
Re: Re: [help] setting up firewall policy for transparent (single-homed host) proxy


 



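// Yahoo! Mail "Shortcuts" annotation blob that the sender's mail client embedded
// in the message and the list archive flattened into the mail body.
//
// Fix: the archive's auto-linker appended a stray `;` after every mailto:/http
// string value (e.g. `"linkHref": "mailto:...";,`), which makes the script a
// SyntaxError. Those `;` are removed; all values are reproduced unchanged.
//
// Note for readers of the public archive: besides the link annotations this
// blob carries per-message metadata (document_author, hasSensitiveText /
// sensitivityType — presumably an automatic content classification, exact
// trigger not visible here) that the sender most likely never intended to
// publish. It is inert data, not something the archive page executes.
//
// `var` is kept deliberately: in a classic browser script it creates the
// global `YAHOO` property that the Yahoo Shortcuts loader looks up; `const`
// would not.
var YAHOO = { Shortcuts: {} };
YAHOO.Shortcuts.hasSensitiveText = true;
YAHOO.Shortcuts.sensitivityType = ["adult"];
YAHOO.Shortcuts.doUlt = false;
YAHOO.Shortcuts.location = "us";
YAHOO.Shortcuts.document_id = 0;
YAHOO.Shortcuts.document_type = "";
YAHOO.Shortcuts.document_title = "Re:  Re: [help] setting up firewall policy for transparent (single-homed host) proxy";
YAHOO.Shortcuts.document_publish_date = "";
YAHOO.Shortcuts.document_author = "rachmat_hidayat_03@xxxxxxxxx";
YAHOO.Shortcuts.document_url = "";
YAHOO.Shortcuts.document_tags = "";
// Each entry: the annotated text, its character span in the message
// (startchar/endchar and start/end carry the same numbers here), the
// classifier's guess and weight, the Shortcuts type/category, a snippet of
// surrounding context, and link metadata for rendering.
YAHOO.Shortcuts.annotationSet = {
  lw_1200282841_0: {
    text: "squid3@xxxxxxxxxxxxx",
    extended: 0, startchar: 1307, endchar: 1326, start: 1307, end: 1326,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/mailto"],
    category: ["IDENTIFIER"],
    context: "Original Message From Amos Jeffries squid3@xxxxxxxxxxxxx To Rachmat Hidayat Al Anshar",
    metaData: {
      linkHref: "mailto:squid3@xxxxxxxxxxxxx",
      linkProtocol: "mailto",
      linkYmailto: "mailto:squid3@xxxxxxxxxxxxx",
    },
  },
  lw_1200282841_1: {
    text: "rachmat_hidayat_03@xxxxxxxxx",
    extended: 0, startchar: 1470, endchar: 1497, start: 1470, end: 1497,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/mailto"],
    category: ["IDENTIFIER"],
    context: "To Rachmat Hidayat Al Anshar rachmat_hidayat_03@xxxxxxxxx Cc squid cache squid-users@xxxxxxxxxxxxxxx Sent",
    metaData: {
      linkHref: "mailto:rachmat_hidayat_03@xxxxxxxxx",
      linkProtocol: "mailto",
      linkYmailto: "mailto:rachmat_hidayat_03@xxxxxxxxx",
    },
  },
  lw_1200282841_2: {
    text: "squid-users@xxxxxxxxxxxxxxx",
    extended: 0, startchar: 1625, endchar: 1651, start: 1625, end: 1651,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/mailto"],
    category: ["IDENTIFIER"],
    context: "Anshar rachmat_hidayat_03@xxxxxxxxx Cc squid cache squid-users@xxxxxxxxxxxxxxx Sent Friday January 11 2008",
    metaData: {
      linkHref: "mailto:squid-users@xxxxxxxxxxxxxxx",
      linkProtocol: "mailto",
      linkYmailto: "mailto:squid-users@xxxxxxxxxxxxxxx",
    },
  },
  lw_1200282841_3: {
    text: "http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3",
    extended: 0, startchar: 11552, endchar: 11614, start: 11552, end: 11614,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "catch any traffic Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 It is exactly what you",
    metaData: {
      linkHref: "http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_4: {
    text: "http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6",
    extended: 0, startchar: 12110, endchar: 12169, start: 12110, end: 12169,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "done following steps on this http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6 But my proxy still ignored",
    metaData: {
      linkHref: "http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_5: {
    text: "linux@xxxxxxxxxxxxxxx",
    extended: 0, startchar: 14987, endchar: 15007, start: 14987, end: 15007,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/mailto"],
    category: ["IDENTIFIER"],
    context: "Rachmat Hidayat Al Anshar Cc linux@xxxxxxxxxxxxxxx Sent Wednesday January 9 2008",
    metaData: {
      linkHref: "mailto:linux@xxxxxxxxxxxxxxx",
      linkProtocol: "mailto",
      linkYmailto: "mailto:linux@xxxxxxxxxxxxxxx",
    },
  },
  lw_1200282841_6: {
    text: "http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3",
    extended: 0, startchar: 16268, endchar: 16330, start: 16268, end: 16330,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "to change squid.conf file see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 Chris Rachmat Hidayat Al Anshar",
    metaData: {
      linkHref: "http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_7: {
    text: "rachmat_hidayat_03@xxxxxxxxx",
    extended: 0, startchar: 17924, endchar: 17951, start: 17924, end: 17951,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/mailto"],
    category: ["IDENTIFIER"],
    context: "single-homed host proxy YAHOO.Shortcuts.document_publish_date YAHOO.Shortcuts.document_author rachmat_hidayat_03@xxxxxxxxx YAHOO.Shortcuts.document_url YAHOO.Shortcuts.document_tags YAHOO.Shortcuts.annotationSet lw_1199853885_0 text",
    metaData: {
      linkHref: "mailto:rachmat_hidayat_03@xxxxxxxxx",
      linkProtocol: "mailto",
      linkYmailto: "mailto:rachmat_hidayat_03@xxxxxxxxx",
    },
  },
  lw_1200282841_8: {
    text: "Yahoo! Mobile",
    extended: 0, startchar: 18299, endchar: 18311, start: 18299, end: 18311,
    extendedFrom: "", predictedCategory: "PLACE", predictionProbability: "0.291087", weight: 0.494954,
    type: ["shortcuts:/us/instance/organization/company/yahoo_property"],
    category: ["ORGANIZATION"],
    context: "YAHOO.Shortcuts.document_url YAHOO.Shortcuts.document_tags YAHOO.Shortcuts.annotationSet lw_1199853885_0 text Yahoo Mobile extended 0 startchar 1530 endchar",
    metaData: {
      yprop_name: "Yahoo! Mobile",
      yprop_url: "http://mobile.yahoo.com/",
    },
  },
  lw_1200282841_9: {
    text: "Yahoo! Mobile",
    extended: 0, startchar: 19905, endchar: 19917, start: 19905, end: 19917,
    extendedFrom: "", predictedCategory: "ORGANIZATION", predictionProbability: "0.255015", weight: 0.494954,
    type: ["shortcuts:/us/instance/organization/company/yahoo_property"],
    category: ["ORGANIZATION"],
    context: "Try it now metaData yprop_name Yahoo Mobile yprop_url http://mobile.yahoo.com Hi all I",
    metaData: {
      yprop_name: "Yahoo! Mobile",
      yprop_url: "http://mobile.yahoo.com/",
    },
  },
  lw_1200282841_10: {
    text: "http://mobile.yahoo.com/",
    extended: 0, startchar: 20026, endchar: 20049, start: 20026, end: 20049,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "",
    metaData: {
      linkHref: "http://mobile.yahoo.com/",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_11: {
    text: "Yahoo! Mobile",
    extended: 0, startchar: 30644, endchar: 30656, start: 30644, end: 30656,
    extendedFrom: "", predictedCategory: "ORGANIZATION", predictionProbability: "0.679211", weight: 0.35,
    type: ["shortcuts:/us/instance/organization/company/yahoo_property"],
    category: ["ORGANIZATION"],
    context: "friend newshound and know-it-all with Yahoo Mobile Try it now Never miss",
    metaData: {
      yprop_name: "Yahoo! Mobile",
      yprop_url: "http://mobile.yahoo.com/",
    },
  },
  lw_1200282841_12: {
    text: "http://www.yahoo.com/r/hs",
    extended: 0, startchar: 31569, endchar: 31593, start: 31569, end: 31593,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "Make Yahoo your home page http://www.yahoo.com/r/hs Be a better friend newshound",
    metaData: {
      linkHref: "http://www.yahoo.com/r/hs",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_13: {
    text: "Yahoo! Mobile",
    extended: 0, startchar: 32203, endchar: 32215, start: 32203, end: 32215,
    extendedFrom: "", predictedCategory: "ORGANIZATION", predictionProbability: "0.679211", weight: 0.494954,
    type: ["shortcuts:/us/instance/organization/company/yahoo_property"],
    category: ["ORGANIZATION"],
    context: "friend newshound and know-it-all with Yahoo Mobile Try it now http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ Never",
    metaData: {
      yprop_name: "Yahoo! Mobile",
      yprop_url: "http://mobile.yahoo.com/",
    },
  },
  lw_1200282841_14: {
    text: "http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
    extended: 0, startchar: 32410, endchar: 32467, start: 32410, end: 32467,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "Yahoo Mobile Try it now http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ Never miss a thing Make",
    metaData: {
      linkHref: "http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_15: {
    text: "http://www.yahoo.com/r/hs",
    extended: 0, startchar: 32977, endchar: 33001, start: 32977, end: 33001,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "Make Yahoo your home page http://www.yahoo.com/r/hs Never miss a thing Make",
    metaData: {
      linkHref: "http://www.yahoo.com/r/hs",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_16: {
    text: "http://www.yahoo.com/r/hs",
    extended: 0, startchar: 33442, endchar: 33466, start: 33442, end: 33466,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "Make Yahoo your home page http://www.yahoo.com/r/hs Please use Squid 2.6STABLE17 or",
    metaData: {
      linkHref: "http://www.yahoo.com/r/hs",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_17: {
    text: "Yahoo! Mobile",
    extended: 0, startchar: 33981, endchar: 33993, start: 33981, end: 33993,
    extendedFrom: "", predictedCategory: "ORGANIZATION", predictionProbability: "0.679211", weight: 0.35,
    type: ["shortcuts:/us/instance/organization/company/yahoo_property"],
    category: ["ORGANIZATION"],
    context: "friend newshound and know-it-all with Yahoo Mobile Try it now http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ Please",
    metaData: {
      yprop_name: "Yahoo! Mobile",
      yprop_url: "http://mobile.yahoo.com/",
    },
  },
  lw_1200282841_18: {
    text: "http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
    extended: 0, startchar: 34125, endchar: 34182, start: 34125, end: 34182,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "Yahoo Mobile Try it now http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ Please use Squid 2.6STABLE17 or",
    metaData: {
      linkHref: "http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
  lw_1200282841_19: {
    text: "Yahoo! Mobile",
    extended: 0, startchar: 34577, endchar: 34589, start: 34577, end: 34589,
    extendedFrom: "", predictedCategory: "ORGANIZATION", predictionProbability: "0.679211", weight: 0.35,
    type: ["shortcuts:/us/instance/organization/company/yahoo_property"],
    category: ["ORGANIZATION"],
    context: "friend newshound and know-it-all with Yahoo Mobile Try it now http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
    metaData: {
      yprop_name: "Yahoo! Mobile",
      yprop_url: "http://mobile.yahoo.com/",
    },
  },
  lw_1200282841_20: {
    text: "http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
    extended: 0, startchar: 34701, endchar: 34758, start: 34701, end: 34758,
    extendedFrom: "", predictedCategory: "", predictionProbability: "0", weight: 1,
    type: ["shortcuts:/us/instance/identifier/hyperlink/http"],
    category: ["IDENTIFIER"],
    context: "Yahoo Mobile Try it now http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
    metaData: {
      linkHref: "http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ",
      linkProtocol: "http",
      linkTarget: "_blank",
    },
  },
};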

Hi Jeffries...

Your thought was incorrect, I still got that message somehow.
The commands

iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j 
DNAT --to $SQUID:3128

iptables -A FORWARD -s $SQUID --dport 80 -j ACCEPT

I am using the squid shipped (by default) with Trustix Secure Linux 3.0.
I am thinking about the following:
- Do I have to recompile the kernel to suit my needs?
- In this following command lines: 

        iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80
 -j DNAT --to squid-box:3128
        iptables -t nat -A POSTROUTING -o eth0 -s
 local-network -d squid-box -j SNAT --to iptables-box
        iptables -A FORWARD
 -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j
 ACCEPT

those apply to the firewall box only. Will the squid box "understand"
 that it has to send all web traffic
(generated by clients and redirected by the firewall box) back to the
 firewall, and vice versa?
Does the squid box not need to do anything for this task?

- I don't know why this transparent proxy setup has become so difficult; what should I
 do, guys?

Thanks in advance
Rachmat Hidayat Al Anshar



----- Original Message ----
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@xxxxxxxxx>
> Cc: squid cache <squid-users@xxxxxxxxxxxxxxx>
> Sent: Friday, January 11, 2008 10:06:02 AM
> Subject: Re:  Re: [help] setting up firewall policy for
 transparent (single-homed host) proxy
> 
> Rachmat Hidayat Al Anshar wrote:
> > Hi Amos...
> > 
> > Mmmm...its giving an feedback after I issuing " iptables -A
> FORWARD
> 
 --dport 80 -s $SQUID -j ACCEPT"
> > it says "unknown arg --dport", maybe the FORWARD chain can't
> proceed
> 
 without any other
> > switch (parameter)...
> 
> Hmm, arg. I think after a closer look all I can think of is I got the
 
> parameter order wrong :-(
> It should probably be -s then --dport
> 
> Sorry
> Amos
> 
> > 
> > Thanks 
> > Rachmat Hidayat Al Anshar
> > 
> > 
> > ----- Original Message ----
> >> From: Amos Jeffries 
> >> To: Rachmat Hidayat Al Anshar 
> >> Cc: squid cache 
> >> Sent: Thursday, January 10, 2008 7:45:44 PM
> >> Subject: Re:  Re: [help] setting up firewall policy
> for
> 
 transparent (single-homed host) proxy
> >>
> >> Rachmat Hidayat Al Anshar wrote:
> >>> I am stuck on confuse...
> >>> I have no idea with this...
> >>> I trying to configure the iptables only with this following
> command
> 
 
> >>> (with default policy set to ACCEPT)
> >>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp
> >> --dport
> >>
> >  80 -j DNAT --to squid-box:3128
> >> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d
 squid-box
> >> -j
> >>
> >  
> >> SNAT --to iptables-box
> >>
> >> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0
> >> -p
> >>
> >  tcp 
> >> --dport 3128 -j ACCEPT
> >>
> >> note:
> >>> - eth0 -> internal device
> >>
> >> Try JUST this (one command to a line, I've split them to wrapping
> >> can
> >>
> >  be 
> >> seen clearly):
> >>
> >> SQUID=10.0.0.0 - or whatever the squid box IP is.
> >>
> >> iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport
> 80
> 
 -j 
> >> DNAT --to $SQUID:3128
> >>
> >> iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
> >>
> >> iptables -A FORWARD --dport 80 -j REJECT
> >>
> >>
> >> Amos
> >>
> >>> My proxy box was ignored...
> >>> I have configured squid with some access control, to block
> >> some
> >>
> >  words, domains, an IPs.
> >>> I tested to access the web box outside the network, here's
> >> the
> >>
> >  result:
> >>> - the sites  was opened successfully
> >>> - when i try to adding a "blocked word" (such as "porn")..
> >>>   the sites also successfully open the page...
> >>> Squid was ignored...
> >>> What should I do...
> >>> Help me guys...
> >>>
> >>>
> >>> Thanks
> >>> Rachmat Hidayat Al Anshar
> >>>
> >>>
> >>>
> >>>
> >>> ----- Original Message ----
> >>>> From: Rachmat Hidayat Al Anshar 
> >>>> To: squid cache 
> >>>> Cc: Chris Zhang 
> >>>> Sent: Thursday, January 10, 2008 3:50:24 PM
> >>>> Subject:  Re: [help] setting up firewall policy
> >> for
> >>
> >  transparent (single-homed host) proxy
> >>>> ----- Original Message ----
> >>>>> From: Chris Zhang 
> >>>>> To: Rachmat Hidayat Al Anshar 
> >>>>> Sent: Thursday, January 10, 2008 2:12:48 PM
> >>>>> Subject: Re: [help] setting up firewall policy for
> >>>> transparent
> >>>>
> >>>  (single-homed host) proxy
> >>>>> Hi Rachmat,
> >>>>>
> >>>>>
> >>>>> Did you take that line out and then tried it again and it still
> >>>>> didn't work?
> >>>> Yes I do, I have done with it, and the proxy box still ignored
> >>>>
> >>>>> I don't think you need to recompile Squid, you need to change 
> >>>>> /etc/squid.conf file as suggested by the link I pointed to
> >> you.
> >>
> >  More 
> >>>>> specifically, make sure you have these lines,
> >>>>>
> >>>>>     * httpd_accel_host virtual
> >>>>>     * httpd_accel_port 80
> >>>>>     * httpd_accel_with_proxy on
> >>>>>     * httpd_accel_uses_host_header on
> >>>>>
> >>>> I also finish with it...
> >>>>
> >>>>> Also I am a bit confused with the setup you had there. Does
> >>>> your
> >>>>
> >>>  squid 
> >>>>> machine have a public IP? My understanding is that all your
> >>>> computers
> >>>>
> >>>  
> >>>>> that are behind the firewall are NATed, this also includes
> >>>> your
> >>>>
> >>>  Squid.
> >>>>  
> >>>> All of this deployed at vmware, the virtual environment. 
> >>>> There is only an example of public environment. And you're
> >>>> correct, my squid box located behind firewall (also act as
> >> nat
> >>
> >  device).
> >>>>> The idea with a transparent proxy is that you configure
> all
> 
 client 
> >>>>> computers to use the gateway, on the gateway you have rules
 which
> >>>>> say
> >>>>>
> >>>>  if 
> >>>>> the outgoing port is port 80, and the traffic is coming from
> >>>>> your
> >>>>>
> >>>>  client 
> >>>>> machines, redirect those traffic to your Squid machine on
> >> port
> >>
> >  3128.
> >>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> >>>>> --dport
> >>>>>
> >>>>  80 -j ACCEPT' is saying if the traffic is going INTO the
 gateway
> >>>>> (in
> >>>>>
> >>>>  your case these traffic originate from the clients), and if
> >>>>> the
> >>>>>
> >>>>  destination port is port 80, protocol is tcp, accept it.
> >>>>
> >>>> Yep, its correct. 
> >>>> ### Squid Transparent Proxy
> >>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> >> --dport
> >>
> >  80
> >>>>  -j ACCEPT
> >>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp
> >> --dport
> >>
> >  80
> >>>>  -j DNAT --to squid-box:3128
> >>>>
> >>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d
> >> squid-box
> >>
> >  -j
> >>>>  SNAT --to iptables-box
> >>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o
> eth0
> 
 -p
> >>>>  tcp --dport 3128 -j ACCEPT
> >>>>
> >>>>> But you really want this line '
> >>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p
> tcp
> 
 --dport
> >>>>> 80
> >>>>>
> >>>>  -j DNAT --to squid-box:3128' which is the line after the
> >> first
> >>
> >  line.
> >>>>> The result of having this first line before the second line (
> >>>>> iptables
> >>>>>
> >>>>  -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80
 -j
> >>>>> DNAT
> >>>>>
> >>>>  --to squid-box:3128 ) is that the second line will never catch
> >>>>> any
> >>>>>
> >>>>  traffic.
> >>>>> Please
> >>>>> see
> >>>>>
> >>>>  http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3
> >> .
> >>
> >  It
> >>>>> is
> >>>>>
> >>>>  exactly what you need.
> >>>>> Chris
> >>>>>
> >>>>>
> >>>> I have done following steps on
> >>>> this
> >>>>
> >>>  http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
> >>>> But my proxy still ignored. How is it?
> >>>> I'll try it once more...anyway...
> >>>>
> >>>> Thanks
> >>>> Rachmat Hidayat Al Anshar
> >>>>
> >>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>> Hay ho Chris, 
> >>>>>> Thanks for replying.
> >>>>>>
> >>>>>> First of all, I have reference to that link, but in other
> >>>>> disscussion
> >>>>>
> >>>>  forum
> >>>>>> I found someone out there says that...
> >>>>>> " The traffic is being caught by the first rule, since
> >>>> the
> >>>>
> >>>  connection
> >>>>>> probably isn't coming from the squid box.  Before that rule,
> >>>> you
> >>>>
> >>>  need
> >>>>>> to put in an ACCEPT for http packets aimed at the firewall
 box:
> >>>>>>   iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
 \
> >>>>>>     --dport 80 -j ACCEPT"..something like that...
> >>>>>>  I have been trying for many times, and I still can't solve
> >>>>> this
> >>>>>
> >>>>  problem.
> >>>>>> Is it about compiling options,  
> >>>>>> What command that I have to issue to get informed,
> what
> 
 configure
> >>>>>> option that squid used to compile at compiling process for a
> >>>>> first
> >>>>>
> >>>>  time???
> >>>>>> Can we re-compile squid? If so, what should I do?
> >>>>>>
> >>>>>> Thanks in advance
> >>>>>> Rachmat Hidayat Al Anshar
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message ----
> >>>>>>   
> >>>>>>> From: Chris Zhang 
> >>>>>>> To: Rachmat Hidayat Al Anshar 
> >>>>>>> Cc: linux@xxxxxxxxxxxxxxx
> >>>>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
> >>>>>>> Subject: Re: [clug] [help] setting up firewall policy
> >>>>> for
> >>>>>
> >>>>  transparent (single-homed host) proxy
> >>>>>>> Hi Rachmat,
> >>>>>>>
> >>>>>>>
> >>>>>>> Maybe you want to try it again without this line
> >>>>>>>
> >>>>>>>
> >>>>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> >>>>>>> --dport
> >>>>>>>
> >>>>>>>     
> >>>>>>  80 
> >>>>>>   
> >>>>>>> -j ACCEPT'
> >>>>>>>
> >>>>>>>
> >>>>>>> Also I think you will have to change squid.conf file (see 
> >>>>>>>
> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3
> 
 )
> >>>>>>>
> >>>>>>>
> >>>>>>> Chris
> >>>>>>>
> >>>>>>>
> >>>>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>>>     
> >>>>>>>> var YAHOO = {'Shortcuts' : {}};
> >>>>>>>> YAHOO.Shortcuts.hasSensitiveText = false;
> >>>>>>>> YAHOO.Shortcuts.sensitivityType = [];
> >>>>>>>> YAHOO.Shortcuts.doUlt = false;
> >>>>>>>> YAHOO.Shortcuts.location = "us";
> >>>>>>>> YAHOO.Shortcuts.document_id = 0;
> >>>>>>>> YAHOO.Shortcuts.document_type = "";
> >>>>>>>> YAHOO.Shortcuts.document_title = "[help] setting up firewall
> >>>>>>>>       
> >>>>>>> policy
> >>>>>>>
> >>>>>>>     
> >>>>>>  for transparent (single-homed host) proxy";
> >>>>>>   
> >>>>>>>> YAHOO.Shortcuts.document_publish_date = "";
> >>>>>>>> YAHOO.Shortcuts.document_author
> >> =
> >>
> >  "rachmat_hidayat_03@xxxxxxxxx";
> >>>>>>>> YAHOO.Shortcuts.document_url = "";
> >>>>>>>> YAHOO.Shortcuts.document_tags = "";
> >>>>>>>> YAHOO.Shortcuts.annotationSet = {
> >>>>>>>> "lw_1199853885_0": {
> >>>>>>>> "text": "Yahoo! Mobile",
> >>>>>>>> "extended": 0,
> >>>>>>>> "startchar": 1530,
> >>>>>>>> "endchar": 1542,
> >>>>>>>> "start": 1530,
> >>>>>>>> "end": 1542,
> >>>>>>>> "extendedFrom": "",
> >>>>>>>> "predictedCategory": "ORGANIZATION",
> >>>>>>>> "predictionProbability": "0.679211",
> >>>>>>>> "weight": 0.661212,
> >>>>>>>>
> >>>>>>>>       
> >>>>>>> "type":
> >>>>>>>
> >>>>>>>     
> >>>>>>
  ["shortcuts:/us/instance/organization/company/yahoo_property"],
> >>>>>>   
> >>>>>>>> "category": ["ORGANIZATION"],
> >>>>>>>> "context": "friend newshound and know-it-all with Yahoo
> >>>> Mobile
> >>>>
> >>>  Try
> >>>>>>>>       
> >>>>>>> it
> >>>>>>>
> >>>>>>>     
> >>>>>>  now",
> >>>>>>   
> >>>>>>>> "metaData": {
> >>>>>>>> "yprop_name": "Yahoo! Mobile",
> >>>>>>>> "yprop_url": "http://mobile.yahoo.com/";
> >>>>>>>> }
> >>>>>>>>  }
> >>>>>>>> };
> >>>>>>>>
> >>>>>>>> Hi all...
> >>>>>>>>
> >>>>>>>> I am on my research deploying a transparent single-homed
> >>>> host
> >>>>
> >>>  proxy
> >>>>>>>>  server on my virtual network. My squid box is not on the
 same
> >>>>>>>>       
> >>>>>>> box
> >>>>>>>
> >>>>>>>     
> >>>>>>  where the
> >>>>>>   
> >>>>>>>>  firewall applied.  I didn't have any idea how to set up the
> >>>>>>>>       
> >>>>>>> iptables
> >>>>>>>
> >>>>>>>     
> >>>>>>  running on
> >>>>>>   
> >>>>>>>>  the firewall, so I can redirect all client's web request
> to
> 
 my
> >>>>>>>>       
> >>>>>>> proxy
> >>>>>>>
> >>>>>>>     
> >>>>>>  box,
> >>>>>>   
> >>>>>>>>  and make it as the only host on the network may request web
> >>>>>>>>       
> >>>>>>> services
> >>>>>>>
> >>>>>>>     
> >>>>>>  through
> >>>>>>   
> >>>>>>>>  firewall to the Internet...???
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT
> DEV<--->
> 
 INTRANET
> >>>>>>>>                                  ^
> >>>>>>>>                                 |
> >>>>>>>>                                  v
> >>>>>>>>                        
> >>>>>>>>        squid web
> >>>>>>>>                               proxies
> >>>>>>>>
> >>>>>>>> I try to use this following firewall script...
> >>>>>>>>                                                         
> >>>>>>>> #!/bin/sh
> >>>>>>>> # Firewall Script
> >>>>>>>>
> 
 ###############################################################
> >>>>>>>> ### interfaces 
> >>>>>>>> EXT_DEV=eth0
> >>>>>>>> INT_DEV=eth1
> >>>>>>>> INT_NET=10.1.1.0/24
> >>>>>>>>
> >>>>>>>> ### Loading firewall modules
> >>>>>>>> modprobe ip_conntrack
> >>>>>>>> modprobe ip_conntrack_ftp
> >>>>>>>>
> >>>>>>>>
> 
 ###############################################################
> >>>>>>>> ### Enable Packet Forwarding
> >>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>>>>>
> >>>>>>>> ### Remove all previous rules, and delete any user
> >> defined
> >>
> >  chains
> >>>>>>>> iptables -F
> >>>>>>>> iptables -X
> >>>>>>>> iptables -t nat -F
> >>>>>>>> iptables -t nat -X
> >>>>>>>>
> >>>>>>>> ### Set the default policies to drop
> >>>>>>>> iptables -P INPUT   DROP
> >>>>>>>> iptables -P OUTPUT  DROP
> >>>>>>>> iptables -P FORWARD DROP
> >>>>>>>>
> >>>>>>>> ### Loopback device OK
> >>>>>>>> iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8
> -j
> 
 ACCEPT
> >>>>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8
> -j
> 
 ACCEPT
> >>>>>>>>
> >>>>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> >>>>>>>> iptables -A INPUT   -p icmp --icmp-type any -j ACCEPT
> >>>>>>>> iptables -A OUTPUT  -p icmp --icmp-type any -j ACCEPT
> >>>>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Allow all Internal traffic to Server
> >>>>>>>> iptables -A INPUT  -i $INT_DEV -s $INT_NET -d $INT_NET
> -j
> 
 ACCEPT
> >>>>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET
> -j
> 
 ACCEPT
> >>>>>>>>
> >>>>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
> >>>>>>>> iptables -A OUTPUT  -o $EXT_DEV -j ACCEPT
> >>>>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection
> >>>>>>>>       
> >>>>>>> already
> >>>>>>>
> >>>>>>>     
> >>>>>>  exists (See "NEW" Inbound Rules)
> >>>>>>   
> >>>>>>>> iptables -A INPUT   -i $EXT_DEV -m state --state
> >>>>>>>>       
> >>>>>>> RELATED,ESTABLISHED
> >>>>>>>
> >>>>>>>     
> >>>>>>  -j ACCEPT
> >>>>>>   
> >>>>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state
> >>>>>>>>       
> >>>>>>> RELATED,ESTABLISHED
> >>>>>>>
> >>>>>>>     
> >>>>>>  -j ACCEPT
> >>>>>>   
> >>>>>>>> ### Squid Transparent Proxy
> >>>>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> >>>>>>>>       
> >>>>>>> --dport
> >>>>>>>
> >>>>>>>     
> >>>>>>  80 -j ACCEPT
> >>>>>>   
> >>>>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp
> >>>>>>>>       
> >>>>>>> --dport
> >>>>>>>
> >>>>>>>     
> >>>>>>  80 -j DNAT --to squid-box:3128
> >>>>>>   
> >>>>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d
> >>>>>>>>       
> >>>>>>> squid-box
> >>>>>>>
> >>>>>>>     
> >>>>>>  -j SNAT --to iptables-box
> >>>>>>   
> >>>>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0
> >> -o
> >>
> >  eth0
> >>>>>>>>       
> >>>>>>> -p
> >>>>>>>
> >>>>>>>     
> >>>>>>  tcp --dport 3128 -j ACCEPT
> >>>>>>   
> >>>>>>>> and the result is:
> >>>>>>>> - client's web browser ignore the squid proxy
> >>>>>>>>   the http service is directly passing through the firewall
> >>>>>>>>
> >>>>>>>> All response will greatly appreciated.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thanks in advance (^^,)
> >>>>>>>> Rachmat Hidayat Al Anshar 
> >>>>>>>>       
> >>>>>>>> Be a better friend, newshound, and 
> >>>>>>>> know-it-all with Yahoo! Mobile.  Try it now.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>     
> >>>>>>>>       
> >>>>  
> >  
> >>
> 

 _______________________________________________________________________________
> >>>>>>   
> >>>>>>> _____
> >>>>>>>     
> >>>>>>>> Never miss a thing.  Make Yahoo your home page. 
> >>>>>>>> http://www.yahoo.com/r/hs
> >>>>>>>>
> >>>>>>>>   
> >>>>>>>>       
> >>>>>>>     
> >>>>>>
> >>>>>>
> >>>>>>     
> >  
> >>
> 

 _______________________________________________________________________________
> >>>>> _____
> >>>>>> Be a better friend, newshound, and 
> >>>>>> know-it-all with Yahoo! Mobile.  Try it
> >>>>> now.
> >>>>>
> >>>>   http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 
> >>>>>>   
> >>>>
> >>>>
> >>>>    
> >>>>
> >>>  
> >
> 
 
>
 _______________________________________________________________________________
> >> _
> >>>> ____
> >>>> Never miss a thing.  Make Yahoo your home page. 
> >>>> http://www.yahoo.com/r/hs
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>     
> >
> 
 
>
 _______________________________________________________________________________
> >> _____
> >>> Never miss a thing.  Make Yahoo your home page. 
> >>> http://www.yahoo.com/r/hs
> >>>
> >>
> >> -- 
> >> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> >> There are serious security advisories out on all earlier releases.
> >>
> >>
> > 
> > 
> > 
> > 
> >     
> 

 _______________________________________________________________________________
> _____
> > Be a better friend, newshound, and 
> > know-it-all with Yahoo! Mobile.  Try it
> now.
> 
  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 
> > 
> > 
> 
> 
> -- 
> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.
> 
> 




    
  ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.
  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 












      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 


