Michael, 2017-04-11 09:40:31
linux

How to separate the gateway and transparent Squid proxy into separate servers?

There are two servers. One gateway on Ubuntu with ip 192.168.0.1; a firewall is configured on it, NAT is implemented, and it is the default gateway, DNS server and DHCP server for all computers on the local network. The second server is on Debian (ip 192.168.0.2); it has only squid installed and is configured for transparent filtering. On the gateway I do

iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.0.2 ! -d 192.168.0.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.0.2:3128

But this is not enough: the pages do not open, some other manipulations need to be carried out, but I don't understand which ones. Squid itself is configured correctly: when I specify it as the default gateway for a computer on the local network, all traffic through it is transparently proxied, but the trick is that the server with squid should not be the default gateway.

1 answer(s)

chupasaurus, 2017-04-11

You are missing the rules:

# 1. the proxy's own web traffic must not be redirected back to it (PREROUTING matches on -i, and multiport needs -p tcp); this rule has to sit before the DNAT rule
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.2 -p tcp -m multiport --dports 80,8080 -j ACCEPT
# 2. hairpin: redirected client connections leave towards the proxy with the gateway as source, so the proxy answers through the gateway and conntrack maps the reply back to the client
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
# 3. outbound NAT for the LAN, appended at the end of the chain
iptables -t nat -A POSTROUTING -j MASQUERADE
# 4. optional: squid listens on 3128
iptables -t mangle -A PREROUTING -p tcp -d 192.168.0.2 --dport 3128 -j DROP

The first one allows traffic from the proxy to the world, the second one turns responses from the proxy around to the clients through the gateway itself, the third one, if it is not there already, goes at the end of the chain, and the fourth one is optional and blocks traffic to the proxy port from everywhere except the gateway.
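As an added illustration (not the answerer's rules and not configuration taken from the thread), here is the whole ruleset for the gateway plus the matching input filter for the proxy host, written as a small POSIX shell script that prints the rules by default and only applies them when told to. eth0, the addresses and the ports 80, 8080 and 3128 come from the thread; the WAN interface name eth1 and the INPUT-chain filter on the proxy are assumptions. The script also checks the one ordering constraint that matters: the exemption for the proxy's own traffic must come before the DNAT rule, otherwise the proxy's outbound requests are redirected back to itself.

```shell
#!/bin/sh
# Added example for the split gateway/transparent-proxy setup discussed above.
# eth0/addresses/ports are from the thread; WAN_IF=eth1 is an assumption.
set -eu

LAN_IF="${LAN_IF:-eth0}"            # gateway's LAN-facing interface (from the thread)
WAN_IF="${WAN_IF:-eth1}"            # gateway's Internet-facing interface (assumed name)
GW_IP="${GW_IP:-192.168.0.1}"
PROXY_IP="${PROXY_IP:-192.168.0.2}"
PROXY_PORT="${PROXY_PORT:-3128}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEB_PORTS="${WEB_PORTS:-80,8080}"

# Emit the gateway's nat rules, one per line, in the order they must be applied.
gateway_rules() {
  # 1. The proxy's own outbound web traffic is left alone; ACCEPT in the nat
  #    table ends nat processing for that packet, so it is never DNATed.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $PROXY_IP -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT"
  # 2. Everyone else's web traffic that is not LAN-bound goes to squid.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF ! -d $LAN_NET -p tcp -m multiport --dports $WEB_PORTS -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
  # 3. Hairpin: the redirected packet leaves on the same LAN interface it came
  #    in on, so rewrite its source to the gateway. The proxy then replies to
  #    the gateway instead of straight to the client, and conntrack undoes
  #    both the DNAT and the SNAT on the way back. Without this the client
  #    receives a SYN/ACK from 192.168.0.2 for a connection it opened to a
  #    public address and resets it.
  echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $GW_IP"
  # 4. Ordinary outbound NAT, limited to the WAN interface.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Filter for the proxy host itself (assumed placement): the intercept port is
# reachable only via the gateway, which is where the DNATed traffic arrives from.
proxy_rules() {
  echo "iptables -A INPUT -p tcp --dport $PROXY_PORT -s $GW_IP -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $PROXY_PORT -j DROP"
}

# Exit 0 only if the proxy exemption (ACCEPT) precedes the DNAT rule.
check_order() {
  gateway_rules | awk '/-j ACCEPT/{a=NR} /-j DNAT/{d=NR} END{exit !(a && d && a<d)}'
}

case "${1:-print}" in
  print)          gateway_rules; proxy_rules ;;
  apply-gateway)  check_order && gateway_rules | sh -e ;;
  apply-proxy)    proxy_rules | sh -e ;;
esac
```

Run it without arguments to review the generated rules; `apply-gateway` and `apply-proxy` pipe them into `sh -e` on the respective host (as root). Rule 2 is the same DNAT the question already has, with `-s 192.168.0.2` handled by rule 1 instead of a negated match; rule 3 is restricted to the squid port so it only touches redirected connections.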
