Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Rachmat Hidayat Al Anshar <[email protected]>
Date: Thu, 10 Jan 2008 09:02:53 -0800 (PST)

Hi Amos...

Mmmm... it's giving feedback after I issue "iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT".
It says "unknown arg --dport"; maybe the FORWARD chain can't proceed without some other
switch (parameter)...

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Amos Jeffries <squid3@treenet.co.nz>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
> Cc: squid cache <squid-users@squid-cache.org>
> Sent: Thursday, January 10, 2008 7:45:44 PM
> Subject: Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Rachmat Hidayat Al Anshar wrote:
> > I am stuck and confused...
> > I have no idea about this...
> > I am trying to configure the iptables only with the following commands
> > (with default policy set to ACCEPT)
> > iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >
> > iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >
> > iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >
> > note:
> > - eth0 -> internal device
> >
>
> Try JUST this (one command to a line; I've split them so wrapping can
> be seen clearly):
>
> SQUID=10.0.0.0 - or whatever the squid box IP is.
>
> iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128
>
> iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
>
> iptables -A FORWARD --dport 80 -j REJECT
>
>
> Amos
>
> >
> > My proxy box was ignored...
> > I have configured squid with some access control, to block some
> > words, domains, and IPs.
> > I tested accessing a web box outside the network; here's the
> > result:
> > - the sites were opened successfully
> > - when I try adding a "blocked word" (such as "porn")..
> > the site also successfully opens the page...
> > Squid was ignored...
> > What should I do...
> > Help me guys...
> >
> >
> > Thanks
> > Rachmat Hidayat Al Anshar
> >
> >
> >
> >
> > ----- Original Message ----
> >> From: Rachmat Hidayat Al Anshar
> >> To: squid cache
> >> Cc: Chris Zhang
> >> Sent: Thursday, January 10, 2008 3:50:24 PM
> >> Subject: [squid-users] Re: [help] setting up firewall policy for
> >> transparent (single-homed host) proxy
> >>
> >> ----- Original Message ----
> >>> From: Chris Zhang
> >>> To: Rachmat Hidayat Al Anshar
> >>> Sent: Thursday, January 10, 2008 2:12:48 PM
> >>> Subject: Re: [help] setting up firewall policy for
> >>> transparent (single-homed host) proxy
> >>> Hi Rachmat,
> >>>
> >>>
> >>> Did you take that line out and then tried it again and it still
> >>> didn't work?
> >> Yes I did, I have done that, and the proxy box is still ignored
> >>
> >>> I don't think you need to recompile Squid, you need to change the
> >>> /etc/squid.conf file as suggested by the link I pointed you to. More
> >>> specifically, make sure you have these lines,
> >>>
> >>> * httpd_accel_host virtual
> >>> * httpd_accel_port 80
> >>> * httpd_accel_with_proxy on
> >>> * httpd_accel_uses_host_header on
> >>>
> >> I have also finished with that...
> >>
> >>> Also I am a bit confused with the setup you had there. Does your
> >>> squid machine have a public IP? My understanding is that all your
> >>> computers that are behind the firewall are NATed, this also includes
> >>> your Squid.
> >>
> >> All of this is deployed at vmware, the virtual environment.
> >> It is only an example of a public environment. And you're
> >> correct, my squid box is located behind the firewall (which also acts
> >> as a nat device).
> >>
> >>> The idea with a transparent proxy is that you configure all client
> >>> computers to use the gateway, on the gateway you have rules which
> >>> say if the outgoing port is port 80, and the traffic is coming from
> >>> your client machines, redirect those traffic to your Squid machine
> >>> on port 3128.
> >>>
> >>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >>> is saying if the traffic is going INTO the gateway (in your case these
> >>> traffic originate from the clients), and if the destination port is
> >>> port 80, protocol is tcp, accept it.
> >>
> >> Yep, it's correct.
> >> ### Squid Transparent Proxy
> >> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>
> >> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>
> >>> But you really want this line
> >>> 'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128'
> >>> which is the line after the first line.
> >>>
> >>> The result of having this first line before the second line
> >>> (iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128)
> >>> is that the second line will never catch any traffic.
> >>>
> >>> Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 .
> >>> It is exactly what you need.
> >>>
> >>> Chris
> >>>
> >>>
> >> I have done the following steps on
> >> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
> >> But my proxy is still ignored. How is it?
> >> I'll try it once more...anyway...
> >>
> >> Thanks
> >> Rachmat Hidayat Al Anshar
> >>
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Rachmat Hidayat Al Anshar wrote:
> >>>> Hay ho Chris,
> >>>> Thanks for replying.
> >>>>
> >>>> First of all, I have referred to that link, but in another
> >>>> discussion forum I found someone out there who says that...
> >>>> " The traffic is being caught by the first rule, since the
> >>>> connection probably isn't coming from the squid box. Before that
> >>>> rule, you need to put in an ACCEPT for http packets aimed at the
> >>>> firewall box:
> >>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> >>>> --dport 80 -j ACCEPT"..something like that...
> >>>> I have been trying many times, and I still can't solve this
> >>>> problem.
> >>>> Is it about compiling options?
> >>>> What command do I have to issue to find out what configure
> >>>> options squid used when it was compiled the first
> >>>> time???
> >>>> Can we re-compile squid? If so, what should I do?
> >>>>
> >>>> Thanks in advance
> >>>> Rachmat Hidayat Al Anshar
> >>>>
> >>>>
> >>>>
> >>>> ----- Original Message ----
> >>>>
> >>>>> From: Chris Zhang
> >>>>> To: Rachmat Hidayat Al Anshar
> >>>>> Cc: linux@lists.samba.org
> >>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
> >>>>> Subject: Re: [clug] [help] setting up firewall policy for
> >>>>> transparent (single-homed host) proxy
> >>>>> Hi Rachmat,
> >>>>>
> >>>>>
> >>>>> Maybe you want to try it again without this line
> >>>>>
> >>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >>>>>
> >>>>>
> >>>>> Also I think you will have to change squid.conf file (see
> >>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >>>>>
> >>>>>
> >>>>> Chris
> >>>>>
> >>>>>
> >>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>
> >>>>>>
> >>>>>> Hi all...
> >>>>>>
> >>>>>> I am on my research deploying a transparent single-homed host
> >>>>>> proxy server on my virtual network. My squid box is not on the
> >>>>>> same box where the firewall is applied. I don't have any idea how
> >>>>>> to set up the iptables running on the firewall, so I can redirect
> >>>>>> all clients' web requests to my proxy box, and make it the only
> >>>>>> host on the network that may request web services through the
> >>>>>> firewall to the Internet...???
> >>>>>>
> >>>>>>
> >>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> >>>>>>                                  ^
> >>>>>>                                  |
> >>>>>>                                  v
> >>>>>>                            squid web
> >>>>>>                            proxies
> >>>>>>
> >>>>>> I try to use this following firewall script...
> >>>>>>
> >>>>>> #!/bin/sh
> >>>>>> # Firewall Script
> >>>>>> ###############################################################
> >>>>>> ### interfaces
> >>>>>> EXT_DEV=eth0
> >>>>>> INT_DEV=eth1
> >>>>>> INT_NET=10.1.1.0/24
> >>>>>>
> >>>>>> ### Loading firewall modules
> >>>>>> modprobe ip_conntrack
> >>>>>> modprobe ip_conntrack_ftp
> >>>>>>
> >>>>>> ###############################################################
> >>>>>> ### Enable Packet Forwarding
> >>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>>>
> >>>>>> ### Remove all previous rules, and delete any user defined chains
> >>>>>> iptables -F
> >>>>>> iptables -X
> >>>>>> iptables -t nat -F
> >>>>>> iptables -t nat -X
> >>>>>>
> >>>>>> ### Set the default policies to drop
> >>>>>> iptables -P INPUT DROP
> >>>>>> iptables -P OUTPUT DROP
> >>>>>> iptables -P FORWARD DROP
> >>>>>>
> >>>>>> ### Loopback device OK
> >>>>>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>>
> >>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> >>>>>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >>>>>>
> >>>>>> ### Allow all Internal traffic to Server
> >>>>>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>>
> >>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
> >>>>>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> >>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >>>>>>
> >>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> >>>>
> >>>>>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>
> >>>>>> ### Squid Transparent Proxy
> >>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>>>>
> >>>>>> and the result is:
> >>>>>> - client's web browser ignores the squid proxy
> >>>>>> the http service is passing directly through the firewall
> >>>>>>
> >>>>>> All response will greatly appreciated.
> >>>>>>
> >>>>>>
> >>>>>> Thanks in advance (^^,)
> >>>>>> Rachmat Hidayat Al Anshar
> >>>>>>
>
> --
> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.
>
>

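An added example, written by the editor and not code posted by anyone in this thread. It assembles the rule set the thread circles around: Amos's DNAT and FORWARD rules together with the SNAT and FORWARD-to-Squid rules from the TransparentProxy mini-HOWTO that the earlier messages quote, as a script for the firewall box. Two points are built in. First, `--dport` is an option of the tcp match extension, so every rule that uses it carries `-p tcp` ahead of it; that missing `-p tcp` is what produces "unknown arg --dport" for the FORWARD rules as posted. Second, because the Squid box sits on the same LAN as the clients, the redirected packets are SNATed to the firewall's internal address; otherwise Squid's replies would go straight to the client, which never connected to the Squid box and would reset the connection. The internal device and network (eth1, 10.1.1.0/24) follow the script quoted in the thread; the Squid address, the firewall's internal address and the `apply` argument are assumptions made for this example. Run it with `IPT=echo sh proxy-rules.sh apply` to print the rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not code from the thread): iptables rules on the firewall
# for a transparent Squid proxy that runs on a separate host on the LAN.
# The internal device and network follow the script quoted in the thread;
# the Squid and firewall addresses are assumptions made for this example.
INT_DEV="${INT_DEV:-eth1}"          # internal interface of the firewall
EXT_DEV="${EXT_DEV:-eth0}"          # Internet-facing interface of the firewall
INT_NET="${INT_NET:-10.1.1.0/24}"   # client LAN
SQUID="${SQUID:-10.1.1.2}"          # Squid box, on the client LAN (assumed)
FW_INT="${FW_INT:-10.1.1.1}"        # firewall's own address on the LAN (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-iptables}"              # IPT=echo prints the rules instead of applying them

proxy_rules() {
    # Replies to already-redirected connections come back from Squid on
    # $INT_DEV and are un-NATed by conntrack; they must be allowed through
    # FORWARD regardless of interface, before any interface-specific rule.
    "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Intercept client HTTP, but never Squid's own traffic, or Squid's
    # upstream fetches would be redirected back to itself.
    # --dport belongs to the tcp match, so -p tcp must precede it.
    "$IPT" -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:$SQUID_PORT"

    # Squid shares the LAN with the clients. Without this SNAT its replies
    # would go straight to the client, which never connected to $SQUID and
    # would reset the connection. Rewriting the source to the firewall makes
    # Squid answer the firewall, which reverses both NATs on the way back.
    "$IPT" -t nat -A POSTROUTING -o "$INT_DEV" -s "$INT_NET" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_INT"

    # The redirected packet enters and leaves on the internal device.
    "$IPT" -A FORWARD -i "$INT_DEV" -o "$INT_DEV" -s "$INT_NET" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Only Squid may reach the Internet on port 80; anything else that
    # escaped the DNAT is refused. Keep these ahead of any general
    # "allow internal to external" rule or they never match.
    "$IPT" -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    "$IPT" -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 80 -j REJECT
}

# Apply only when run as "sh proxy-rules.sh apply"; sourcing the file just
# defines proxy_rules so the output can be inspected with IPT=echo first.
if [ "${1:-}" = "apply" ]; then
    proxy_rules
fi
```

The example leaves out the nat PREROUTING `ACCEPT` for traffic addressed to the firewall box itself that Chris's messages discuss; it is only needed when the firewall serves HTTP of its own, and in that case it goes ahead of the DNAT rule, since nat PREROUTING is first-match. The `! -s` spelling is the current iptables form of the `-s !` negation used in the thread; older releases accept both.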
Received on Thu Jan 10 2008 - 10:03:05 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST