How to set up iptables for a Squid proxy with just one HW NIC

homeFault asked:

I got a server with a static IP address for rent, and now I want to set up a transparent proxy on this server.

After I configured Squid for testing purposes with the listener “http_access allow all”, I wanted to set the iptables.
I figured out that I only have one Ethernet connection with my static IP address mounted, but I didn't find any documentation which showed me how to configure this. (I found a lot about how to configure Squid with two physically separate NICs, but not with one.)

output:

root@1:~# ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3536 (3.5 KB)  TX bytes:3536 (3.5 KB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: ::2/128 Scope:Compat
          inet6 addr: 2a01:[....]external-ipv6[...]/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:551353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:455717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:351211942 (351.2 MB)  TX bytes:267054641 (267.0 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:[...]external-ipv4[...]  P-t-P:[...]external-ipv4[...]  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

I have read a lot about iptables, and some about ebtables, and now I'm stuck. I don't know what my next step should be.

My iptables are completely empty at the moment.

Do I need ebtables for a correctly working transparent proxy? Are the correct iptables enough to get this done without ebtables? If so, I would very much appreciate it if you could give me a string to set them.

#

Sources:
wiki[.]ubuntuusers[.]de/Squid
http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

#

Especially this quote should explain to me how to do this, but I don't get it…

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

with

iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128
iptables -t nat -A PREROUTING -i venet0:0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This should work, but it doesn't…

My answer:

You can’t use a transparent proxy in this scenario.

A transparent proxy must be in the network route of the traffic so that it can intercept and rewrite all of the traffic to redirect it to squid, and since your server is outside your network path, you have no way to do this.

If you want to use this server as a proxy, it will have to be a normal forward proxy.
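The forward-proxy setup the answer points to, as an added example that is not part of the original question or answer and is not taken from the Squid or cyberciti documentation: a POSIX shell script that renders a Squid configuration restricted to one trusted client network, renders the matching iptables rules for a single-interface host, and checks that the Squid access rules are in a safe order. The trusted network 203.0.113.0/24, the interface name venet0 (taken from the ifconfig output above) and port 3128 are assumptions; the iptables rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the Server Fault post. Assumptions: the
# trusted client network is passed as $1 (e.g. 203.0.113.0/24), the real
# interface is venet0, and Squid listens on 3128.

# Emit a minimal squid.conf that serves only the trusted client network.
# Squid evaluates http_access lines top to bottom, so the final "deny all"
# is what keeps a host with a public IP from becoming an open proxy.
render_squid_conf() {
    trusted_net="$1"
    cat <<EOF
http_port 3128
acl trusted src ${trusted_net}
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow trusted
http_access deny all
EOF
}

# Emit the iptables rules as text for review. Only one interface exists, so
# every rule matches on it; use the real interface name, because "iptables -i"
# takes an interface, not an alias label such as venet0:0. SSH stays open so
# the rented server is not locked out when the INPUT policy becomes DROP.
render_iptables_rules() {
    trusted_net="$1"
    iface="${2:-venet0}"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${iface} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${iface} -p tcp -s ${trusted_net} --dport 3128 -j ACCEPT
iptables -A INPUT -i ${iface} -p tcp --dport 3128 -j DROP
iptables -P INPUT DROP
EOF
}

# Sanity check on a rendered squid.conf: the trusted allow rule must appear
# before the catch-all deny, otherwise every client is refused; and the deny
# must exist at all, otherwise every client is accepted. Returns 0 when the
# order is right, 1 otherwise.
check_squid_conf() {
    conf="$1"
    allow_line=$(printf '%s\n' "$conf" | grep -n '^http_access allow trusted' | cut -d: -f1)
    deny_line=$(printf '%s\n' "$conf" | grep -n '^http_access deny all' | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# Usage (after reviewing the output):
#   render_squid_conf 203.0.113.0/24 > /etc/squid/squid.conf
#   render_iptables_rules 203.0.113.0/24 venet0 | sh
```

The iptables rules only narrow who can reach port 3128; the Squid ACL is the real access control, which is why the script checks the order of the http_access lines rather than trusting the firewall alone. If the clients have no fixed source address, replace the src ACL with proxy authentication instead of widening the trusted network.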


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.