hello, i have a similar problem to do transparent proxy with squid and iptable
in squid.conf i have: httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on my iptables script is: #!/bin/sh echo "Chargement des regles iptables" IPTABLES=/sbin/iptables # where iptables binary lies # Setting up Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Setting up IP spoofing protection if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] then for f in /proc/sys/net/ipv4/conf/*/rp_filter do echo 1 > $f done fi # definition d'objets firewall_adsl="ppp0" # interface externe du firewall localhost="127.0.0.1" # boucle local firewall_intranet="192.168.0.1" # passerelle du LAN intranet="192.168.0.0/24" # adresse sous-reseau et masque any="0.0.0.0/0" # Internet # Interfaces dev_intra="eth0" # interface intranet dev_inter="ppp0" # interface pour l'ADSL # port maxi hports="1024:" # Reinitialisation des tables $IPTABLES -F $IPTABLES -X # Interdit tout par defaut $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP #KEEPSTATE=" -m state --state ESTABLISHED,RELATED" # Regle du tunnel ADSL $IPTABLES -A INPUT -j ACCEPT -i $dev_inter -d $firewall_intranet $IPTABLES -A OUTPUT -j ACCEPT -o $dev_inter #Accepte tout sur l'interface lo $IPTABLES -A INPUT -j ACCEPT -p ALL -i lo $IPTABLES -A OUTPUT -j ACCEPT -p ALL -o lo # Acceptes tout de l'intranet si les paquets sont diriges vers son interface $IPTABLES -A INPUT -j ACCEPT -p ALL -i $dev_intra $IPTABLES -A OUTPUT -j ACCEPT -p ALL -o $dev_intra # Redirection des requetes port 80 vers Squid (proxy transparent) $IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128 # Activation du forwarding $IPTABLES -A FORWARD -j ACCEPT -i $dev_intra -o ppp0 -s $intranet $IPTABLES -A FORWARD -j ACCEPT -o $dev_intra -i ppp0 -s $any #Activation du masquerading IP #$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # activation du mode etabli pour les principaux protocoles $IPTABLES -A OUTPUT -j ACCEPT -o ppp0 -p TCP $KEEPSTATE $IPTABLES -A INPUT -j ACCEPT -i ppp0 -p TCP $KEEPSTATE $IPTABLES -A OUTPUT -j ACCEPT -o ppp0 -p UDP $KEEPSTATE $IPTABLES -A INPUT -j ACCEPT -i ppp0 -p UDP $KEEPSTATE $IPTABLES -A OUTPUT -j ACCEPT -o ppp0 -p ICMP $KEEPSTATE $IPTABLES -A INPUT -j ACCEPT -i ppp0 -p ICMP $KEEPSTATE # Accepte la sortie de tous les protocoles vers ppp0 $IPTABLES -A OUTPUT -j ACCEPT -p ALL -o ppp0 # FTP accessible depuis l'internet $IPTABLES -A INPUT -j ACCEPT -p TCP -i ppp0 --sport $hports --dport 20 $IPTABLES -A INPUT -j ACCEPT -p TCP -i ppp0 --sport $hports --dport 21 # Serveur web accessible depuis l'internet $IPTABLES -A INPUT -j ACCEPT -p TCP -i ppp0 --sport $hports --dport 80 # Rejet du broadcast en entree/sortie $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s 10.0.0.255 $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d 10.0.0.255 $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s 10.0.0.255 $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d 10.0.0.255 $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s 0.0.0.0 $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d 0.0.0.0 $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s 0.0.0.0 $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d 0.0.0.0 $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s 255.255.255.255 $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d 255.255.255.255 $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s 255.255.255.255 $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d 255.255.255.255 # Reject and log others. Log into log level emergency, with line prefixes with '#FW'. $IPTABLES -N log_and_drop $IPTABLES -A INPUT -j log_and_drop $IPTABLES -A INPUT -j LOG --log-level emerg --log-prefix='FW ' $IPTABLES -A INPUT -j REJECT # Telnet uniquement possible en interne iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP # Limite du ping iptables -A INPUT -p icmp --icmp-type echo-request --match limit --limit 2/s -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j DROP #securite NFS iptables -A INPUT -s $intranet -d $firewall_intranet -j ACCEPT iptables -A INPUT -s $any -d $any -p 17 -j DROP iptables -A INPUT -s $any -d $any -p 6 -j DROP --syn #gestion des logs iptables -A FORWARD -p tcp --dport 80 --syn -j LOG --log-prefix "quelqu'un surf..."
