* routing VPN users through transparent Squid using iptables
@ 2010-08-22 10:39 Jack Andrews
2010-08-22 16:11 ` Pascal Hambourg
0 siblings, 1 reply; 5+ messages in thread
From: Jack Andrews @ 2010-08-22 10:39 UTC (permalink / raw)
To: netfilter
Hello all!
I'm hoping someone can help me out - I've been tearing my hair out over
this!
I have pptpd and squid set up. I want give these users access to the
internet, but would like to send http traffic through a squid proxy.
Hopefully this rough diagram will give you an idea of what I'm trying to
achieve:
[CODE]
          VPN users connect to pptpd (via eth0)
                        \ | /
                          |
                          |
                         / \
                    http   everything else
                     |          |
                     |          |
                     |          |
                   squid        |
                     |          |
                      \        /
                       \      /
                          |
                         NAT
                          |
                 internet (via eth0)
[/CODE]
If I set up the following iptables rule, users can connect to the internet:
[CODE]iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE[/CODE]
I can also connect to squid and it works as expected.
Now, I was hoping another simple rule would redirect all http traffic
through squid:
[CODE]iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-port 3128[/CODE]
But this doesn't seem to work (I'm also hoping ppp+ is the correct
formatting for a wildcard?). HTTP traffic is never redirected and
bypasses the proxy.
Can anyone suggest how to get this working?
I don't really know much about this stuff I'm afraid. I would also love
some recommendations for ways in which I can debug the system, e.g.
which log files to look at, tcpdump commands etc. I find the iptables
documentation extremely bewildering!
Thanks!
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: routing VPN users through transparent Squid using iptables
2010-08-22 10:39 routing VPN users through transparent Squid using iptables Jack Andrews
@ 2010-08-22 16:11 ` Pascal Hambourg
2010-08-23 8:01 ` François Legal
0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2010-08-22 16:11 UTC (permalink / raw)
To: netfilter
Hello,
Jack Andrews wrote:
>
> Now, I was hoping another simple rule would redirect all http traffic
> through squid:
> [CODE]iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-port 3128[/CODE]
>
> But this doesn't seem to work (I'm also hoping ppp+ is the correct
> formatting for a wildcard?). HTTP traffic is never redirected and
> bypasses the proxy.
The rule looks good to me. It should do the job.
No other rules in the PREROUTING chain before ?
* Re: routing VPN users through transparent Squid using iptables
2010-08-22 16:11 ` Pascal Hambourg
@ 2010-08-23 8:01 ` François Legal
2010-08-23 8:29 ` Pascal Hambourg
0 siblings, 1 reply; 5+ messages in thread
From: François Legal @ 2010-08-23 8:01 UTC (permalink / raw)
To: netfilter
I think the problem comes from SQUID as it has to be listening on the
interface (here ppp+) for transparent proxying to work.
If SQUID is started before the pptpd connection comes up, then this is
not the case.
François
On Sun, 22 Aug 2010 18:11:47 +0200, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Jack Andrews wrote:
>>
>> Now, I was hoping another simple rule would redirect all http traffic
>> through squid:
>> [CODE]iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-port 3128[/CODE]
>>
>> But this doesn't seem to work (I'm also hoping ppp+ is the correct
>> formatting for a wildcard?). HTTP traffic is never redirected and
>> bypasses the proxy.
>
> The rule looks good to me. It should do the job.
> No other rules in the PREROUTING chain before ?
* Re: routing VPN users through transparent Squid using iptables
2010-08-23 8:01 ` François Legal
@ 2010-08-23 8:29 ` Pascal Hambourg
2010-08-23 15:28 ` François Legal
0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2010-08-23 8:29 UTC (permalink / raw)
To: netfilter
François Legal wrote:
> I think the problem comes from SQUID as it has to be listening on the
> interface (here ppp+) for transparent proxying to work.
> If SQUID is started before the pptpd connection comes up, then this is
> not the case.
I thought about this kind of issue. But then redirected HTTP connections
would fail.
>> Jack Andrews wrote:
>>>
>>> But this doesn't seem to work (I'm also hoping ppp+ is the correct
>>> formatting for a wildcard?). HTTP traffic is never redirected and
>>> bypasses the proxy.
* Re: routing VPN users through transparent Squid using iptables
2010-08-23 8:29 ` Pascal Hambourg
@ 2010-08-23 15:28 ` François Legal
0 siblings, 0 replies; 5+ messages in thread
From: François Legal @ 2010-08-23 15:28 UTC (permalink / raw)
To: netfilter
That's correct. Maybe Jack should check the counters for that chain to
see whether or not it is matched by some traffic.
On Mon, 23 Aug 2010 10:29:06 +0200, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> François Legal wrote:
>> I think the problem comes from SQUID as it has to be listening on the
>> interface (here ppp+) for transparent proxying to work.
>> If SQUID is started before the pptpd connection comes up, then this is
>> not the case.
>
> I thought about this kind of issue. But then redirected HTTP connections
> would fail.
>
>>> Jack Andrews wrote:
>>>>
>>>> But this doesn't seem to work (I'm also hoping ppp+ is the correct
>>>> formatting for a wildcard?). HTTP traffic is never redirected and
>>>> bypasses the proxy.
>
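Jack asked for ways to debug this, François's last reply points at the chain counters, and Pascal asked whether other rules sit in PREROUTING before the REDIRECT. The script below is an added example written for this page, not something posted in the thread: it parses the listing produced by `iptables -t nat -L PREROUTING -v -n -x --line-numbers`, reports the REDIRECT rule's packet counter, and lists any ACCEPT or RETURN rule placed above it. The two listings embedded in it are constructed samples, not captures from Jack's machine; the only assumption is the column layout of that iptables listing (`-x` gives exact counters, which the parsing relies on).

```shell
#!/bin/sh
# Added example (not from the thread): turn "check the counters" and "any
# rules before it?" into a repeatable check on the nat/PREROUTING chain.
#
# Input is the output of:
#   iptables -t nat -L PREROUTING -v -n -x --line-numbers
# After two header lines, each rule line has the columns
#   num pkts bytes target prot opt in out source destination [match details]
# -x prints exact counters (no K/M suffixes), which the awk below assumes.

# Packet counter of the first REDIRECT rule in the listing read from stdin;
# prints -1 when the chain has no REDIRECT rule at all.
redirect_pkts() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "REDIRECT" { print $2; found = 1; exit }
         END { if (!found) print "-1" }'
}

# Rule numbers (space separated) of ACCEPT/RETURN rules that come before the
# first REDIRECT rule. In the nat table a verdict is taken on a connection's
# first packet only, and ACCEPT there means "no NAT for this connection", so
# a broad ACCEPT above the REDIRECT explains traffic that bypasses the proxy.
# (Other terminating targets such as DNAT would do the same; add them here
# if the chain carries any.)
rules_before_redirect() {
    awk '$1 !~ /^[0-9]+$/ { next }
         $4 == "REDIRECT" { exit }
         $4 == "ACCEPT" || $4 == "RETURN" { out = (out == "") ? $1 : out " " $1 }
         END { print out }'
}

# One-line verdict built from the two checks above; reads the listing on stdin.
diagnose() {
    listing=$(cat)
    pkts=$(printf '%s\n' "$listing" | redirect_pkts)
    before=$(printf '%s\n' "$listing" | rules_before_redirect)
    if [ "$pkts" = "-1" ]; then
        echo "no REDIRECT rule in nat/PREROUTING"
    elif [ "$pkts" = "0" ] && [ -n "$before" ]; then
        echo "REDIRECT never matched; rule(s) $before terminate the chain before it"
    elif [ "$pkts" = "0" ]; then
        echo "REDIRECT never matched; open a NEW connection to test (NAT is decided on the first packet) and confirm it arrives on a ppp+ interface"
    else
        echo "REDIRECT matched $pkts packet(s); if the proxy is still bypassed, check Squid's http_port and access.log"
    fi
}

# Run against the live ruleset (needs root; not used by the offline checks).
diagnose_live() {
    iptables -t nat -L PREROUTING -v -n -x --line-numbers | diagnose
}

# Constructed sample (not captured from Jack's box): an ACCEPT for the same
# traffic sits above the REDIRECT, so the REDIRECT counter stays at zero.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 1043 packets, 68210 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          57       3420 ACCEPT     tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2           0          0 REDIRECT   tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Constructed sample where the REDIRECT rule is first and is being hit.
SAMPLE_OK='Chain PREROUTING (policy ACCEPT 1043 packets, 68210 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          57       3420 REDIRECT   tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

printf '%s\n' "$SAMPLE_LISTING" | diagnose
printf '%s\n' "$SAMPLE_OK" | diagnose
```

On the pptpd box run `diagnose_live` as root while a VPN client fetches a page. Two things the counter alone does not show: NAT is decided on a connection's first packet, so a browser connection that was open before the rule was loaded keeps bypassing the proxy until it closes (`conntrack -L -p tcp --dport 80` tells them apart: a redirected entry has `sport=3128` in its reply tuple); and REDIRECT rewrites the destination to the primary address of the interface the packet came in on, so Squid must accept connections on the ppp link's local address (`http_port 3128 transparent`, spelled `intercept` from Squid 3.1 on). If it does not, clients see connection refused rather than a silent bypass, which is the distinction Pascal draws above.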
2010-08-22 10:39 routing VPN users through transparent Squid using iptables Jack Andrews
2010-08-22 16:11 ` Pascal Hambourg
2010-08-23 8:01 ` François Legal
2010-08-23 8:29 ` Pascal Hambourg
2010-08-23 15:28 ` François Legal