Jump to content
Can't remember your login details? Read more... ×

Help with squid/iptables, ip_forward, etc... with proxy!

Recommended Posts

Hi guys,

I'm new @ ubuntu/linux and willing to learn.


I have a squid server at port 3128. traffic incoming into the squid server gets redirected to another port 1010 using:


iptables -t nat -A PREROUTING -p tcp --destination-port 3128 -j REDIRECT --to-port 1010

echo 1 > /proc/sys/net/ipv4/ip_forward

traffic from an external pc through the squid proxy at port 3128 successfully gets to the website/ip it was looking for. All works fine.


However when i'm trying to add an external proxy in the equation, and can't get it to work! Ideally, i want traffic to go into squid at port 3128 get redirected to port 1010 then forwarded to external proxy and access the original website/ip sought.


Proxy works only if i do not have iptables setup to redirect traffic from port 3128 to port 1010. The moment i redirect traffic from 3128 to 1010 using the iptable config above, external pc connects to website/ip directly from squid server instead of going through the extra proxy (from cache_peer).


I see how it makes sense since traffic is redirected to port 1010 before it goes through cache_peer. However, I am sure there should be a way to use iptables to configure the traffic to go back to the external proxy, am i right?


can anyone point me on the right track? is it something to do with postrouting/route?


desperate, i tried to apply a system-wide proxy, but even that did not work :(


any help/pointers much appreciated

Share this post

Link to post
Share on other sites

Alright I managed to get around it by using proxychains.

So I have my the squid server with cache_peer listening to two ports.

I redirect traffic from port 3128 to 1010.

I use proxychains to redirect the traffic back to 1050 (which is the 2nd port squid server is listening to). Then squid server uses its basic cache_peer and connects to proxy.


i only realise this is not an elegant solution because the connection is now actually super slow

Share this post

Link to post
Share on other sites



i edited the python script for the software that was listening at 1010 so it directs the connection to the external proxy. looks like its working now, but i can't do extensive testing (at work atm).

Edited by ameel

Share this post

Link to post
Share on other sites

ACtually, nvm. Figured it out.


Basically client connects to 1010

app listening at 1010

app forwards connection to 3128

squid listening at 3128

squid forwards connection to external proxy


(no iptables needed)


another problem is that the app listening at 1010 has certain limitations. when i try to download big files, it timesout eventually (or i cbb waiting im assuming it times out). im guessing when i click on the link, the app at 1010 downloads the file first before sending it back to the client. thence huge files (700mb or so) take forever or timeout before client sees popup to confirm downloading the file which makes it completely useless. anyone has any idea?



Share this post

Link to post
Share on other sites

Whatever you're trying to achieve, you're doing it wrong.


Why exactly do you need 2 proxies?


:edit: shit, didn't realise this thread was so old...

Edited by Linux_Inside V2

Share this post

Link to post
Share on other sites

when i try to download big files, it timesout eventually

If squid is working, you may not see any progress until squid has the file,

then it will be moved to the browsers download folder or /tmp (check here for large files progress).


I still use the squid with iptables, ala "atomic firewalled gateway server" by Ashton Mills.


Rather than 2 ports for squid, I use a nic just for an internal connection (no cable). Currently this is a usb/nic.


on my home network, is my external connection and is my internal squid connection.


These ip's are used in both the squid.conf and firewall script.


here's a look at mine,



# Atomic IPTables firewall script v1.2
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
# Updated May 2003 for bandwidth shaping
# Ashton Mills
# amills@iinet.com.au

# Environment variables, change these values accordingly




## You shouldn't need to touch anything below here

# Load appropriate iptables modules, others will be loaded dynamically on demand

	$MODPROBE ip_tables
	$MODPROBE iptable_filter
	$MODPROBE ip_nat_ftp
	$MODPROBE ip_conntrack
	$MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)

	echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
	echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
	echo "1600 61000" > /proc/sys/net/ipv4/ip_local_port_range
	echo "1" > /proc/sys/net/ipv4/ip_dynaddr
	echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything

	$IPTABLES -t nat -F
	$IPTABLES -t mangle -F
## --- DEFAULT POLICY --- ##

	# Drop everything on INPUT and FORWARD chains, accept OUTPUT


## --- INPUT CHAIN --- ##

	# Allow Telstra hearbeat -- BPA users uncomment this

	$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
	$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

	# Allow local net browsing avahi/Zeroconf

	$IPTABLES -A INPUT -p udp --sport 3128 -j ACCEPT
	$IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT
	#Allow bootp port -- Optus and some ADSL users need this
	$IPTABLES -A INPUT -p udp -d --dport 68 -j ACCEPT

	# Allow access to services on this (the gateway) machine

	# SSH
	$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

	# Teamspeak
	$IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT

	# Half Life server
	$IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT
	# FTP
	$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

	# Bittorrent
	$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 7881 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 8881 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT

	# Accept all connections on local and internal interfaces

	# Accept local connections for webcam
	$IPTABLES -A INPUT -p tcp -m tcp --sport 8081 -j ACCEPT

	$IPTABLES -A OUTPUT -p tcp -o tcp --dport 8081 -j ACCEPT
	$IPTABLES -A INPUT -p udp -m udp --sport 8081 -j ACCEPT

	$IPTABLES -A OUTPUT -p udp -o udp --dport 8081 -j ACCEPT
 	# Accept local config for webcam
	$IPTABLES -A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT

