Re: Transparent proxy single machine question

ken scott wrote:
On Sat, 2004-06-26 at 18:42, Dimitar Katerinski wrote:


Hello Ken,

Ah, just now I understand that this is a workstation with some users, and squid and DG running on this machine. Okay, I did some tests and came up with a solution ;-)
You can't redirect packets that originate from the machine itself to some other local port (as far as I know). Maybe you can play with the CONFIG_IP_NF_NAT_LOCAL option in the kernel, but as I understand it, it lets you use destination NAT on connections originating from local processes on the NAT box itself, but that is not what we are looking for. So
here is what you can do:


1. Leave the proxy setting as is in the browser properties (127.0.0.1:8181)
2. Allow outgoing requests to port 80 only for the UID that squid is running under.
iptables -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 80 -j DROP
This rule can be more flexible, but I leave this to you, I hope you get the idea.
3. And finally test whether you can make requests as a user with and without the proxy set in the browser.



Dimitar,

Success!! (at least mostly.) Thanks greatly for your assistance.
I used the WEBMIN firewall module to build the following rule:
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j DROP


case 1- User requests (with browser set to no proxy) time out after
about a minute.    [Desired outcome except timeout takes a long time]
case 2- User requests (with browser proxy set to the Dansguardian 8181
port) work fine.  [Desired outcome]
case 3- User requests (with browser proxy set to the Squid 3128 port)
also work fine.  [Not desired since webfiltering is bypassed]

So three things remain:
1) Newbie question - How do I edit/change the iptables rules directly
without requiring webmin?  (I can print them out with the iptables-save
command)
2) Can I get the request reject/timeout to occur more quickly?
3) Can I close the loophole of someone pointing their browser to the
squid port (rather than the dg port)?

Thanks again!!
Ken

Hello Ken,


First, about the undesired timeout: you could use -j REJECT instead of -j DROP, as the REJECT target sends a TCP RST to the connection.
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset


As for bypassing DG, you could easily allow only DG to be able to connect to 3128.
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REJECT --reject-with tcp-reset


About asking me how to modify iptables rules, well, it would be nice to read some howtos on netfilter.org ;-) The commands I'm giving you can be executed directly from the console, so there is no need for webmin. You can put them in your startup scripts, so they are executed every time the box starts. And finally, if you want to delete the above rules, you can substitute -A with -D, just my 2 cents :-).

I wish you luck with the issue you have. I think we have almost or fully resolved it ;-), so I may go to sleep now, because it's 04:00 am here.

Regards,
Dimitar

--
"The only thing necessary for the triumph of evil is for good men to do nothing."
--Edmund Burke.
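The two owner-match rules from the reply above, as an added example script that is not part of the thread: it renders the rules for review and applies or removes them idempotently at boot. It assumes squid and DansGuardian run as the local users "squid" and "dansguardian" (as in the thread) and that the installed iptables supports the -C (check) verb.

```shell
#!/bin/sh
# Added example, not from the thread: generate and apply the OUTPUT-chain
# owner-match rules so that only squid may open port 80 and only
# DansGuardian may open squid's port 3128. Any other local process gets a
# TCP RST (REJECT) instead of the long timeout a DROP rule produces.
# Assumed: daemon users "squid" and "dansguardian"; iptables with -C.

# One "port uid" pair per line: only processes running as uid may connect
# to port from this box.
PROXY_POLICY='80 squid
3128 dansguardian'

# rule_spec PORT UID: print the rule specification without the -A/-D/-C
# verb, so the same text can be appended, deleted or checked.
rule_spec() {
    printf 'OUTPUT -p tcp --dport %s -m owner ! --uid-owner %s -j REJECT --reject-with tcp-reset\n' "$1" "$2"
}

# render_policy: print the full iptables -A commands (for review, or for
# pasting into a startup script) without executing anything.
render_policy() {
    echo "$PROXY_POLICY" | while read -r port uid; do
        echo "iptables -A $(rule_spec "$port" "$uid")"
    done
}

# apply_policy add|delete: install or remove the rules, skipping rules
# that are already present (add) or already absent (delete), so the
# script can run on every boot without duplicating entries.
apply_policy() {
    action=$1
    echo "$PROXY_POLICY" | while read -r port uid; do
        spec=$(rule_spec "$port" "$uid")
        # $spec is intentionally unquoted: it must split into arguments.
        if iptables -C $spec 2>/dev/null; then present=1; else present=0; fi
        case "$action:$present" in
            add:0)    iptables -A $spec ;;
            delete:1) iptables -D $spec ;;
        esac
    done
}

# Usage (as root): source this file, then `render_policy` to review,
# `apply_policy add` to install, `apply_policy delete` to remove.
```

The earlier DROP rule for port 80 must be deleted first (same specification with -D, as suggested above), because the first matching rule in OUTPUT wins and a REJECT appended after it would never be reached.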


