Iptable rules for squid on centos 7

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I have two interfaces in my proxy server eth0 and eth1. where eth0 connects to local (private) network wile eth1 connects to internet.My squid version is 3.3.8 and centos 7 is my OS. I have to configure transparent proxy. I know that for it there should be a single change like



http_port 8080 intercept


I have done this but still I could not access internet and there is no infomation in squid access.log file. But When I enable proxy on client, there squid log start to populate.



I think I am missing some iptable rules. What should be those rules so that my client can access internet via proxy (transparent mode).



I have applied two rules



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


After apply given two rules, I got following in tcpdum



15:56:53.858317 ARP, Request who-has localhost.localdomain tell 192.168.57.100, length 46
15:56:53.858330 ARP, Reply localhost.localdomain is-at 0a:00:27:00:00:01 (oui Unknown), length 28
15:56:53.859825 IP 192.168.57.100.55833 > localhost.localdomain.domain: 17156+ A? www.google.com. (32)
15:56:53.859866 IP localhost.localdomain > 192.168.57.100: ICMP localhost.localdomain udp port domain unreachable, length 68
15:56:53.860006 IP 192.168.57.100.55833 > localhost.localdomain.domain: 56135+ AAAA? www.google.com. (32)









share|improve this question























  • Who is the router of your network? the squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
    – Rui F Ribeiro
    Apr 26 '16 at 12:46











  • Our proxy server is under the umbrella of another proxy/router server.
    – Shafiq
    Apr 27 '16 at 6:14














up vote
0
down vote

favorite












I have two interfaces in my proxy server eth0 and eth1. where eth0 connects to local (private) network wile eth1 connects to internet.My squid version is 3.3.8 and centos 7 is my OS. I have to configure transparent proxy. I know that for it there should be a single change like



http_port 8080 intercept


I have done this but still I could not access internet and there is no infomation in squid access.log file. But When I enable proxy on client, there squid log start to populate.



I think I am missing some iptable rules. What should be those rules so that my client can access internet via proxy (transparent mode).



I have applied two rules



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


After apply given two rules, I got following in tcpdum



15:56:53.858317 ARP, Request who-has localhost.localdomain tell 192.168.57.100, length 46
15:56:53.858330 ARP, Reply localhost.localdomain is-at 0a:00:27:00:00:01 (oui Unknown), length 28
15:56:53.859825 IP 192.168.57.100.55833 > localhost.localdomain.domain: 17156+ A? www.google.com. (32)
15:56:53.859866 IP localhost.localdomain > 192.168.57.100: ICMP localhost.localdomain udp port domain unreachable, length 68
15:56:53.860006 IP 192.168.57.100.55833 > localhost.localdomain.domain: 56135+ AAAA? www.google.com. (32)









share|improve this question























  • Who is the router of your network? the squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
    – Rui F Ribeiro
    Apr 26 '16 at 12:46











  • Our proxy server is under the umbrella of another proxy/router server.
    – Shafiq
    Apr 27 '16 at 6:14












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have two interfaces in my proxy server eth0 and eth1. where eth0 connects to local (private) network wile eth1 connects to internet.My squid version is 3.3.8 and centos 7 is my OS. I have to configure transparent proxy. I know that for it there should be a single change like



http_port 8080 intercept


I have done this but still I could not access internet and there is no infomation in squid access.log file. But When I enable proxy on client, there squid log start to populate.



I think I am missing some iptable rules. What should be those rules so that my client can access internet via proxy (transparent mode).



I have applied two rules



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


After apply given two rules, I got following in tcpdum



15:56:53.858317 ARP, Request who-has localhost.localdomain tell 192.168.57.100, length 46
15:56:53.858330 ARP, Reply localhost.localdomain is-at 0a:00:27:00:00:01 (oui Unknown), length 28
15:56:53.859825 IP 192.168.57.100.55833 > localhost.localdomain.domain: 17156+ A? www.google.com. (32)
15:56:53.859866 IP localhost.localdomain > 192.168.57.100: ICMP localhost.localdomain udp port domain unreachable, length 68
15:56:53.860006 IP 192.168.57.100.55833 > localhost.localdomain.domain: 56135+ AAAA? www.google.com. (32)









share|improve this question















I have two interfaces in my proxy server eth0 and eth1. where eth0 connects to local (private) network wile eth1 connects to internet.My squid version is 3.3.8 and centos 7 is my OS. I have to configure transparent proxy. I know that for it there should be a single change like



http_port 8080 intercept


I have done this but still I could not access internet and there is no infomation in squid access.log file. But When I enable proxy on client, there squid log start to populate.



I think I am missing some iptable rules. What should be those rules so that my client can access internet via proxy (transparent mode).



