Hi Jeffries...

Your thought was incorrect, I still got that message somehow. The commands:

iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128
iptables -A FORWARD -s $SQUID --dport 80 -j ACCEPT

I am using the squid that comes (by default) with Trustix Secure Linux 3.0

I am thinking about...
- Do I have to recompile the kernel to suit my needs?
- In these following command lines
  iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
  iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
  iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
  that are applied to the firewall box only. Will the squid box "understand" that it has to send all web services (generated by clients and redirected by the firewall box) back to the firewall and vice versa??? Is there nothing to do on the squid box for this task?
- I don't know why this transparent proxy became so difficult, what should I do guys???

Thanks in advance
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
> Cc: squid cache <squid-users@xxxxxxxxxxxxxxx>
> Sent: Friday, January 11, 2008 10:06:02 AM
> Subject: Re: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Rachmat Hidayat Al Anshar wrote:
> > Hi Amos...
> >
> > Mmmm...it's giving feedback after I issue "iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT"
> > it says "unknown arg --dport", maybe the FORWARD chain can't proceed without any other
> > switch (parameter)...
>
> Hmm, arg. I think after a closer look all I can think of is I got the
> parameter order wrong :-(
> It should probably be -s then --dport
>
> Sorry
> Amos
>
> >
> > Thanks
> > Rachmat Hidayat Al Anshar
> >
> > ----- Original Message ----
> >> From: Amos Jeffries
> >> To: Rachmat Hidayat Al Anshar
> >> Cc: squid cache
> >> Sent: Thursday, January 10, 2008 7:45:44 PM
> >> Subject: Re: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>
> >> Rachmat Hidayat Al Anshar wrote:
> >>> I am stuck and confused...
> >>> I have no idea with this...
> >>> I am trying to configure the iptables only with these following commands
> >>> (with default policy set to ACCEPT)
> >>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>
> >>> note:
> >>> - eth0 -> internal device
> >>
> >> Try JUST this (one command to a line, I've split them so wrapping can
> >> be seen clearly):
> >>
> >> SQUID=10.0.0.0 - or whatever the squid box IP is.
> >>
> >> iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128
> >>
> >> iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
> >>
> >> iptables -A FORWARD --dport 80 -j REJECT
> >>
> >> Amos
> >>
> >>> My proxy box was ignored...
> >>> I have configured squid with some access control, to block some words, domains, and IPs.
> >>> I tested accessing the web from a box outside the network, here's the result:
> >>> - the sites were opened successfully
> >>> - when I try adding a "blocked word" (such as "porn")..
> >>> the sites also successfully open the page...
> >>> Squid was ignored...
> >>> What should I do...
> >>> Help me guys...
> >>>
> >>> Thanks
> >>> Rachmat Hidayat Al Anshar
> >>>
> >>> ----- Original Message ----
> >>>> From: Rachmat Hidayat Al Anshar
> >>>> To: squid cache
> >>>> Cc: Chris Zhang
> >>>> Sent: Thursday, January 10, 2008 3:50:24 PM
> >>>> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>>
> >>>> ----- Original Message ----
> >>>>> From: Chris Zhang
> >>>>> To: Rachmat Hidayat Al Anshar
> >>>>> Sent: Thursday, January 10, 2008 2:12:48 PM
> >>>>> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>>>
> >>>>> Hi Rachmat,
> >>>>>
> >>>>> Did you take that line out and then try it again and it still
> >>>>> didn't work?
> >>>>
> >>>> Yes I did, I have done with it, and the proxy box is still ignored
> >>>>
> >>>>> I don't think you need to recompile Squid, you need to change the
> >>>>> /etc/squid.conf file as suggested by the link I pointed you to. More
> >>>>> specifically, make sure you have these lines,
> >>>>>
> >>>>> * httpd_accel_host virtual
> >>>>> * httpd_accel_port 80
> >>>>> * httpd_accel_with_proxy on
> >>>>> * httpd_accel_uses_host_header on
> >>>>>
> >>>> I also finished with it...
> >>>>
> >>>>> Also I am a bit confused with the setup you had there. Does your
> >>>>> squid machine have a public IP? My understanding is that all your
> >>>>> computers that are behind the firewall are NATed, this also includes
> >>>>> your Squid.
> >>>>
> >>>> All of this is deployed at vmware, the virtual environment.
> >>>> It is only an example of a public environment. And you're
> >>>> correct, my squid box is located behind the firewall (which also acts as the NAT device).
> >>>>
> >>>>> The idea with a transparent proxy is that you configure all client
> >>>>> computers to use the gateway, on the gateway you have rules which say
> >>>>> if the outgoing port is port 80, and the traffic is coming from your
> >>>>> client machines, redirect that traffic to your Squid machine on port 3128.
> >>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport
> >>>>> 80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in
> >>>>> your case this traffic originates from the clients), and if the
> >>>>> destination port is port 80, protocol is tcp, accept it.
> >>>>
> >>>> Yep, it's correct.
> >>>> ### Squid Transparent Proxy
> >>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>>>
> >>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>>
> >>>>> But you really want this line 'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport
> >>>>> 80 -j DNAT --to squid-box:3128' which is the line after the first line.
> >>>>> The result of having this first line before the second line (iptables
> >>>>> -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT
> >>>>> --to squid-box:3128) is that the second line will never catch any traffic.
> >>>>> Please see
> >>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 . It
> >>>>> is exactly what you need.
> >>>>>
> >>>>> Chris
> >>>>>
> >>>> I have done the following steps on this
> >>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
> >>>> But my proxy is still ignored. How is it?
> >>>> I'll try it once more...anyway...
> >>>>
> >>>> Thanks
> >>>> Rachmat Hidayat Al Anshar
> >>>>
> >>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>> Hay ho Chris,
> >>>>>> Thanks for replying.
> >>>>>>
> >>>>>> First of all, I have referred to that link, but in another discussion
> >>>>>> forum I found someone out there who says that...
> >>>>>> "The traffic is being caught by the first rule, since the connection
> >>>>>> probably isn't coming from the squid box. Before that rule, you need
> >>>>>> to put in an ACCEPT for http packets aimed at the firewall box:
> >>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> >>>>>> --dport 80 -j ACCEPT"..something like that...
> >>>>>> I have been trying many times, and I still can't solve this problem.
> >>>>>> Is it about compiling options?
> >>>>>> What command do I have to issue to find out what configure
> >>>>>> options squid was compiled with the first time???
> >>>>>> Can we re-compile squid? If so, what should I do?
> >>>>>>
> >>>>>> Thanks in advance
> >>>>>> Rachmat Hidayat Al Anshar
> >>>>>>
> >>>>>> ----- Original Message ----
> >>>>>>> From: Chris Zhang
> >>>>>>> To: Rachmat Hidayat Al Anshar
> >>>>>>> Cc: linux@xxxxxxxxxxxxxxx
> >>>>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
> >>>>>>> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>>>>>
> >>>>>>> Hi Rachmat,
> >>>>>>>
> >>>>>>> Maybe you want to try it again without this line
> >>>>>>>
> >>>>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >>>>>>>
> >>>>>>> Also I think you will have to change the squid.conf file (see
> >>>>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >>>>>>>
> >>>>>>> Chris
> >>>>>>>
> >>>>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>>>> Hi all...
> >>>>>>>>
> >>>>>>>> I am on my research deploying a transparent single-homed host proxy
> >>>>>>>> server on my virtual network. My squid box is not on the same box
> >>>>>>>> where the firewall is applied. I don't have any idea how to set up the
> >>>>>>>> iptables running on the firewall, so I can redirect all clients' web
> >>>>>>>> requests to my proxy box, and make it the only host on the network
> >>>>>>>> that may request web services through the firewall to the Internet...???
> >>>>>>>>
> >>>>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> >>>>>>>>                                 ^
> >>>>>>>>                                 |
> >>>>>>>>                                 v
> >>>>>>>>                             squid web
> >>>>>>>>                              proxies
> >>>>>>>>
> >>>>>>>> I try to use this following firewall script...
> >>>>>>>>
> >>>>>>>> #!/bin/sh
> >>>>>>>> # Firewall Script
> >>>>>>>> ###############################################################
> >>>>>>>> ### interfaces
> >>>>>>>> EXT_DEV=eth0
> >>>>>>>> INT_DEV=eth1
> >>>>>>>> INT_NET=10.1.1.0/24
> >>>>>>>>
> >>>>>>>> ### Loading firewall modules
> >>>>>>>> modprobe ip_conntrack
> >>>>>>>> modprobe ip_conntrack_ftp
> >>>>>>>>
> >>>>>>>> ###############################################################
> >>>>>>>> ### Enable Packet Forwarding
> >>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>>>>>
> >>>>>>>> ### Remove all previous rules, and delete any user defined chains
> >>>>>>>> iptables -F
> >>>>>>>> iptables -X
> >>>>>>>> iptables -t nat -F
> >>>>>>>> iptables -t nat -X
> >>>>>>>>
> >>>>>>>> ### Set the default policies to drop
> >>>>>>>> iptables -P INPUT DROP
> >>>>>>>> iptables -P OUTPUT DROP
> >>>>>>>> iptables -P FORWARD DROP
> >>>>>>>>
> >>>>>>>> ### Loopback device OK
> >>>>>>>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> >>>>>>>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>>>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Allow all Internal traffic to Server
> >>>>>>>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
> >>>>>>>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> >>>>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> >>>>>>>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Squid Transparent Proxy
> >>>>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>>>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>>>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>>>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>>>>>>
> >>>>>>>> and the result is:
> >>>>>>>> - the client's web browser ignores the squid proxy
> >>>>>>>> the http service is directly passing through the firewall
> >>>>>>>>
> >>>>>>>> All responses will be greatly appreciated.
> >>>>>>>>
> >>>>>>>> Thanks in advance (^^,)
> >>>>>>>> Rachmat Hidayat Al Anshar
> >>>>>>>>
> >>
> >> --
> >> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> >> There are serious security advisories out on all earlier releases.
> >>
>
> --
> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.
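The rule set this thread keeps circling, written out as an added example (not code from any of the posters) for the single-homed topology of HOWTO section 6: Squid on the same LAN as the clients, and the firewall doing both the redirect and the NAT. The interface name, the firewall, Squid and network addresses are assumed values, and the rules assume the FORWARD chain has no earlier blanket ACCEPT for the LAN. It prints the rules for review, lints each one for a `--dport` without `-p tcp` (the cause of an "unknown arg --dport" error), and only applies them when run with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rules on the firewall for a
# single-homed Squid box that sits on the same LAN as the clients.  All
# interface names and addresses are assumed values; adjust before applying.
FW_INT_DEV=eth0        # firewall's LAN-facing interface (eth0 in the thread)
FW_BOX=10.1.1.1        # firewall's own LAN address (the HOWTO's iptables-box)
SQUID_BOX=10.1.1.10    # Squid host on the client LAN (the HOWTO's squid-box)
LOCAL_NET=10.1.1.0/24  # client network
SQUID_PORT=3128

# Emit the rule set one command per line so it can be reviewed (or compared
# with the output of iptables-save) before anything is changed.
proxy_rules() {
    # 1. Web requests addressed to the firewall itself are left alone.
    echo "iptables -t nat -A PREROUTING -i $FW_INT_DEV -d $FW_BOX -p tcp --dport 80 -j ACCEPT"
    # 2. Everyone else's port-80 traffic is redirected to Squid.  Squid's own
    #    fetches are excluded, otherwise they would be redirected back to it.
    echo "iptables -t nat -A PREROUTING -i $FW_INT_DEV ! -s $SQUID_BOX -p tcp --dport 80 -j DNAT --to-destination $SQUID_BOX:$SQUID_PORT"
    # 3. Squid shares the LAN with the clients, so it would answer them
    #    directly and the firewall would never see the reply to un-NAT it.
    #    Rewriting the source to the firewall makes Squid reply via the firewall.
    echo "iptables -t nat -A POSTROUTING -o $FW_INT_DEV -s $LOCAL_NET -d $SQUID_BOX -p tcp --dport $SQUID_PORT -j SNAT --to-source $FW_BOX"
    # 4. The redirected connection enters and leaves on the same interface.
    echo "iptables -A FORWARD -i $FW_INT_DEV -o $FW_INT_DEV -s $LOCAL_NET -d $SQUID_BOX -p tcp --dport $SQUID_PORT -j ACCEPT"
    # 5. Only Squid may reach port 80 beyond the firewall; anyone else is
    #    refused rather than silently allowed to bypass the proxy.
    echo "iptables -A FORWARD -i $FW_INT_DEV -s $SQUID_BOX -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A FORWARD -i $FW_INT_DEV -p tcp --dport 80 -j REJECT"
}

# --dport/--sport belong to the tcp/udp match, so a rule that uses them
# without "-p tcp" or "-p udp" is rejected by iptables with "unknown arg".
rule_ok() {
    case "$1" in
        *--dport*|*--sport*)
            case "$1" in *"-p tcp"*|*"-p udp"*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;
    esac
}

# Lint every rule first; apply the set only if all of them pass.
apply_rules() {
    proxy_rules | while IFS= read -r rule; do
        rule_ok "$rule" || { echo "refusing bad rule: $rule" >&2; exit 1; }
    done || return 1
    proxy_rules | while IFS= read -r rule; do $rule; done
}

if [ "${1:-}" = apply ]; then apply_rules; else proxy_rules; fi
```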