# Home router

## mungo_k

I read http://www.gentoo.org/doc/en/home-router-howto.xml

Well, it works, but not well. It doesn't work for Google's https servers (e-mail). No pages load, infinite wait.

I added squid, and if I tell the browser to use https 192.168.1.1:3128 it works.

Someone said that it is possible if I use a PPTP WAN. In the doc http://www.gentoo.org/doc/en/home-router-howto.xml I see that it can be corrected with some iptables rule, but it doesn't work for me.

Does anyone know how it can be resolved?

----------

## mbjr

The guide seems to be ignoring https forwarding, i.e. it says:

*Quote:*

> HTTP forwarding to an internal host
>
> `# iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56`

Now I'm not sure if you gave a try to something like this:

```
HTTPS forwarding to an internal host

# iptables -t nat -A PREROUTING -p tcp --dport 143 -i ${WAN} -j DNAT --to 192.168.0.56
```

Or if you are really after using squid as a transparent proxy and would direct traffic to your squid instance, in which case that has to be prepared to serve https properly.

PS: I dropped a line to vaiper to include info on https forwarding given its popularity these days.

Hope that helps,

----------

## mungo_k

PPTP is /dev/ppp0, so if I redirect to an IP it won't be correct. Redirection to squid in any case gives errors.

What do you mean by saying "Or if you are really after using squid as a transparent proxy and would direct traffic to your squid instance in which case that has to be prepared to serve https properly"? What special preparation is needed?

----------

## mbjr

Oh I see. In that sense you couldn't implement your firewall configuration based on that guide "as is", could you?

Transparent proxying is a great thing as clients don't have to implement any settings in their proxy configuration. Instead, your firewall captures the outgoing requests on http/https and directs them to squid directly. It's pretty much done by: `iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128`, and the same for port 143 (https) with `--to-port` either 3128 or something else in case you define a different instance for HTTPS proxying.

There is a great guide living in Gentoo's Firewall documentation that explains a rather complex setup with Squid, but obviously you will need a partial implementation of the scenario explained there. Here's the guide: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap6 - let me know if this helps.

Thanks,

----------

## Hu

OP: please post the output of `iptables-save -c ; ip addr show` as run from the home router.

----------

## mungo_k

In my squid.conf I added an https port 3129 (as in the example), and set the redirect in iptables from 143 to 3129. When I replaced it with 3128 (http) it works.

Iptables config:

```
# Generated by iptables-save v1.4.13 on Wed Aug  8 09:04:38 2012
*mangle
:PREROUTING ACCEPT [1156763563:721880709126]
:INPUT ACCEPT [582866851:368883319147]
:FORWARD ACCEPT [573248083:352874577102]
:OUTPUT ACCEPT [670146935:295518977366]
:POSTROUTING ACCEPT [1192891266:645971919284]
COMMIT
# Completed on Wed Aug  8 09:04:38 2012
# Generated by iptables-save v1.4.13 on Wed Aug  8 09:04:38 2012
*nat
:PREROUTING ACCEPT [319:17988]
:INPUT ACCEPT [280:15977]
:OUTPUT ACCEPT [14:980]
:POSTROUTING ACCEPT [0:0]
[1895:92488] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j REDIRECT --to-ports 3128
[10456:885932] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Aug  8 09:04:38 2012
# Generated by iptables-save v1.4.13 on Wed Aug  8 09:04:38 2012
*filter
:INPUT ACCEPT [10930:9030294]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11142:2275899]
[22878:7700977] -A INPUT -i lo -j ACCEPT
[666622:85467761] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 21,22,80,443,1723,3128,10000 -j ACCEPT
[30:1424] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 25,53,110,587,993,5190 -j ACCEPT
[7742:490264] -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
[9:444] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -i ppp0 -p udp -m udp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
[8344303:6622838523] -A FORWARD -d 192.168.1.0/24 -i ppp+ -j ACCEPT
[13625:3081124] -A FORWARD -s 192.168.1.0/24 -i eth0 -j ACCEPT
[2126:135439] -A FORWARD -i eth0 -o ppp0 -p tcp -m tcp -m multiport --dports 123,5190 -j ACCEPT
[27:2052] -A FORWARD -i eth0 -o ppp0 -p udp -m udp -m multiport --dports 123,5190 -j ACCEPT
[9:432] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Aug  8 09:04:38 2012

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 6c:62:6d:6c:84:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 109.232.116.118 peer 109.232.112.1/32 scope global ppp0
```
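
The per-rule counters in an `iptables-save -c` dump are the first thing to read when a redirect "does nothing": the dport-80 REDIRECT above has matched 1895 packets, while the dport-143 REDIRECT shows `[0:0]`, so no LAN traffic has ever hit it. Browsers send HTTPS to TCP 443 (the port the INPUT multiport rule already lists), and the dump contains no REDIRECT for 443 at all. The script below is an added example, not code from the thread or from Gentoo: it parses the nat table posted above (embedded as a constructed sample), reports REDIRECT rules with a zero packet count, and checks which REDIRECT rules, if any, would catch a given destination port. Function names are the example's own. Note that even a 443 redirect to a plain `http_port` will not let Squid terminate TLS; that is the "prepared to serve https properly" part of mbjr's reply.

```python
"""Added example (not from the thread): triage an `iptables-save -c` dump.

Per-rule packet/byte counters show which rules actually match traffic. A rule
that should carry the traffic you care about but reads [0:0] has never
matched, which narrows a "no pages load" problem to the rule itself rather
than to the proxy behind it.
"""
import re

# Constructed sample: the nat table from the dump posted above, verbatim.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [319:17988]
:INPUT ACCEPT [280:15977]
:OUTPUT ACCEPT [14:980]
:POSTROUTING ACCEPT [0:0]
[1895:92488] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j REDIRECT --to-ports 3128
[10456:885932] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

# "[pkts:bytes] -A CHAIN <rule spec>" as written by iptables-save -c
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def parse_rules(dump):
    """Return a dict per counted rule line, tagged with the table it belongs to."""
    table = None
    rules = []
    for line in dump.splitlines():
        if line.startswith("*"):          # "*nat", "*filter", ... opens a table
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m:                         # chain policies, COMMIT, comments
            continue
        pkts, nbytes, chain, spec = m.groups()
        opts = spec.split()

        def opt(flag):
            # value following a flag such as "-i" or "--dport", or None if absent
            return opts[opts.index(flag) + 1] if flag in opts else None

        rules.append({
            "table": table, "chain": chain,
            "packets": int(pkts), "bytes": int(nbytes),
            "in_iface": opt("-i"), "out_iface": opt("-o"),
            "dport": opt("--dport"), "target": opt("-j"),
            "to_ports": opt("--to-ports"),
        })
    return rules


def unmatched_redirects(dump):
    """(dport, to_ports) for every REDIRECT rule whose packet counter is zero."""
    return [(r["dport"], r["to_ports"]) for r in parse_rules(dump)
            if r["target"] == "REDIRECT" and r["packets"] == 0]


def redirects_for_port(dump, dport):
    """REDIRECT rules that would catch traffic to the given destination port."""
    return [r for r in parse_rules(dump)
            if r["target"] == "REDIRECT" and r["dport"] == str(dport)]


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_DUMP):
        print(f"{r['table']}/{r['chain']:<11} {r['packets']:>8} pkts  "
              f"dport={r['dport']} -> {r['target']} {r['to_ports'] or ''}")
    print("REDIRECT rules that never matched:", unmatched_redirects(SAMPLE_DUMP))
    print("REDIRECT rules for port 443:", redirects_for_port(SAMPLE_DUMP, 443))
```

Run it against a live dump with `iptables-save -c | python3 triage.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; the zero-counter list is the rule set to question first, and an empty result for port 443 means HTTPS is not being intercepted at all, whatever Squid is configured to do.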

----------

## mungo_k

Today it's not working... I'm in prostration...

----------

