Ubuntu 10.04 server, squid 3.2.
Конфигурация такая - интернет получается по eth0 либо ppp0, раздаётся на wan0.
ppp0 создаётся через wvdial, тобишь модем. eth0 - провод из роутера. wan0 - точка доступа под hostapd.
80-ый порт перенаправляется в сквид на 3128.
wan0 - 192.168.13.x, в ней IP машины 192.168.13.1, eth0 и ppp0 - dhcp.
На eth0 всё работает, если в передаю вместо eth0 ppp0, то как шлюз продолжает работать, а вот пакеты на 80-ый порт теряются вникуда.
Уже два дня бьюсь, ничего не могу понять. Помогите, очень прошу! Вот результирующий iptables-save:
# Generated by iptables-save v1.4.4 on Wed Mar 21 05:02:41 2012
*mangle
:PREROUTING ACCEPT [425:53881]
:INPUT ACCEPT [170:14702]
:FORWARD ACCEPT [213:36719]
:OUTPUT ACCEPT [95:12714]
:POSTROUTING ACCEPT [308:49433]
COMMIT
# Completed on Wed Mar 21 05:02:41 2012
# Generated by iptables-save v1.4.4 on Wed Mar 21 05:02:41 2012
*nat
:PREROUTING ACCEPT [48:3100]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [6:411]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 217.118.66.243:53
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 217.118.66.243:53
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3128
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 21 05:02:41 2012
# Generated by iptables-save v1.4.4 on Wed Mar 21 05:02:41 2012
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [102:26110]
:OUTPUT ACCEPT [12:795]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT
COMMIT
Вот squid.conf
cache deny all
acl localnet src 192.168.13.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
#http_access deny all
http_access allow all
# Squid normally listens to port 3128
http_port 192.168.13.1:3128 transparent
# Leave coredumps in the first cache dir
coredump_dir /usr/local/var/cache/squid
Вот ifconfig:
eth0 Link encap:Ethernet HWaddr 50:af:73:12:5e:9c
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:26 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:110 errors:0 dropped:0 overruns:0 frame:0
TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11996 (11.9 KB) TX bytes:11996 (11.9 KB)
mon.wlan0 Link encap:UNSPEC HWaddr 00-1C-7B-A0-89-02-30-30-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2538 (2.5 KB) TX bytes:0 (0.0 B)
ppp0 Link encap:Point-to-Point Protocol
inet addr:172.20.10.224 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:29303 (29.3 KB) TX bytes:13859 (13.8 KB)
wlan0 Link encap:Ethernet HWaddr 00:1c:7b:a0:89:02
inet addr:192.168.13.1 Bcast:192.168.13.255 Mask:255.255.255.0
inet6 addr: fe80::21c:7bff:fea0:8902/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:416 errors:0 dropped:0 overruns:0 frame:0
TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40176 (40.1 KB) TX bytes:66983 (66.9 KB)
Повторюсь, если скормить eth0 в качестве WAN_iface в скрипт ниже, то всё работает.
За помощь готов проставиться, ибо в отчаянии, а надо очень.
Скрипт, который определяет шлюзы, днсы и подмаски интерфейсов и строит iptables:
#! /bin/sh
# LAN_iface WAN_iface
LAN_iface=$1
WAN_iface=$2
re_addr="[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"
re_inet="inet addr: *$re_addr"
re_mask="mask: *$re_addr"
echo LAN iface: $LAN_iface
echo WAN iface: $WAN_iface
LAN_ip=$(ifconfig $LAN_iface | grep -o -i "$re_inet" | grep -o "$re_addr")
ifconfig $LAN_iface | grep -o -i "$re_inet"
LAN_mask=$(ifconfig $LAN_iface | grep -o -i "$re_mask" | grep -o "$re_addr")
ifconfig $LAN_iface | grep -o -i "$re_mask"
LAN_net="$LAN_ip/$LAN_mask"
ifconfig_WAN=$(ifconfig $WAN_iface)
WAN_ip=$(ifconfig $WAN_iface | grep -o -i "$re_inet" | grep -o "$re_addr")
WAN_mask=$(ifconfig $WAN_iface | grep -o -i "$re_mask" | grep -o "$re_addr")
WAN_net="$WAN_ip/$WAN_mask"
echo LAN: $LAN_iface : $LAN_net
echo WAN: $WAN_iface : $WAN_net
DNS_ip=$(cat /etc/resolv.conf | grep -o $re_addr -m 1)
echo DNS: $DNS_ip
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo prepared to forward packets
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo forward part1
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $WAN_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $WAN_iface -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_iface -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_iface -j ACCEPT
iptables -A OUTPUT -o $LAN_iface -j ACCEPT
echo forward part2
echo iptables -t nat -A PREROUTING -i $LAN_iface -p udp --dport 53 -j DNAT --to $DNS_ip:53
iptables -t nat -A PREROUTING -i $LAN_iface -p udp --dport 53 -j DNAT --to $DNS_ip:53
echo iptables -t nat -A PREROUTING -i $LAN_iface -p tcp --dport 53 -j DNAT --to $DNS_ip:53
iptables -t nat -A PREROUTING -i $LAN_iface -p tcp --dport 53 -j DNAT --to $DNS_ip:53
echo setting up http redir
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_iface -p tcp --dport 80 -j DNAT --to $LAN_ip:3128
# if it is same system
#iptables -t nat -A PREROUTING -i $WAN_iface -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP