iptables config not working between squid server and openvpn server

mcompany
Posts: 4
Joined: 2011/12/06 21:26:38


Post by mcompany » 2011/12/15 14:30:20

I'm not having a very good time with this..

Goal of this whole thing

Set up a squid proxy server so the users can access the internet. # Check working

Set up an openvpn server # linode VPS # check working.. The openvpn client connects to the openvpn server fine.
http://library.linode.com/networking/openvpn/centos-5

Forward all the users' http requests from the squid server with iptables to the vpn server # not working..

##################################################
Network overview
default gateway 192.168.1.1
##################################################
DHCP / SQUID Proxy Server / Centos 5.6 all updated

From DHCP Server
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:19:B9:21:23:D7
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.17
GATEWAY=192.168.1.1
TYPE=Ethernet
USERCTL=YES
IPV6INIT=NO
PEERDNS=YES

Static IP
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:c0:a8:7c:9a:0c
NETMASK=255.255.255.0
IPADDR=192.168.2.1
GATEWAY=192.168.1.1
TYPE=Ethernet
USERCTL=yes
IPV6INIT=no
PEERDNS=yes

DNS 65.106.1.196

/sbin/route # before I connect to the VPN
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

/etc/resolv.conf
nameserver 65.106.1.196
nameserver 65.106.7.196

/etc/sysctl.conf
net.ipv4.ip_forward = 1

/etc/sysconfig/selinux
SELINUX=disabled
##################################################
DHCP Server
range dynamic-bootp 192.168.2.10 192.168.2.25/24
option routers 192.168.2.1

/etc/sysconfig/dhcpd
DHCPDARGS=eth1

##################################################
Squid Proxy server Squid Cache: Version 2.6.STABLE21 # Squid works fine.
/etc/squid/squid.conf
acl lan src 192.168.1.0/24 192.168.2.0/24
http_access allow lan
http_port 192.168.2.1:3128 transparent

##################################################

/etc/sysconfig/iptables

-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

##################################################

OPENVPN
/etc/openvpn/
ca.crt client.conf kontrolfreak.crt kontrolfreak.key
/etc/openvpn/client.conf
remote xxx.xxx.xxx.xxx 1194 # ip from the VPS
dev tun
ca ca.crt
cert xxxxx.crt
key xxxxx.key
##################################################
##################################################
##################################################

VPS Linode
xxx.xxx.xxx.xxx IP
centos 5.6 64-bit

OPENVPN
Tunnel All Connections through the VPN
/etc/openvpn/server.conf
push "redirect-gateway def1"

/etc/sysctl.conf
net.ipv4.ip_forward = 1


/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

/etc/dnsmasq.conf
listen-address=127.0.0.1,10.8.0.1

bind-interfaces
################################
/etc/rc.local
/etc/init.d/dnsmasq restart

touch /var/lock/subsys/local

/etc/openvpn/server.conf
push "dhcp-option DNS 10.8.0.1"

/etc/init.d/openvpn restart
/etc/init.d/dnsmasq restart
chkconfig dnsmasq on
####################################################
VPN connects but can't pass http traffic through it.

After I connect to the OPENVPN Server and do a /sbin/route from the client.
output from client

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun0
xxx.xxx.xxx.xxx 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

eth0 Link encap:Ethernet HWaddr 00:19:B9:21:23:D7
inet addr:192.168.1.17 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1712802 errors:0 dropped:0 overruns:0 frame:0
TX packets:1028175 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2015592814 (1.8 GiB) TX bytes:130841225 (124.7 MiB)
Interrupt:169 Memory:dfbf0000-dfc00000

eth1 Link encap:Ethernet HWaddr 00:C0:A8:7C:9A:0C
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:709507 errors:0 dropped:0 overruns:0 frame:0
TX packets:322975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:383004034 (365.2 MiB) TX bytes:187867736 (179.1 MiB)
Interrupt:169 Base address:0x2f00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:23261 errors:0 dropped:0 overruns:0 frame:0
TX packets:23261 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14212441 (13.5 MiB) TX bytes:14212441 (13.5 MiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:28 errors:0 dropped:0 overruns:0 frame:0
TX packets:891 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3577 (3.4 KiB) TX bytes:63775 (62.2 KiB)

#############################################################################


I know it has to do with the routes or iptables or both.

I have tried the following
iptables -t nat -A POSTROUTING -s 192.168.2.1 -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ \! -d 178.79.178.75 -j DROP

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE


-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Dec 8 14:51:23 2011
# Generated by iptables-save v1.3.5 on Thu Dec 8 14:51:23 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE


tun0

-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 83.***.***.214

iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination 192.168.2.1

#######################################################

Could it be that in the squid.conf
http_port xxx.xxx.xxx.xxx 3128

needs to be set the tun0 ip address
http_port 10.8.0.1 3128

Can someone please give me some insight on what I could be doing wrong..

Thanks ahead of time..

shawn

Maybe something like this.

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.17:3128

/sbin/iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
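Added example, not posted by anyone in this thread. The rules shown above only match traffic leaving eth0 (`-o eth0` in FORWARD and in the MASQUERADE rule). Once the VPN is up, `redirect-gateway def1` installs the two /1 routes via 10.8.0.5 shown in the client's routing table, so forwarded LAN traffic leaves through tun0 and matches neither rule. The script below builds a rule set for the squid/OpenVPN-client box that is scoped to tun0 instead: LAN port-80 requests are DNAT'd to squid's transparent port, everything else from the LAN is forwarded out the tunnel only, and the forwarded traffic is masqueraded behind the tunnel address so the VPS's existing `-s 10.8.0.0/24` rules see it. Interface names, networks and the squid address/port are taken from the post; the `APPLY` switch and the dry-run `ipt` wrapper are this example's own. By default it only prints the rules; set `APPLY=1` and run as root to load them. The flushes at the top are there because the post lists several earlier attempts that would otherwise stay in the tables and shadow these rules.

```shell
#!/bin/sh
# Added example: iptables rules for the CentOS 5 box running DHCP,
# transparent squid and the OpenVPN client. Prints the rules unless
# APPLY=1 is set, in which case they are loaded (run as root).

LAN_IF="${LAN_IF:-eth1}"              # 192.168.2.0/24 side, squid listens here
WAN_IF="${WAN_IF:-eth0}"              # 192.168.1.0/24 side, gateway 192.168.1.1
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN client tunnel (10.8.0.6 in the post)
LAN_NET="${LAN_NET:-192.168.2.0/24}"
SQUID_ADDR="${SQUID_ADDR:-192.168.2.1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# ipt: print the iptables command, or execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

squid_vpn_rules() {
    # Clear the chains this script owns so rules from earlier attempts
    # cannot take precedence (iptables matches top to bottom).
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING

    # 1. Transparent proxying: HTTP from the LAN arriving on eth1 is
    #    redirected to squid's "transparent" http_port on this host.
    #    Limiting it to -i eth1 -s LAN_NET keeps eth0/tun0 traffic out of squid.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_ADDR:$SQUID_PORT"

    # 2. Forwarding: LAN -> tunnel only. Replies come back tunnel -> LAN.
    #    An explicit REJECT for LAN -> eth0 plus a DROP policy means that
    #    if the tunnel is down, LAN clients fail closed instead of leaking
    #    out through 192.168.1.1.
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j REJECT
    ipt -P FORWARD DROP

    # 3. Source NAT on the tunnel, not on eth0: forwarded LAN packets must
    #    leave with the tunnel address as source, otherwise the VPS's
    #    "-s 10.8.0.0/24" FORWARD/MASQUERADE rules never match them and it
    #    has no route back to 192.168.2.0/24.
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
}

squid_vpn_rules
```

Squid's own outbound connections are locally generated, so they follow the default route into tun0 with source 10.8.0.6 and need no NAT rule; only the forwarded (non-HTTP) LAN traffic does. Check the result with `iptables -L FORWARD -v -n` and `iptables -t nat -L -v -n` and watch the packet counters on the tun0 rules while a LAN client browses.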

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

iptables config not working between squid server and openvpn

Post by gerald_clark » 2011/12/15 15:07:44

Do not double post.

You might have better luck in an OpenVPN forum.
CentOS does not ship OpenVPN.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: iptables config not working between squid server and openvpn server

Post by AlanBartlett » 2011/12/16 00:26:02

This thread is locked. Please post any assistance to the original thread: https://www.centos.org/modules/newbb/viewtopic.php?topic_id=34742&forum=40&post_id=149510#forumpost149510
