Hi Amos... Mmmm... it's giving feedback after I issue "iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT"; it says "unknown arg --dport". Maybe the FORWARD chain can't proceed without any other switch (parameter)...

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
> Cc: squid cache <squid-users@xxxxxxxxxxxxxxx>
> Sent: Thursday, January 10, 2008 7:45:44 PM
> Subject: Re: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Rachmat Hidayat Al Anshar wrote:
> > I am stuck on confuse...
> > I have no idea with this...
> > I trying to configure the iptables only with this following command
> > (with default policy set to ACCEPT)
> > iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> > iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> > iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> > note:
> > - eth0 -> internal device
>
> Try JUST this (one command to a line, I've split them so wrapping can be seen clearly):
>
> SQUID=10.0.0.0 - or whatever the squid box IP is.
>
> iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128
>
> iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
>
> iptables -A FORWARD --dport 80 -j REJECT
>
> Amos
>
> > My proxy box was ignored...
> > I have configured squid with some access control, to block some words, domains, and IPs.
> > I tested to access the web box outside the network, here's the result:
> > - the sites was opened successfully
> > - when i try to adding a "blocked word" (such as "porn")..
> > the sites also successfully open the page...
> > Squid was ignored...
> > What should I do...
> > Help me guys...
> > Thanks
> > Rachmat Hidayat Al Anshar
> >
> > ----- Original Message ----
> >> From: Rachmat Hidayat Al Anshar
> >> To: squid cache
> >> Cc: Chris Zhang
> >> Sent: Thursday, January 10, 2008 3:50:24 PM
> >> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>
> >> ----- Original Message ----
> >>> From: Chris Zhang
> >>> To: Rachmat Hidayat Al Anshar
> >>> Sent: Thursday, January 10, 2008 2:12:48 PM
> >>> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>> Hi Rachmat,
> >>>
> >>> Did you take that line out and then tried it again and it still didn't work?
> >> Yes I do, I have done with it, and the proxy box still ignored
> >>
> >>> I don't think you need to recompile Squid, you need to change /etc/squid.conf file as suggested by the link I pointed to you. More specifically, make sure you have these lines,
> >>>
> >>> * httpd_accel_host virtual
> >>> * httpd_accel_port 80
> >>> * httpd_accel_with_proxy on
> >>> * httpd_accel_uses_host_header on
> >>>
> >> I also finish with it...
> >>
> >>> Also I am a bit confused with the setup you had there. Does your squid machine have a public IP? My understanding is that all your computers that are behind the firewall are NATed, this also includes your Squid.
> >>
> >> All of this deployed at vmware, the virtual environment. There is only an example of public environment. And you're correct, my squid box located behind firewall (also act as nat device).
> >>
> >>> The idea with a transparent proxy is that you configure all client computers to use the gateway, on the gateway you have rules which say if the outgoing port is port 80, and the traffic is coming from your client machines, redirect those traffic to your Squid machine on port 3128.
> >>>
> >>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in your case these traffic originate from the clients), and if the destination port is port 80, protocol is tcp, accept it.
> >>
> >> Yep, it's correct.
> >> ### Squid Transparent Proxy
> >> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>
> >> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>
> >>> But you really want this line 'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128' which is the line after the first line.
> >>>
> >>> The result of having this first line before the second line (iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128) is that the second line will never catch any traffic.
> >>>
> >>> Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 . It is exactly what you need.
> >>>
> >>> Chris
> >>>
> >> I have done following steps on this http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
> >> But my proxy still ignored. How is it?
> >> I'll try it once more... anyway...
> >>
> >> Thanks
> >> Rachmat Hidayat Al Anshar
> >>
> >>> Rachmat Hidayat Al Anshar wrote:
> >>>> Hay ho Chris,
> >>>> Thanks for replying.
> >>>>
> >>>> First of all, I have reference to that link, but in other discussion forum I found someone out there says that...
> >>>> "The traffic is being caught by the first rule, since the connection probably isn't coming from the squid box. Before that rule, you need to put in an ACCEPT for http packets aimed at the firewall box:
> >>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> >>>> --dport 80 -j ACCEPT" ..something like that...
> >>>> I have been trying for many times, and I still can't solve this problem.
> >>>> Is it about compiling options,
> >>>> What command that I have to issue to get informed, what configure option that squid used to compile at compiling process for a first time???
> >>>> Can we re-compile squid? If so, what should I do?
> >>>>
> >>>> Thanks in advance
> >>>> Rachmat Hidayat Al Anshar
> >>>>
> >>>> ----- Original Message ----
> >>>>> From: Chris Zhang
> >>>>> To: Rachmat Hidayat Al Anshar
> >>>>> Cc: linux@xxxxxxxxxxxxxxx
> >>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
> >>>>> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>>> Hi Rachmat,
> >>>>>
> >>>>> Maybe you want to try it again without this line
> >>>>>
> >>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >>>>>
> >>>>> Also I think you will have to change squid.conf file (see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >>>>>
> >>>>> Chris
> >>>>>
> >>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>> Hi all...
> >>>>>>
> >>>>>> I am on my research deploying a transparent single-homed host proxy server on my virtual network. My squid box is not on the same box where the firewall applied.
> >>>>>> I didn't have any idea how to set up the iptables running on the firewall, so I can redirect all client's web request to my proxy box, and make it as the only host on the network may request web services through firewall to the Internet...???
> >>>>>>
> >>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> >>>>>>                                 ^
> >>>>>>                                 |
> >>>>>>                                 v
> >>>>>>                             squid web
> >>>>>>                              proxies
> >>>>>>
> >>>>>> I try to use this following firewall script...
> >>>>>>
> >>>>>> #!/bin/sh
> >>>>>> # Firewall Script
> >>>>>> ###############################################################
> >>>>>> ### interfaces
> >>>>>> EXT_DEV=eth0
> >>>>>> INT_DEV=eth1
> >>>>>> INT_NET=10.1.1.0/24
> >>>>>>
> >>>>>> ### Loading firewall modules
> >>>>>> modprobe ip_conntrack
> >>>>>> modprobe ip_conntrack_ftp
> >>>>>>
> >>>>>> ###############################################################
> >>>>>> ### Enable Packet Forwarding
> >>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>>>
> >>>>>> ### Remove all previous rules, and delete any user defined chains
> >>>>>> iptables -F
> >>>>>> iptables -X
> >>>>>> iptables -t nat -F
> >>>>>> iptables -t nat -X
> >>>>>>
> >>>>>> ### Set the default policies to drop
> >>>>>> iptables -P INPUT DROP
> >>>>>> iptables -P OUTPUT DROP
> >>>>>> iptables -P FORWARD DROP
> >>>>>>
> >>>>>> ### Loopback device OK
> >>>>>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>>
> >>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> >>>>>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >>>>>>
> >>>>>> ### Allow all Internal traffic to Server
> >>>>>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>>
> >>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
> >>>>>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> >>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >>>>>>
> >>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> >>>>>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>>
> >>>>>> ### Squid Transparent Proxy
> >>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>>>>
> >>>>>> and the result is:
> >>>>>> - client's web browser ignore the squid proxy
> >>>>>> the http service is directly passing through the firewall
> >>>>>>
> >>>>>> All response will greatly appreciated.
> >>>>>>
> >>>>>> Thanks in advance (^^,)
> >>>>>> Rachmat Hidayat Al Anshar
> >>>>>>
>
> --
> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.
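The "unknown arg --dport" error at the top of the thread comes from the fact that `--dport` is an option of the tcp match, which iptables only loads when `-p tcp` appears earlier on the same rule; Amos's FORWARD rules omit it. The script below is an added example, not code from the thread or from the Squid project: it rebuilds Amos's three-rule policy with `-p tcp` in place, adds a RELATED,ESTABLISHED rule (the same state match the thread's own firewall script uses) so replies to accepted connections are forwarded, and includes a check that every generated rule carrying `--dport` also carries `-p tcp`. The squid address `10.0.0.2`, the client interface `eth0` and the `IPT` / `rule` / `transparent_proxy_rules` / `check_dport_has_proto` names are assumptions made for this example; `! -s` is the current iptables negation syntax, where older releases accepted `-s ! addr`.

```shell
#!/bin/sh
# Added example, not from the thread: Amos's transparent-proxy policy rebuilt
# with the "-p tcp" match that --dport needs, plus a state rule for replies.
# Setting IPT="echo iptables" turns every call into a dry run that prints
# the rule instead of installing it.

SQUID="${SQUID:-10.0.0.2}"   # assumed address of the squid box (placeholder)
INT_DEV="${INT_DEV:-eth0}"   # client-facing interface, eth0 as in the thread
IPT="${IPT:-iptables}"       # real binary, or "echo iptables" for a dry run

# One rule per call; $IPT is deliberately unquoted so "echo iptables" splits.
rule() { $IPT "$@"; }

transparent_proxy_rules() {
    # 1. Web traffic from every internal host except the proxy goes to squid.
    rule -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID" -p tcp --dport 80 \
         -j DNAT --to-destination "$SQUID:3128"
    # 2. The proxy itself may reach port 80. --dport belongs to the tcp match,
    #    so "-p tcp" must come first or iptables rejects the argument.
    rule -A FORWARD -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    # 3. Replies for connections that were already accepted.
    rule -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 4. Anything still aimed directly at port 80 has bypassed the proxy:
    #    reject it so the client gets a refusal instead of a silent hang.
    rule -A FORWARD -p tcp --dport 80 -j REJECT
}

# Guard against the mistake in the thread: every generated rule that uses
# --dport must also carry "-p tcp". Returns 0 when the rule set is clean.
check_dport_has_proto() {
    (IPT="echo iptables"; transparent_proxy_rules) | awk '
        /--dport/ && !/-p tcp/ { bad++ }
        END { exit (bad > 0) }'
}

# "apply" installs the rules (needs root); anything else is a printed dry run.
if [ "${1:-}" = "apply" ]; then
    check_dport_has_proto && transparent_proxy_rules
else
    check_dport_has_proto && (IPT="echo iptables"; transparent_proxy_rules)
fi
```

Run it without arguments to see the four rules it would install, and with `apply` as root to install them. The rules deliberately avoid the leading ACCEPT rule that Chris warned about: an ACCEPT placed before the DNAT in the nat PREROUTING chain would match client traffic first and the redirect would never fire.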