http://wiki.squid-cache.org/ConfigExamples/ has a bunch.

On Wed, Jan 09, 2008, Rachmat Hidayat Al Anshar wrote:
> I have been searching the squid-users archive; there are some posts
> similar to my needs, but none of them succeeded for me.
> I don't know if someone has already suggested this...
>
> It would be nice if the squid developers spent a little time making
> complete documentation about how to implement squid transparently in
> a network. Then if someone needs it, or is having this problem, they
> could just be "redirected" to that documentation.
>
> Thanks
> Rachmat Hidayat Al Anshar
>
> ----- Original Message ----
> From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
> To: squid cache <squid-users@xxxxxxxxxxxxxxx>
> Cc: Chris Zhang <abnamro.chris@xxxxxxxxx>
> Sent: Thursday, January 10, 2008 6:40:14 AM
> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> > Hay ho Chris,
> > Thanks for replying.
> >
> > First of all, I have referred to that link, but in another discussion
> > forum I found someone out there saying that...
> > "The traffic is being caught by the first rule, since the connection
> > probably isn't coming from the squid box. Before that rule, you need
> > to put in an ACCEPT for http packets aimed at the firewall box:
> > iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> > --dport 80 -j ACCEPT" ... something like that...
> > I have been trying many times, and I still can't solve this problem.
> >
> > Is it about compile options? What command do I have to issue to find
> > out which configure options squid was compiled with the first time?
> >
> > Can we re-compile squid? If so, what should I do?
> >
> > Thanks in advance
> > Rachmat Hidayat Al Anshar
> >
> > ----- Original Message ----
> > From: Chris Zhang
> > To: Rachmat Hidayat Al Anshar
> > Cc: linux@xxxxxxxxxxxxxxx
> > Sent: Wednesday, January 9, 2008 7:11:46 PM
> > Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> >
> > > Hi Rachmat,
> > >
> > > Maybe you want to try it again without this line
> > >
> > > 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> > >
> > > Also I think you will have to change the squid.conf file (see
> > > http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> > >
> > > Chris
> > >
> > > Rachmat Hidayat Al Anshar wrote:
> > > > Hi all...
> > > >
> > > > I am researching deploying a transparent single-homed host proxy
> > > > server on my virtual network. My squid box is not on the same box
> > > > where the firewall is applied. I don't have any idea how to set up
> > > > the iptables rules running on the firewall so that I can redirect
> > > > all clients' web requests to my proxy box, and make it the only
> > > > host on the network that may request web services through the
> > > > firewall to the Internet...???
> > > >
> > > > INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> > > >                                 ^
> > > >                                 |
> > > >                                 v
> > > >                             squid web
> > > >                              proxies
> > > >
> > > > I tried to use the following firewall script...
> > > >
> > > > #!/bin/sh
> > > > # Firewall Script
> > > > ###############################################################
> > > > ### interfaces
> > > > EXT_DEV=eth0
> > > > INT_DEV=eth1
> > > > INT_NET=10.1.1.0/24
> > > >
> > > > ### hosts used by the transparent-proxy rules. The names iptables-box,
> > > > ### squid-box and local-network used further down are placeholders for
> > > > ### the firewall's address, the squid host's address and the client
> > > > ### network; the addresses given here are assumed example values,
> > > > ### substitute your own.
> > > > IPTABLES_BOX=10.1.1.1
> > > > SQUID_BOX=10.1.1.10
> > > > LOCAL_NETWORK=$INT_NET
> > > >
> > > > ### Loading firewall modules
> > > > modprobe ip_conntrack
> > > > modprobe ip_conntrack_ftp
> > > >
> > > > ###############################################################
> > > > ### Enable Packet Forwarding
> > > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > >
> > > > ### Remove all previous rules, and delete any user defined chains
> > > > iptables -F
> > > > iptables -X
> > > > iptables -t nat -F
> > > > iptables -t nat -X
> > > >
> > > > ### Set the default policies to drop
> > > > iptables -P INPUT DROP
> > > > iptables -P OUTPUT DROP
> > > > iptables -P FORWARD DROP
> > > >
> > > > ### Loopback device OK
> > > > iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > > > iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > > >
> > > > ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> > > > iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> > > > iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> > > > iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> > > >
> > > > ### Allow all Internal traffic to Server
> > > > iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > > > iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > > >
> > > > ### OUTBOUND Rule: Allow ALL packets out the external device
> > > > iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> > > > iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> > > >
> > > > ### INBOUND Rule: Allow ALL EXT packets if a connection already
> > > > ### exists (See "NEW" Inbound Rules)
> > > > iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > > iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > >
> > > > ### Squid Transparent Proxy
> > > > # port-80 traffic addressed to the firewall itself is left alone
> > > > iptables -t nat -A PREROUTING -i eth0 -d $IPTABLES_BOX -p tcp --dport 80 -j ACCEPT
> > > > # every other port-80 connection arriving on eth0, except from squid
> > > > # itself, is DNATed to squid
> > > > iptables -t nat -A PREROUTING -i eth0 ! -s $SQUID_BOX -p tcp --dport 80 \
> > > >   -j DNAT --to-destination $SQUID_BOX:3128
> > > >
> > > > # rewrite the source of the redirected flow to the firewall so squid's
> > > > # replies come back through the firewall, then let the hairpinned flow
> > > > # (in and out on eth0) through FORWARD
> > > > iptables -t nat -A POSTROUTING -o eth0 -s $LOCAL_NETWORK -d $SQUID_BOX \
> > > >   -j SNAT --to-source $IPTABLES_BOX
> > > > iptables -A FORWARD -s $LOCAL_NETWORK -d $SQUID_BOX -i eth0 -o eth0 -p tcp \
> > > >   --dport 3128 -j ACCEPT
> > > >
> > > > and the result is:
> > > > - the client's web browser ignores the squid proxy;
> > > >   the http service passes directly through the firewall
> > > >
> > > > All responses will be greatly appreciated.
> > > >
> > > > Thanks in advance (^^,)
> > > > Rachmat Hidayat Al Anshar
-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
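An added example, not from the thread, the squid wiki or the TransparentProxy HOWTO, of the firewall-side rules for the topology the original post describes: squid on a separate host on the client LAN, the firewall doing the redirection. It matches client HTTP on the internal interface (INT_DEV), which is the interface PREROUTING actually sees client packets arrive on, and SNATs the redirected flow so squid's replies return through the firewall rather than straight to the client. The network 10.1.1.0/24 comes from the posted script; the firewall's internal address 10.1.1.1, the squid host 10.1.1.10, and the DRY_RUN/ipt wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for intercepting client
# HTTP and handing it to a squid host on a separate box.
#
# Assumed topology (placeholder addresses, adjust to your network):
#   INT_NET 10.1.1.0/24 --> firewall INT_DEV eth1 (10.1.1.1) / EXT_DEV eth0 --> Internet
#   squid host 10.1.1.10 on the same LAN, squid.conf carrying
#   "http_port 3128 transparent" (squid 2.6/3.0) or "http_port 3128 intercept" (3.1+).
EXT_DEV=${EXT_DEV:-eth0}
INT_DEV=${INT_DEV:-eth1}
INT_NET=${INT_NET:-10.1.1.0/24}
FW_INT_IP=${FW_INT_IP:-10.1.1.1}
SQUID_BOX=${SQUID_BOX:-10.1.1.10}
SQUID_PORT=${SQUID_PORT:-3128}

# ipt: run iptables, or just print the command when DRY_RUN is set, so the
# rule set can be reviewed without root.
ipt() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

transparent_proxy_rules() {
  # 0. Replies for any flow already allowed, in either direction. This is what
  #    carries squid's answers back to the clients through the hairpin below.
  ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  # 1. Client HTTP arrives on the *internal* interface. Anything to port 80 that
  #    is not from squid itself is DNATed to squid. Matching on INT_DEV matters:
  #    PREROUTING only sees a packet on the interface it came in on, so a rule
  #    keyed on the external interface never sees client traffic at all.
  ipt -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID_BOX" -p tcp --dport 80 \
      -j DNAT --to-destination "$SQUID_BOX:$SQUID_PORT"

  # 2. Squid sits on the same LAN as the clients, so without this its SYN/ACK
  #    would go straight back to the client, which drops it because it never
  #    connected to squid's address. SNAT the redirected flow to the firewall's
  #    internal address so squid replies to the firewall, which un-NATs it.
  #    Cost: squid logs every client as FW_INT_IP.
  ipt -t nat -A POSTROUTING -o "$INT_DEV" -s "$INT_NET" -d "$SQUID_BOX" \
      -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_INT_IP"

  # 3. The redirected flow enters and leaves on INT_DEV; FORWARD must allow
  #    that hairpin explicitly.
  ipt -A FORWARD -i "$INT_DEV" -o "$INT_DEV" -s "$INT_NET" -d "$SQUID_BOX" \
      -p tcp --dport "$SQUID_PORT" -j ACCEPT

  # 4. Only squid may open port-80 connections to the Internet. Other clients'
  #    port 80 was already DNATed in step 1; the DROP catches anything that
  #    slips past, e.g. a later blanket internal-to-external ACCEPT.
  ipt -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$SQUID_BOX" -p tcp --dport 80 -j ACCEPT
  ipt -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 80 -j DROP
}

# Usage:  ./proxy-rules.sh show    (print the rules, no root needed)
#         ./proxy-rules.sh apply   (as root, after your base policy is loaded)
case "${1:-}" in
  show)  DRY_RUN=1 transparent_proxy_rules ;;
  apply) echo 1 > /proc/sys/net/ipv4/ip_forward; transparent_proxy_rules ;;
esac
```

These rules must be appended before any blanket `-i $INT_DEV -o $EXT_DEV -j ACCEPT` in FORWARD, otherwise the DROP in step 4 is never reached and clients that somehow bypass the DNAT go out directly. The SNAT in step 2 is the price of having squid on the client LAN: if the squid host gets its own firewall interface, or a policy route that sends its replies back to the firewall, the SNAT can be dropped and squid sees real client addresses again. Note also that this intercepts plain HTTP only; port 443 is untouched.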