Iptables rules for Squid on CentOS 7

I have two interfaces in my proxy server, eth0 and eth1, where eth0 connects to the local (private) network while eth1 connects to the Internet. My Squid version is 3.3.8 and CentOS 7 is my OS. I have to configure a transparent proxy. I know that for it there should be a single change like

http_port 8080 intercept

I have done this, but still I could not access the Internet, and there is no information in the Squid access.log file. But when I enable the proxy on the client, the Squid log starts to populate.

I think I am missing some iptables rules. What should those rules be so that my client can access the Internet via the proxy (transparent mode)?

I have applied two rules:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

After applying the given two rules, I got the following in tcpdump:

15:56:53.858317 ARP, Request who-has localhost.localdomain tell 192.168.57.100, length 46
15:56:53.858330 ARP, Reply localhost.localdomain is-at 0a:00:27:00:00:01 (oui Unknown), length 28
15:56:53.859825 IP 192.168.57.100.55833 > localhost.localdomain.domain: 17156+ A? www.google.com. (32)
15:56:53.859866 IP localhost.localdomain > 192.168.57.100: ICMP localhost.localdomain udp port domain unreachable, length 68
15:56:53.860006 IP 192.168.57.100.55833 > localhost.localdomain.domain: 56135+ AAAA? www.google.com. (32)

edited Apr 27 '16 at 10:59
asked Apr 26 '16 at 12:39
Shafiq

  • Who is the router of your network? The Squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
    – Rui F Ribeiro
    Apr 26 '16 at 12:46

  • Our proxy server is under the umbrella of another proxy/router server.
    – Shafiq
    Apr 27 '16 at 6:14

1 Answer
Try these iptables rules:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

MASQUERADE = allows private IPs to access the Internet.

--dport 80 -j REDIRECT --to-port 8080 = any request from a private IP that accesses the web will be redirected to our proxy server at port 8080.

answered Apr 26 '16 at 13:03
Toro tero

  • If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
    – Rui F Ribeiro
    Apr 26 '16 at 13:14

  • Well, just make sure the client PC's gateway is set to the IP address of the proxy server (as long as he has already set the proxy server's default route to the Internet gateway and can access the Internet). I think it will also work even without a public IP, because that iptables rule masquerades (changes the source NAT).
    – Toro tero
    Apr 26 '16 at 13:15

  • Internet does not route private IP addresses.
    – Rui F Ribeiro
    Apr 26 '16 at 13:16

  • I have updated my question after applying the two iptables rules.
    – Shafiq
    Apr 27 '16 at 10:59

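The two rules in the answer above are the core of the setup, but the comments point at what they leave out: the kernel must forward between eth0 and eth1 (net.ipv4.ip_forward), the clients must use the Squid box as their default gateway, and nothing here handles name resolution. The tcpdump in the question shows exactly that last gap: the client sends its DNS queries to the proxy box, which answers with ICMP "udp port domain unreachable" because nothing listens on port 53 there, so no HTTP request is ever made and access.log stays empty. The script below is an added example, not code from the answer or from the Squid project. It emits the complete nat and filter rule set in iptables-restore format so it can be reviewed before loading, adds the pieces the answer's two rules assume, and ships a check that a practitioner runs against `iptables-save` afterwards. The LAN prefix 192.168.57.0/24 (taken from the client address in the tcpdump), the proxy's LAN address 192.168.57.1 and the upstream resolver 10.0.0.1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): full nat/filter rule set for a
# transparent Squid box with eth0 = LAN, eth1 = Internet and "http_port 8080 intercept".
# Review first, then load:   sh squid-nat.sh --print | iptables-restore
# Assumed values (not in the original post): LAN 192.168.57.0/24, proxy LAN address
# 192.168.57.1, upstream DNS resolver 10.0.0.1 reachable through eth1.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.57.0/24
PROXY_IP=192.168.57.1
SQUID_PORT=8080
DNS_UPSTREAM=10.0.0.1

squid_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Never rewrite traffic addressed to the proxy itself (SSH, Squid's own port, ...).
-A PREROUTING -i $LAN_IF -s $LAN_NET -d $PROXY_IP -j RETURN
# Transparent interception: LAN HTTP is handed to Squid's intercept port.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Clients that use the proxy box as their DNS server (as in the question's tcpdump)
# get their queries forwarded to an upstream resolver instead of "port unreachable".
-A PREROUTING -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j DNAT --to-destination $DNS_UPSTREAM
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j DNAT --to-destination $DNS_UPSTREAM
# Source NAT for everything forwarded out to the Internet (private IPs are not routed).
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Forwarding is default-deny: only the LAN may go out, and only replies may come back.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The intercept port must only be reachable from the LAN side, never from eth1.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -p tcp --dport $SQUID_PORT -j DROP
COMMIT
EOF
}

# Returns 0 when the kernel will actually route between eth0 and eth1; REDIRECT alone
# does nothing for the traffic that is not intercepted (HTTPS, DNS, everything else).
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Checks an iptables-save dump (passed as $1) for the two rules the setup depends on.
# After loading:   check_rules "$(iptables-save)" && echo "rules present"
# The patterns tolerate the "-m tcp" that iptables-save inserts before --dport.
check_rules() {
  printf '%s\n' "$1" | grep -q -- "^-A PREROUTING .*-p tcp .*--dport 80 -j REDIRECT --to-ports $SQUID_PORT" &&
  printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Stand-alone use: print the rule set and warn when forwarding is still off.
if [ "${1:-}" = "--print" ]; then
  squid_rules
  forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
fi
```

Only TCP port 80 is intercepted; HTTPS and every other protocol simply follow the MASQUERADE path, so a client that "cannot access the Internet" with these rules loaded is almost always a routing or DNS problem rather than a Squid one. The RETURN rule for the proxy's own address matters on a box that also serves SSH or Squid's explicit port: without it, a client talking to port 80 on the proxy itself would be looped into the intercept port.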