IPF Transparent Squid with IPF and IPNAT not working

This is killing me. I've gone over this about a hundred times and still can't seem to get it to pass packets from 80 to 8080 on the internal interface transparently. I'm really hoping the community can spot where the mistake is, if there is one. Here goes:

Here is my uname -a:
Code:
router# uname -a
FreeBSD router.somewhere.lan 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011    
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

And my rc.conf:
Code:
hostname="router.somewhere.lan"
sshd_enable="YES"
webmin_enable="YES"
named_enable="YES"
#named_auto_forward="YES"
sendmail_enable="NO"
squid_enable="YES"
dhcpd_enable="YES"

### Ipnat and Ipfilter setup

ipfilter_enable="YES"
ipnat_enable="YES"
gateway_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dv -P /var/run/ipmon.pid /var/log/firewall.log"
ifconfig_em1="inet 10.0.0.1 netmask 255.255.0.0" # Internal NIC
ifconfig_em0="DHCP" # External NIC

On to ipf.rules:
Code:
#################################################################
# Outside Interface
#################################################################

pass in quick on em0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on em0 proto tcp from any to any port = 10000 flags S keep frags keep state
pass out quick on em0 proto tcp from any to any flags S keep frags keep state
pass out quick on em0 proto udp from any to any keep state keep frags
pass out quick on em0 proto icmp from any to any keep state

block out quick on em0 all

pass in log quick on em0 proto udp from any to any port = 68 keep state

block in log quick on em0 all

#################################################################
# Inside Interface
#################################################################
pass in quick on em1 all
pass out quick on em1 all

#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

And ipnat.rules:
Code:
### Ipnat setup

map em0 10.0.0.1/24 -> 0/32 proxy port ftp ftp/tcp
rdr em0 0.0.0.0/0 port 22 -> 10.0.0.1 port 22 tcp
map em0 10.0.0.1/24 -> 0/32 portmap tcp/udp auto
map em0 10.0.0.1/24 -> 0/32
rdr em1 10.0.0.1/24 port 80 -> 127.0.0.1 port 8080 tcp

And lastly, my squid.conf:
Code:
http_port 127.0.0.1:8080 transparent
icp_port 0
htcp_port 0

cache_mem 8 MB
cache_swap_low 95
cache_swap_high 98
maximum_object_size 1024 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 95
ipcache_high 98
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
cache_store_log none
half_closed_clients off
log_icp_queries off
buffered_logs on
logfile_rotate 0
memory_pools on
client_db off
retry_on_error on

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    20%     1440
refresh_pattern .               0       20%     4320

cache_dir aufs /var/squid/cache 512 16 256

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl network src 10.0.0.0/16
http_access allow network

cache_mgr Me
visible_hostname MachineName
ftp_user some@email.com
cache_effective_user squid
cache_effective_group squid

I'm not really trying to do anything fancy here, just run NAT and force internal machines to use the proxy without having to use messy PAC files and the like. To me, ipnat.rules looks like it should just work. What am I missing here? And yes, Squid 3.1 was compiled with the correct options to allow transparent proxy support (ipfilter). I should also mention that when a machine behind the NAT is configured to use 10.0.0.1:8080 as a proxy, it works fine.

Thanks in advance to whoever can show me where I went wrong.
 
I'm not really sure what you are trying to tell me with that link, but I appreciate your time. I had read that page at the start of my troubles a few days ago, but it really doesn't describe what the cause of my issue is, unless I'm missing something.

Changing
Code:
http_port 8080 transparent
doesn't seem to change anything. Additionally, I am not getting the same error as the poster in your link was. I don't get a Squid-based error at all, just a generic "this page cannot be displayed" message from IE and Firefox. This is why I was more inclined to think there is something wrong with ipnat.rules, but I was hoping a second set of eyes would help me locate the offending code.
 
Code:
em0:  # External nic
bge0: # Internal nic
My /etc/ipnat.rules
Code:
map em0 0/0                     -> 0/32 proxy port ftp ftp/tcp
map em0 0/0                     -> 0/32 portmap tcp/udp auto
map em0 0/0                     -> 0/32
rdr em0 0.0.0.0/0 port 22       -> 192.168.1.3 port 22 tcp
rdr bge0 192.168.1.3/24 port 80 -> 127.0.0.1 port 3129 tcp
/etc/ipf.rules
Code:
pass out quick on bge0 all
pass in quick on bge0 all
pass out quick on em0 proto tcp from any to any port = 80 flags S keep state
pass in quick on em0 proto tcp from any to any port = 80 flags S keep state
/usr/local/etc/squid/squid.conf
Code:
http_port 3128
http_port 3129 intercept
Test: squid -f /usr/local/etc/squid/squid.conf -k parse
Results:
Code:
2013/01/03 18:28:15| Processing: http_port 3128
2013/01/03 18:28:15| Processing: http_port 3129 intercept
Does anybody know if my configuration is ready for proxy intercepting?
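Both configurations above hinge on the same thing: the port the ipnat rdr rule sends port-80 traffic to must be a port Squid actually intercepts on, at the address it listens on. The script below is an added example, not code from either poster: it cross-checks the web rdr rules in an ipnat rules file against the transparent/intercept http_port lines in squid.conf and flags any redirect that has no matching listener. The sample files it writes are constructed from the rules quoted in this thread.

```shell
# Print "ip:port" for every tcp rdr rule that redirects destination port 80.
web_rdr_targets() {
    awk '$1 == "rdr" && $NF == "tcp" {
             for (i = 2; i <= NF; i++)
                 if ($i == "->" && $(i-1) == "80") print $(i+1) ":" $(i+3)
         }' "$1"
}

# Print the listen spec ("ip:port", or a bare "port" meaning all addresses)
# of every http_port line marked transparent or intercept.
intercept_ports() {
    awk '$1 == "http_port" && ($3 == "transparent" || $3 == "intercept") { print $2 }' "$1"
}

# Return 0 when every web rdr target has a matching intercept listener, 1 otherwise.
check_redirects() {
    rc=0
    for target in $(web_rdr_targets "$1"); do
        port=${target##*:}
        # A bare port in squid.conf listens on every address, so it satisfies the rdr too.
        if intercept_ports "$2" | grep -qxF -e "$target" -e "$port"; then
            echo "ok: rdr -> $target is served by an intercepting http_port"
        else
            echo "MISMATCH: rdr -> $target but squid.conf has no transparent/intercept http_port there"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: the first poster's rdr rules, one squid.conf that matches
# them, and one that intercepts on a different address so the checker has
# something to flag (assumed configs, not files from the thread).
sample_ipnat() {
    printf '%s\n' \
        'rdr em0 0.0.0.0/0 port 22 -> 10.0.0.1 port 22 tcp' \
        'rdr em1 10.0.0.1/24 port 80 -> 127.0.0.1 port 8080 tcp'
}
sample_squid_ok()  { printf '%s\n' 'http_port 3128' 'http_port 127.0.0.1:8080 transparent'; }
sample_squid_bad() { printf '%s\n' 'http_port 3128' 'http_port 10.0.0.1:8080 transparent'; }

# Stand-alone run: write the samples to a temp dir and check both cases.
demo() {
    d=$(mktemp -d); sample_ipnat > "$d/ipnat.rules"
    sample_squid_ok  > "$d/ok.conf";  check_redirects "$d/ipnat.rules" "$d/ok.conf"
    sample_squid_bad > "$d/bad.conf"; check_redirects "$d/ipnat.rules" "$d/bad.conf" || echo "bad.conf needs fixing"
    rm -rf "$d"
}
```

Source the file and call `demo`, or point `check_redirects` at the real /etc/ipnat.rules and squid.conf on the box; it only reads the files, so it is safe to run on a live router.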
 
I have the same problem over here. Squid32 transparent proxy does not work with ipfilter.
Code:
2013/02/27 21:50:02 kid1| IPF (IPFilter) NAT open failed: (13) Permission denied
2013/02/27 21:50:02 kid1| BUG #3329: Orphan Comm::Connection: local=127.0.0.1:3128 remote=192.168.168.112:54531 FD 12 flags=33
2013/02/27 21:50:02 kid1| NOTE: 4 Orphans since last started.
 
The squid31 intercept proxy works fine with identical ipnat.rules and squid.conf on the same FreeBSD box. I was trying to upgrade Squid to 3.2 because 3.1 is marked deprecated.
 
This is probably because Squid is not compatible with IPF 5. It's on my list of things to fix (either in Squid or in IPF).
 