News : LinuxSolved.com Linux Help Community Forum..


Author Topic: DNS and transparent proxy issues  (Read 4116 times)

Offline obukev

  • New Member
  • Posts: 2
DNS and transparent proxy issues
« on: January 20, 2005, 10:20:08 PM »
Hi all,

I am running Squid that came packaged with Fedora Core 3.  I have successfully implemented Squid and can partially access the internet with transparent proxy.  Let me give a little bit of configuration information for background:

Linux box running Fedora Core 3 with Squid, Firewall, and Gateway all on the same box.

eth0 is ISP side (T1) 192.168.0.1/24 (not real IP...you understand I'm sure)
eth1 is Inside (Clients) 10.0.0.1/24

Inside LAN is 10.0.0.0/24 network

If I configure the browser to use a proxy server, I can surf all day.  If I remove the proxy information from the browser settings, I can only access web pages if I type in the IP address of the web site.  I realize that this is a DNS resolution problem, but I cannot figure out if it is a squid.conf problem or iptables problem.

Here is squid.conf

http_port 3128
http_port 8080

hierarchy_stoplist cgi-bin

acl QUERY urlpath_regex cgi-bin \?
# ACL names are case-sensitive; "deny query" referenced an ACL that is never defined
no_cache deny QUERY

cache_dir ufs /var/spool/squid 100 16 256

dns_nameservers 24.240.243.9 24.240.243.15

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:      1440  20%  10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .             0  20%   4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80               #http
acl Safe_ports port 53               #dns
acl Safe_ports port 21               #ftp
acl Safe_ports port 443 563       #https, snews
acl Safe_ports port 70               #gopher
acl Safe_ports port 210             #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280             #http-mgmt
acl Safe_ports port 488             #gss-http
acl Safe_ports port 591             #filemaker
acl Safe_ports port 777             #multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl our_networks src 10.0.0.0/24
http_access allow our_networks
http_access allow localhost
# "http_access allow all" at this point turns the box into an open proxy for anything
# that can reach port 3128/8080 on eth0; our_networks above already covers the LAN
# http_access allow all
http_access deny all
http_reply_access allow all

icp_access allow all
miss_access allow all

visible_hostname dormtest

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
# directive and value are separate tokens; "httpd_accel_uses_host_header_on" is not a recognised directive
httpd_accel_uses_host_header on

error_directory /etc/squid/errors
coredump_dir /var/spool/squid



Here is iptables

# Generated by iptables-save v1.2.11 on Thu Jan 20 10:34:46 2005
*nat
:PREROUTING ACCEPT [2565:485719]
:POSTROUTING ACCEPT [469:28724]
:OUTPUT ACCEPT [469:28724]
-A PREROUTING -d 192.168.0.1 -i eth0 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Squid's http_port is a TCP socket: UDP/53 redirected to port 3128 is answered with
# ICMP port-unreachable, so every client DNS lookup fails (the symptom described above)
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 3128
# unless a resolver runs on this box, nothing listens on port 53 at 192.168.0.1 either
-A PREROUTING -d 10.0.0.1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 10.0.0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.1
# only the gateway's own 10.0.0.1 is SNATed out eth0; LAN clients' non-HTTP traffic (DNS
# included) leaves eth0 with 10.0.0.x sources, and the 10.0.0.0/24 SNAT is on the LAN interface
-A POSTROUTING -s 10.0.0.1 -o eth0 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.0.1
COMMIT
# Completed on Thu Jan 20 10:34:46 2005
# Generated by iptables-save v1.2.11 on Thu Jan 20 10:34:46 2005
*filter
:INPUT ACCEPT [5228:592409]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:942]
-A INPUT -i lo -j ACCEPT
# the next seven rules have no -j target: they only count packets and accept nothing
-A INPUT -i eth0 -p udp -m udp --sport 53 --dport 1:65535
-A INPUT -i eth0 -p tcp -m tcp --sport 53 --dport 1:65535
-A INPUT -i eth0 -p tcp -m tcp --sport 1:65535 --dport 22
-A INPUT -i eth0 -p tcp -m tcp --sport 1:65535 --dport 80
-A INPUT -i eth0 -p tcp -m tcp --sport 1:65535 --dport 443
-A INPUT -i eth0 -p tcp -m tcp --sport 1:65535 --dport 53
-A INPUT -i eth0 -p udp -m udp --sport 1:65535 --dport 53
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.1 -i eth0 -o eth1 -p tcp -m multiport --dports 80,443,22,53 -m state --state NEW -j ACCEPT
-A FORWARD -d 10.0.0.1 -i eth0 -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
# duplicates of the two FORWARD rules above
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# no -j target on these two either
-A OUTPUT -o eth0 -p udp -m udp --sport 1:65535 --dport 53
-A OUTPUT -o eth0 -p tcp -m tcp --sport 1:65535 --dport 53
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW -j ACCEPT
-A OUTPUT -s 10.0.0.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Thu Jan 20 10:34:46 2005


Sorry for the lengthy post... wanted to give all necessary info...

Thanks in advance for help.
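A corrected ruleset for the gateway described in this post, as an added example; it is not the poster's configuration and not part of the original thread. It assumes the interface names, addresses and ISP resolvers given above, that Squid listens on TCP 3128 only (the posted 8080 port is left out), that no DNS server runs on the gateway itself, and that SSH is the only service the ISP side may reach. Compared with the posted rules it keeps the TCP/80 redirect, drops the UDP/53 redirect (Squid does not answer DNS, so a redirected query gets ICMP port-unreachable and the lookup fails), SNATs the whole LAN out eth0 rather than only the gateway's own address, gives every rule an explicit target, and accepts connections to Squid from the LAN only, so a permissive http_access list cannot expose an open proxy on eth0. The lint_saved_rules function is a check that reads iptables-save output and reports the two defects present in the posted dump. The script name gateway.sh and the function names are mine.

```shell
#!/bin/sh
# Added example (not the poster's rules): transparent Squid gateway with two
# interfaces. Assumptions taken from the post: eth0 = 192.168.0.1 on the ISP
# side, eth1 = 10.0.0.1 serving 10.0.0.0/24. Further assumptions: Squid listens
# on TCP 3128 only, no DNS server on this box, SSH is the only inbound service.
#   IPT=echo sh gateway.sh apply     # preview the rules without applying them
#   sh gateway.sh apply              # apply (as root)
#   iptables-save | sh gateway.sh lint
IPT="${IPT:-iptables}"
WAN_IF=eth0; WAN_IP=192.168.0.1
LAN_IF=eth1; LAN_NET=10.0.0.0/24
SQUID_PORT=3128

apply_rules() {
    for t in filter nat; do $IPT -t $t -F; $IPT -t $t -X; done
    # Default deny for traffic to the box and through it; the box's own
    # outbound traffic (Squid fetches, its resolver queries) stays allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # nat: only TCP/80 from the LAN is handed to Squid. UDP/53 is NOT
    # redirected: http_port is a TCP socket, so a redirected DNS query is
    # answered with ICMP port-unreachable and every hostname lookup fails.
    $IPT -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
    # The whole LAN is SNATed when it leaves eth0. The posted rules SNATed only
    # 10.0.0.1 itself, so client DNS packets left eth0 with 10.0.0.x sources.
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP

    # filter INPUT: every rule carries a -j target (a rule without one only
    # counts packets). Squid is reachable from the LAN interface only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
    $IPT -A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # filter FORWARD: the LAN may open connections outward (DNS to the ISP
    # resolvers included); nothing arriving on eth0 may open connections inward.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
}

# Lint an iptables-save dump on stdin for the two defects in the posted
# ruleset: rules with no -j target, and UDP/53 REDIRECTed to a TCP port.
# Prints each offending rule; exit status 1 if any was found, 0 otherwise.
lint_saved_rules() {
    awk '
        /^-A/ && !/ -j / {
            print "no target (rule only counts packets): " $0; bad = 1
        }
        /^-A/ && / -p udp / && / --dport 53 / && / -j REDIRECT / {
            print "udp/53 redirected to a tcp-only port: " $0; bad = 1
        }
        END { exit bad }
    '
}

case "${1:-}" in
    apply) apply_rules ;;
    lint)  lint_saved_rules ;;
esac
```

Even with a transparent proxy the browser still resolves the hostname itself before it opens the TCP connection that gets redirected to Squid, so the clients need a working path to a resolver; with these rules a client pointed at the ISP resolvers reaches them through the FORWARD rule and the SNAT. The dns_nameservers line in squid.conf only affects Squid's own lookups.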

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • Posts: 2381
DNS and transparent proxy issues
« Reply #1 on: January 21, 2005, 11:11:30 AM »
I have not gone through all of your post deeply, but your problem can be resolved by giving the IP of your ISP's DNS server to the clients as their DNS server.
You can do that manually or using dhcpd (if you are using it).

Offline obukev

  • New Member
  • Posts: 2
DNS and transparent proxy issues
« Reply #2 on: January 21, 2005, 02:37:59 PM »
Ricky....

Thank you for responding.  Based on the number of posts you answer, I can tell that you are well respected and devote a great deal of time to helping others.  For that, I am grateful.

To continue with my problem, I have tried using the DNS from my ISP, but I still cannot resolve DNS queries.

The DNS I am using is associated with Charter Communications.  I have them in resolv.conf as well as in the squid.conf, so I am at a loss.  I am using the following for DNS:

24.240.243.9
24.240.243.15

If there is anything else you need from me, let me know.

Thanks again for your help.

P.S.  I am basically setting this up in a test environment.  The University that I work at wants to use this as a proxy server transparently and have Perfigo distribute addresses via DHCP on the student ResNet, so all I have to worry about is configuration of eth0 and eth1 with statically assigned IPs.