	$IPTABLES -A OUTPUT -p tcp -o tcp --dport 8080 -j ACCEPT
	$IPTABLES -A INPUT -p udp -m udp --sport 8080 -j ACCEPT

	$IPTABLES -A OUTPUT -p udp -o udp --dport 8080 -j ACCEPT

	# cups
	$IPTABLES -A INPUT -p tcp -m tcp --sport 631 -j ACCEPT

	$IPTABLES -A OUTPUT -p tcp -o tcp --dport 631 -j ACCEPT
	$IPTABLES -A INPUT -p udp -m udp --sport 631 -j ACCEPT

	$IPTABLES -A OUTPUT -p udp -o udp --dport 631 -j ACCEPT
	# Stateful inspection -- Allow packets in from connections already established


	# Drop packets from invalid sources (reserved networks and localhost)


	# Don't log igmp, web or ssl. More noise we don't need to log.

	$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
	$IPTABLES -A INPUT -p tcp --dport 443 -j DROP

	# Log everything else

	$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "


# EGRESS (upstream)

	# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30

	# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
	$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
	# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10

	# ICMP (ping)
	$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
	# SSH
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
	# Web, SSL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20

	# ACKs	
	$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20

	# No need for catchall for class 30, handled by HTB root qdisc initilisation
# INGRESS (downstream)

	# Only prioritise class 10 traffic

	# Don't police high priority UDP, game, ping and SSH packets
	$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10

	# Catchall, police everything else
	$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

	# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
	# for browsing as many P2P programs, not to mention your HTTP file downloads, will
	# flood the link unpoliced, causing delays with high priority (class 10) packets.
	# Shape HTTP going out, but let it be bulk coming in.
	# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
## --- FORWARD CHAIN --- ##

	# Stateful inspection -- Forward in connections already established


	# Allow outbound DNS queries from the FW and the replies too
	# - Interface eth0 is the internet interface
	# Zone transfers use TCP and not UDP. Most home networks
	# / websites using a single DNS server won't require TCP statements
# Printer port
	$IPTABLES -A INPUT -p udp -i eth0 --sport --dport 1024:65535 -j ACCEPT
	$IPTABLES -A INPUT -p tcp -i eth1 --sport --dport 1024:65535 -j ACCEPT

	$IPTABLES -A INPUT -p udp -i eth1 --sport --dport 1024:65535 -j ACCEPT
	$IPTABLES -A INPUT -p tcp -i eth0 --sport --dport 1024:65535 -j ACCEPT

	$IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
	$IPTABLES -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

# Forwards for software running on Windows/Linux machines behind the firewall

	# Kazaa Lite (change destination IP accordingly)

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest
#	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d -j ACCEPT 
	# Bittorrent

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 7881 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 7881 -d -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 7881 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 7881 -d -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 8881 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 8881 -d -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 8881 -j DNAT --to-dest
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 8881 -d -j ACCEPT

	# Forwards for hosting DirectPlay games
#	$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 47624 -j DNAT --to-destination
#	$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to-destination
#	$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to-destination

	# Forward out all traffic


## --- OUTPUT CHAIN --- ##

	# Follows policy

## --- NAT --- ##

	# Enable masquerade


## -- Transparent proxy to Squid --- ##

	$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128


http_port transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 5000 16 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:		   1440	20%	 10080
refresh_pattern ^gopher:		1440	0%	  1440
refresh_pattern .			   0	   20%	 4320
half_closed_clients off
acl manager proto cache_object
acl localhost src
acl to_localhost dst
#acl localnet src	 # RFC1918 possible internal network
acl localnet src  # RFC1918 possible internal network
acl localnet src # RFC1918 possible internal network
acl SSL_ports port 443 563
acl Safe_ports port 80		  # http
acl Safe_ports port 21		  # ftp
acl Safe_ports port 443 563	 # https, snews
acl Safe_ports port 70		  # gopher
acl Safe_ports port 210		 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280		 # http-mgmt
acl Safe_ports port 488		 # gss-http
acl Safe_ports port 591		 # filemaker
acl Safe_ports port 777		 # multiling http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl mynetwork src
http_access allow mynetwork
http_access allow localnet
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname squid@GamesBox.GlennsPref.net
append_domain .GamesBox.GlennsPref.net
err_html_text admin@GamesBox.GlennsPref.net
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on


# Kernel sysctl configuration file
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables IP dynaddr
net.ipv4.ip_dynaddr = 0
# Disable ECN
net.ipv4.tcp_ecn = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
#kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# If you set this variable to 1 then cd tray will close automatically when the 
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
# removed to fix some digital extraction problems 
# dev.cdrom.check_media=1

# to be able to eject via the device eject button (magicdev)

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
fs.inotify.max_user_watches = 524288
net.ipv4.conf.all.forwarding=1  #hacked squid

Each nic requires an ip, I don't know how this would work with dhcp (non-static) addressing.


I use rc.local to instigate the scripts for ifup, firewall and squid.

This adds some time to the boot sequence, but not much, and

the connection is usually ready by the time the OS has loaded to a full GUI desktop.



# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed at the end of the boot process.
#			  You can put your own initialization stuff in here if you don't
#			  want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
ifdown eth0
ifdown eth1
sh /etc/init.d/atomic.firewall
ifup eth1
ifup eth0
service squid start
/usr/bin/mbmon -r -P 5355

I hope this helps, regards Glenn

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now