当前位置: 文江博客话题详情

Squid+iptables:如何允许 https 传递并绕过 Squid?

发布于 2024-08-28 07:42:49 字数 403 浏览 11 评论 0原文

今天基本上是从 Squid 和 iptables 开始的(google 是你的朋友)。这东西会害死我的。

我在 Ubuntu 9.04 服务器上设置了 Squid3 作为透明代理。当我使用代理盒作为我的默认网关等时,它工作得很好。此设置的 iptable 规则是教程的一部分。 :P

不幸的是,我无法访问 https 网站(例如 Gmail 或基本上端口 443 上的任何内容)。这是因为 Squid 不喜欢它无法缓存的内容,在本例中是 https 流量。

我想添加一个 iptable 规则,以便我基本上可以访问 https 站点并使用 Skype。基本上允许这些类型的流量通过而不经过Squid代理? (可以这么说,绕过它)

有人可能知道如何做到这一点,或者有任何来源的链接可以帮助我解决这个问题吗?

谢谢。

原文

Basically started with Squid and iptables today (google is your friend). This stuff is going to be the death of me.

I have Squid3 setup on Ubuntu 9.04 server as Transparent Proxy. It works sweetly when i use the proxy-box as my default gateway etc. The iptable rules for this setup was part of the tutorial. :P

I can unfortunately not access https sites (such as Gmail or anything on port 443 basically). This is because Squid dont like what it cannot cache, which in this case is the https traffic.

I would like to add an iptable rule so that i can basically access https sites and use Skype. Basically allow these types of traffic to pass through without going through Squid proxy? (bypassing it so to speak)

Would anyone perhaps know how to do this or have a link to any sources that would assist me in figuring it out?

Thank you.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

天气好吗我好吗 2024-09-04 07:42:49

在真正考虑过咀嚼自己的手腕并整夜梦想着 IP + 强力谷歌搜索/尝试任何我可以用数字手指操作的东西之后,我设法将一些实际有效的东西组合在一起。我不知道其中的技术原因,所以如果您可以提供固定的解释,请这样做! :D

PS:解释中的所有内容都是通过命令行完成的

PS:这不是最终的解决方案,但它是回答我自己的问题的有效解决方案。

这里是:

第 1 步:必须在盒子上启用 IP 转发:

vim /etc/sysctl.conf

// 找到并取消注释以下

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1

第 2 步:添加环回规则(这更多的是当所有端口都被覆盖时) ,显然很多应用程序都需要它?

iptables -I INPUT -i lo -j ACCEPT

步骤3.添加绕过端口443的规则:(eth1是互联网接口,xxxx/eth0是LAN接口)

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

步骤4.然后最后是使Squid透明的规则:(xxxx是LAN接口的IP)

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

After actually considering chewing through my own wrists and dreaming of IPs all night long + brute force googling/trying ANYTHING i could get my digital fingers on i managed to put something together that actually works. I dont know the technical reasons why, so if you can provide set explanations please do so! :D

PS: everything in the explanation is done via command line

PS: this is not a final solution, but its a working one in answer to my own question.

Here it is:

Step 1: Had to enable IP Forwarding on the box:

vim /etc/sysctl.conf

//find and uncomment the following

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1

Step 2: Add loop back rule (this is more for when all ports are covered, apparently many apps need it?

iptables -I INPUT -i lo -j ACCEPT

Step 3. Add rules for the bypassing of port 443: (eth1 is internet interface and x.x.x.x/eth0 is LAN interface)

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

Step 4. Then finally the rules making Squid transparent:(x.x.x.x is IP of LAN interface)

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
回复 原文
感情废物 2024-09-04 07:42:49
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

那是错误的。意味着您从内部 LAN 发送到 Internet 的每个数据包 TCP/UDP/etc 都将使用专用 LAN IP(可能是 192.178.xx)作为源 IP,而不是公共 IP。

可能对您有帮助:

PREROUTING == DestinationNAT -> From Internet to Intern LAN

POSTROUTING == SourceNAT -> From Intern LAN to Internet


iptables -t nat -A PREROUTING -i intern -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128 
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m --state ESTABLISHED,RELATED -o intern -p tcp --sport 80

绕过 443 就足够了:

iptables -I FORWARD -p tcp --dport 443 -j ACCEPT

如果您的 system/squid/firewall 也是从您的网络到互联网的路由器,请不要忘记:

iptables -t nat -A POSTROUTING -o extern -j SNAT --to-source Public_external_IP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x

That is wrong. Means that every packet TCP/UDP/etc that you send from your intern LAN to Internet will use as SOURCE IP the Private LAN IP (probably 192.178.x.x), instead of the Public IP.

May be that helps you:

PREROUTING == DestinationNAT -> From Internet to Intern LAN

POSTROUTING == SourceNAT -> From Intern LAN to Internet


iptables -t nat -A PREROUTING -i intern -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128 
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m --state ESTABLISHED,RELATED -o intern -p tcp --sport 80

To bypasss 443 would be enough with:

iptables -I FORWARD -p tcp --dport 443 -j ACCEPT

And if your system/squid/firewall is also the router from your network to internet, do not forget:

iptables -t nat -A POSTROUTING -o extern -j SNAT --to-source Public_external_IP
回复 原文
青萝楚歌 2024-09-04 07:42:49

对于这些解释...

步骤 #1 将机器设置为路由器。对于任何要接受或转发发往除自身之外的计算机的 IP 流量的 Linux 计算机,这是必需的。如果没有这个,网络堆栈的最低级别将拒绝流量,NAT 甚至没有机会做它的事情。

步骤#2 与所询问的问题无关。与代理无关的路由器操作可能需要也可能不需要。

步骤#3 让机器正常中继端口 443 作为路由器。使用 MASQUERADE 代替 SNAT 可以使 POSTROUTING 规则变得更好。

步骤#4 两条线以不同的方式做同样的事情。如果您不知道 DNAT 和 REDIRECT 之间的区别,第一行可能会给您带来麻烦。为简单起见,仅使用“重定向”。

阅读http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect 可以为你省去很多麻烦。

您的设置中还缺少一个关键的 mangle 表规则,该规则在该 wiki 页面上进行了解释。

For those explanations...

step #1 sets up the machine as a router. This is required for any Linux machine that is going to accept or forward IP traffic destined for machines other than itself. Without this the lowest levels of the networking stack will reject the traffic and NAT will not even get a chance to do its thing.

step #2 is not relevant to the problem being asked about. It may or may not be needed for the router operations unrelated to the proxying.

step #3 lets the machine relay port 443 normally as a router. The POSTROUTING rule could be made better by using MASQUERADE instead of SNAT.

step #4 both lines do the same thing in different ways. The first line may lead you to trouble in future if you dont know what the differences are between DNAT and REDIRECT. For simplicity use REDIRECT only.

Reading http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect could have saved you a lot of trouble.

There is also a critical mangle table rule missing from your setup which is explained on that wiki page.

回复 原文
~没有更多了~

关于作者

嘴硬脾气大

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文