I have applied two rules



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


After apply given two rules, I got following in tcpdum



15:56:53.858317 ARP, Request who-has localhost.localdomain tell 192.168.57.100, length 46
15:56:53.858330 ARP, Reply localhost.localdomain is-at 0a:00:27:00:00:01 (oui Unknown), length 28
15:56:53.859825 IP 192.168.57.100.55833 > localhost.localdomain.domain: 17156+ A? www.google.com. (32)
15:56:53.859866 IP localhost.localdomain > 192.168.57.100: ICMP localhost.localdomain udp port domain unreachable, length 68
15:56:53.860006 IP 192.168.57.100.55833 > localhost.localdomain.domain: 56135+ AAAA? www.google.com. (32)






centos iptables squid






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 27 '16 at 10:59

























asked Apr 26 '16 at 12:39









Shafiq

163211




163211











  • Who is the router of your network? the squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
    – Rui F Ribeiro
    Apr 26 '16 at 12:46











  • Our proxy server is under the umbrella of another proxy/router server.
    – Shafiq
    Apr 27 '16 at 6:14
















  • Who is the router of your network? the squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
    – Rui F Ribeiro
    Apr 26 '16 at 12:46











  • Our proxy server is under the umbrella of another proxy/router server.
    – Shafiq
    Apr 27 '16 at 6:14















Who is the router of your network? the squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
– Rui F Ribeiro
Apr 26 '16 at 12:46





Who is the router of your network? the squid box? A modem? A Linux server? A Cisco? A firewall? What brand?
– Rui F Ribeiro
Apr 26 '16 at 12:46













Our proxy server is under the umbrella of another proxy/router server.
– Shafiq
Apr 27 '16 at 6:14




Our proxy server is under the umbrella of another proxy/router server.
– Shafiq
Apr 27 '16 at 6:14










1 Answer
1






active

oldest

votes

















up vote
0
down vote













try this iptables rules:



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


masquerade = allow private ip to access internet



--dport 80 -j redirect --to-port 8080 = any request from private ip that access web will be redirected to our proxy server at port 8080.






share|improve this answer




















  • If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
    – Rui F Ribeiro
    Apr 26 '16 at 13:14











  • well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
    – Toro tero
    Apr 26 '16 at 13:15










  • Internet does not route private IP addresses.
    – Rui F Ribeiro
    Apr 26 '16 at 13:16










  • I have updated my question after applying two iptable rule
    – Shafiq
    Apr 27 '16 at 10:59










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f279171%2fiptable-rules-for-squid-on-centos-7%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













try this iptables rules:



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


masquerade = allow private ip to access internet



--dport 80 -j redirect --to-port 8080 = any request from private ip that access web will be redirected to our proxy server at port 8080.






share|improve this answer




















  • If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
    – Rui F Ribeiro
    Apr 26 '16 at 13:14











  • well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
    – Toro tero
    Apr 26 '16 at 13:15










  • Internet does not route private IP addresses.
    – Rui F Ribeiro
    Apr 26 '16 at 13:16










  • I have updated my question after applying two iptable rule
    – Shafiq
    Apr 27 '16 at 10:59














up vote
0
down vote













try this iptables rules:



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


masquerade = allow private ip to access internet



--dport 80 -j redirect --to-port 8080 = any request from private ip that access web will be redirected to our proxy server at port 8080.






share|improve this answer




















  • If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
    – Rui F Ribeiro
    Apr 26 '16 at 13:14











  • well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
    – Toro tero
    Apr 26 '16 at 13:15










  • Internet does not route private IP addresses.
    – Rui F Ribeiro
    Apr 26 '16 at 13:16










  • I have updated my question after applying two iptable rule
    – Shafiq
    Apr 27 '16 at 10:59












up vote
0
down vote










up vote
0
down vote









try this iptables rules:



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


masquerade = allow private ip to access internet



--dport 80 -j redirect --to-port 8080 = any request from private ip that access web will be redirected to our proxy server at port 8080.






share|improve this answer












try this iptables rules:



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


masquerade = allow private ip to access internet



--dport 80 -j redirect --to-port 8080 = any request from private ip that access web will be redirected to our proxy server at port 8080.







share|improve this answer












share|improve this answer



share|improve this answer










answered Apr 26 '16 at 13:03









Toro tero

112




112











  • If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
    – Rui F Ribeiro
    Apr 26 '16 at 13:14











  • well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
    – Toro tero
    Apr 26 '16 at 13:15










  • Internet does not route private IP addresses.
    – Rui F Ribeiro
    Apr 26 '16 at 13:16










  • I have updated my question after applying two iptable rule
    – Shafiq
    Apr 27 '16 at 10:59
















  • If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
    – Rui F Ribeiro
    Apr 26 '16 at 13:14











  • well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
    – Toro tero
    Apr 26 '16 at 13:15










  • Internet does not route private IP addresses.
    – Rui F Ribeiro
    Apr 26 '16 at 13:16










  • I have updated my question after applying two iptable rule
    – Shafiq
    Apr 27 '16 at 10:59















If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
– Rui F Ribeiro
Apr 26 '16 at 13:14





If the squid box is the Internet router, the PREROUTING will feed the requests to squid. The OP is not explicit about that. The MASQUERADE is for routing the other traffic; for that it is also necessary to allow ip forwarding.
– Rui F Ribeiro
Apr 26 '16 at 13:14













well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
– Toro tero
Apr 26 '16 at 13:15




well just make sure the client pc's gateway destinated to ip address of the proxy server (as long as he already set the proxy server's default route to the gateway of internet and can access the internet). i think it will work also even without ip public. Because that iptables rules masquerade ( change src nat ).
– Toro tero
Apr 26 '16 at 13:15












Internet does not route private IP addresses.
– Rui F Ribeiro
Apr 26 '16 at 13:16




Internet does not route private IP addresses.
– Rui F Ribeiro
Apr 26 '16 at 13:16












I have updated my question after applying two iptable rule
– Shafiq
Apr 27 '16 at 10:59




I have updated my question after applying two iptable rule
– Shafiq
Apr 27 '16 at 10:59

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f279171%2fiptable-rules-for-squid-on-centos-7%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?