iptables question (was Re: Squid question)
Tim Wunder
tim
Mon May 17 11:57:20 PDT 2004
On Wednesday 24 December 2003 3:09 pm, someone claiming to be David A. Bandel wrote:
> On Wed, 24 Dec 2003 12:31:44 -0500
> Tim Wunder <tim at thewunders.org> wrote:
>
> Tim, let's back up.
>
<snip>
> well, there's a match -m called owner. So we need to see who's running
> squid: root or squid? If squid, life becomes easier. Also, the only
> chain we can use -m owner --uid-owner xxx is the OUTPUT chain.
>
> So:
> iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 101 -p tcp
> --dport 80 -j REDIRECT --to-ports 3128
> (in the above rule I assumed the UID for squid was 101)
>
When I tried a variation of this, with --uid-owner !23, I got an error:
# iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner !23 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner startx -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables v1.2.8: Bad OWNER UID value `startx'
Try `iptables -h' or 'iptables --help' for more information.
Note that the '!23' I entered was converted to 'startx'. It looks like -m
owner is one of the matches where a ! isn't acceptable. But it's progress, I
dived a little further into 'man iptables' and found there are several owner
matches available, including a --gid-owner match. So I grep'd /etc/group to
see if there's a group all the users belong to (like users), but there
wasn't. Fedora Core, as did RHL 8.0, gives each user their own group.
That left me to try out a rule for my gid, 500:
# iptables -t nat -I OUTPUT -o eth0 -m owner --gid-owner 500 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Which almost did what I want. With that rule in place, I couldn't connect to
the internet from my browser when it was configured for a direct connection
to the internet. I got
ERROR
The requested URL could not be retrieved...
But the internet worked fine when I configured the browser for connection through
the proxy. Almost there...
From looking at 'tcpdump -i eth0 port <##>', when configured for direct
connection to the internet, I get no traffic on port 80, but traffic on port
3128.
So...what's up now? A squid configuration issue perhaps?
OK, I go back to tldp and the page on configuring transparent proxy with
squid. I edit my squid.conf file as they recommend:
httpd_accel_host "virtual"
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
and tried again...
After that, I get an 'access denied' error from squid. That's good, it's not a
'cannot retrieve' error, it's a 'denied' error, so squid was doing something.
I go back to my squid.conf file and edit the http_access setting to 'allow
all' and....
SUCCESS!
squid gets used!
So, ultimately, I both have to configure squid for transparent proxy and
create iptables rules that force squid use, for each user. (Or, I create a
group that we'll all belong to that'll be each user's primary group, and
create an iptables rule for that group.)
I'll also eventually need to set up better http_access rules within squid. But
this looks like the path to ultimate success. Many thanks to your prudent use
of the clue-stick.
Maybe I'll try to put all this down in some sort of sensical manner for an
entry to the SxS's...
Regards,
Tim
--
Fedora Core 1, Kernel 2.4.22-1.2129.nptl, KDE 3.1.4, Xfree86 4.3.0
10:20:01 up 16 days, 13:09, 3 users, load average: 0.21, 0.09, 0.07
It's what you learn after you know it all that counts
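The rule set worked out in the thread above, as an added example that is not code from Tim's or David's posts: a small POSIX shell script that resolves Squid's UID from passwd-format input, then emits the two kinds of OUTPUT-chain REDIRECT rules discussed (everyone except the Squid UID, or a single GID) as text for review before they are applied. The UID 23, the port 3128 and the interface eth0 are assumed values, and the sample passwd lines are constructed. One detail worth knowing when reading the `startx` error in the post: `!23` typed at an interactive bash prompt is history expansion (it recalled command number 23 from the shell history, which happened to be `startx`), so the shell, not iptables, rewrote the argument; writing the negation as a separate word (`! --uid-owner 23`, or `--uid-owner ! 23` on older releases) or running the rules from a script avoids that.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the iptables OUTPUT-chain
# rules that redirect local users' port-80 traffic into Squid. The values below
# are assumptions for illustration: Squid runs as UID 23, listens on 3128, and
# the upstream interface is eth0. Override them with environment variables.
SQUID_UID="${SQUID_UID:-23}"
SQUID_PORT="${SQUID_PORT:-3128}"
OUT_IF="${OUT_IF:-eth0}"

# Resolve a user name to its UID from passwd-format lines on stdin, so the
# lookup can be exercised against a constructed sample as well as /etc/passwd.
# Usage: uid_of_user squid < /etc/passwd   (exit status 1 if the user is absent)
uid_of_user() {
    awk -F: -v u="$1" '$1 == u { print $3; found = 1 } END { exit !found }'
}

# Constructed sample passwd lines (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
squid:x:23:23:Squid proxy:/var/spool/squid:/sbin/nologin
tim:x:500:500:Tim:/home/tim:/bin/bash'

# Rule 1: redirect every local process EXCEPT the Squid UID. Squid's own
# outbound fetches must not be redirected or they loop back into the proxy.
# The negation is a separate word ("! --uid-owner 23"); typed interactively as
# "!23" bash would treat it as history expansion before iptables ever saw it.
redirect_all_but_squid() {
    printf 'iptables -t nat -A OUTPUT -o %s -p tcp --dport 80 -m owner ! --uid-owner %s -j REDIRECT --to-ports %s\n' \
        "$OUT_IF" "$SQUID_UID" "$SQUID_PORT"
}

# Rule 2 (alternative): redirect only processes whose group is $1, e.g. a
# shared group that every proxied user has as their primary group.
redirect_for_gid() {
    printf 'iptables -t nat -A OUTPUT -o %s -p tcp --dport 80 -m owner --gid-owner %s -j REDIRECT --to-ports %s\n' \
        "$OUT_IF" "$1" "$SQUID_PORT"
}

# Print the chosen rule set for review: "all" means everyone but Squid,
# anything else is treated as a GID. Pipe the output to sh as root to apply it.
emit_rules() {
    if [ "$1" = all ]; then
        redirect_all_but_squid
    else
        redirect_for_gid "$1"
    fi
}

# Stand-alone run: look up the Squid UID in the constructed sample, then print
# the default rule set. Verification afterwards is the tcpdump check from the
# post: with a browser set to a direct connection, port 80 on eth0 stays quiet
# while port 3128 carries the traffic.
SQUID_UID="$(printf '%s\n' "$SAMPLE_PASSWD" | uid_of_user squid)"
emit_rules "${1:-all}"
```

Run it as `sh proxy-rules.sh all` (or `sh proxy-rules.sh 500` for the per-group form), inspect the printed rules, and only then pipe them to `sh` as root. Once the redirect is confirmed working, the `http_access allow all` that made the test succeed can be narrowed back to an ACL that matches 127.0.0.1 only, since with these rules in place only the box's own processes ever need to reach the proxy.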