Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 11 Jan 2008 16:06:02 +1300

Rachmat Hidayat Al Anshar wrote:
> Hi Amos...
>
> Mmmm... it's giving feedback after I issue "iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT":
> it says "unknown arg --dport"; maybe the FORWARD chain can't proceed without some other
> switch (parameter)...

Hmm, arg. I think after a closer look all I can think of is I got the
parameter order wrong :-(
It should probably be -s then --dport

Sorry
Amos

>
> Thanks
> Rachmat Hidayat Al Anshar
>
>
> ----- Original Message ----
>> From: Amos Jeffries <squid3@treenet.co.nz>
>> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
>> Cc: squid cache <squid-users@squid-cache.org>
>> Sent: Thursday, January 10, 2008 7:45:44 PM
>> Subject: Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>>
>> Rachmat Hidayat Al Anshar wrote:
>>> I am stuck and confused...
>>> I have no idea about this...
>>> I am trying to configure iptables only with the following commands
>>> (with default policy set to ACCEPT):
>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>>>
>>> note:
>>> - eth0 -> internal device
>>
>> Try JUST this (one command to a line, I've split them so wrapping can be
>> seen clearly):
>>
>> SQUID=10.0.0.0 - or whatever the squid box IP is.
>>
>> iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j
>> DNAT --to $SQUID:3128
>>
>> iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
>>
>> iptables -A FORWARD --dport 80 -j REJECT
>>
>>
>> Amos
>>
>>> My proxy box was ignored...
>>> I have configured squid with some access control, to block some words, domains, and IPs.
>>> I tested accessing a web box outside the network; here's the result:
>>> - the sites opened successfully
>>> - when I try adding a "blocked word" (such as "porn")..
>>> the sites also successfully open the page...
>>> Squid was ignored...
>>> What should I do...
>>> Help me guys...
>>>
>>>
>>> Thanks
>>> Rachmat Hidayat Al Anshar
>>>
>>>
>>>
>>>
>>> ----- Original Message ----
>>>> From: Rachmat Hidayat Al Anshar
>>>> To: squid cache
>>>> Cc: Chris Zhang
>>>> Sent: Thursday, January 10, 2008 3:50:24 PM
>>>> Subject: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>>>> ----- Original Message ----
>>>>> From: Chris Zhang
>>>>> To: Rachmat Hidayat Al Anshar
>>>>> Sent: Thursday, January 10, 2008 2:12:48 PM
>>>>> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>>>>> Hi Rachmat,
>>>>>
>>>>>
>>>>> Did you take that line out and then try it again, and it still
>>>>> didn't work?
>>>> Yes I did, I have done that, and the proxy box is still ignored
>>>>
>>>>> I don't think you need to recompile Squid, you need to change the
>>>>> /etc/squid.conf file as suggested by the link I pointed you to. More
>>>>> specifically, make sure you have these lines,
>>>>>
>>>>> * httpd_accel_host virtual
>>>>> * httpd_accel_port 80
>>>>> * httpd_accel_with_proxy on
>>>>> * httpd_accel_uses_host_header on
>>>>>
>>>> I also finished with that...
>>>>
>>>>> Also I am a bit confused with the setup you had there. Does your squid
>>>>> machine have a public IP? My understanding is that all your computers
>>>>> that are behind the firewall are NATed, this also includes your Squid.
>>>>
>>>> All of this is deployed in VMware, the virtual environment.
>>>> It is only an example of a public environment. And you're
>>>> correct, my squid box is located behind the firewall (which also acts as a NAT
>>>> device).
>>>>> The idea with a transparent proxy is that you configure all client
>>>>> computers to use the gateway, on the gateway you have rules which say if
>>>>> the outgoing port is port 80, and the traffic is coming from your client
>>>>> machines, redirect that traffic to your Squid machine on port 3128.
>>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport
>>>>> 80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in
>>>>> your case this traffic originates from the clients), and if the
>>>>> destination port is port 80, protocol is tcp, accept it.
>>>>
>>>> Yep, it's correct.
>>>> ### Squid Transparent Proxy
>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>>>>
>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>>>>
>>>>> But you really want this line 'iptables -t nat -A PREROUTING -i eth0
>>>>> -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128' which
>>>>> is the line after the first line.
>>>>> The result of having this first line before the second line (iptables
>>>>> -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT
>>>>> --to squid-box:3128) is that the second line will never catch any
>>>>> traffic.
>>>>> Please see
>>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3
>>>>> It is exactly what you need.
>>>>> Chris
>>>>>
>>>>>
>>>> I have done the steps following this
>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
>>>> But my proxy is still ignored. How is that?
>>>> I'll try it once more... anyway...
>>>>
>>>> Thanks
>>>> Rachmat Hidayat Al Anshar
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Rachmat Hidayat Al Anshar wrote:
>>>>>> Hay ho Chris,
>>>>>> Thanks for replying.
>>>>>>
>>>>>> First of all, I have referred to that link, but in another discussion
>>>>>> forum I found someone out there who says that...
>>>>>> "The traffic is being caught by the first rule, since the connection
>>>>>> probably isn't coming from the squid box. Before that rule, you need
>>>>>> to put in an ACCEPT for http packets aimed at the firewall box:
>>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
>>>>>> --dport 80 -j ACCEPT"... something like that...
>>>>>> I have been trying many times, and I still can't solve this problem.
>>>>>> Is it about compiling options?
>>>>>> What command do I have to issue to find out what configure options
>>>>>> squid was compiled with the first time???
>>>>>> Can we re-compile squid? If so, what should I do?
>>>>>>
>>>>>> Thanks in advance
>>>>>> Rachmat Hidayat Al Anshar
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message ----
>>>>>>
>>>>>>> From: Chris Zhang
>>>>>>> To: Rachmat Hidayat Al Anshar
>>>>>>> Cc: linux@lists.samba.org
>>>>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
>>>>>>> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
>>>>>>> Hi Rachmat,
>>>>>>>
>>>>>>>
>>>>>>> Maybe you want to try it again without this line
>>>>>>>
>>>>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
>>>>>>>
>>>>>>>
>>>>>>> Also I think you will have to change squid.conf file (see
>>>>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
>>>>>>>
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>> Rachmat Hidayat Al Anshar wrote:
>>>>>>>
>>>>>>>> Hi all...
>>>>>>>>
>>>>>>>> I am on my research deploying a transparent single-homed host proxy
>>>>>>>> server on my virtual network. My squid box is not on the same box
>>>>>>>> where the firewall is applied. I didn't have any idea how to set up
>>>>>>>> the iptables running on the firewall, so I can redirect all clients'
>>>>>>>> web requests to my proxy box, and make it the only host on the
>>>>>>>> network that may request web services through the firewall to the
>>>>>>>> Internet...???
>>>>>>>>
>>>>>>>>
>>>>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV<---> INTRANET
>>>>>>>> ^
>>>>>>>> |
>>>>>>>> v
>>>>>>>>
>>>>>>>> squid web
>>>>>>>> proxies
>>>>>>>>
>>>>>>>> I tried to use the following firewall script...
>>>>>>>>
>>>>>>>> #!/bin/sh
>>>>>>>> # Firewall Script
>>>>>>>> ###############################################################
>>>>>>>> ### interfaces
>>>>>>>> EXT_DEV=eth0
>>>>>>>> INT_DEV=eth1
>>>>>>>> INT_NET=10.1.1.0/24
>>>>>>>>
>>>>>>>> ### Loading firewall modules
>>>>>>>> modprobe ip_conntrack
>>>>>>>> modprobe ip_conntrack_ftp
>>>>>>>>
>>>>>>>> ###############################################################
>>>>>>>> ### Enable Packet Forwarding
>>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>>>
>>>>>>>> ### Remove all previous rules, and delete any user defined chains
>>>>>>>> iptables -F
>>>>>>>> iptables -X
>>>>>>>> iptables -t nat -F
>>>>>>>> iptables -t nat -X
>>>>>>>>
>>>>>>>> ### Set the default policies to drop
>>>>>>>> iptables -P INPUT DROP
>>>>>>>> iptables -P OUTPUT DROP
>>>>>>>> iptables -P FORWARD DROP
>>>>>>>>
>>>>>>>> ### Loopback device OK
>>>>>>>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>>>>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>>>>>>>>
>>>>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
>>>>>>>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
>>>>>>>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
>>>>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
>>>>>>>>
>>>>>>>> ### Allow all Internal traffic to Server
>>>>>>>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
>>>>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
>>>>>>>>
>>>>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
>>>>>>>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
>>>>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
>>>>>>>>
>>>>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
>>>>>>>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>>>>>
>>>>>>>> ### Squid Transparent Proxy
>>>>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
>>>>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>>>>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>>>>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>>>>>>
>>>>>>>> and the result is:
>>>>>>>> - the client's web browser ignores the squid proxy
>>>>>>>> the http service is passing directly through the firewall
>>>>>>>>
>>>>>>>> All responses will be greatly appreciated.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks in advance (^^,)
>>>>>>>> Rachmat Hidayat Al Anshar
>>>>>>>>
>>>
>>
>> --
>> Please use Squid 2.6STABLE17 or 3.0STABLE1.
>> There are serious security advisories out on all earlier releases.
>>
>>
>
>
>
>

-- 
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
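As an added example (not code from the thread or from the Squid project), here is the rule set discussed above assembled into one script, with the FORWARD rules written in the order iptables accepts: `--dport` is an option of the tcp match module, which iptables loads only after it has seen `-p tcp`, so `-p tcp` has to precede `--dport`; that is what the "unknown arg --dport" error is reporting. The interface, network and host addresses are assumptions, and the SNAT step is the single-homed-host rule from Rachmat's script, kept because squid and the clients share one LAN.

```shell
#!/bin/sh
# Transparent-proxy rules for a firewall with squid on a separate host.
# Assumed values (not from the thread): internal interface eth1, internal
# network 10.1.1.0/24, squid box 10.1.1.2, firewall's internal address 10.1.1.1.
# IPT defaults to "echo" so the script only prints the rules for review;
# run it as  IPT=iptables ./rules.sh  to install them.
IPT="${IPT:-echo}"
INT_DEV="${INT_DEV:-eth1}"
INT_NET="${INT_NET:-10.1.1.0/24}"
SQUID="${SQUID:-10.1.1.2}"
FW="${FW:-10.1.1.1}"

transparent_proxy_rules() {
    # Redirect port-80 traffic from every internal host except squid itself
    # to squid:3128. "-p tcp" comes before "--dport": --dport belongs to the
    # tcp match, which iptables only loads once it has parsed -p tcp.
    $IPT -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:3128"
    # Squid is on the same LAN as the clients, so rewrite the source to the
    # firewall's address; otherwise squid would answer the client directly
    # from its own address and the client would reset the connection
    # (the single-homed-host case of the Transparent Proxy HOWTO).
    $IPT -t nat -A POSTROUTING -o "$INT_DEV" -s "$INT_NET" -d "$SQUID" \
        -p tcp --dport 3128 -j SNAT --to-source "$FW"
    # Let the redirected connections reach squid through the FORWARD chain.
    $IPT -A FORWARD -i "$INT_DEV" -o "$INT_DEV" -s "$INT_NET" -d "$SQUID" \
        -p tcp --dport 3128 -j ACCEPT
    # Only squid may open direct port-80 connections to the outside.
    $IPT -A FORWARD -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    # Anything else heading straight for port 80 has bypassed the proxy.
    $IPT -A FORWARD -p tcp --dport 80 -j REJECT
}

# Sanity check for a rule string: --dport is only valid after the tcp or
# udp match has been loaded (-p tcp / -p udp or -m tcp / -m udp); any other
# ordering produces "unknown arg --dport". Returns 0 when the rule is fine.
dport_order_ok() {
    case "$1" in
        *"-p tcp"*--dport*|*"-p udp"*--dport*) return 0 ;;
        *"-m tcp"*--dport*|*"-m udp"*--dport*) return 0 ;;
        *--dport*) return 1 ;;
        *) return 0 ;;
    esac
}

transparent_proxy_rules
```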
Received on Thu Jan 10 2008 - 20:05:48 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST