* routing VPN users through transparent Squid using iptables
@ 2010-08-22 10:39 Jack Andrews
  2010-08-22 16:11 ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: Jack Andrews @ 2010-08-22 10:39 UTC (permalink / raw)
  To: netfilter

Hello all!

I'm hoping someone can help me out - I've been tearing my hair out over 
this!

I have pptpd and squid set up.  I want to give these users access to the 
internet, but would like to send http traffic through a squid proxy.

Hopefully this rough diagram will give you an idea of what I'm trying to 
achieve:

[CODE]

VPN users connect to pptpd (via eth0)
     \ | /
       |
       |
      / \
  http   everything else
    |     |
    |     |
    |     |
squid    |
    |     |
     \   /
      \ /
       |
      NAT
       |
   internet (via eth0)
[/CODE]

If I set up the following iptables rule, users can connect to the internet:
[CODE]iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE[/CODE]

I can also connect to squid, and it works as expected.

Now, I was hoping another simple rule would redirect all http traffic 
through squid:
[CODE]iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-port 3128[/CODE]

But this doesn't seem to work (I'm also hoping ppp+ is the correct 
formatting for a wildcard?).  Http traffic is never redirected and 
bypasses the proxy.

Can anyone suggest how to get this working?

I don't really know much about this stuff I'm afraid.  I would also love 
some recommendations for ways in which I can debug the system, e.g. 
which log files to look at, tcpdump commands etc.  I find the iptables 
documentation extremely bewildering!

Thanks!


* Re: routing VPN users through transparent Squid using iptables
  2010-08-22 10:39 routing VPN users through transparent Squid using iptables Jack Andrews
@ 2010-08-22 16:11 ` Pascal Hambourg
  2010-08-23  8:01   ` François Legal
  0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2010-08-22 16:11 UTC (permalink / raw)
  To: netfilter

Hello,

Jack Andrews wrote:
> 
> Now, I was hoping another simple rule would redirect all http traffic 
> through squid:
> [CODE]iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j 
> REDIRECT --to-port 3128[/CODE]
> 
> But this doesn't seem to work (I'm also hoping ppp+ is the correct 
> formatting for a wildcard?).  Http traffic is never redirected and 
> bypasses the proxy.

The rule looks good to me. It should do the job.
No other rules in the PREROUTING chain before?


* Re: routing VPN users through transparent Squid using iptables
  2010-08-22 16:11 ` Pascal Hambourg
@ 2010-08-23  8:01   ` François Legal
  2010-08-23  8:29     ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: François Legal @ 2010-08-23  8:01 UTC (permalink / raw)
  To: netfilter

I think the problem comes from SQUID as it has to be listening on the
interface (here ppp+) for transparent proxying to work.
If SQUID is started before the pptpd connection comes up, then this is
not the case.

François


On Sun, 22 Aug 2010 18:11:47 +0200, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
> 
> Jack Andrews wrote:
>>
>> Now, I was hoping another simple rule would redirect all http traffic
>> through squid:
>> [CODE]iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j
>> REDIRECT --to-port 3128[/CODE]
>>
>> But this doesn't seem to work (I'm also hoping ppp+ is the correct
>> formatting for a wildcard?).  Http traffic is never redirected and
>> bypasses the proxy.
> 
> The rule looks good to me. It should do the job.
> No other rules in the PREROUTING chain before?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



* Re: routing VPN users through transparent Squid using iptables
  2010-08-23  8:01   ` François Legal
@ 2010-08-23  8:29     ` Pascal Hambourg
  2010-08-23 15:28       ` François Legal
  0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2010-08-23  8:29 UTC (permalink / raw)
  To: netfilter

François Legal wrote:
> I think the problem comes from SQUID as it has to be listening on the
> interface (here ppp+) for transparent proxying to work.
> If SQUID is started before the pptpd connection comes up, then this is
> not the case.

I thought about this kind of issue. But then redirected HTTP connections
would fail.

>> Jack Andrews wrote:
>>>
>>> But this doesn't seem to work (I'm also hoping ppp+ is the correct
>>> formatting for a wildcard?).  Http traffic is never redirected and
>>> bypasses the proxy.



* Re: routing VPN users through transparent Squid using iptables
  2010-08-23  8:29     ` Pascal Hambourg
@ 2010-08-23 15:28       ` François Legal
  0 siblings, 0 replies; 5+ messages in thread
From: François Legal @ 2010-08-23 15:28 UTC (permalink / raw)
  To: netfilter

That's correct. Maybe Jack should check the counters for that chain to
see whether or not it is matched by some traffic.

On Mon, 23 Aug 2010 10:29:06 +0200, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> François Legal wrote:
>> I think the problem comes from SQUID as it has to be listening on the
>> interface (here ppp+) for transparent proxying to work.
>> If SQUID is started before the pptpd connection comes up, then this is
>> not the case.
> 
> I thought about this kind of issue. But then redirected HTTP connections
> would fail.
> 
>>> Jack Andrews wrote:
>>>>
>>>> But this doesn't seem to work (I'm also hoping ppp+ is the correct
>>>> formatting for a wildcard?).  Http traffic is never redirected and
>>>> bypasses the proxy.
> 


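The counter check François suggests, and the debugging help Jack asked for in the first message, as an added example that is not part of the thread: a small POSIX sh helper that reads the verbose listing of the nat PREROUTING chain and reports whether the REDIRECT rule exists, is never matched, or is matching traffic. The listings embedded here are constructed to look like `iptables -t nat -L PREROUTING -v -n` output on a gateway like Jack's; they were not captured from his system.

```shell
#!/bin/sh
# Constructed sample listings (not real captures) of:
#   iptables -t nat -L PREROUTING -v -n
# Field layout of a rule line: pkts bytes target prot opt in out src dst [matches...]
SAMPLE_NEVER_MATCHED='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

SAMPLE_MATCHED='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  ppp+   *       0.0.0.0/0            10.0.0.1             tcp dpt:80
   57  3420 REDIRECT   tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Print the packet counter of the first REDIRECT rule whose in-interface is $2
# and whose match list contains "dpt:$3"; print "missing" if there is none.
redirect_pkts() {
  printf '%s\n' "$1" | awk -v ifc="$2" -v port="$3" '
    $3 == "REDIRECT" && $6 == ifc {
      for (i = 10; i <= NF; i++)
        if ($i == "dpt:" port) { print $1; found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# Turn the counter into a next debugging step. A zero counter means packets
# never reach this rule (wrong interface name, an earlier rule in the chain,
# or the traffic is not passing through nat PREROUTING at all); a nonzero
# counter means the redirect fires and the fault is after it, e.g. squid not
# listening on the address the ppp interface uses.
diagnose() {
  pkts=$(redirect_pkts "$1" "$2" "$3")
  case "$pkts" in
    missing) echo "no REDIRECT rule for -i $2 --dport $3 in nat PREROUTING" ;;
    0)       echo "rule present but never matched: check the interface name and earlier PREROUTING rules" ;;
    *)       echo "rule matched $pkts packets: redirect works, look at squid and its listener" ;;
  esac
}

# On a live gateway (as root) the call would be:
#   diagnose "$(iptables -t nat -L PREROUTING -v -n)" ppp+ 80
diagnose "$SAMPLE_NEVER_MATCHED" ppp+ 80
diagnose "$SAMPLE_MATCHED" ppp+ 80
```

Watching the counter while a VPN client fetches a page (`watch -n1 iptables -t nat -L PREROUTING -v -n`) tells the two failure modes apart in seconds.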
