've tried. And all I end up with on my vm running through this router, on trying to do an apt update, is this.
Code:
    Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease Connection failed [IP: 91.189.88.142 80]

It works perfectly until I activate my squid iptables rules. I'm lost, tired, frustrated. I've got to be missing something, I just don't know what.
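The setup the post is after, port-80 traffic from the LAN transparently handed to a Squid intercept port on the router itself, needs two things the posted config does not yet have: a Squid intercept port that is separate from the plain forward-proxy port (Squid requires a forward-proxy http_port alongside any intercept port, which is the usual reason a config whose only http_port line carries intercept refuses to start), and a nat PREROUTING REDIRECT rule on the LAN interface plus a matching filter INPUT accept for the redirected connections, which arrive at the router as local input rather than forwarded traffic. The script below is an added example, not the poster's code or anything from the Squid project: it generates (rather than applies) those rules so they can be reviewed before being run, and it emits a lockdown rule so neither proxy port is reachable from the WAN side. Interface names, subnets, port numbers and the two-port squid.conf fragment in the comments are assumptions to replace with real values; only port 80 is intercepted this way, HTTPS on 443 keeps flowing through the existing MASQUERADE rule untouched.

```shell
#!/bin/sh
# Added example (not the poster's script): generate iptables rules that send
# port-80 traffic arriving from one LAN segment to a Squid intercept port on the
# router itself, and lock both Squid ports away from the WAN interface.
#
# Assumed squid.conf ports (replace the poster's single "http_port 3128" line):
#   http_port 3128             # plain forward-proxy port, must stay
#   http_port 3129 intercept   # separate port that only receives REDIRECTed traffic
#
# Assumed interface names / subnets (placeholders): eth1 = 192.168.0.0/24 LAN,
# docker0 = 172.17.0.0/24, eth0 = WAN.

# Print the rules for one LAN segment.
#   $1 = LAN interface, $2 = LAN subnet, $3 = Squid intercept port
# The "! -d $lan_net" match keeps HTTP between hosts on the same segment out of
# the proxy; the INPUT rule is needed because REDIRECTed packets are delivered
# locally (INPUT chain), not forwarded (FORWARD chain).
squid_intercept_rules() {
    lan_if="$1"; lan_net="$2"; squid_port="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net ! -d $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $squid_port -j ACCEPT
EOF
}

# Print a rule that drops connections to both Squid ports arriving on the WAN
# interface, so the cache is not an open proxy towards the internet.
#   $1 = WAN interface, $2 = forward-proxy port, $3 = intercept port
squid_port_lockdown() {
    wan_if="$1"; fwd_port="$2"; icp_port="$3"
    printf 'iptables -A INPUT -i %s -p tcp -m multiport --dports %s,%s -j DROP\n' \
        "$wan_if" "$fwd_port" "$icp_port"
}

# Feed generated rules to a shell once they have been reviewed, e.g.
#   { squid_intercept_rules eth1 192.168.0.0/24 3129
#     squid_intercept_rules docker0 172.17.0.0/24 3129
#     squid_port_lockdown eth0 3128 3129; } | apply_rules
apply_rules() {
    sh -e
}
```

After applying, `iptables -t nat -L PREROUTING -n -v` should show the REDIRECT counters climbing when a LAN client fetches an http:// URL, and Squid's access.log should record the request with the client's LAN address; if the counters climb but access.log stays empty, Squid is not listening on the intercept port or the INPUT rule is ordered after a reject.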