I'm trying to create a transparent proxy to cache and blacklist traffic on my self-made Linux router. Problem is that all clients are getting timed-out when trying to reach any HTTP sites (HTTPS works).
Here is my setup:
System: Ubuntu 16.04
Proxy: Squid 3.5.12
iptables:
- Relevant rule:
-A PREROUTING -i wlx30b5c21224f3 -p tcp --dport 80 -j REDIRECT --to-port 9999
- Entire ruleset:
https://pastebin.com/HtzTmYMp
Squid:
- Relevant rules:
http_port 192.168.99.1:8888
http_port 192.168.99.1:9999 intercept
- Entire config:
https://pastebin.com/Ft2f3uaD
Interfaces:
- Internet - enp1s0 (ethernet)
- Local network - wlx30b5c21224f3 (wireless)
Network:
- Network address - 192.168.99.0/24
- Gateway, DNS, Squid - 192.168.99.1
Squid logs:
- Access.log - empty
- Cache.log - https://pastebin.com/AQ6VFdNP
I can tell that squid is working and listening on assigned ports by looking at active processes.
Result of netstat -tulpn | grep squid:
tcp 0 0 192.168.99.1:9999 0.0.0.0:* LISTEN 2604/(squid-1)
tcp 0 0 192.168.99.1:8888 0.0.0.0:* LISTEN 2604/(squid-1)
udp 0 0 0.0.0.0:35057 0.0.0.0:* 2604/(squid-1)
udp6 0 0 :::50319 :::* 2604/(squid-1)
I can also tell that the iptables rule redirects traffic from port 80 to 9999 by watching traffic while trying to connect to an HTTP site on one of the clients.
Result of watch 'iptables -t nat -L -n -v': https://pastebin.com/wdRjnBDa
The number of bytes going through the iptables rule keeps increasing as I try to reach the site, yet the client still times out.
So my theory is that iptables is redirecting traffic properly and Squid is listening on the proper ports, yet there is something I'm missing that is preventing traffic from ever reaching Squid (since the Squid logs are more or less empty).
I've tried a bunch of different iptables rules I found in various Squid guides online; most of them yield the same result as above.
I've also tried a bunch of different ports in Squid, and I've tried to remove the IP address from http_port 192.168.99.1:9999, but that caused Squid to listen on IPv6 only (and I'm not sure how that affects iptables rerouting).
PS. This is my first networking project, so I might be missing something obvious here.
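The post checks three things by hand: the REDIRECT target port, what Squid is listening on, and whether the nat counters move. The script below is an added example, not code from the post or from the Squid project; it folds those checks into one function that takes iptables-save style rules and netstat -tulpn style output as text and reports why a redirected SYN might never reach the intercept port. The sample rule, listener lines and INPUT rules embedded in it are constructed to mirror the shapes shown above; the LAN address, port and interface name are taken from the post, and the DROP-based INPUT rules in the second sample are a hypothetical ruleset, not the one in the linked pastebin.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Squid intercept port
# against the nat REDIRECT rule that feeds it and the filter INPUT chain that must
# let the redirected SYN in. All inputs below are constructed sample text.

# Constructed sample: the nat PREROUTING rule in iptables-save form.
SAMPLE_NAT_RULE='-A PREROUTING -i wlx30b5c21224f3 -p tcp --dport 80 -j REDIRECT --to-port 9999'

# Constructed sample: listeners in netstat -tulpn form.
SAMPLE_NETSTAT='tcp 0 0 192.168.99.1:9999 0.0.0.0:* LISTEN 2604/(squid-1)
tcp 0 0 192.168.99.1:8888 0.0.0.0:* LISTEN 2604/(squid-1)
tcp6 0 0 :::22 :::* LISTEN 900/sshd'

# Constructed sample: filter INPUT rules that admit the intercept port.
SAMPLE_INPUT_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlx30b5c21224f3 -p tcp --dport 9999 -j ACCEPT
-A INPUT -i wlx30b5c21224f3 -j DROP'

# Constructed (hypothetical) sample: the same chain without the ACCEPT for 9999.
SAMPLE_INPUT_RULES_BLOCKED='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlx30b5c21224f3 -j DROP'

# Print the --to-port value of a REDIRECT rule (empty if the rule has none).
redirect_to_port() {
    printf '%s\n' "$1" | sed -n 's/.*--to-port[ =]\([0-9][0-9]*\).*/\1/p'
}

# Print the bind address of every TCP socket LISTENing on the given port, one per line.
tcp_listen_addrs() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { sub(":" p "$", "", $4); print $4 }
        }'
}

# Report one of: no-listener, listener-wrong-address, input-blocked, ok.
#   $1 intercept port, $2 LAN address REDIRECT delivers to,
#   $3 netstat text, $4 filter INPUT rules text
intercept_status() {
    addrs=$(tcp_listen_addrs "$1" "$3")
    if [ -z "$addrs" ]; then
        echo no-listener; return 0
    fi
    # REDIRECT rewrites the destination to the primary address of the interface the
    # packet arrived on, so the listener must be on that address or on a wildcard.
    bound_ok=no
    for a in $addrs; do
        case $a in
            "$2"|0.0.0.0) bound_ok=yes ;;
            ::) bound_ok=yes ;;   # dual-stack wildcard: also takes IPv4 unless bindv6only=1
        esac
    done
    [ "$bound_ok" = yes ] || { echo listener-wrong-address; return 0; }
    # The redirected packet is now local input, so INPUT must accept the new port.
    if printf '%s\n' "$4" | grep -q -- "-p tcp .*--dport $1 .*-j ACCEPT"; then
        echo ok; return 0
    fi
    # Heuristic: no explicit ACCEPT for the port; a DROP/REJECT in the chain means
    # the SYN is silently discarded and the client sees exactly a timeout.
    if printf '%s\n' "$4" | grep -qE -- '-j (DROP|REJECT)'; then
        echo input-blocked; return 0
    fi
    echo ok
}

# Stand-alone run over the constructed samples.
iport=$(redirect_to_port "$SAMPLE_NAT_RULE")
echo "intercept port $iport: $(intercept_status "$iport" 192.168.99.1 "$SAMPLE_NETSTAT" "$SAMPLE_INPUT_RULES")"
echo "intercept port $iport (blocked ruleset): $(intercept_status "$iport" 192.168.99.1 "$SAMPLE_NETSTAT" "$SAMPLE_INPUT_RULES_BLOCKED")"
```

On a live router the same functions can be fed real data, for example `intercept_status 9999 192.168.99.1 "$(netstat -tulpn)" "$(iptables-save -t filter | grep '^-A INPUT')"`. The INPUT check is deliberately a heuristic: it only asks whether an ACCEPT for the port exists before any catch-all DROP, which is the case that produces a silent timeout rather than a refused connection; a nat counter that keeps growing while access.log stays empty is consistent with packets being redirected and then dropped in filter, so that chain is worth reading next.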