# Anybody with 100% working NAT/MASQ/SQUID/HTTPS solution?

## Gentoo Server

I tried really hard, but my basic

iptables --append FORWARD --in-interface eth0 -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

setting is good for http, but any https transfer doesn't work.

I have only eth0 and ppp0. Does anybody have a working solution for me?

Greetings Olaf

----------

## xming

Maybe this will help

 *Quote:*   

> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

----------

## Gentoo Server

 *xming wrote:*   

> Maybe this will help
> 
>  *Quote:*   
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
> ...

I tried it, but squid doesn't like 443 requests.

How can I make squid 2.5.3 443-enabled?

----------

## jhboricua

Have you checked the squid mailing lists?

I've seen some info there that suggested https and squid don't work well together, but I may be wrong.

----------

## Chris W

You can't transparently proxy HTTPS. Connections must be made end-to-end.

http://www.ibiblio.org/Linux/HOWTO/TransparentProxy-2.html#ss2.3

----------

## Gentoo Server

I tried to disable squid & the redirect; then not even http was working. I think it's a DNS problem.

ping on the client works 100%

my client has router = dns = wins = linux server

on the linux server I use dnsmasq to get dns resolved

my isp is a ppp0 with changing dns servers

Do I need some special config for dns/dnsmasq?

internet on linux server is 100%

mtu of isp is 1400

Bye

Olaf

----------

## JC99

If you only have 1 ethernet card, why do you need masquerading?

If you have two cards, did you do

 *Quote:*   

> cd /etc/init.d
> cp net.eth0 net.eth1
> rc-update add net.eth1 default
> ...

I have 2 network cards: one connects to my network (eth1), the other to the internet using ADSL (ppp0 over eth0).

First, do you have all the right kernel modules installed?

Here is my configuration thus far.

For the kernel, under networking options I have 

 *Quote:*   

> <*> Packet socket
>      [*]   Packet socket: mmapped IO
> ...

Then under IP Netfilter Configuration (which is found under networking options) I have

 *Quote:*   

> <*> Connection tracking (required for masq/NAT)
>      <*>   FTP protocol support
> ...

For my firewall I created a script as follows:

nano firewall.txt (call it whatever you want), then enter the following

 *Quote:*   

> iptables -F
> iptables -t nat -F
> ...

eth1 is the network (ethernet) card connected to my network. ppp0 is my adsl connection to the internet.

chmod the script as follows so you can execute it:

 *Quote:*   

> chmod 700 firewall.txt

then type

 *Quote:*   

> ./firewall.txt

This will enter the rules into your iptables, and you should see the following on your screen:

 *Quote:*   

> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ...

Now in /etc/conf.d/local.start add the following:

 *Quote:*   

> adsl-start
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ...

I assume you have run

 *Quote:*   

> adsl-setup

(you may have to change some options manually in /etc/ppp/pppoe.conf)

You should be good to go!

I don't think you can accept connections for https using squid, and I have read that using squid for port 80 has potential security risks, but I have never tried that. I just have all the computers on my network connect to the internet through squid.

----------

## Gentoo Server

Thanks for your help!

iptables -F

iptables -t nat -F

iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -p all -j ACCEPT

iptables -A INPUT -i eth0 -p all -j ACCEPT

iptables -A INPUT -i ppp0 -p all -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i lo -p all -j ACCEPT

iptables -A FORWARD -i eth0 -p all -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I did this and everything works with http. When I go to this banking site

https://homebanking.dvg-ka.de/050/index.html

I cannot get it on my client.

When I enable proxy server:3128 in my IE6 it works.

Strange that it's not possible to use a linux router without entering proxy data in IE6.

Greetings

Olaf

----------
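A corrected rule set for the setup discussed in this thread, added by the editor and not posted by any participant: only port 80 is redirected into squid, 443 is forwarded end-to-end through the MASQUERADE rule (as Chris W explains, squid cannot terminate it transparently), and the blanket ACCEPT for everything arriving on ppp0 in the post above is replaced by a stateful rule. Interface names and the squid port are taken from the thread; the LAN subnet 192.168.0.0/24 is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): only plain HTTP is redirected into
# squid; HTTPS is masqueraded end-to-end. eth0/ppp0/3128 follow the thread,
# LAN_NET is a constructed value.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit the rules in iptables-restore format so they can be reviewed first.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only port 80 goes to squid; 443 is deliberately left alone.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
# Clamp MSS to the PPPoE path MTU (the thread reports MTU 1400): oversized TLS
# handshake segments are a classic reason HTTPS stalls while small HTTP works.
-A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# No blanket ACCEPT for $WAN_IF: unsolicited traffic from the ISP side is dropped.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Refuse to load a rule set that redirects 443 or opens INPUT on the WAN side.
lint_rules() {
    r=$(gen_rules)
    case "$r" in
        *"--dport 443 -j REDIRECT"*|*"-A INPUT -i $WAN_IF -j ACCEPT"*|*"-A INPUT -i $WAN_IF -p all -j ACCEPT"*) return 1 ;;
    esac
}
apply_rules() { lint_rules || return 1; gen_rules | iptables-restore; echo 1 > /proc/sys/net/ipv4/ip_forward; }
case "${1:-}" in --apply) apply_rules ;; *) gen_rules ;; esac
```

Run it without arguments to print the rule set for review, and with `--apply` (as root) to load it and enable forwarding.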

## axxackall

 *xming wrote:*   

> Maybe this will help
> 
>  *Quote:*   
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
> ...

What if my users are going to various sites sitting on arbitrary ports other than 80? Is it possible to transparently redirect web connections with arbitrary ports based not on the port number (too many port numbers would be in the table), but on the protocol fingerprint of HTTP?

----------

## acidreign

Might help? http://www.subverted.net/wakka/wakka.php?wakka=SquidCache

Gentoo server, are you part of the Gentoo Server Project?

----------

