Hi, I'm currently setting up a small LAN. The target hosts will be Windows laptops, so all the smarts are in a single FC5 Linux box connected to cable internet. So far I've managed to set up pretty much everything I needed (dns, dhcp, nat, smtp, webmail, spam-filter...) but I'm stuck on the transparent proxy stage. I've got the gateway Apache configured as a proxy on the LAN-facing IP, and it works when configured manually in the laptop browsers, but I'm not getting any further. All the docs on the internet seem to focus on the squid-on-another-box scenario, and I'm failing to adapt them to my setup. Can anyone help me? (A big plus would be to make Apache a transparent proxy for the gateway itself, as it will double up as my own system.) I've attached my current iptables rules in case it helps.

Regards,

-- 
Nicolas Mailhot
# Custom iptables rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081
#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j DNAT --to 192.168.1.1:8081
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081
#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache,tproxy -s 127.0.0.1 -j ACCEPT
-A PREROUTING -p tcp -m multiport -i eth1 --dports http,https,squid,svn,http-alt,webcache -j MARK --set-mark 3
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:GENCHK - [0:0]
:ICMP - [0:0]
:SPOOF - [0:0]
:SYN-FLOOD - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:LS - [0:0]
:OUTBOUND - [0:0]

### Input
# loopback
-A INPUT -i lo -j ACCEPT
# Broadcast
-A INPUT -m pkttype --pkt-type broadcast -i eth0 -p udp -m multiport --ports bootps,bootpc -j INBOUND
-A INPUT -m pkttype --pkt-type broadcast -i eth0 -j LS
# Generic checks
-A INPUT -j ICMP
-A INPUT -j GENCHK
-A INPUT -j SPOOF
# Multicast
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -i eth0 -j INBOUND
-A INPUT -i eth1 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input " --log-level 6

### Forward
# Generic checks
-A FORWARD -j ICMP
-A FORWARD -j GENCHK
-A FORWARD -j SPOOF
# Do not forward any broadcast
-A FORWARD -m pkttype --pkt-type broadcast -j LS
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 192.168.1.0/24 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward " --log-level 6

### Output
# Loopback
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j GENCHK
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output " --log-level 6

### Inbound
-A INBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP
-A INBOUND -p udp -m multiport --ports bootps,bootpc -j ACCEPT
# Multicast
-A INBOUND -m pkttype --pkt-type multicast -j ACCEPT
-A INBOUND -d 224.0.0.251 -j ACCEPT
# Syn-flood tcp protection
-A INBOUND -p tcp --syn -j SYN-FLOOD
-A INBOUND -p tcp -m multiport --dports ssh,submission,https,imaps -j ACCEPT
-A INBOUND -p tcp -d 192.168.1.1 -m multiport --dports smtp,domain,ntp,printer,tproxy -i eth1 -j ACCEPT
-A INBOUND -p udp -d 192.168.1.1 -m multiport --dports smtp,domain,ntp,printer -i eth1 -j ACCEPT
-A INBOUND -p udp -d 192.168.1.255 --sport ipp --dport ipp -i eth1 -j ACCEPT
-A INBOUND -p udp -d 192.168.1.1 --sport ipp --dport ipp -i eth1 -j ACCEPT
# This DNS server defers replies in UDP
-A INBOUND -p udp -s 202.89.131.4 --sport domain --dport domain -i eth0 -j ACCEPT
-A INBOUND -j LSI

### Generic checks
-A GENCHK -m state --state INVALID -j DROP
-A GENCHK -p tcp ! --syn -m state --state NEW -j LS
-A GENCHK -m state --state RELATED,ESTABLISHED -j RETURN
-A GENCHK -m state --state ! NEW -j LS
-A GENCHK -j RETURN

### ICMP check
-A ICMP -p icmp --fragment -j DROP
-A ICMP -p icmp --icmp-type echo-reply -m limit --limit 1/sec -j ACCEPT
-A ICMP -p udp --dport traceroute -j LS
-A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP -p icmp --icmp-type redirect -m limit --limit 2/sec -j ACCEPT
-A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP -p icmp -j LS
-A ICMP -j RETURN

### Spoof check (need to accept dhcp and lo before)
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
-A SPOOF -d 127.0.0.0/8 -j LS
# Accept LAN in
-A SPOOF -s 192.168.1.0/24 -i eth1 -j RETURN
# Nothing else from LAN
-A SPOOF -i eth1 -j LS
# Refuse packets claiming to be from a Class A private network.
-A SPOOF -s 10.0.0.0/8 -j LS
# Refuse packets claiming to be from a Class B private network.
-A SPOOF -s 172.16.0.0/12 -j LS
# Refuse packets claiming to be from a Class C private network.
-A SPOOF -s 192.168.0.0/16 -j LS
# Refuse Class D multicast addresses. Multicast is illegal as a source address
-A SPOOF -s 224.0.0.0/4 -j LS
# Refuse Class E reserved IP addresses.
-A SPOOF -s 240.0.0.0/5 -j LS
# Accept LAN out
-A SPOOF -d 192.168.1.0/24 -o eth1 -j RETURN
# Nothing else to LAN
-A SPOOF -o eth1 -j LS
# If we got this far filtering can continue
-A SPOOF -j RETURN

### syn-flood check
-A SYN-FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
-A SYN-FLOOD -j DROP

### Outbound
-A OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP
-A OUTBOUND -p udp --sport bootpc --dport bootps -o eth0 -j ACCEPT
-A OUTBOUND -p udp --sport bootps --dport bootpc -o eth1 -j ACCEPT
-A OUTBOUND -p udp --sport ipp --dport ipp -o eth0 -j DROP
-A OUTBOUND -j ACCEPT

### Generic logging filtering
-A LOG_FILTER -m multiport -p tcp --ports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,593,ms-sql-s,ms-sql-m -j DROP
-A LOG_FILTER -m multiport -p udp --ports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,593,ms-sql-s,ms-sql-m -j DROP
-A LOG_FILTER -p icmp --icmp-type echo-request -m limit --limit 1/sec -j RETURN
-A LOG_FILTER -p icmp --icmp-type echo-request -j DROP
-A LOG_FILTER -m limit --limit 5/sec -j RETURN
-A LOG_FILTER -j DROP

### Inbound log
-A LSI -j LOG_FILTER
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP

### Outbound log
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j DROP

### Generic log
-A LS -j LOG_FILTER
-A LS -m limit --limit 5/sec -j LOG --log-prefix "Blocking " --log-level 6
-A LS -j DROP
COMMIT
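The interception rules the question asks for, as an added example that is not part of the original post and not code from the Apache or Fedora projects. It uses the REDIRECT target that the posted nat table has commented out, but narrows it: only port 80 arriving on the LAN interface, never traffic addressed to the gateway itself, and never 443 (an HTTP proxy handed a TLS ClientHello cannot do anything with it, so redirecting https, svn or the other ports in the commented-out rules would break those connections rather than proxy them). For the gateway-as-client case it adds the same REDIRECT in the nat OUTPUT chain with an owner exemption so the proxy's own upstream connections are not looped back into it. The interface name eth1, the addresses 192.168.1.0/24 and 192.168.1.1, port 8081 and the user "apache" are assumptions taken from the posted setup; the script only prints the fragment, and the load step is a separate root-only call.

```shell
#!/bin/sh
# Added example, not from the original post or any project's code.
# Prints an iptables-restore fragment for the nat table that intercepts LAN
# web traffic and hands it to a proxy on the gateway. Assumed values
# (hypothetical, override via the environment):
LAN_IF="${LAN_IF:-eth1}"              # LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # LAN subnet
GW_IP="${GW_IP:-192.168.1.1}"         # gateway's LAN address
PROXY_PORT="${PROXY_PORT:-8081}"      # port the proxy listens on
PROXY_USER="${PROXY_USER:-apache}"    # uid the proxy process runs as

# Emit the nat fragment on stdout. The existing MASQUERADE rule is left to the
# table already in place, so this can be loaded with --noflush on top of it.
gen_nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic aimed at the gateway itself (webmail, admin pages) is not browsing;
# leave it alone or the proxy would be asked to fetch the gateway's own pages.
-A PREROUTING -i $LAN_IF -s $LAN_NET -d $GW_IP -j RETURN
# Intercept plain HTTP only. Port 443 is deliberately not redirected: an HTTP
# proxy cannot parse a TLS ClientHello, and intercepting TLS would mean
# terminating it on the gateway with a CA the laptops trust.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Same for browsing from the gateway itself (nat OUTPUT sees locally generated
# packets). The proxy's own upstream fetches are exempted by uid; without this
# every fetch would be redirected back into the proxy in an endless loop.
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

# Sanity check on the generated fragment before it is loaded: refuse anything
# that would redirect TLS or that lacks the loop guard. Returns 0 when safe.
check_nat_rules() {
  rules="$(gen_nat_rules)"
  if printf '%s\n' "$rules" | grep -q -- '--dport 443'; then
    echo "refusing: TLS (443) must not be redirected to an HTTP proxy" >&2
    return 1
  fi
  if ! printf '%s\n' "$rules" | grep -q -- "--uid-owner $PROXY_USER -j RETURN"; then
    echo "refusing: no owner exemption, the proxy would loop on itself" >&2
    return 1
  fi
  return 0
}

# Root-only: append the fragment to the live nat table, keeping filter and
# mangle untouched thanks to --noflush.
load_nat_rules() {
  check_nat_rules || return 1
  gen_nat_rules | iptables-restore --noflush
}

# Run with --show to inspect the fragment without loading it.
if [ "${1:-}" = "--show" ]; then
  gen_nat_rules
fi
```

Two things the rules alone do not solve. REDIRECT in the OUTPUT chain sends locally generated packets to 127.0.0.1, so the proxy must also listen on loopback, not only on the LAN-facing address. And an intercepted request reaches Apache as `GET /path HTTP/1.1` plus a Host header, not the absolute-URI form that `ProxyRequests On` expects, so the proxy vhost has to rebuild the target from `%{HTTP_HOST}` (mod_rewrite's `[P]` flag is the usual way to do that). Keep port 8081 reachable only from eth1, as the posted INBOUND chain already does, so the forward proxy is never exposed on the cable side.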