
I'm trying to implement a transparent Squid proxy for a wireless network that mainly serves mobile devices. The software I'm using is Squid 3.4.6 (latest version, compiled from source) on a Debian 7.6 server with iptables. My network is composed of many VLANs, which all get controlled by a central CheckPoint firewall, which also allows us to control who goes where and which servers go directly to the internet. Here's a small diagram I created:

[diagram image not included in this copy]

So, what I did so far is isolate one VLAN just for the mobile devices, where their DHCP/DNS requests get redirected to our data center where all the servers are. Finally, using an option that redirects all HTTP and HTTPS traffic (http mapped) from that dedicated wireless VLAN to a single Squid server in the data center.

I installed the Squid server on Debian with all updates, with one NIC (which gets all Squid traffic and is connected directly to the internet through the CheckPoint firewall), and I logged my installation process so it's easier to replicate. All of this is done on the same machine:

Install VMWARE Tools

apt-get install -y build-essential linux-headers-amd64
mount /dev/cdrom /mnt/
cp /mnt/VMwareTools-4.0.0-236512.tar.gz /tmp/
umount /mnt/
tar -zxvf /tmp/VMwareTools-4.0.0-236512.tar.gz --directory=/tmp/
mkdir -pv /usr/lib64
/tmp/vmware-tools-distrib/vmware-install.pl --default
rm -rf /tmp/VM* /tmp/vm*

Install SQUID

apt-get install -y libtool libssl-dev libcrypto++-dev devscripts fakeroot htop ssl-cert squid-langpack && apt-get build-dep -y squid3
sysctl -w net.ipv4.ip_forward=1
nano /etc/sysctl.conf
- net.ipv4.ip_forward=1
- net.ipv4.conf.default.rp_filter = 0
- net.ipv4.conf.default.accept_source_route = 0
wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.6.tar.gz
tar -zxvf squid-3.4.6.tar.gz
cd squid-3.4.6
nano configure.sh
chmod +x configure.sh
./configure.sh
make
make install

Content of the configure.sh

#!/bin/sh
'./configure' \
'--build=x86_64-linux-gnu' \
'--srcdir=.' \
'--prefix=/usr' \
'--includedir=/usr/include' \
'--localstatedir=/var' \
'--mandir=/usr/share/man' \
'--infodir=/usr/share/info' \
'--libexecdir=/usr/lib/squid' \
'--datadir=/usr/share/squid' \
'--sysconfdir=/etc/squid' \
'--localstatedir=/var' \
'--bindir=/usr/sbin' \
'--enable-inline' \
'--enable-ssl' \
'--enable-ssl-crtd' \
'--enable-icap-client' \
'--enable-follow-x-forwarded-for' \
'--enable-removal-policies=heap,lru' \
'--enable-delay-pools' \
'--enable-cache-digests' \
'--enable-storeio=ufs,aufs,diskd,rock' \
'--enable-disk-io' \
'--disable-eui' \
'--disable-snmp' \
'--disable-wccp' \
'--disable-wccpv2' \
'--disable-http-violations' \
'--disable-translation' \
'--disable-auto-locale' \
'--disable-htcp' \
'--disable-internal-dns' \
'--with-default-user=proxy' \
'--with-logdir=/var/log/squid/' \
'--with-pidfile=/var/run/squid.pid' \
'--with-filedescriptors=65536' \
'--with-cppunit-basedir=/usr' \
'--with-large-files' \
"$@"

Configuring SQUID

nano /etc/init.d/squid
chmod +x /etc/init.d/squid
chown -R proxy:proxy /var/log/squid/
update-rc.d squid defaults
mkdir -p /etc/squid/ssl
openssl genrsa -des3 -out openssl.key 1024
openssl req -new -key openssl.key -out openssl.csr
cp openssl.key openssl.key.old
openssl rsa -in openssl.key.old -out openssl.key
openssl x509 -req -days 365 -in  openssl.csr -signkey openssl.key -out openssl.crt
/usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl/db
nano /etc/squid/squid.conf

Content of squid.conf

http_port 3128
http_port 3129 transparent
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/openssl.crt key=/etc/squid/ssl/openssl.key version=3
visible_hostname proxyc.domain.com
dns_nameservers 8.8.8.8 8.8.4.4
strip_query_terms on
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
coredump_dir /var/cache/squid
shutdown_lifetime 1 second
ssl_bump server-first all
always_direct allow all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/squid/ssl/db -M 8MB
sslcrtd_children 5
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
http_access allow all
http_reply_access allow all

This is where I believe the problem is but I have no idea what to do:

IPTABLES configuration

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3129 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3130 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 ! -s 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3129
iptables -t nat -I PREROUTING -i eth0 ! -s 192.168.1.1 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3130

How do I get iptables to redirect the incoming HTTP/HTTPS traffic via DNAT to the Squid ports 3129 and 3130? Port 3128 works in any browser where I can configure the proxy, but the redirects with iptables are driving me NUTS!

What I posted above for iptables doesn't work. I keep getting error 111 (connection refused), and if I install a web browser, for any URL I enter I keep getting the Apache welcome page "It Works!!". If anyone could enlighten me as to what I'm doing wrong, I would appreciate it.

Linger

0 Answers
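A consistency check for the interception setup described in the question, added here as an example (not the poster's code and not a diagnosis of the fault): it parses the NAT rules and the squid.conf listeners to confirm that every redirected port lands on a Squid intercept listener, and lists the squid.conf directives a reviewer would flag. The sample inputs are constructed from the post; the regexes and verdict strings are this example's own.

```python
import re

# Constructed sample input, copied from the NAT rules and squid.conf in the question.
NAT_RULES = """
-A PREROUTING -i eth0 ! -s 192.168.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3129
-A PREROUTING -i eth0 ! -s 192.168.1.1/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3130
"""
SQUID_CONF = """
http_port 3128
http_port 3129 transparent
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/openssl.crt
http_access allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
"""
# http_port/https_port [addr:]port [options]; 'transparent' is the deprecated spelling of 'intercept'.
PORT_RE = re.compile(r"^(https?_port)\s+(?:\S*:)?(\d+)(.*)$")
# Both DNAT --to-destination ip:port and REDIRECT --to-port(s) port hand traffic to Squid.
NAT_RE = re.compile(r"--dport (\d+) .*-j (?:DNAT --to-destination \S+:(\d+)|REDIRECT --to-ports? (\d+))")

def listen_ports(conf):
    """Map each Squid listening port to 'intercept' or 'forward'."""
    ports = {}
    for line in conf.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            opts = set(m.group(3).split())
            ports[int(m.group(2))] = "intercept" if opts & {"intercept", "transparent"} else "forward"
    return ports

def check_redirects(rules, conf):
    """One (dport, target, verdict) tuple per NAT rule that redirects into Squid."""
    ports, out = listen_ports(conf), []
    for m in NAT_RE.finditer(rules):
        dport, target = int(m.group(1)), int(m.group(2) or m.group(3))
        if target not in ports:
            verdict = "no Squid listener on target port: clients see connection refused"
        elif ports[target] != "intercept":
            verdict = "target is a forward-proxy port, not an intercept port"
        else:
            verdict = "ok"
        out.append((dport, target, verdict))
    return out

# Directives in the posted squid.conf that a security reviewer would flag.
WEAK = {"http_access allow all": "open proxy: restrict to the wireless VLAN's address range",
        "sslproxy_cert_error allow all": "upstream certificate errors are silently accepted",
        "DONT_VERIFY_PEER": "upstream TLS certificates are never verified"}

def weak_directives(conf):
    """Return the review note for every weak directive present in conf."""
    return [note for key, note in WEAK.items() if key in conf]
```

On a live box the same functions can be fed the output of `iptables -t nat -S PREROUTING` and the real squid.conf instead of the constructed samples.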