RE: [squid-users] tansparent proxy on a firewall

From: Carmelo A. Zizza <[email protected]>
Date: Tue, 22 Oct 2002 09:11:30 -0400

I had a similar problem and the way I was able to get around it was the
following:

In your firewall script, have these lines appear before the MASQ
directive,

Do_redirect_to_squid () {
        echo -e "\tAllow WEB redirect to Squid: \c"
        ipchains -A input -i $INTERNAL_INTERFACE -p tcp -s $LOCAL_NET_1
-d $LOCAL_IP --dport 3128 -j ACCEPT
        ipchains -A input -i $INTERNAL_INTERFACE -p udp -s $LOCAL_NET_1
-d $LOCAL_IP --dport 3128 -j ACCEPT
        ipchains -A input -i $INTERNAL_INTERFACE -p tcp -s $LOCAL_NET_2
-d $LOCAL_IP --dport 3128 -j ACCEPT
        ipchains -A input -i $INTERNAL_INTERFACE -p udp -s $LOCAL_NET_2
-d $LOCAL_IP --dport 3128 -j ACCEPT

        ipchains -A input -i $INTERNAL_INTERFACE -p tcp -s $LOCAL_NET_1
--dport http -j REDIRECT 3128
        ipchains -A input -i $INTERNAL_INTERFACE -p udp -s $LOCAL_NET_1
--dport http -j REDIRECT 3128

        # Accept returning web packets for squid
        ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP
--sport 1024:65535 --dport 80 -j ACCEPT
        ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP
--sport 1024:65535 --dport 80 -j ACCEPT
        ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $EXTERNAL_IP
--sport 80 --dport 1024:65535 -j ACCEPT
        ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $EXTERNAL_IP
--sport 80 --dport 1024:65535 -j ACCEPT
        echo -e "Done"
}

Then add or change the following lines in your MASQ routine:

Do_restricted_masq () {
        .
        .
        . Block other ports ... i.e. SNMP etc.
        .

        #Don't Masq Traffic from internal to HTTP use Squid instead
        ipchains -A forward -p tcp -s $LOCAL_NET_1 --dport http -j DENY
-l
        ipchains -A forward -p tcp -s $LOCAL_NET_2 --dport http -j DENY
-l

        # Masq All Other Traffic to anywhere
        ipchains -A forward -s $LOCAL_NET_1 -d $ALL_IPS -j MASQ
        ipchains -A forward -s $LOCAL_NET_2 -d $ALL_IPS -j MASQ
}

OK, In our configuration the $INTERNAL_INTERFACE is our secure link on
our local lan, the $EXTERNAL_INTERFACE is the link to the internet. We
use squid on 3128, you can change the port number to whatever you want
there. One thing I noticed is that this does not work to wee if you use
the names of the port as opposed to the numbers, that is why I don't say
"--sport www".

The do_redirect_to_squid is the whole routine we use in our firewall
configuration. The do_restricted_masq is an excerpt from our existing
script, hence the dots. It is important to do the above statements in
the order displayed and further, it is important to use -i
$INTERNAL_INTERFACE on the input rules.

What this does, is allow www traffic for our internal web site and
internet traffic to be sent to squid. The "deny" of http traffic from
the MASQ allows the input rules to be processed. I hope this helps, it
took a while for use to get this working.

Regards,
Carmelo

-----Original Message-----
From: Liu Mei [mailto:liumei4000@yahoo.com]
Sent: Tuesday, October 22, 2002 4:44 AM
To: squid-users@squid-cache.org
Subject: [squid-users] tansparent proxy on a firewall

Hi,

There are many posts about transparent proxy in the
mailing list. However I still could not find a
solution to my problem. I am sorry to disturb you for
the old common question.

Origianlly, our private subnet was 192.168.1.0/24. We
are using a cable modem to connect to the IPS's
gateway which is 192.168.1.254. I think ISP has done
something over its side because we don't need to setup
anything in our web browser.

Now things become complex. we used redhat 7.2 to build
our own firewall, which is sitting between the modem
and our LAN. And for some reasons, we have to divide
the lan into two subnets, which are 192.168.2.0/24 and
192.168.3.0/24.
Thus the firewall machine has three network cards.
Eth0 (1.253) connects to the modem, eth1(2.1) connects
to the subnet 2.0/24, eth2(3.1) connects to the subnet
3.0/24. By using two ipchains rules
  -A forward -s 192.168.2.0/24 -i eth0 -j MASQ
  -A forward -s 192.168.3.0/24 -i eth0 -j MASQ
,the two subnets can access internet properly.

Then we plan to setup a transparent proxy and caching
server on the same firewall machine as well.

After reading some menu, we followed the instructions
to setup the squid (2.5 stable1).

The options in squid.conf changed are:

http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Also two new ipchains rules have been added in front
of the MASQ rules.
-A input -s 192.168.2.0/24 -d 0/0 www -p tcp -i eth0
-j REDIRECT 8080
-A input -s 192.168.3.0/24 -d 0/0 www -p tcp -i eth0
-j REDIRECT 8080

However, it seems that no request will be sent to the
proxy by running cachemgr.cgi.

In terms of double checking, we moved http_access deny
all in front of other http_access allow rules and
restart the squid by running two commands
/usr/local/squid/sbin/squid -k kill
/usr/local/squid/sbin/squid.

But the workstations in the subnets can still access
the internet.

I guess the problem may be due to the forward ipchains
rules which MASQ the request from the two subnets to
eth0 and thus go directly to the internet. Then I
changed the previous REDIRECT rules to be one

-A input -d 0/0 www -p tcp -i eth0 -j REDIRECT 8080

but still no package can be sent to Squid.

How can I fix the problem? If you need more
information to help me to identify the problem, I will
be very glad to do that.

Many thanks.

Liumei

__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
Received on Tue Oct 22 2002 - 07:11:50 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:46 MST