This is killing me. I've gone over this about a hundred times and still can't seem to get it to pass packets from 80 to 8080 on the internal interface transparently. I'm really hoping the community can spot where the mistake is, if there is one. Here goes:
Here is my uname -a:
Code:
router# uname -a
FreeBSD router.somewhere.lan 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
And my rc.conf:
Code:
hostname="router.somewhere.lan"
sshd_enable="YES"
webmin_enable="YES"
named_enable="YES"
#named_auto_forward="YES"
sendmail_enable="NO"
squid_enable="YES"
dhcpd_enable="YES"
### Ipnat and Ipfilter setup
ipfilter_enable="YES"
ipnat_enable="YES"
gateway_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dv -P /var/run/ipmon.pid /var/log/firewall.log"
ifconfig_em1="inet 10.0.0.1 netmask 255.255.0.0" # Internal NIC
ifconfig_em0="DHCP" # External NIC
On to ipf.rules:
Code:
#################################################################
# Outside Interface
#################################################################
pass in quick on em0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on em0 proto tcp from any to any port = 10000 flags S keep frags keep state
pass out quick on em0 proto tcp from any to any flags S keep frags keep state
pass out quick on em0 proto udp from any to any keep state keep frags
pass out quick on em0 proto icmp from any to any keep state
block out quick on em0 all
pass in log quick on em0 proto udp from any to any port = 68 keep state
block in log quick on em0 all
#################################################################
# Inside Interface
#################################################################
pass in quick on em1 all
pass out quick on em1 all
#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
And ipnat.rules:
Code:
### Ipnat setup
map em0 10.0.0.1/24 -> 0/32 proxy port ftp ftp/tcp
rdr em0 0.0.0.0/0 port 22 -> 10.0.0.1 port 22 tcp
map em0 10.0.0.1/24 -> 0/32 portmap tcp/udp auto
map em0 10.0.0.1/24 -> 0/32
rdr em1 10.0.0.1/24 port 80 -> 127.0.0.1 port 8080 tcp
And lastly, my squid.conf:
Code:
http_port 127.0.0.1:8080 transparent
icp_port 0
htcp_port 0
cache_mem 8 MB
cache_swap_low 95
cache_swap_high 98
maximum_object_size 1024 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 95
ipcache_high 98
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
cache_store_log none
half_closed_clients off
log_icp_queries off
buffered_logs on
logfile_rotate 0
memory_pools on
client_db off
retry_on_error on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 20% 1440
refresh_pattern . 0 20% 4320
cache_dir aufs /var/squid/cache 512 16 256
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl network src 10.0.0.0/16
http_access allow network
cache_mgr Me
visible_hostname MachineName
ftp_user some@email.com
cache_effective_user squid
cache_effective_group squid
I'm not really trying to do anything fancy here, just run NAT and force internal machines to use the proxy without having to use messy PAC files and the like. To me, ipnat.rules looks like it should just work. What am I missing here? And yes, Squid 3.1 was compiled with the correct options to allow transparent proxy support (ipfilter). I should also mention that when a machine behind the NAT is configured to use 10.0.0.1:8080 as a proxy, it works fine.
Thanks in advance to whoever can show me where I went wrong.
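An added check, not part of the original post: a small Python model of how ipnat's classic rdr syntax selects packets (the address/mask after the interface name is the destination the packet is headed to, with host bits masked off), run against the rdr lines from the ipnat.rules above to see which flows arriving on em1 the port-80 redirect actually catches. The two client flows and the 198.51.100.10 / 203.0.113.5 addresses are constructed test values, not anything from the post.

```python
import ipaddress
import re

# Copy of the rdr-relevant lines from the posted ipnat.rules (map lines are ignored).
IPNAT_RULES = """\
map em0 10.0.0.1/24 -> 0/32 portmap tcp/udp auto
rdr em0 0.0.0.0/0 port 22 -> 10.0.0.1 port 22 tcp
rdr em1 10.0.0.1/24 port 80 -> 127.0.0.1 port 8080 tcp
"""

# rdr ifname daddr/mask port N -> newaddr port M [proto]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<daddr>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s+->\s+(?P<newaddr>\S+)\s+port\s+(?P<newport>\d+)(?:\s+(?P<proto>\S+))?$"
)

def parse_rdr_rules(text):
    """Parse rdr lines into dicts; other rule types and comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        r = m.groupdict()
        # The matched address is the packet's DESTINATION; 10.0.0.1/24 is
        # masked down to the network 10.0.0.0/24, just as ipnat applies the mask.
        r["dnet"] = ipaddress.ip_network(r["daddr"], strict=False)
        r["dport"], r["newport"] = int(r["dport"]), int(r["newport"])
        r["proto"] = r["proto"] or "any"
        rules.append(r)
    return rules

def match_rdr(rules, ifname, dst_ip, dst_port, proto="tcp"):
    """First rdr rule that rewrites a packet arriving on ifname bound for
    dst_ip:dst_port, or None if the packet is left untouched."""
    for r in rules:
        if r["ifname"] != ifname or r["dport"] != dst_port:
            continue
        if r["proto"] not in ("any", proto):
            continue
        if ipaddress.ip_address(dst_ip) in r["dnet"]:
            return r
    return None

def check_flows(rules):
    """Two constructed client flows on em1: one to a LAN host, one to the Internet."""
    return {
        "lan_web": match_rdr(rules, "em1", "10.0.0.1", 80) is not None,
        "internet_web": match_rdr(rules, "em1", "198.51.100.10", 80) is not None,
    }
```

Running check_flows on the parsed rules shows the em1 redirect firing only for destinations inside 10.0.0.0/24, which is the same question the ipnat -l / ipnat -s counters answer on the router itself.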