Re: change netfilter packet flow

Hi,

On Sat, Sep 22, 2018 at 09:05:45AM +0330, morteza1131@xxxxxxxxx wrote:
> Hello
> I am in dire need of using squid in my Linux iptables firewall as a transparent proxy.
> I want to have both firewalling rules and http filtering with squid based on Linux iptables.
> I know it is not possible to apply iptables rules in the forward chain and after that filter http requests with applications like squid.
> When I use squid for http filtering, squid is listening on an input port of the machine, so when I redirect packets to the input chain, my firewall rules in the forward chain are bypassed. Is there any way to handle such a situation?

I am not sure I am understanding every part of your email correctly, so you
might need to clarify.

The forward chain is not used because you are not forwarding packets; squid
copies them from one socket to another, so you should forget about the forward
chain in this case. See [1]. In the case of a transparent proxy you route the
packets to the local computer, so according to [1] the forward chain is not
touched.

I suppose you use the SOCKET and/or TPROXY match in the prerouting chain along with
policy routing. AFAIK this makes matching packets appear in the input chain (see
[1] again), so you might try firewalling in the input chain.

Hope this helps,
Mate

[1]: https://www.csie.ntu.edu.tw/~b93070/CNL/v4.0/CNLv4.0.files/image2070.gif

> 
> Do you know how other firewalls like pfSense or OPNsense and so on handle this situation?
> 
> tanx
> 
> Sent from my Huawei Mobile
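The setup Mate describes, as an added example that is not part of the original thread: TPROXY plus policy routing diverts port-80 traffic to squid, and because the diverted packets travel PREROUTING -> INPUT, the client policy lives in the INPUT chain instead of FORWARD. The interface name, client subnet, squid port and the function names are assumptions, not taken from the mail.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: LAN interface eth1,
# client subnet 192.168.1.0/24, squid listening on a TPROXY socket on port 3129.
LAN_IF="${LAN_IF:-eth1}"
CLIENTS="${CLIENTS:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3129}"
FWMARK=0x1

# Print the rules so they can be reviewed first; pipe into sh as root to apply.
tproxy_rules() {
    # Policy routing: marked packets are routed to the local host, so they
    # traverse PREROUTING -> INPUT and never reach FORWARD.
    echo "ip rule add fwmark $FWMARK lookup 100"
    echo "ip route add local 0.0.0.0/0 dev lo table 100"

    # Packets belonging to an existing transparent socket get the mark via the
    # socket match; new port-80 connections are diverted to squid with TPROXY.
    echo "iptables -t mangle -N DIVERT"
    echo "iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK"
    echo "iptables -t mangle -A DIVERT -j ACCEPT"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m socket -j DIVERT"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j TPROXY --tproxy-mark $FWMARK/$FWMARK --on-port $PROXY_PORT"

    # Firewall the proxied clients here, in INPUT. The mark set in mangle
    # PREROUTING survives routing, so it identifies the diverted packets.
    echo "iptables -A INPUT -i $LAN_IF -p tcp -m mark --mark $FWMARK/$FWMARK -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp -m mark --mark $FWMARK/$FWMARK -m conntrack --ctstate NEW -s $CLIENTS -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp -m mark --mark $FWMARK/$FWMARK -j DROP"
}

# Sanity check on the generated ruleset: diverted traffic is policed only in
# INPUT; a FORWARD rule for it would never match anything.
rules_check() {
    rules=$(tproxy_rules)
    echo "$rules" | grep -q -- '-j TPROXY' || return 1
    echo "$rules" | grep -q -- '-A INPUT .* -m mark' || return 1
    echo "$rules" | grep -q -- '-A FORWARD' && return 1
    return 0
}
```

Squid itself must open its listening socket with the matching tproxy option for the TPROXY target to hand packets to it.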


