iptables / transparent proxy / dansguardian

[johnrbek]

Can some of you experienced guys take a look at my iptables script below and tell me why my transparent proxy isn't working?? I've got an FC6 firewall/gateway/dansguardian/squid proxy server that I had working fine previoiusly, so I'm confident my squid.conf and dansguardian.conf files are set up correctly... I lost my working iptables script and started over with the one below... When I comment out the "Forward HTTP Connections... " section below, I get access to the web, but no DG/Squid interaction. When I invoke that line, I just get timeouts... Experienced input is greatly appreciated...

#!/bin/sh
#iptables firewall script for sharing a cable or DSL Internet
#connection, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth0"

#load kernel modules
$mod ip_tables
$mod iptable_filter
$mod iptable_nat
$mod ip_conntrack
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod iptable_mangle
$mod ipt_MASQUERADE

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

# Forward HTTP connections to Squid/Dansguardian
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

#AlLow incoming SSH from the LAN only to the gateway box
$ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

#Enable Webmin access from the LAN only
$ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 10000 -m state --state NEW -j ACCEPT

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP echo-request and time-exceeded
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP

echo "The firewall has now started up and is faithfully protecting your system"

[marcelkraan]

this is in a perl script.
you will understand i think


if ($masq == 1){
print "\nLoad MASQUERADE rules\n";
system("echo 1 > /proc/sys/net/ipv4/ip_forward");
chop(my $masqcheck = `$iptables -L -t nat`);
if ($masqcheck =~ /MASQUERADE/ig){
# first delete the old masq rules
system("$iptables -D POSTROUTING -t nat -o $eth -j MASQUERADE");
system("$iptables -A POSTROUTING -t nat -o $eth -j MASQUERADE");
}

}