I am stuck and confused... I have no idea about this... I am trying to configure iptables with only the following commands (with the default policy set to ACCEPT):

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

note:
- eth0 -> internal device

My proxy box was ignored... I have configured Squid with some access controls to block some words, domains, and IPs. I tested accessing a web box outside the network; here's the result:
- the sites opened successfully
- when I tried adding a "blocked word" (such as "porn"), the page also opened successfully...

Squid was ignored... What should I do... Help me guys...

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
> To: squid cache <squid-users@xxxxxxxxxxxxxxx>
> Cc: Chris Zhang <abnamro.chris@xxxxxxxxx>
> Sent: Thursday, January 10, 2008 3:50:24 PM
> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> ----- Original Message ----
> > From: Chris Zhang
> > To: Rachmat Hidayat Al Anshar
> > Sent: Thursday, January 10, 2008 2:12:48 PM
> > Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >
> > Hi Rachmat,
> >
> > Did you take that line out and then try it again, and it still didn't work?
>
> Yes I did, I have done that, and the proxy box is still ignored.
>
> > I don't think you need to recompile Squid, you need to change the /etc/squid.conf file as suggested by the link I pointed you to. More specifically, make sure you have these lines,
> >
> > * httpd_accel_host virtual
> > * httpd_accel_port 80
> > * httpd_accel_with_proxy on
> > * httpd_accel_uses_host_header on
>
> I also finished with that...
> > Also I am a bit confused with the setup you had there. Does your squid machine have a public IP? My understanding is that all your computers that are behind the firewall are NATed, this also includes your Squid.
>
> All of this is deployed on VMware, the virtual environment. It is only an example of a public environment. And you're correct, my squid box is located behind the firewall (which also acts as the NAT device).
>
> > The idea with a transparent proxy is that you configure all client computers to use the gateway, on the gateway you have rules which say if the outgoing port is port 80, and the traffic is coming from your client machines, redirect that traffic to your Squid machine on port 3128.
> >
> > 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in your case this traffic originates from the clients), and if the destination port is port 80, protocol is tcp, accept it.
>
> Yep, it's correct.
>
> ### Squid Transparent Proxy
> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
> > But you really want this line 'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128', which is the line after the first line.
> >
> > The result of having this first line before the second line (iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128) is that the second line will never catch any traffic.
> >
> > Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 . It is exactly what you need.
> >
> > Chris
> >
> I have done the following steps from this: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
> But my proxy is still ignored. How is that?
> I'll try it once more... anyway...
>
> Thanks
> Rachmat Hidayat Al Anshar
>
> > Rachmat Hidayat Al Anshar wrote:
> > > Hay ho Chris,
> > > Thanks for replying.
> > >
> > > First of all, I have referred to that link, but in another discussion forum I found someone out there who says that...
> > > "The traffic is being caught by the first rule, since the connection probably isn't coming from the squid box. Before that rule, you need to put in an ACCEPT for http packets aimed at the firewall box:
> > > iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> > >     --dport 80 -j ACCEPT"... something like that...
> > > I have been trying many times, and I still can't solve this problem.
> > >
> > > Is it about compiling options?
> > > What command do I have to issue to find out what configure options squid was compiled with the first time???
> > >
> > > Can we re-compile squid? If so, what should I do?
> > >
> > > Thanks in advance
> > > Rachmat Hidayat Al Anshar
> > >
> > > ----- Original Message ----
> > >> From: Chris Zhang
> > >> To: Rachmat Hidayat Al Anshar
> > >> Cc: linux@xxxxxxxxxxxxxxx
> > >> Sent: Wednesday, January 9, 2008 7:11:46 PM
> > >> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> > >>
> > >> Hi Rachmat,
> > >>
> > >> Maybe you want to try it again without this line
> > >>
> > >> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> > >>
> > >> Also I think you will have to change squid.conf file (see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> > >>
> > >> Chris
> > >>
> > >> Rachmat Hidayat Al Anshar wrote:
> > >>> Hi all...
> > >>>
> > >>> I am doing my research deploying a transparent single-homed host proxy server on my virtual network. My squid box is not on the same box where the firewall is applied. I don't have any idea how to set up the iptables running on the firewall, so that I can redirect all clients' web requests to my proxy box, and make it the only host on the network that may request web services through the firewall to the Internet...???
> > >>>
> > >>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> > >>>                                 ^
> > >>>                                 |
> > >>>                                 v
> > >>>                             squid web
> > >>>                              proxies
> > >>>
> > >>> I am trying to use the following firewall script...
> > >>>
> > >>> #!/bin/sh
> > >>> # Firewall Script
> > >>> ###############################################################
> > >>> ### interfaces
> > >>> EXT_DEV=eth0
> > >>> INT_DEV=eth1
> > >>> INT_NET=10.1.1.0/24
> > >>>
> > >>> ### Loading firewall modules
> > >>> modprobe ip_conntrack
> > >>> modprobe ip_conntrack_ftp
> > >>>
> > >>> ###############################################################
> > >>> ### Enable Packet Forwarding
> > >>> echo 1 > /proc/sys/net/ipv4/ip_forward
> > >>>
> > >>> ### Remove all previous rules, and delete any user defined chains
> > >>> iptables -F
> > >>> iptables -X
> > >>> iptables -t nat -F
> > >>> iptables -t nat -X
> > >>>
> > >>> ### Set the default policies to drop
> > >>> iptables -P INPUT DROP
> > >>> iptables -P OUTPUT DROP
> > >>> iptables -P FORWARD DROP
> > >>>
> > >>> ### Loopback device OK
> > >>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > >>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > >>>
> > >>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> > >>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> > >>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> > >>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> > >>>
> > >>> ### Allow all Internal traffic to Server
> > >>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > >>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > >>>
> > >>> ### OUTBOUND Rule: Allow ALL packets out the external device
> > >>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> > >>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> > >>>
> > >>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> > >>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >>>
> > >>> ### Squid Transparent Proxy
> > >>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> > >>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> > >>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> > >>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> > >>>
> > >>> and the result is:
> > >>> - the client's web browser ignores the squid proxy
> > >>> - the http service is passing directly through the firewall
> > >>>
> > >>> All responses will be greatly appreciated.
> > >>>
> > >>> Thanks in advance (^^,)
> > >>> Rachmat Hidayat Al Anshar
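As an added illustration (my own code, not from the thread or from Squid), here is a small first-match evaluator for the two nat PREROUTING rules debated above, run over constructed packets. It shows that the ACCEPT rule for traffic addressed to the firewall itself only catches packets whose destination is the firewall, that a client request to an outside web server falls through to the DNAT rule, that Squid's own outbound requests are exempted by `-s ! squid-box`, and that a packet arriving on a different interface than the one the rules name matches neither rule. The addresses and interface names are placeholders.

```python
# Added example: first-match walk of the nat PREROUTING rules from the thread.
# Addresses below are placeholders standing in for "iptables-box" and
# "squid-box"; the packets are constructed for the demonstration.

IPTABLES_BOX = "10.1.1.1"   # placeholder: firewall's own address
SQUID_BOX = "10.1.1.2"      # placeholder: Squid host
DNAT_TARGET = f"DNAT --to {SQUID_BOX}:3128"

# Each rule is a dict of match criteria plus a target; absent key = "any".
# "neg_src" mirrors the negated match "-s ! squid-box".
PREROUTING = [
    {"in": "eth0", "dst": IPTABLES_BOX, "dport": 80, "target": "ACCEPT"},
    {"in": "eth0", "neg_src": SQUID_BOX, "dport": 80, "target": DNAT_TARGET},
]


def matches(rule, p):
    """True when every criterion in the rule holds for packet p."""
    if "in" in rule and p["in"] != rule["in"]:
        return False
    if "dst" in rule and p["dst"] != rule["dst"]:
        return False
    if "neg_src" in rule and p["src"] == rule["neg_src"]:
        return False
    if "dport" in rule and p["dport"] != rule["dport"]:
        return False
    return True


def evaluate(chain, p):
    """Target of the first matching rule; "POLICY" means no rule fired
    (nat PREROUTING's default is ACCEPT, so the packet is not redirected)."""
    for rule in chain:
        if matches(rule, p):
            return rule["target"]
    return "POLICY"


def pkt(src, dst, dport=80, in_iface="eth0"):
    return {"src": src, "dst": dst, "dport": dport, "in": in_iface}


if __name__ == "__main__":
    samples = {
        "client -> web site":    pkt("10.1.1.50", "203.0.113.10"),
        "client -> firewall:80": pkt("10.1.1.50", IPTABLES_BOX),
        "squid  -> web site":    pkt(SQUID_BOX, "203.0.113.10"),
        "client on eth1 -> web": pkt("10.1.1.50", "203.0.113.10", in_iface="eth1"),
    }
    for name, p in samples.items():
        print(f"{name:22s} => {evaluate(PREROUTING, p)}")
    # Without the leading ACCEPT rule, even requests to the firewall itself
    # would be redirected to Squid:
    print("no ACCEPT rule, client -> firewall:80 =>",
          evaluate(PREROUTING[1:], pkt("10.1.1.50", IPTABLES_BOX)))
```

Dropping the first rule (`PREROUTING[1:]`) is the experiment Chris suggests; the evaluator shows it only changes the outcome for packets addressed to the firewall itself.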