Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@dont-contact.us>
Date: Wed, 9 Jan 2008 21:42:59 -0800 (PST)

I have been searching the squid-users archive; there are some posts
similar to my needs, but nothing there has succeeded for me.

I don't know if someone has already suggested this...

It would be nice if the squid developers spent a little time making
complete documentation about how to transparently implement
squid in a network. So if someone needs it or is having this
problem, they can just be "redirected" to that documentation.

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
> To: squid cache <squid-users@squid-cache.org>
> Cc: Chris Zhang <abnamro.chris@gmail.com>
> Sent: Thursday, January 10, 2008 6:40:14 AM
> Subject: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Hay ho Chris,
> Thanks for replying.
>
> First of all, I have referred to that link, but in another
> discussion forum I found someone out there who says that...
> " The traffic is being caught by the first rule, since the connection
> probably isn't coming from the squid box. Before that rule, you need
> to put in an ACCEPT for http packets aimed at the firewall box:
> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> --dport 80 -j ACCEPT"..something like that...
> I have been trying many times, and I still can't solve this problem.
>
> Is it about compiling options?
> What command do I have to issue to find out which configure
> options squid was compiled with the first time???
>
> Can we re-compile squid? If so, what should I do?
>
> Thanks in advance
> Rachmat Hidayat Al Anshar
>
>
>
> ----- Original Message ----
> > From: Chris Zhang
> > To: Rachmat Hidayat Al Anshar
> > Cc: linux@lists.samba.org
> > Sent: Wednesday, January 9, 2008 7:11:46 PM
> > Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> >
> > Hi Rachmat,
> >
> >
> > Maybe you want to try it again without this line
> >
> >
> > 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >
> >
> > Also I think you will have to change squid.conf file (see
> > http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >
> >
> > Chris
> >
> >
> > Rachmat Hidayat Al Anshar wrote:
> > >
> > > Hi all...
> > >
> > > I am on my research deploying a transparent single-homed host proxy
> > > server on my virtual network. My squid box is not on the same box
> > > where the firewall is applied. I don't have any idea how to set up the
> > > iptables running on the firewall, so I can redirect all clients' web
> > > requests to my proxy box, and make it the only host on the network
> > > that may request web services through the firewall to the Internet...???
> > >
> > >
> > > INTERNET <---> FIREWALL <---> switch <---> NAT DEV<---> INTRANET
> > > ^
> > > |
> > > v
> > >
> > > squid web
> > > proxies
> > >
> > > I try to use this following firewall script...
> > >
> > > #!/bin/sh
> > > # Firewall Script
> > > ###############################################################
> > > ### interfaces
> > > EXT_DEV=eth0
> > > INT_DEV=eth1
> > > INT_NET=10.1.1.0/24
> > >
> > > ### Loading firewall modules
> > > modprobe ip_conntrack
> > > modprobe ip_conntrack_ftp
> > >
> > > ###############################################################
> > > ### Enable Packet Forwarding
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > >
> > > ### Remove all previous rules, and delete any user defined chains
> > > iptables -F
> > > iptables -X
> > > iptables -t nat -F
> > > iptables -t nat -X
> > >
> > > ### Set the default policies to drop
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > >
> > > ### Loopback device OK
> > > iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > > iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> > >
> > > ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> > > iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> > > iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> > > iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> > >
> > > ### Allow all Internal traffic to Server
> > > iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > > iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> > >
> > > ### OUTBOUND Rule: Allow ALL packets out the external device
> > > iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> > > iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> > >
> > > ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> > > iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### Squid Transparent Proxy
> > > iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> > > iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> > >
> > > iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> > > iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> > >
> > > and the result is:
> > > - the client's web browser ignores the squid proxy;
> > > the http service passes directly through the firewall
> > >
> > > All responses will be greatly appreciated.
> > >
> > >
> > > Thanks in advance (^^,)
> > > Rachmat Hidayat Al Anshar
> > >

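One explanation consistent with the posted script, shown here as an added example that is not part of the thread: the script defines eth0 as EXT_DEV and eth1 as INT_DEV, yet the Squid rules copied from the HOWTO (where eth0 is the LAN-facing interface) are bound to eth0, so LAN clients arriving on eth1 never hit the DNAT rule and the FORWARD eth1->eth0 rule passes their HTTP straight out. The Python below models iptables' first-match PREROUTING semantics; the addresses standing in for iptables-box, squid-box and the client are constructed placeholders, not values from the thread.

```python
# First-match model of iptables' nat/PREROUTING chain, used to compare the posted
# Squid rules bound to eth0 (EXT_DEV) with the same rules bound to eth1 (INT_DEV).
from dataclasses import dataclass
from typing import List, Optional

IPTABLES_BOX = "10.1.1.1"  # constructed placeholder for "iptables-box"
SQUID_BOX = "10.1.1.2"     # constructed placeholder for "squid-box"

@dataclass
class Packet:
    in_if: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    src: Optional[str] = None
    src_negate: bool = False   # models "-s ! squid-box"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.src and (p.src == self.src) == self.src_negate:
            return False
        if self.dst and p.dst != self.dst:
            return False
        return self.dport is None or p.dport == self.dport

def prerouting(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; with no match the chain policy (ACCEPT) applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return "ACCEPT"

def squid_rules(lan_if: str) -> List[Rule]:
    """The two PREROUTING rules from the posted script, with the interface as a parameter."""
    return [
        Rule("ACCEPT", in_if=lan_if, dst=IPTABLES_BOX, dport=80),
        Rule("DNAT", in_if=lan_if, src=SQUID_BOX, src_negate=True, dport=80),
    ]

def verdict(lan_if: str, src: str = "10.1.1.50", dst: str = "198.51.100.10") -> str:
    # An HTTP request entering on eth1 (the LAN side) from a constructed client host.
    return prerouting(squid_rules(lan_if), Packet("eth1", src, dst, 80))
```

With the rules bound to eth0 as posted, verdict("eth0") is ACCEPT for a LAN client, which is the bypass the post reports; bound to eth1 it is DNAT, while traffic from squid-box itself and traffic aimed at iptables-box still fall through to ACCEPT as the HOWTO intends.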
Received on Wed Jan 09 2008 - 22:43:06 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST