Re: Re: [help] setting up firewall policy for transparent (single-homed host) proxy

Rachmat Hidayat Al Anshar wrote:
I am stuck and confused...
I have no idea about this...
I am trying to configure iptables with only the following commands (with the default policy set to ACCEPT):
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box

iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

note:
- eth0 -> internal device


Try JUST this (one command per line; I've split them so the wrapping can be seen clearly):

SQUID=10.0.0.0 - or whatever the squid box IP is.

iptables -t nat -A PREROUTING -i eth0 -s ! $SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128

iptables -A FORWARD -p tcp --dport 80 -s $SQUID -j ACCEPT

iptables -A FORWARD -p tcp --dport 80 -j REJECT


Amos


My proxy box was ignored...
I have configured squid with some access controls, to block some words, domains, and IPs.
I tested accessing a web box outside the network; here's the result:
- the sites were opened successfully
- when I tried adding a "blocked word" (such as "porn")..
  the sites also successfully opened the page...
Squid was ignored...
What should I do...
Help me guys...


Thanks
Rachmat Hidayat Al Anshar




----- Original Message ----
From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
To: squid cache <squid-users@xxxxxxxxxxxxxxx>
Cc: Chris Zhang <abnamro.chris@xxxxxxxxx>
Sent: Thursday, January 10, 2008 3:50:24 PM
Subject:  Re: [help] setting up firewall policy for transparent (single-homed host) proxy

----- Original Message ----
From: Chris Zhang
To: Rachmat Hidayat Al Anshar
Sent: Thursday, January 10, 2008 2:12:48 PM
Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
Hi Rachmat,


Did you take that line out and then try it again, and it still didn't work?
Yes I did, I have done that, and the proxy box is still ignored

I don't think you need to recompile Squid, you need to change /etc/squid.conf file as suggested by the link I pointed to you. More specifically, make sure you have these lines,

    * httpd_accel_host virtual
    * httpd_accel_port 80
    * httpd_accel_with_proxy on
    * httpd_accel_uses_host_header on

I have also finished with that...

Also I am a bit confused with the setup you had there. Does your squid machine have a public IP? My understanding is that all your computers that are behind the firewall are NATed, and this also includes your Squid.
All of this is deployed in VMware, the virtual environment. It is only an example of a public environment. And you're correct, my squid box is located behind the firewall (which also acts as the NAT device).

The idea with a transparent proxy is that you configure all client computers to use the gateway; on the gateway you have rules which say: if the outgoing port is port 80, and the traffic is coming from your client machines, redirect that traffic to your Squid machine on port 3128.

'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT' is saying: if the traffic is going INTO the gateway (in your case this traffic originates from the clients), and if the destination port is port 80 and the protocol is tcp, accept it.

Yep, it's correct.
### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

But you really want this line 'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128', which is the line after the first line.

The result of having this first line before the second line (iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128) is that the second line will never catch any traffic.

Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 . It is exactly what you need.

Chris


I have done the following steps on this http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
But my proxy is still ignored. How is it?
I'll try it once more...anyway...

Thanks
Rachmat Hidayat Al Anshar








Rachmat Hidayat Al Anshar wrote:
Hay ho Chris, thanks for replying.

First of all, I have referred to that link, but in another discussion forum I found someone out there saying that...
" The traffic is being caught by the first rule, since the connection probably isn't coming from the squid box.  Before that rule, you need to put in an ACCEPT for http packets aimed at the firewall box:
  iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
    --dport 80 -j ACCEPT"..something like that...
I have been trying many times, and I still can't solve this problem.
Is it about compile options? What command do I have to issue to find out which configure options squid was compiled with the first time???
Can we re-compile squid? If so, what should I do?

Thanks in advance
Rachmat Hidayat Al Anshar



----- Original Message ----
From: Chris Zhang
To: Rachmat Hidayat Al Anshar
Cc: linux@xxxxxxxxxxxxxxx
Sent: Wednesday, January 9, 2008 7:11:46 PM
Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
Hi Rachmat,


Maybe you want to try it again without this line

'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'


Also I think you will have to change squid.conf file (see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )


Chris


Rachmat Hidayat Al Anshar wrote:
Hi all...

I am doing research on deploying a transparent single-homed host proxy server on my virtual network. My squid box is not on the same box where the firewall is applied. I don't have any idea how to set up the iptables running on the firewall so that I can redirect all the clients' web requests to my proxy box, and make it the only host on the network that may request web services through the firewall to the Internet...???


INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
                                ^
                                |
                                v
                        squid web proxies

I tried to use the following firewall script...
#!/bin/sh
# Firewall Script
###############################################################
### interfaces
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=10.1.1.0/24

### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

### Set the default policies to drop
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

### Loopback device OK
iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT   -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

### Allow all Internal traffic to Server
iptables -A INPUT  -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT  -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT   -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT

### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

and the result is:
- the client's web browser ignores the squid proxy;
  the http service passes directly through the firewall

All responses will be greatly appreciated.


Thanks in advance (^^,)
Rachmat Hidayat Al Anshar


--
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
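The thread turns on how the nat PREROUTING chain is evaluated: the first rule whose match conditions fit a packet decides, and ACCEPT or DNAT ends traversal for that packet. The following model is an added example, not code from the thread or from Squid; it replays the thread's two PREROUTING rules over constructed packets (addresses 10.1.1.1 for iptables-box, 10.1.1.2 for squid-box and 198.51.100.10 for a web server are placeholders) and also shows the effect of the rules matching `-i eth0` while the posted script defines `INT_DEV=eth1`.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DNAT"
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s addr; src_negated models "-s ! addr"
    src_negated: bool = False
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # -p tcp --dport
    to: Optional[str] = None         # DNAT --to addr:port

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every option given on the rule must hold for the packet."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.src is not None and (pkt.src == rule.src) == rule.src_negated:
        return False  # plain -s needs equality; "-s !" needs inequality
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def prerouting(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; ACCEPT and DNAT both end traversal."""
    for rule in chain:
        if matches(rule, pkt):
            new_dst = rule.to if rule.target == "DNAT" else f"{pkt.dst}:{pkt.dport}"
            return rule.target, new_dst
    return "POLICY", f"{pkt.dst}:{pkt.dport}"  # nothing matched: chain policy, no rewrite

# Constructed addresses standing in for the thread's iptables-box / squid-box.
FW_BOX, SQUID_BOX, WEB = "10.1.1.1", "10.1.1.2", "198.51.100.10"
CHAIN = [  # the two PREROUTING rules from the thread, in the posted order
    Rule("ACCEPT", in_iface="eth0", dst=FW_BOX, dport=80),
    Rule("DNAT", in_iface="eth0", src=SQUID_BOX, src_negated=True, dport=80, to=f"{SQUID_BOX}:3128"),
]

def demo() -> dict:
    return {
        "client_eth0": prerouting(CHAIN, Packet("eth0", "10.1.1.50", WEB, 80)),    # redirected to squid
        "client_eth1": prerouting(CHAIN, Packet("eth1", "10.1.1.50", WEB, 80)),    # wrong -i: untouched
        "to_firewall": prerouting(CHAIN, Packet("eth0", "10.1.1.50", FW_BOX, 80)), # ACCEPT rule wins
        "from_squid": prerouting(CHAIN, Packet("eth0", SQUID_BOX, WEB, 80)),       # excluded by "-s !"
    }
```

The `client_eth1` case reproduces the "squid ignored" symptom: a packet arriving on an interface the rules do not name is never rewritten and is simply forwarded, so checking which interface the DNAT rule actually binds to is the first thing to verify.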

