[CS-FSLUG] squid/squidguard transparent proxy but not server (iptable rules)

Mark Clayton clayton256 at gmail.com
Thu Sep 27 08:28:09 CDT 2012

On Wed, Sep 26, 2012 at 6:04 PM, Stephen McCracken <sjm.mlists at gmail.com> wrote:
> On 09/26/2012 07:16 AM, Mark Clayton wrote:
>> I run squid/squidguard on my ubuntu server. I usually use the
>> following iptable rule so that localhost httpd traffic is directed to
>> squid:
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> Well, nomenclature at least seems to be wrong.  You say "localhost" but
> have traffic coming in eth0 specified.
Sorry about the poor nomenclature. I struggled with how to properly word that
sentence for quite awhile. My education still has many holes.

>> I'm doing this because I have a server issue that I'm trying to
>> understand. I run avahi along with squid/squidguard on my ubuntu
>> server with clients using bonjour. It seems squid bypasses
>> nsswitch.conf or resolv but I'm trying to confirm it's not my iptable
>> rules. Without the rules applied the lan clients can resolve .local.
>> addresses but once I apply my rules the clients, whether or not they
>> use the ubuntu server as the proxy, cannot resolve the addresses. Very
>> frustrating because I don't want to have to remember ip numbers when
>> it's hard enough to remember client names!
> The thing is that the proxy usually processes the DNS lookups when the
> client uses a proxy so the client usually sends the request "unresolved"
> to the proxy.  When the client doesn't know that it's using a proxy
> (transparent setup) the client would resolve the address and send it there.
> If I'm reading it correctly, it _seems_ that things work when the client
> does the lookup, but not when the squid server does the lookup.  Can you
> resolve DNS for local addresses from the ubuntu server?

That's pretty close to what's going on but it's a little more complicated.
The clients have the ubuntu server's address as their gateway & DNS
addresses. With avahi and squid/squidguard running and no iptable rules
applied, all the clients and the server can resolve any .local. address.
But obviously squid isn't doing anything.
If I add iptables rules to start utilizing squid that's when things go bad.
If I use the rule:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Neither the clients nor the server can resolve any .local. addresses. If I change
the above rule to:
iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d --dport 80 -j REDIRECT --to-port 3128
Then the clients can resolve all .local. addresses for any protocol I've
tried. The server can resolve all .local. addresses for all protocols I've
tried _except_ http. Squid returns: HTTP/1.0 503 Service Unavailable
Using localhost or the ip number it works fine.

The full iptable rule set is below.

It seems to me we're making progress!

Again I apologize for incorrect terminology. Please correct me so I'll
learn more.


iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

> sjm
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
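Added example, not part of the thread above: a script that generates the nat rules for a transparent squid in the order they have to be appended, checks that the owner-match ACCEPT comes before the OUTPUT REDIRECT (otherwise squid's own fetches are redirected back into squid), and predicts where a TCP/80 packet ends up under those rules. It is consistent with what the thread reports: squid's built-in DNS client reads the nameservers in /etc/resolv.conf and does not go through nsswitch.conf, so a name that only resolves via nss-mdns/avahi (.local) is unresolvable inside squid, while a literal IP needs no lookup; the fix is to keep LAN-destined traffic away from the REDIRECT. The interface name eth1, the subnet 192.168.1.0/24, the server addresses, the uid "proxy" and the sample destination addresses are assumptions (the address after `! -d` in the posted rule appears to have been lost in the archive, so the LAN subnet is assumed here). By default the script only prints the iptables commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and sanity-checks nat rules for
# a transparent squid and predicts the fate of TCP/80 packets under them.
# Everything below is an assumed/constructed value, override via environment.
LAN_IF="${LAN_IF:-eth1}"                                  # LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"                      # assumed LAN subnet
SERVER_ADDRS="${SERVER_ADDRS:-192.168.1.1 203.0.113.10}"  # assumed server LAN/WAN addresses
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_USER="${SQUID_USER:-proxy}"                         # uid squid runs as on Ubuntu
IPT="${IPT:-echo iptables}"                               # dry run by default; IPT=iptables to apply

# Rule list in the order it must be appended. Two orderings matter:
#  - traffic to the LAN (printers, .local hosts, the server itself) is RETURNed
#    before the REDIRECT, so squid never has to resolve a .local name;
#  - squid's own outbound fetches (uid proxy) are ACCEPTed before the OUTPUT
#    REDIRECT, otherwise they loop straight back into squid.
squid_nat_rules() {
  cat <<EOF
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $LAN_NET -j RETURN
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -m addrtype --dst-type LOCAL -j RETURN
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp --dport 80 -d $LAN_NET -j RETURN
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

apply_squid_nat() {
  squid_nat_rules | while read -r rule; do
    # word-splitting $rule into iptables arguments is intended
    $IPT -t nat $rule
  done
}

# Loop guard: the owner-match ACCEPT must precede the OUTPUT REDIRECT.
check_no_loop() {
  accept_ln=$(squid_nat_rules | grep -n -- "--uid-owner $SQUID_USER -j ACCEPT" | head -n 1 | cut -d: -f1)
  redir_ln=$(squid_nat_rules | grep -n -- "^-A OUTPUT .* -j REDIRECT" | head -n 1 | cut -d: -f1)
  [ -n "$accept_ln" ] && [ -n "$redir_ln" ] && [ "$accept_ln" -lt "$redir_ln" ]
}

# IPv4 helpers (dotted quad -> integer, prefix membership test).
ip2int() {
  set -- $(printf '%s\n' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
in_net() {  # in_net ADDR NET/PREFIX
  net=${2%/*}; plen=${2#*/}
  mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
is_server_addr() {
  for a in $SERVER_ADDRS; do [ "$a" = "$1" ] && return 0; done
  return 1
}

# Predict the fate of a TCP/80 packet under the rules above:
#   classify_web_packet lan DST        packet arriving on $LAN_IF from a client
#   classify_web_packet out DST [UID]  packet generated on the server by UID
# Prints "redirect" (handed to squid) or "direct" (reaches DST untouched).
classify_web_packet() {
  origin=$1; dst=$2; uid=${3:-root}
  case "$origin" in
    lan)
      if in_net "$dst" "$LAN_NET" || is_server_addr "$dst"; then echo direct; else echo redirect; fi ;;
    out)
      if [ "$uid" = "$SQUID_USER" ]; then echo direct                            # owner ACCEPT
      elif in_net "$dst" 127.0.0.0/8 || is_server_addr "$dst"; then echo direct  # -o lo RETURN
      elif in_net "$dst" "$LAN_NET"; then echo direct                            # LAN RETURN
      else echo redirect; fi ;;
    *) echo direct ;;
  esac
}

# Stand-alone run: show the rules (dry run unless IPT=iptables) and a few
# predictions. 93.184.216.34 stands in for any public web server,
# 192.168.1.50 for a .local host on the LAN (both constructed values).
apply_squid_nat
if check_no_loop; then echo "ok: squid's own fetches are not redirected"; else echo "BUG: redirect loop"; fi
for case in "lan 93.184.216.34" "lan 192.168.1.50" "out 93.184.216.34 $SQUID_USER" \
            "out 93.184.216.34 root" "out 192.168.1.50 root"; do
  set -- $case
  printf '%-32s -> %s\n' "$case" "$(classify_web_packet "$@")"
done
```

The `-A OUTPUT -p tcp --dport 3128 ... -j ACCEPT` rule from the posted set is not needed here because nothing redirects port 3128; the `-m owner` match is only valid in OUTPUT (and POSTROUTING), which is why the loop guard lives there and not in PREROUTING.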
