Monday, May 22, 2006

squid and iptables - revisited

One of the best combinations for an internet-connected LAN is squid, a caching proxy server, together with iptables, the Linux packet-filtering framework. The usual way to put the two to work is a transparent proxy: iptables silently redirects the LAN's web traffic into squid, for one LAN or several.

iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
The above command, run on the proxy box, intercepts TCP port 80 traffic coming from the LAN (192.168.0.0/24) and redirects it to squid listening on port 3128 on the same box. squid has to know that the requests it receives this way are intercepted ones (their request line carries a relative URL, not the absolute URL of a normal proxy request): that is the "transparent" keyword on http_port in squid 2.6 and 3.0, "intercept" from squid 3.1 on, and the httpd_accel_* directives in squid 2.5.

HTTPS cannot be made to go through squid the same way. The obvious extension is:
iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3128
but it does not work, and the packets are not "just forwarded" either: squid receives the client's raw TLS handshake on a port that expects plain HTTP, cannot parse it, answers with an HTTP error page, and the client's TLS connection fails. A browser only sends HTTPS through a proxy with the CONNECT method, which it uses when the proxy is configured explicitly, never for intercepted connections. Leave this rule out and handle HTTPS as described further down.
The same does not work for FTP (port 21) either: squid fetches ftp:// URLs as a gateway and talks HTTP to the browser, so it can do nothing with an intercepted raw FTP control connection. For FTP you have to enter the proxy address for the FTP protocol in the browser's connection settings by hand.

With the above command on the proxy server (which is also the firewall, i.e. the LAN's default gateway), the PCs in the LAN do not need to be configured one by one to use the proxy. Less work for the system/network administrator :). They are said to be connected to the internet through the proxy server transparently. Now you get it? :)

There is a second way to handle HTTPS connections, and with a plain squid it is the one to use: instead of sending them to squid, NAT them. Drop the https REDIRECT command above and use this:

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j SNAT --to 203.0.113.1
where 203.0.113.1 is a placeholder for your proxy server's public IP address (put your real one there; use -j MASQUERADE instead of SNAT if the address is dynamic). Two more things are needed for this rule to do anything: IP forwarding must be enabled on the box (net.ipv4.ip_forward) and the FORWARD chain must accept the LAN's outgoing connections and the replies. Keep in mind what this means for policy: NATed HTTPS never passes through squid, so squid's ACLs and access.log do not cover it; only the firewall's own rules and logs see that traffic.
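As an added example (my own code, not from the original post), here is the whole setup as one script: the port 80 REDIRECT into squid, the NAT path from the previous section generalized to all non-HTTP traffic the LAN sends out (HTTPS, DNS, FTP data, anything else squid cannot handle), the FORWARD rules and IP forwarding without which the NAT path does nothing, and the http_port line squid needs. The interface names eth1/eth0, the public address 203.0.113.1 and the script name are assumptions; by default the script only prints the rules for review and applies them only when run as root with the argument `apply`.

```shell
#!/bin/sh
# transparent-proxy.sh (added example): squid + iptables transparent proxy.
# Assumed values, override via the environment to match your network:
#   LAN_NET    the LAN behind the proxy          (192.168.0.0/24, as in the post)
#   LAN_IF     interface facing the LAN          (assumed: eth1)
#   WAN_IF     interface facing the internet     (assumed: eth0)
#   PUBLIC_IP  the proxy's public address        (203.0.113.1 is an RFC 5737
#              documentation placeholder; put your real address here)
#   SQUID_PORT the port squid listens on         (3128, as in the post)
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# gen_rules NET LAN_IF WAN_IF PUBLIC_IP SQUID_PORT
# Print the iptables commands one per line without running them, so they
# can be reviewed (or tested) before they touch a live firewall.
gen_rules() {
    net=$1; lan=$2; wan=$3; pub=$4; port=$5
    # 1. Intercept plain HTTP arriving on the LAN side only (-i) and hand it
    #    to squid on this box. Without -i the rule would also match packets
    #    that arrive on the public interface carrying a LAN source address.
    echo "iptables -t nat -A PREROUTING -i $lan -s $net -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # 2. Everything else the LAN sends out (HTTPS, DNS, FTP, ...) is NATed,
    #    not proxied: squid never sees it, so its ACLs and access.log do not
    #    cover it. Deliberately no --dport 443 REDIRECT into squid.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $net -j SNAT --to-source $pub"
    # 3. The NAT rule is useless unless the box forwards: default-deny, then
    #    allow LAN-initiated connections out and their replies back in.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# squid_port_line MAJOR MINOR PORT
# The squid.conf directive for an intercepting port. The keyword is
# "transparent" in squid 2.6 and 3.0 and "intercept" from 3.1 on (squid 2.5,
# which used httpd_accel_* directives instead, is not covered here).
squid_port_line() {
    major=$1; minor=$2; port=$3
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }; then
        echo "http_port $port intercept"
    else
        echo "http_port $port transparent"
    fi
}

# apply_rules: install the generated commands on this box (root only) after
# switching on IP forwarding, which the SNAT/FORWARD rules depend on.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$LAN_NET" "$LAN_IF" "$WAN_IF" "$PUBLIC_IP" "$SQUID_PORT" | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules "$LAN_NET" "$LAN_IF" "$WAN_IF" "$PUBLIC_IP" "$SQUID_PORT"
           echo "# squid.conf (squid 3.1+): $(squid_port_line 3 5 "$SQUID_PORT")" ;;
esac
```

Run `sh transparent-proxy.sh` to see the rules it would install, and `sh transparent-proxy.sh apply` as root to install them; the rules are appended (-A), so flush the nat and filter tables first if you are re-running it. The SNAT rule is scoped with `-o` to the public interface, so traffic between two LAN-side networks on the same box is left alone.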

It is up to you which way you want to use. I can say that from my experience there is no noticeable difference in terms of performance. If you do not agree, please do not hesitate to write a comment and state your experience.
