[squid-users] Squid as gateway

Eliezer Croitoru eliezer at ngtech.co.il
Fri Jul 21 16:04:03 UTC 2017


Hey,

Let's split the scenario into two different issues.
- interception
- routing

Since the squidbox is a router, you first need to enable it to be a router and also to do NAT for DNS and other services to work.
This means that the MASQUERADE rule is fine, but you should limit it to the specific outgoing interface of the WAN side, i.e. ens192.

And you should define the right iptables rules of the intercept ie:
This is wrong:
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.20         0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3129


Please post the complete "iptables-save" output,
so I would be able to see what I'm suspecting.
Technically, what you should have in the nat table is the following rule:
iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 80 -j REDIRECT --to-port 3129

Then you can try to see, using "watch -d iptables -t nat -L -nv", if the rules are being "hit" by the counter.
If the rule doesn't catch the traffic it should be accounted at the POLICY ACCEPT rule.

Let me know if it helps,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of erdosain9
Sent: Friday, July 21, 2017 17:19
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid as gateway

Hi, and thanks

The ROUTERWIFI is a TpLink TL-WR940N.... I don't see any NAT option in this router :-(

This is the router table of the SquidBox

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.158.1      0.0.0.0         UG    0      0        0 ens192
10.1.158.0      0.0.0.0         255.255.255.0   U     0      0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 ens192
192.168.0.0     192.168.1.40    255.255.255.0   UG    0      0        0 ens160
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160
192.168.6.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160

If I enable ipv4 forwarding in SquidBox, the clients of the ROUTERWIFI can
access the internet, so I think the router table is OK.... the clients can go
to the internet, but just because ipv4 forwarding is enabled (the squid service is
not getting anything, I don't see anything in the access.log...). If I disable
ipv4 forwarding, the clients don't go anywhere.

This is iptables

[root at squid ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 383 packets, 42336 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.20         0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3129

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683200.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
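
The checks discussed in this thread (MASQUERADE limited to the outgoing interface, the port-80 intercept rule bound to an input interface, and rule counters that never move) can be run against "iptables-save -c" output. This is an added example, not code from the thread or from the Squid project; the function names, the finding labels and the sample ruleset (constructed from the listing posted above) are assumptions.

```sh
#!/bin/sh
# Added example: audit the nat table of `iptables-save -c` output read on stdin.
audit_nat() {
    awk '
    /^\*/ { table = substr($0, 2); next }        # table header: *nat, *filter
    table != "nat" { next }
    {
        hits = -1                                # -1 means no counters present
        if (match($0, /^\[[0-9]+:[0-9]+\] /)) {  # "[pkts:bytes] " prefix from -c
            hits = substr($0, 2, index($0, ":") - 2) + 0
            $0 = substr($0, RLENGTH + 1)         # strip prefix, fields re-split
        }
        if ($1 != "-A") next                     # skip chain policies, COMMIT
        chain = $2; target = in_if = out_if = dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        nat80 = (chain == "PREROUTING" && dport == "80" &&
                 (target == "DNAT" || target == "REDIRECT"))
        if (chain == "POSTROUTING" && target == "MASQUERADE" && out_if == "")
            print "MASQUERADE_ANY_IF\t" $0       # not limited with -o <wan>
        if (nat80 && in_if == "")
            print "INTERCEPT_ANY_IF\t" $0        # not limited with -i <iface>
        if (nat80 && hits == 0)
            print "INTERCEPT_NO_HITS\t" $0       # counter never incremented
    }'
}

# Constructed sample: the nat listing posted in the thread, re-expressed in
# iptables-save -c syntax (not captured from the real host).
posted_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [383:42336]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -s 192.168.1.20/32 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:3129
[0:0] -A POSTROUTING -j MASQUERADE
COMMIT
EOF
}

posted_ruleset | audit_nat
```

On a live host the same function can be fed directly with "iptables-save -c | audit_nat"; a ruleset that binds both rules to interfaces and shows non-zero counters produces no output.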


