English 中文(简体)
Squid+iptables: how do i allow https to pass-through and bypassing Squid?
原标题:

Basically started with Squid and iptables today (google is your friend). This stuff is going to be the death of me.

I have Squid3 setup on Ubuntu 9.04 server as Transparent Proxy. It works sweetly when i use the proxy-box as my default gateway etc. The iptable rules for this setup was part of the tutorial. :P

I can unfortunately not access https sites (such as Gmail or anything on port 443 basically). This is because Squid dont like what it cannot cache, which in this case is the https traffic.

I would like to add an iptable rule so that i can basically access https sites and use Skype. Basically allow these types of traffic to pass through without going through Squid proxy? (bypassing it so to speak)

Would anyone perhaps know how to do this or have a link to any sources that would assist me in figuring it out?

Thank you.

最佳回答

After actually considering chewing through my own wrists and dreaming of IPs all night long + brute force googling/trying ANYTHING i could get my digital fingers on i managed to put something together that actually works. I dont know the technical reasons why, so if you can provide set explanations please do so! :D

PS: everything in the explanation is done via command line

PS: this is not a final solution, but its a working one in answer to my own question.

Here it is:

Step 1: Had to enable IP Forwarding on the box:

vim /etc/sysctl.conf

//find and uncomment the following

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1

Step 2: Add loop back rule (this is more for when all ports are covered, apparently many apps need it?

iptables -I INPUT -i lo -j ACCEPT

Step 3. Add rules for the bypassing of port 443: (eth1 is internet interface and x.x.x.x/eth0 is LAN interface)

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

Step 4. Then finally the rules making Squid transparent:(x.x.x.x is IP of LAN interface)

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
问题回答
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

That is wrong. Means that every packet TCP/UDP/etc that you send from your intern LAN to Internet will use as SOURCE IP the Private LAN IP (probably 192.178.x.x), instead of the Public IP.

May be that helps you:

PREROUTING == DestinationNAT -> From Internet to Intern LAN

POSTROUTING == SourceNAT -> From Intern LAN to Internet


iptables -t nat -A PREROUTING -i intern -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128 
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m --state ESTABLISHED,RELATED -o intern -p tcp --sport 80

To bypasss 443 would be enough with:

iptables -I FORWARD -p tcp --dport 443 -j ACCEPT

And if your system/squid/firewall is also the router from your network to internet, do not forget:

iptables -t nat -A POSTROUTING -o extern -j SNAT --to-source Public_external_IP

For those explanations...

step #1 sets up the machine as a router. This is required for any Linux machine that is going to accept or forward IP traffic destined for machines other than itself. Without this the lowest levels of the networking stack will reject the traffic and NAT will not even get a chance to do its thing.

step #2 is not relevant to the problem being asked about. It may or may not be needed for the router operations unrelated to the proxying.

step #3 lets the machine relay port 443 normally as a router. The POSTROUTING rule could be made better by using MASQUERADE instead of SNAT.

step #4 both lines do the same thing in different ways. The first line may lead you to trouble in future if you dont know what the differences are between DNAT and REDIRECT. For simplicity use REDIRECT only.

Reading http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect could have saved you a lot of trouble.

There is also a critical mangle table rule missing from your setup which is explained on that wiki page.





相关问题
How should I use https in Ruby on Rails

I m developing an application in Rails (2.3.4) and there are some parts that need to run over a secure protocol, for example, the login form, the credit card form, etc. How can I do just these pages ...

How to open a stream to httpS URL

I want to open a stream to a httpS URL and read the data. Kindly let me know how to do it. Regards Chaitanya

direct http to https on certain pages?

Hi I have added the below code to .ht access but how can I add another page to this? such as login.php also if the user types in www. they get a "untrusted connection" as the SSL is only valid ...

See what content is not sent over HTTPS

I created a page that is HTTPS only. On my browsers, I always get a warning that the page includes resources that are not secured. I just can t find out why! Looking at the source code seems fine. All ...

C# maintaining session over HTTPS on the client

I need to login to a website and perform an action. The website is REST based so I can easily login by doing this (the login info is included as a querystring on the URL, so I dont t need to set the ...

热门标签