It is a virtual machine with slackware
eth0 bridge receive internet from main switch (connected to the internet link) on network 10.0.0.0/24 where the gateway is 10.0.0.254 and the ip it receives is 10.0.0.19
eth1 is the internal network using 192.168.1.0/24 and the ip of eth1 is 192.168.1.254
Output of route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.0.0.254 0.0.0.0 UG 202 0 0 eth0
I have installed named(bind) and set a forward to 10.0.0.254 and made my server nameserver as 192.168.1.254 which seems to be working just fine no problems here.
I have installed squid 2.7 and 3.1 with --enable-linux-netfilter
and the follow rules on the iptables (only posted the rules that were related but since it was working for browsing i dont belive the problem might be here):
# deny all traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Use stateful inspection feature to only allow incoming connections
# related to connections I have already established myself
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow all traffic on lo interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# allow squid access
$IPT -A INPUT -i eth1 -p tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
# redirect requests to squid
# both rules worked just fine
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.254:3128
$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
# share internet access
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is the test configuration i am using for SQUID (very default rule just for testing the transparent proxy):
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
always_direct allow all
With all the above, i can navigate just fine but transparent proxy was never there, i test by acessing this page http://stuff.dan.cx/php/testproxy.php, if i go to it direct from the server without using the proxy all goes well, if i go using the proxy it detects the proxy right away.
While i don't think the below is the best pratice i could hide the proxy on version 2.7 using the below config:
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
Questions:
- Why the transparent proxy won't work on 3.1.8 ?
- What else could I verify to find the problem ?
I've been searching on the internet and here on the forums but found nothing that helped me out at all.
I've tried the squid page but didn't got any answer so far aswell.
I just found what rules to add on the 3.1.8 in order to make the proxy undetectable which to me it seems more like a work around solution then the real method to transparent proxy.
The rules I had to use to do so was:
I will mark this as the answer only because no one else had any ideas to help me out but I am still looking forward on how to solve this question and would appreciate inputs that may be helpfull to the question in case, also if another answer solves my problem I will be taking it as the answer.