Wednesday, April 27, 2016

iptables - Prevent non-intercept Squid traffic being tagged by Policy Routing

I've re-edited the original question, because I have changed the setup since the original answer, which was for NAT based setup. NAT is no longer being used and has been replaced with TPROXY for IPv6 compatibility.



I'm running squid in a small network. I've set up a couple of squid listening ports for different scenarios.



Excerpt of squid.conf

  • http_port 3128 - This will be pushed to Windows clients via domain policy, with the HTTP Proxy set via WPAD.

  • http_port 3129 tproxy - This is for clients that are having traffic on port 80 intercepted.

For the TPROXY setup I'm using the following iptables/ip6tables rules on my DD-WRT router with iproute2 to mark and redirect traffic to the proxy. The problem is in this setup all traffic is tagged, including IPv4 and IPv6 traffic that is going to the Squid proxy via the 3128 port setup.



I need a way to exclude this traffic because it is adding overhead and breaking connectivity (particularly IPv6) on LAN clients that have the proxy applied directly.



I'm aware I could add specific clients to the PREROUTING table with an ACCEPT rule, but doing this for both IPv4 and IPv6 will become hard to manage quickly. I need to find a generic way to exclude all LAN clients that go through the Squid Proxy on port 3128 at router level but I don't know the best way to do it.



Current DD-WRT Squid policy routing:

# Squid transparent proxy
PROXY_IPV4=192.168.x.x
PROXY_IPV6=2001:470:xxxx:xx::x
CLIENTIFACE=br0
FWMARK=3

# Never mark the proxy's own outbound port-80 traffic, otherwise it would be routed back to itself
iptables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV4 -p tcp --dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT

# Mark all other port-80 traffic arriving from the LAN interface for policy routing
iptables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
iptables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT

# Allow the marked traffic to be forwarded back out of the same LAN interface towards the proxy
iptables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT

# Send marked packets through routing table 2, whose default route is the proxy host
ip rule add fwmark $FWMARK table 2
ip -6 rule add fwmark $FWMARK table 2
ip route add default via $PROXY_IPV4 table 2
ip -6 route add default via $PROXY_IPV6 table 2

# End Squid intercept proxy config
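Added example (not from the question or any answer to it): a small POSIX sh wrapper that drives iptables and ip6tables from one rule list, so each exclusion is written once and applied to the right address family, and that can be re-run because it checks with -C before adding a rule. It assumes that the proxy host should be excluded both as source and as destination (so traffic addressed to the proxy itself, which includes explicit port-3128 clients, is never marked), that the router's iptables supports -C, and the addresses are constructed placeholders; with DRY_RUN=1 (the default here) the commands are only printed.

```shell
#!/bin/sh
# Added example: one rule list for both address families, with a dry-run mode.
CLIENTIFACE=${CLIENTIFACE:-br0}
FWMARK=${FWMARK:-3}
DRY_RUN=${DRY_RUN:-1}

# Return 6 for an IPv6 address (contains a colon), 4 otherwise.
family_of() {
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# Pick the firewall tool for an address family.
tool_for() {
    if [ "$1" = 6 ]; then echo ip6tables; else echo iptables; fi
}

# Add a rule unless an identical one already exists (so re-running does not duplicate it).
# Usage: fw_rule FAMILY TABLE CHAIN APPEND|INSERT rule-spec...
fw_rule() {
    fam=$1 table=$2 chain=$3 mode=$4; shift 4
    tool=$(tool_for "$fam")
    if [ "$mode" = INSERT ]; then flag=-I; else flag=-A; fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "$tool -t $table $flag $chain $*"
        return 0
    fi
    "$tool" -t "$table" -C "$chain" "$@" 2>/dev/null || "$tool" -t "$table" $flag "$chain" "$@"
}

# Keep a host's traffic out of the TPROXY mark in both directions. Inserted at the top of
# mangle PREROUTING so it is evaluated before the MARK rule; the family is chosen automatically.
exclude_host() {
    fam=$(family_of "$1")
    fw_rule "$fam" mangle PREROUTING INSERT -i "$CLIENTIFACE" -d "$1" -j ACCEPT
    fw_rule "$fam" mangle PREROUTING INSERT -i "$CLIENTIFACE" -s "$1" -j ACCEPT
}

# Mark the remaining port-80 traffic from the LAN for policy routing, once per family.
mark_http() {
    for fam in 4 6; do
        fw_rule "$fam" mangle PREROUTING APPEND -i "$CLIENTIFACE" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    done
}

# Constructed placeholder addresses (RFC 5737 / RFC 3849 documentation ranges).
exclude_host "${PROXY_IPV4:-192.0.2.10}"
exclude_host "${PROXY_IPV6:-2001:db8::10}"
mark_http
```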
