
iptables help with squid proxy server

Discussion in 'Tomato Firmware' started by remlei, Jun 30, 2014.

  1. remlei

    remlei Networkin' Nut Member

    I have N16 running with shibby tomato with entware and squid. (it also serve as a router for internet access)

    I want to redirect all port 80 traffic to squid which running inside tomato router (not as a separate box)

    I tried searching Google, and every iptables rule I stumbled upon for squid doesn't work.

    I'm really weak with iptables, so could someone please help me.
     
  2. rs232

    rs232 Network Guru Member

    Adjust the IPs and squid port and put the following 3 lines under Administration,Scripts/Firewall
    Code:
    iptables -t nat -A PREROUTING -i br0 -s 192.168.1.96/27 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.1.96/27 -p tcp -d 192.168.1.3 -j SNAT --to 192.168.1.1
    iptables -t filter -I FORWARD -d 192.168.1.3 -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT
    Then reboot your router

    In my example above only clients within 192.168.1.96/27 are going to have calls to port 80 redirected to a proxy operating on the LAN address 192.168.1.3:3128

    HTH
     
  3. remlei

    remlei Networkin' Nut Member

    thanks for the reply. Tried your inputs and it works only on a certain IP range. Is it possible for it to be done on the entire subnet (192.168.0.2-254) to redirect all http traffic to squid?
     
  4. rs232

    rs232 Network Guru Member

    In my example above change all the :

    192.168.1.96/27

    into

    192.168.0.0/24

    HTH
     
  5. remlei

    remlei Networkin' Nut Member

    I'm getting a connection timeout after I changed it, and I can't even access the tomato router admin page after that. I have to reset the router to default settings to get out of it.
     
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    It could be because setting it to 192.168.0.0/24 affects all 192.168.0.x addresses. That includes the router and the squid server (assuming it lives on 192.168.0.x). You would need to exclude the squid and/or router to avoid having the iptables rule apply to traffic coming from/going to the router and/or squid server.

    You could insert a specific rule above the proxy server rules to allow traffic to/from squid and/or router, which would preserve the simple (single subnet-wide) rule while excluding this specific traffic (router and/or squid) from it. Since the -A appends the rule to the end of the table, you would append a rule before each that simply jumps to the required action for traffic to/from squid and/or router. I'm a little fuzzy on what that action should be though, I rarely play around in PREROUTING and POSTROUTING.

    Also, when experimenting with iptables rules, it's best to ssh or telnet into the router and try them out from a command prompt. Since everything you implement at the command prompt only affects the currently-running configuration of the router, a reboot will reset all the changes you've made. If you plug the lines you're experimenting with into the scripts (firewall, etc.) section of the administration website, rebooting the router just re-implements your changes which puts you into the boat of having to perform a factory reset to undo the changes.
     
    Last edited: Jul 2, 2014
  7. remlei

    remlei Networkin' Nut Member

    thanks for the reply. I found the right iptables rule for my needs here in http://www.tipidpc.com/viewtopic.php?tid=268324

    to reroute all http traffic to squid
    Code:
    iptables -t nat -A PREROUTING -i br0 -s ! <SQUID_IP_HERE> -p tcp --dport 80 -j DNAT --to-destination <SQUID_IP_HERE>:<SQUID_PORT_HERE>
    and I need to exclude my router IP from being rerouted to squid (or else if it crashes, I won't be able to access the tomato web admin page)

    Code:
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d <ROUTER_IP_HERE> -j RETURN
    to exclude certain sites from being cached by squid you can do this

    Code:
    iptables -t nat -I PREROUTING -i br0 -p tcp -d google.com -j ACCEPT
     
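    The rule sets in this thread (rs232's DNAT/SNAT/FORWARD trio in post 2, Monk E. Boy's point in post 6 that the router and the squid host must be excluded, and remlei's RETURN exclusion in post 7) can be generated from one script so the ordering is always right. The following is an added example, not code from the thread: `build_proxy_rules` prints the rules instead of applying them, puts the exclusions at the head of PREROUTING with `-I` so they always win over the appended redirect, and handles both the case from the opening post (squid on the router itself, where `REDIRECT --to-ports` is enough and no SNAT is needed) and rs232's case of squid on a separate LAN host. The interface name, subnet, addresses and port are constructed placeholders; the optional sixth argument is a list of client IPs to leave unproxied entirely. Squid must be listening in intercept mode (`http_port 3128 intercept` on squid 3.1 and later) for the redirected connections to be accepted.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables rules for a
# transparent HTTP -> squid redirect with the exclusions the thread ends up
# needing. Nothing is applied here; pipe the output through "sh" on the
# router (or paste it into Scripts/Firewall once it is verified from a shell,
# as Monk E. Boy suggests). All addresses are constructed placeholders.
#
# Usage: build_proxy_rules LAN_IF LAN_NET ROUTER_IP SQUID_IP SQUID_PORT [BYPASS_IPS]
#   build_proxy_rules br0 192.168.0.0/24 192.168.0.1 192.168.0.1 3128
#   build_proxy_rules br0 192.168.0.0/24 192.168.0.1 192.168.0.3 3128 "192.168.0.50"

build_proxy_rules() {
    lan_if=$1; lan_net=$2; router_ip=$3; squid_ip=$4; squid_port=$5; bypass=$6

    # 1. Exclusions first. "-I" inserts at the head of PREROUTING, so they are
    #    evaluated before the redirect no matter what else gets appended later.
    #    Never redirect connections to the router's own web UI (post 5 lockout) ...
    echo "iptables -t nat -I PREROUTING -i $lan_if -p tcp --dport 80 -d $router_ip -j RETURN"
    # ... and never redirect plain LAN-to-LAN HTTP (printers, NAS, squid itself).
    echo "iptables -t nat -I PREROUTING -i $lan_if -p tcp --dport 80 -d $lan_net -j RETURN"
    # Clients that must never be proxied (e.g. consoles that tunnel over port 80).
    for client in $bypass; do
        echo "iptables -t nat -I PREROUTING -i $lan_if -p tcp --dport 80 -s $client -j RETURN"
    done

    if [ "$squid_ip" = "$router_ip" ]; then
        # 2a. squid runs on the router itself (the opening post's setup).
        #     REDIRECT hands the packet to the local port; it is delivered
        #     locally, not forwarded back out of br0, so no SNAT is required.
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port"
    else
        # 2b. squid is a separate LAN host (rs232's setup). Skip squid's own
        #     outbound fetches, otherwise they would be DNATed back to squid.
        #     Only one -s match is allowed per rule, so "-i" does the LAN scoping.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $squid_ip -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$squid_port"
        # Hairpin: the reply must return via the router, so the client is
        # SNATed behind the router's LAN address (post 2's second rule).
        echo "iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $squid_ip -p tcp --dport $squid_port -j SNAT --to-source $router_ip"
        # Allow the redirected LAN -> LAN hop through the FORWARD chain.
        echo "iptables -t filter -I FORWARD -i $lan_if -o $lan_if -d $squid_ip -p tcp --dport $squid_port -j ACCEPT"
    fi
}

# Run stand-alone with the five (or six) arguments to print a rule set.
if [ $# -ge 5 ]; then
    build_proxy_rules "$@"
fi
```

Because the redirect is appended with `-A` while every exclusion is inserted with `-I`, the relative order is the same whether the script runs once at boot or is re-run from a shell; only the `-d ROUTER_IP -j RETURN` line stands between a subnet-wide redirect and the lockout described in post 5, so check it is present with `iptables -t nat -L PREROUTING -n --line-numbers` before saving anything to the firewall script.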
  8. koitsu

    koitsu Network Guru Member

    Please remember that using FQDNs/hostnames in iptables commands only causes them to be resolved once, at the time the command is run. If google.com, for example, returns multiple A records, you're only going to get one of the results (and it'll be random, because multiple records in DNS are round-robin); or if they change DNS later your rules will suddenly stop working for no reason.

    And in Google's case, they do use multiple A records:

    Code:
    ;; QUESTION SECTION:
    ;google.com.                    IN      A
    
    ;; ANSWER SECTION:
    google.com.             300     IN      A       74.125.239.101
    google.com.             300     IN      A       74.125.239.100
    google.com.             300     IN      A       74.125.239.105
    google.com.             300     IN      A       74.125.239.99
    google.com.             300     IN      A       74.125.239.104
    google.com.             300     IN      A       74.125.239.97
    google.com.             300     IN      A       74.125.239.102
    google.com.             300     IN      A       74.125.239.96
    google.com.             300     IN      A       74.125.239.103
    google.com.             300     IN      A       74.125.239.110
    google.com.             300     IN      A       74.125.239.98
    
    Facebook, Netflix, etc. also use similar methodologies. Many CDNs do as well. It's very common on the Internet for this to be implemented. TL;DR -- it's invalid to think that a domain name or hostname always maps to a single/static IP address at all times.

    So when adding rules of that nature, please avoid using FQDNs/hostnames and instead use something else (like squid itself -- it can actually parse HTTP headers submitted by the client and work off of ASCII strings, e.g. the HTTP Host: header, and not have to worry about DNS). iptables + DNS = avoid. :)
     
  9. jerrm

    jerrm Network Guru Member

    Actually, iptables will expand the result and add a line for each A record, which I guess makes the results valid for the ttl (only five minutes for google) if everything on the network is set for the same DNS server and in perfect sync when they make their DNS queries (which will NEVER happen).

    Not to mention that google.com is not the same address as www.google.com or mail.google.com, etc. Many other domains are similar.

    As @koitsu says, using Squid itself is the proper answer. Read up on Squid ACLs.
     
  10. koitsu

    koitsu Network Guru Member

    Wow, you're right (just tested it). Didn't expect that behaviour :) Learned something new!
     
  11. remlei

    remlei Networkin' Nut Member

    well I do know about squid's ACLs, but I prefer bypassing squid through iptables, since some of the online games I play go through port 80 and are forced to do CONNECT messages instead of POST. So even with an ACL set to bypass those IPs/MACs that I listed, it still had trouble passing through.
     
  12. Wolfgan

    Wolfgan Reformed Router Member

    Interesting remlei, I was trying to implement something similar for my PS3 connections (I was exploring srelay as I read it needs fewer resources). Did you follow any particular tutorial on how to install/configure entware+squid on tomato?
    Thx, Wolf
     