Rachmat Hidayat Al Anshar wrote:
Hi Amos...
Mmmm... it's giving feedback after I issue "iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT";
it says "unknown arg --dport". Maybe the FORWARD chain can't proceed without some other
switch (parameter)...
Hmm, arg. I think after a closer look all I can think of is I got the
parameter order wrong :-(
It should probably be -s then --dport
Sorry
Amos
Thanks
Rachmat Hidayat Al Anshar
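As an added example (not Amos's or Chris's commands): a complete rule set for the single-homed layout discussed in this thread, with -p tcp placed before every --dport (--dport is an option of the tcp match, which is only loaded by -p tcp, so a FORWARD rule without it fails with "unknown arg --dport") and with the rules in the order the thread argues about. The interface, addresses and port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: transparent-proxy rules for the
# iptables (gateway/NAT) box when Squid sits on the same internal segment
# as the clients. Addresses below are constructed placeholders.
INT_DEV=eth0
LOCAL_NET=10.1.1.0/24
GATEWAY=10.1.1.1        # this box's internal address
SQUID=10.1.1.2          # the Squid box
SQUID_PORT=3128

# Dry run by default (prints the rules); APPLY=1 loads them for real.
if [ "${APPLY:-0}" = 1 ]; then IPTABLES=iptables; else IPTABLES="echo iptables"; fi

install_proxy_rules() {
    # Every rule that uses --dport carries -p tcp first: --dport is an
    # option of the tcp match, which only exists once -p tcp is given
    # (that is what the "unknown arg --dport" error means).

    # 1. Port-80 traffic addressed to the gateway itself stays untouched.
    #    It must come BEFORE the redirect: the first matching rule wins.
    $IPTABLES -t nat -A PREROUTING -i "$INT_DEV" -d "$GATEWAY" \
        -p tcp --dport 80 -j ACCEPT
    # 2. Redirect all other LAN port-80 traffic to Squid, except Squid's
    #    own outbound fetches, which would otherwise loop back into it.
    $IPTABLES -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID:$SQUID_PORT"
    # 3. Single-homed case: Squid and clients share a segment, so Squid's
    #    replies must be forced back through the gateway to be un-DNATed.
    #    SNAT the redirected packets to the gateway's address.
    $IPTABLES -t nat -A POSTROUTING -o "$INT_DEV" -s "$LOCAL_NET" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$GATEWAY"
    # 4. FORWARD policy is DROP, so permit exactly: reply traffic,
    #    clients -> Squid:3128, Squid -> Internet:80. Any other port-80
    #    attempt from the LAN is refused, so nothing slips past Squid's ACLs.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_DEV" -o "$INT_DEV" -s "$LOCAL_NET" \
        -d "$SQUID" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPTABLES -A FORWARD -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 80 -j REJECT
}

install_proxy_rules
```

Run it as-is to print the rules before loading them. Note that the SNAT in step 3 makes every request reach Squid with the gateway's source address, so Squid's access log and any src-based ACLs no longer see individual client IPs.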
----- Original Message ----
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
Cc: squid cache <squid-users@xxxxxxxxxxxxxxx>
Sent: Thursday, January 10, 2008 7:45:44 PM
Subject: Re: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
Rachmat Hidayat Al Anshar wrote:
I am stuck and confused...
I have no idea about this...
I am trying to configure iptables with only the following commands
(with the default policy set to ACCEPT)
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
note:
- eth0 -> internal device
Try JUST this (one command to a line, I've split them so the wrapping can be seen clearly):
SQUID=10.0.0.0 - or whatever the squid box IP is.
iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128
iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
iptables -A FORWARD --dport 80 -j REJECT
Amos
My proxy box was ignored...
I have configured squid with some access control, to block some words, domains, and IPs.
I tested accessing a web box outside the network; here's the result:
- the sites were opened successfully
- when I try adding a "blocked word" (such as "porn").. the sites also successfully open the page...
Squid was ignored...
What should I do...
Help me guys...
Thanks
Rachmat Hidayat Al Anshar
----- Original Message ----
From: Rachmat Hidayat Al Anshar
To: squid cache
Cc: Chris Zhang
Sent: Thursday, January 10, 2008 3:50:24 PM
Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
----- Original Message ----
From: Chris Zhang
To: Rachmat Hidayat Al Anshar
Sent: Thursday, January 10, 2008 2:12:48 PM
Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
Hi Rachmat,
Did you take that line out and then try it again, and it still didn't work?
Yes I did, I have done it, and the proxy box is still ignored
I don't think you need to recompile Squid, you need to change the
/etc/squid.conf file as suggested by the link I pointed you to. More
specifically, make sure you have these lines,
* httpd_accel_host virtual
* httpd_accel_port 80
* httpd_accel_with_proxy on
* httpd_accel_uses_host_header on
I have also finished with that...
Also I am a bit confused with the setup you had there. Does your squid
machine have a public IP? My understanding is that all your computers
that are behind the firewall are NATed, and this also includes your Squid.
All of this is deployed on VMware, the virtual environment.
It is only an example of a public environment. And you're
correct, my squid box is located behind the firewall (which also acts as the
NAT device).
The idea with a transparent proxy is that you configure all client
computers to use the gateway; on the gateway you have rules which say
if the outgoing port is port 80, and the traffic is coming from your
client machines, redirect that traffic to your Squid machine on port 3128.
'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport
80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in
your case this traffic originates from the clients), and if the
destination port is port 80, protocol is tcp, accept it.
Yep, it's correct.
### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
But you really want this line
'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128'
which is the line after the first line.
The result of having this first line before the second line
(iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128)
is that the second line will never catch any traffic.
Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 .
It is exactly what you need.
Chris
I have done the following steps from this
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
But my proxy is still ignored. How is it?
I'll try it once more... anyway...
Thanks
Rachmat Hidayat Al Anshar
Rachmat Hidayat Al Anshar wrote:
Hay ho Chris,
Thanks for replying.
First of all, I have referred to that link, but in another
discussion forum I found someone out there who says that...
" The traffic is being caught by the first rule, since the
connection probably isn't coming from the squid box. Before that rule,
you need to put in an ACCEPT for http packets aimed at the firewall box:
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
--dport 80 -j ACCEPT"..something like that...
I have been trying many times, and I still can't solve this problem.
Is it about compile options?
What command do I have to issue to find out what configure
options squid was compiled with the first time???
Can we re-compile squid? If so, what should I do?
Thanks in advance
Rachmat Hidayat Al Anshar
----- Original Message ----
From: Chris Zhang
To: Rachmat Hidayat Al Anshar
Cc: linux@xxxxxxxxxxxxxxx
Sent: Wednesday, January 9, 2008 7:11:46 PM
Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
Hi Rachmat,
Maybe you want to try it again without this line
'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
Also I think you will have to change the squid.conf file (see
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
Chris
Rachmat Hidayat Al Anshar wrote:
Hi all...
I am doing research deploying a transparent single-homed host proxy
server on my virtual network. My squid box is not on the same box
where the firewall is applied. I have no idea how to set up the
iptables running on the firewall, so that I can redirect all clients' web
requests to my proxy box, and make it the only host on the network that may
request web services through the firewall to the Internet...???
INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
                                ^
                                |
                                v
                           squid web proxies
I try to use this following firewall script...
#!/bin/sh
# Firewall Script
###############################################################
### interfaces
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=10.1.1.0/24
### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
### Set the default policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Loopback device OK
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
### Allow all Internal traffic to Server
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
and the result is:
- the client's web browser ignores the squid proxy;
the http service is passing directly through the firewall
All responses will be greatly appreciated.
Thanks in advance (^^,)
Rachmat Hidayat Al Anshar
--
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.