I'm trying to create a transparent proxy to cache and blacklist traffic on my self-made Linux router. The problem is that all clients get timed out when trying to reach any HTTP site (HTTPS works).

Here is my setup:

System: Ubuntu 16.04

Proxy: Squid 3.5.12

iptables:
  - Relevant rule:
   -A PREROUTING -i wlx30b5c21224f3 -p tcp --dport 80 -j REDIRECT --to-port 9999
  - Entire ruleset:
    https://pastebin.com/HtzTmYMp

Squid:
  - Relevant rules:
   http_port 192.168.99.1:8888
   http_port 192.168.99.1:9999 intercept
  - Entire config:
    https://pastebin.com/Ft2f3uaD

Interfaces:
  - Internet - enp1s0 (ethernet)
  - Local network - wlx30b5c21224f3 (wireless)

Network:
  - Network address - 192.168.99.0/24
  - Gateway, DNS, Squid - 192.168.99.1

Squid logs:
  - Access.log - empty
  - Cache.log - https://pastebin.com/AQ6VFdNP

I can tell that squid is working and listening on assigned ports by looking at active processes.
Result of netstat -tulpn | grep squid:

tcp 0 0 192.168.99.1:9999 0.0.0.0:* LISTEN 2604/(squid-1)
tcp 0 0 192.168.99.1:8888 0.0.0.0:* LISTEN 2604/(squid-1)
udp 0 0 0.0.0.0:35057 0.0.0.0:* 2604/(squid-1)
udp6 0 0 :::50319 :::* 2604/(squid-1)

I can also tell that the iptables rule redirects traffic from port 80 to 9999 by watching the counters while trying to connect to an HTTP site on one of the clients.
Result of watch 'iptables -t nat -L -n -v': https://pastebin.com/wdRjnBDa

The number of bytes going through the iptables rule keeps increasing as I try to reach the site, yet the client still times out.

So my theory is that iptables is redirecting traffic properly and Squid is listening on the proper ports, yet there is something I'm missing that is preventing traffic from ever reaching Squid (since the Squid logs are more or less empty).

I've tried a bunch of different iptables rules I found in various Squid guides online; most of them yield the same result as above. I've also tried a bunch of different ports in Squid, and I've tried to remove the IP address from http_port 192.168.99.1:9999, but that caused Squid to listen on IPv6 only (and I'm not sure how that affects iptables rerouting).

PS. This is my first networking project, so I might be missing something obvious here.
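The failure mode described in the question (REDIRECT counters increase, Squid access.log stays empty) is usually a mismatch between the NAT rule and the Squid listener: the target port has no `intercept` flag, the listener is bound to an address the redirected packets never arrive at, or an intercept port is used directly. The following checker is an added example, not code from the question or from Squid; it parses `iptables-save` style rules and `http_port` lines and reports those mismatches. The sample rules, config and the interface-to-address map are constructed to mirror the question's setup, not taken from the pastebins.

```python
import re

# Constructed sample input modelled on the question's setup (not the pastebin contents).
IPTABLES_SAVE = """
-A PREROUTING -i wlx30b5c21224f3 -p tcp --dport 80 -j REDIRECT --to-port 9999
-A POSTROUTING -o enp1s0 -j MASQUERADE
"""
SQUID_CONF = """
http_port 192.168.99.1:8888
http_port 192.168.99.1:9999 intercept
"""
# Primary IPv4 address per interface (constructed). REDIRECT rewrites the destination
# to the incoming interface's primary address, so the intercept listener must bind there.
IFACE_ADDR = {"wlx30b5c21224f3": "192.168.99.1"}

REDIRECT_RE = re.compile(r"-A PREROUTING .*?-i (\S+) .*?--dport (\d+) -j REDIRECT --to-ports? (\d+)")
HTTP_PORT_RE = re.compile(r"^\s*http_port\s+(?:(\S+?):)?(\d+)(.*)$", re.M)

def parse_listeners(conf):
    """Return {port: (bind_addr or None, set(options))} from squid.conf http_port lines."""
    out = {}
    for addr, port, opts in HTTP_PORT_RE.findall(conf):
        out[int(port)] = (addr or None, set(opts.split()))
    return out

def check_intercept(iptables_save, squid_conf, iface_addr):
    """Return a list of problems; an empty list means REDIRECT targets line up with Squid."""
    listeners = parse_listeners(squid_conf)
    problems = []
    redirected = set()
    for iface, dport, target in REDIRECT_RE.findall(iptables_save):
        target = int(target)
        redirected.add(target)
        if target not in listeners:
            problems.append(f"REDIRECT to {target} but Squid has no http_port {target}")
            continue
        bind, opts = listeners[target]
        if "intercept" not in opts and "transparent" not in opts:
            problems.append(f"port {target} receives NATed port-{dport} traffic but lacks 'intercept'")
        expected = iface_addr.get(iface)
        if bind and expected and bind != expected:
            problems.append(f"port {target} bound to {bind}, but REDIRECT on {iface} delivers to {expected}")
    # An intercept listener that nothing redirects to only ever sees direct connections,
    # which Squid rejects because the NAT lookup finds no original destination.
    for port, (bind, opts) in listeners.items():
        if "intercept" in opts and port not in redirected:
            problems.append(f"intercept port {port} has no REDIRECT rule feeding it")
    return problems

if __name__ == "__main__":
    print(check_intercept(IPTABLES_SAVE, SQUID_CONF, IFACE_ADDR) or "no mismatch found")
```

Run it against the live output of `iptables-save -t nat` and your real squid.conf; a clean result here means the next place to look is the cache.log, not the rule set.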

2 Answers

Assuming you have the basic iptables rules in your script (like LOOPBACK, Global, MASQUERADE, etc.):

variables:

# local network interface (for computers on the local network)
lan=wlx30b5c21224f3
# external network interface (output to the internet)
internet=enp2s0

PS: change the values of the variables to the names of your network interfaces. To find out the names of the network interfaces, run the following command:

ip -o link | awk '$2 != "lo:" {print $2, $(NF-2)}' | sed 's_: _ _'

iptables rules:

iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port 9999
iptables -A INPUT -i $lan -p tcp --dport 9999 -j ACCEPT
iptables -A FORWARD -i $lan -p tcp -m multiport --dports 443,9999 -o $internet -j ACCEPT

But if you have two directives in squid (transparent 9999 and non-transparent 8888) I suggest you create different lists so that each one goes to the directive you want. For example:

# send list of mac addresses to directive > http_port 192.168.99.1:8888

for mac in $(cat mac-proxy.txt); do
    iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 8888 -m mac --mac-source $mac -j ACCEPT
    iptables -A INPUT -i $lan -p tcp --dport 8888 -m mac --mac-source $mac -j ACCEPT
    iptables -A FORWARD -i $lan -p tcp --dport 8888 -m mac --mac-source $mac -j ACCEPT
done

# send list of mac addresses to directive > http_port 192.168.99.1:9999 intercept

for mac in $(cat mac-transparent.txt); do
    iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -m mac --mac-source $mac -j REDIRECT --to-port 9999
    iptables -A INPUT -i $lan -p tcp --dport 9999 -m mac --mac-source $mac -j ACCEPT
    iptables -A FORWARD -i $lan -p tcp -m multiport --dports 443,9999 -o $internet -m mac --mac-source $mac -j ACCEPT
done

The mac-transparent and mac-proxy lists must contain the MAC addresses of the computers on your local network that will pass through Squid.

acgbox

Make sure you open/have another http_port for the reverse proxy:

The reason the SSL works is because it is not going through Squid. In this example you can intercept that as well (the first line is what you need):

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
 cert=/etc/squid/certs/squidCA.pem \
 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

iptables:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
chongo2002
  • Do I need additional rules in iptables for reverse proxy? Also it looks to me like I already have reverse proxy port set - 8888. Or am I missing something? – smoothRenegade Nov 01 '18 at 22:23
  • I do see that you have that correct. Maybe it is your masquerading? Mine looks slightly different; I have "all" instead of a specific host. Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 – chongo2002 Nov 02 '18 at 18:34