[squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@dont-contact.us>
Date: Wed, 9 Jan 2008 15:40:14 -0800 (PST)

Hey ho Chris,
Thanks for replying.

First of all, I have referred to that link, but in another discussion forum
I found someone out there who says that...
" The traffic is being caught by the first rule, since the connection
probably isn't coming from the squid box. Before that rule, you need
to put in an ACCEPT for http packets aimed at the firewall box:
  iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
    --dport 80 -j ACCEPT"..something like that...
I have tried many times, and I still can't solve this problem.

Is it about compile options?
What command do I have to issue to find out which configure
options squid was compiled with the first time???

Can we re-compile squid? If so, what should I do?

Thanks in advance
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Chris Zhang <abnamro.chris@gmail.com>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
> Cc: linux@lists.samba.org
> Sent: Wednesday, January 9, 2008 7:11:46 PM
> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Hi Rachmat,
>
>
> Maybe you want to try it again without this line
>
> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
>
>
> Also I think you will have to change squid.conf file (see
> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
>
>
> Chris
>
>
> Rachmat Hidayat Al Anshar wrote:
> >
> > Hi all...
> >
> > I am doing research on deploying a transparent single-homed host proxy
> > server on my virtual network. My squid box is not on the same box where the
> > firewall is applied. I didn't have any idea how to set up the iptables running on
> > the firewall so I can redirect all clients' web requests to my proxy box,
> > and make it the only host on the network that may request web services through
> > the firewall to the Internet...???
> >
> >
> > INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> >                                 ^
> >                                 |
> >                                 v
> >                             squid web
> >                              proxies
> >
> > I tried to use the following firewall script...
> >
> > #!/bin/sh
> > # Firewall Script
> > ###############################################################
> > ### interfaces
> > EXT_DEV=eth0
> > INT_DEV=eth1
> > INT_NET=10.1.1.0/24
> >
> > ### Loading firewall modules
> > modprobe ip_conntrack
> > modprobe ip_conntrack_ftp
> >
> > ###############################################################
> > ### Enable Packet Forwarding
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > ### Remove all previous rules, and delete any user defined chains
> > iptables -F
> > iptables -X
> > iptables -t nat -F
> > iptables -t nat -X
> >
> > ### Set the default policies to drop
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > ### Loopback device OK
> > iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >
> > ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> > iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> > iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> > iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >
> > ### Allow all Internal traffic to Server
> > iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >
> > ### OUTBOUND Rule: Allow ALL packets out the external device
> > iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> > iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >
> > ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> > iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### Squid Transparent Proxy
> > iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> > iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >
> > iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> > iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >
> > and the result is:
> > - the clients' web browsers ignore the squid proxy
> > - the http service is passing directly through the firewall
> >
> > All responses will be greatly appreciated.
> >
> >
> > Thanks in advance (^^,)
> > Rachmat Hidayat Al Anshar
> >

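As an added illustration (not code from the thread or from the TransparentProxy HOWTO): a small first-match model of the two nat PREROUTING rules in the posted script, fed three constructed packets. The script sets INT_DEV=eth1 but copies the redirect rules with -i eth0 from the HOWTO, so a client packet arriving on eth1 matches neither rule and is routed unchanged, which is consistent with the reported symptom; addresses, interface names and packet contents are assumptions.

```python
# Added example, not code from the thread or from the TransparentProxy HOWTO:
# a first-match model of the nat PREROUTING rules in the posted script.
# Addresses and interface names are constructed placeholders.
from ipaddress import ip_address, ip_network

FW_IP = "10.1.1.1"        # stands in for "iptables-box" (constructed)
SQUID_BOX = "10.1.1.2"    # stands in for "squid-box" (constructed)
DNAT = "DNAT --to %s:3128" % SQUID_BOX

def rule(in_if, dst, dport, target, src=None, src_negated=False):
    """One nat PREROUTING rule; None means the field matches anything."""
    return {"in_if": in_if, "src": src, "src_negated": src_negated,
            "dst": dst, "dport": dport, "target": target}

def matches(r, pkt):
    if r["in_if"] and r["in_if"] != pkt["in_if"]:                    # -i
        return False
    if r["dst"] and ip_address(pkt["dst"]) != ip_address(r["dst"]):  # -d
        return False
    if r["dport"] and r["dport"] != pkt["dport"]:                    # --dport
        return False
    if r["src"]:                                                     # -s / -s !
        in_src = ip_address(pkt["src"]) in ip_network(r["src"], strict=False)
        if in_src == r["src_negated"]:
            return False
    return True

def prerouting_target(chain, pkt):
    """Target of the first matching rule, or None when the packet falls through
    the chain and is routed unchanged (nat chains default to ACCEPT)."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return None

def squid_chain(in_if):
    """The script's two redirect rules, with the interface as a parameter;
    the posted script hard-codes eth0 even though INT_DEV is eth1."""
    return [rule(in_if, FW_IP, 80, "ACCEPT"),
            rule(in_if, None, 80, DNAT, src=SQUID_BOX, src_negated=True)]

# Constructed packets as seen on the firewall's internal interface (eth1).
CLIENT_TO_WEB = {"in_if": "eth1", "src": "10.1.1.50", "dst": "198.51.100.10", "dport": 80}
SQUID_TO_WEB = {"in_if": "eth1", "src": SQUID_BOX, "dst": "198.51.100.10", "dport": 80}
CLIENT_TO_FW = {"in_if": "eth1", "src": "10.1.1.50", "dst": FW_IP, "dport": 80}

if __name__ == "__main__":
    for name, pkt in [("client->web", CLIENT_TO_WEB), ("squid->web", SQUID_TO_WEB),
                      ("client->fw", CLIENT_TO_FW)]:
        print(name, "| -i eth0 (as posted):", prerouting_target(squid_chain("eth0"), pkt),
              "| -i eth1 (INT_DEV):", prerouting_target(squid_chain("eth1"), pkt))
```

The model covers rule matching only; on the real firewall, the per-rule packet counters from `iptables -t nat -L -v -n` show which rule traffic actually hits.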
Received on Wed Jan 09 2008 - 16:40:22 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST