Squid [Archiv] - linuxforen.de -- User helfen Usern

raini_neo

22.12.08, 08:30

Guten Morgen Community,

seit Tagen genauer gesagt seit 2 Wochen versuche ich Squid als Transparenten Proxy zu nutzen.
Mehrere Anleitung sowie Tut´s getestet es geht einfach nicht. Stundenlanges lesen, langsam verzweifle ich.

Zum System:

Opensuse 11.0
yast2-squid + squid 2.6.Stable20-12.1
eth1 ist am Router per DHCP
eth0 10.0.0.1/255.255.255.0

ROUTER (DHCP) => PROXY eth1 DHCP / eth0 10.0.0.1 => CLIENT PC´S

http_port 3128 transparent
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 gesetzt

Mit den Proxyeinstellungen funzt das Inet auf den Clienten. Nehme ich die Proxyeinstellungen raus geht nischt mehr.
Proxyeinstellungen im Browser aktiv = Daten werden in /var/log/squid/access.log geschrieben.

Vielen Dank bereits im vorraus.

Gruß

raini_neo

bla!zilla

22.12.08, 08:43

Ergänze das mal um

iptables -A FORWARD -s $NETWORK -d $IP-PROXY -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

raini_neo

22.12.08, 08:54

Hallo,

danke für die schnelle Antwort, werde es heute Abend testen.

Frage:

iptables -A FORWARD -s $NETWORK -d $IP-PROXY -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

Steht $NETWORK in meinem Beispiel für 10.0.0.0?

Sry, bin noch ein totaler Linux-Newbie

bla!zilla

22.12.08, 08:58

Richtig. Es gilt die CIDR Notation, also bei einer Subnetzmaske von 255.255.255.0 wäre $NETWORK 10.0.0.0/24.

raini_neo

22.12.08, 11:19

hab jetzt folgendes ausgeführt

iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

Ausgabe Client Browser: Die Webseite kann nicht angezeigt werden.

bla!zilla

22.12.08, 11:23

Poste bitte mal die Ausgabe von

iptables -L -v -n

raini_neo

22.12.08, 11:23

Ausgabe iptables -L -v -n:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2608 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5255 3709K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
12 628 input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
31 2797 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 ACCEPT udp -- eth0 eth0 10.0.0.0/24 10.0.0.1 udp dpt:3128
0 0 ACCEPT udp -- eth0 eth0 10.0.0.0/24 10.0.0.0/24 udp dpt:3128

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2608 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
5918 1010K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (3 references)
pkts bytes target prot opt in out source destination
14 1869 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
10 480 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:3128 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
10 480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 MARK match 0x1 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-REDIR '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED MARK match 0x1
17 948 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
19 1076 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

bla!zilla

22.12.08, 11:26

Der Post ist 3128/tcp, nicht udp. In deiner Forwarding-Chain wird deswegen auch nichts weitergeleitet.

raini_neo

22.12.08, 11:30

hab nochmals die zeile ausgeführt.
mus man die alte iptables löschen?

anbei nochmal iptables -L -v -n

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
749 623K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
2 72 input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4 463 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 ACCEPT tcp -- eth0 eth0 10.0.0.0/24 10.0.0.1 tcp dpt:3128
0 0 ACCEPT tcp -- eth0 eth0 10.0.0.0/24 10.0.0.1 tcp dpt:3128
0 0 ACCEPT tcp -- eth0 eth0 10.0.0.0/24 10.0.0.1 tcp dpt:3128

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
863 139K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (3 references)
pkts bytes target prot opt in out source destination
4 463 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:3128 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 MARK match 0x1 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-REDIR '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED MARK match 0x1
2 72 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
2 72 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

bla!zilla

22.12.08, 11:37

Ja, solltest du tun. Ich würde überhaupt erstmal versuchen ein ganz schmales Setup zum Laufen zu bringen, statt die ganzen Log und Drop Policies auszuführen.

raini_neo

22.12.08, 17:31

Nabend,

hab mir die arbeit gemacht Opensuse neu zu installieren (um alle Fehlerquellen zu beseitigen).

Ausgangssituation:

Opensuse 11.0
yast2-squid + squid 2.6.Stable20-12.1
eth1 ist am Router per DHCP
eth0 10.0.0.1/255.255.255.0
http_port 3128 transparent

Was ich gemacht habe:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

Ping vom Client auf Proxy und umgekehrt möglich.

Ausgabe: iptables -L -v -n

CChain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
51 3356 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3903 2766K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
100 11738 input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
231 24448 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 ACCEPT tcp -- eth0 eth0 10.0.0.0/24 10.0.0.1 tcp dpt:3128

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination
51 3356 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4679 1404K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
3 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (3 references)
pkts bytes target prot opt in out source destination
282 33730 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
15 720 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:3128 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
25 1200 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 MARK match 0x1 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-REDIR '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED MARK match 0x1
24 1256 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
24 1256 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

Ausgabe: route

Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
link-local * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default dsldevice.lan 0.0.0.0 UG 0 0 0 eth1

Am verhalten hat sich nichts geändert. Proxy Eintrag im Browser = INet ok und access.log wird geschrieben. Ohne geht nichts.

mfg. Raini

honkstar

22.12.08, 18:37

Ohne es mir genauer angesehen zu haben:

iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
ist das so gewollt?
wäre nicht besser

]iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1 -i eth0 -o eth1 -p tcp --dport 3128 -j ACCEPT
zu schreiben?
Ansonsten hilft ein tcpdump auf den Router.

hab mir die arbeit gemacht Opensuse neu zu installieren (um alle Fehlerquellen zu beseitigen).
Viel mit Windows gearbeitet, he?
*scnr*

raini_neo

22.12.08, 18:52

servus honkstar,

was deine letzte Frage betrifft, mus ich leider mit "JA" beantworten. Leider bin ich noch ein totaler Linux Newbie. Aber mir sind jetzt schon die Vorteile von Linux bekannt!

Leider bringt auch dein Vorschlag nicht das erwünschte Ergebnis!

Bin um jede Hilfe dankbar!

bla!zilla

22.12.08, 21:23

Tja, aber immer noch laufen keine Pakete über die FORWARD Chain. Irgendwie irritiert mich das REDIRECT... versuch mal bitte

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-port 3128

raini_neo

23.12.08, 11:17

bekomme bei der Eingabe folgende Fehlermeldung:

iptables v1.4.0: Unknown arg `--to-port'
Try `iptables -h' or 'iptables --help' for more information.

bla!zilla

23.12.08, 11:35

man iptables ist dein Freund.

raini_neo

23.12.08, 16:48

Hoffe es richtig interpretiert zu haben.

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:3128

Ausgabe iptables -L -v -n

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2608 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1168 531K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
13 1029 input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
100 10407 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 ACCEPT tcp -- eth0 eth0 10.0.0.0/24 10.0.0.1 tcp dpt:3128

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2608 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1364 481K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (3 references)
pkts bytes target prot opt in out source destination
82 9816 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
8 384 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:3128 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
14 672 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
17 948 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
17 948 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

Browser ohne Proxyeintrag wieder ohne Erfolg :(

raini_neo

23.12.08, 16:52

Hoffe es richtig interpretiert zu haben.

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:3128

Ausgabe iptables -L -v -n

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2608 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1168 531K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
13 1029 input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
100 10407 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 ACCEPT tcp -- eth0 eth0 10.0.0.0/24 10.0.0.1 tcp dpt:3128

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2608 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1364 481K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (3 references)
pkts bytes target prot opt in out source destination
82 9816 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
8 384 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:3128 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
14 672 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
17 948 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
17 948 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

Browser ohne Proxyeintrag wieder ohne Erfolg :(

Etwas ist allerdings komisch, führe ich den Befehl iptables -L -v -n nochmals auf (ca.2min. später) ist der Eintrag für die 10.0.0.1 wieder weg!

Sry für den Doppelpost (evtl. kann ein Mod den letzten Beitrag löschen - Danke!)

bla!zilla

23.12.08, 19:49

Wirf bitte mal alles weg und nur die für den transparenten Proxy notwendigen Rules laden. Poste bitte mal deine squid.conf - aber bitte ohne Kommentare!

raini_neo

23.12.08, 19:54

Hallo bla!zilla.

das Thema hat sich erledigt! Hab das ganze mit der Eingabe der IPTABLES verschmissen.

Lösung: alles über die SuSEfirewall2 gelöst. (/etc/sysconfig/SuSEfirewall)

Wenn intresse besteht poste ich meine config der SuSEfirwall.

Trotzdem Vielen Dank für die HILFE!!!

mfg. raini_neo

P.S.: mein nächstes Prob folgt ;)

bla!zilla

23.12.08, 19:56

Einfach mal die Ausgabe von iptables -L -v -n posten. SuSEfirewall2 ist nur ein Frontend für iptables.

raini_neo

23.12.08, 19:59

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
30 1956 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5467 3977K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
145 10982 input_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
10 528 input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `
SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
108 5168 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
690 84191 forward_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
843 614K forward_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `
SFW2-FWD-ILL-ROUTING '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
30 1956 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
6624 4482K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `
SFW2-OUT-ERROR '

Chain forward_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
843 614K ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flag
s 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flag
s 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `
SFW2-FWDext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `
SFW2-FWDext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 le
vel 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain forward_int (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
690 84191 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flag
s 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flag
s 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `
SFW2-FWDint-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix ` SFW2-FWDint-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 le vel 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
0 0 reject_func all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_ext (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:3128 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 MARK match 0x1 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-REDIR '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED MARK match 0x1
10 528 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flag s 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
10 528 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flag s 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix ` SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix ` SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 le vel 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_int (1 references)
pkts bytes target prot opt in out source destination
145 10982 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

bla!zilla

23.12.08, 20:10

Ich sehe da nichts, was die Anfragen auf den Proxy auf Port 3128/tcp umleitet....

honkstar

24.12.08, 09:03

Poste doch mal bitte die Ausgabe von

iptables -t nat -vnL

raini_neo

24.12.08, 11:56

Chain PREROUTING (policy ACCEPT 85 packets, 7248 bytes)
pkts bytes target prot opt in out source destination
66 3168 REDIRECT tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 18 packets, 1343 bytes)
pkts bytes target prot opt in out source destination
355 22553 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 305 packets, 19826 bytes)
pkts bytes target prot opt in out source destination

bla!zilla

25.12.08, 09:01

Ah, da ist es ja.

raini_neo

27.12.08, 13:17

Vielen Dank nochmlas für die unermüdliche Hilfe von Euch!

Thema hiermit erledigt.

mfg. raini_neo