[squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@dont-contact.us>
Date: Thu, 10 Jan 2008 16:50:24 +0800 (CST)

----- Original Message ----
> From: Chris Zhang <abnamro.chris@gmail.com>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
> Sent: Thursday, January 10, 2008 2:12:48 PM
> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Hi Rachmat,
>
>
> Did you take that line out and then tried it again and it still
> didn't work?

Yes I did, I have done that, and the proxy box is still ignored.

> I don't think you need to recompile Squid, you need to change
> /etc/squid.conf file as suggested by the link I pointed to you. More
> specifically, make sure you have these lines,
>
> * httpd_accel_host virtual
> * httpd_accel_port 80
> * httpd_accel_with_proxy on
> * httpd_accel_uses_host_header on
>
I have also finished with that...

> Also I am a bit confused with the setup you had there. Does your squid
> machine have a public IP? My understanding is that all your computers
> that are behind the firewall are NATed, this also includes your Squid.
 
All of this is deployed in VMware, a virtual environment.
It is only an example of a public environment. And you're
correct, my squid box is located behind the firewall (which also acts as a NAT device).

> The idea with a transparent proxy is that you configure all client
> computers to use the gateway, on the gateway you have rules which
> say if the outgoing port is port 80, and the traffic is coming from
> your client machines, redirect that traffic to your Squid machine
> on port 3128.
>
> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> --dport 80 -j ACCEPT' is saying if the traffic is going INTO the
> gateway (in your case this traffic originates from the clients), and
> if the destination port is port 80, protocol is tcp, accept it.

Yep, it's correct.
### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

> But you really want this line 'iptables -t nat -A PREROUTING -i eth0
> -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128' which
> is the line after the first line.
>
> The result of having this first line before the second line (iptables
> -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j
> DNAT --to squid-box:3128 ) is that the second line will never catch
> any traffic.
>
> Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 .
> It is exactly what you need.
>
> Chris
>
I have done the following steps from this http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
But my proxy is still ignored. How is it?
I'll try it once more... anyway...

Thanks
Rachmat Hidayat Al Anshar

>
> Rachmat Hidayat Al Anshar wrote:
> > Hay ho Chris,
> > Thanks for replying.
> >
> > First of all, I have referred to that link, but in another discussion
> > forum I found someone out there who says that...
> > " The traffic is being caught by the first rule, since the connection
> > probably isn't coming from the squid box. Before that rule, you need
> > to put in an ACCEPT for http packets aimed at the firewall box:
> > iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> > --dport 80 -j ACCEPT"..something like that...
> > I have been trying many times, and I still can't solve this
> > problem.
> >
> > Is it about compile options?
> > What command do I have to issue to find out what configure
> > options squid was compiled with the first time???
> >
> > Can we re-compile squid? If so, what should I do?
> >
> > Thanks in advance
> > Rachmat Hidayat Al Anshar
> >
> >
> >
> > ----- Original Message ----
> >
> >> From: Chris Zhang
> >> To: Rachmat Hidayat Al Anshar
> >> Cc: linux@lists.samba.org
> >> Sent: Wednesday, January 9, 2008 7:11:46 PM
> >> Subject: Re: [clug] [help] setting up firewall policy for
> >> transparent (single-homed host) proxy
> >>
> >> Hi Rachmat,
> >>
> >>
> >> Maybe you want to try it again without this line
> >>
> >> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp
> >> --dport 80 -j ACCEPT'
> >>
> >> Also I think you will have to change squid.conf file (see
> >> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >>
> >>
> >> Chris
> >>
> >>
> >> Rachmat Hidayat Al Anshar wrote:
> >>
> >>> Hi all...
> >>>
> >>> I am doing research on deploying a transparent single-homed host
> >>> proxy server on my virtual network. My squid box is not on the same
> >>> box where the firewall is applied. I didn't have any idea how to set
> >>> up the iptables running on the firewall, so I can redirect all
> >>> clients' web requests to my proxy box, and make it the only host on
> >>> the network that may request web services through the firewall to
> >>> the Internet...???
> >>>
> >>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV<---> INTRANET
> >>> ^
> >>> |
> >>> v
> >>>
> >>> squid web
> >>> proxies
> >>>
> >>> I try to use this following firewall script...
> >>>
> >>> #!/bin/sh
> >>> # Firewall Script
> >>> ###############################################################
> >>> ### interfaces
> >>> EXT_DEV=eth0
> >>> INT_DEV=eth1
> >>> INT_NET=10.1.1.0/24
> >>>
> >>> ### Loading firewall modules
> >>> modprobe ip_conntrack
> >>> modprobe ip_conntrack_ftp
> >>>
> >>> ###############################################################
> >>> ### Enable Packet Forwarding
> >>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>
> >>> ### Remove all previous rules, and delete any user defined chains
> >>> iptables -F
> >>> iptables -X
> >>> iptables -t nat -F
> >>> iptables -t nat -X
> >>>
> >>> ### Set the default policies to drop
> >>> iptables -P INPUT DROP
> >>> iptables -P OUTPUT DROP
> >>> iptables -P FORWARD DROP
> >>>
> >>> ### Loopback device OK
> >>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>
> >>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> >>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> >>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> >>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >>>
> >>> ### Allow all Internal traffic to Server
> >>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>
> >>> ### OUTBOUND Rule: Allow ALL packets out the external device
> >>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> >>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >>>
> >>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> >>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>
> >>> ### Squid Transparent Proxy
> >>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>
> >>> and the result is:
> >>> - the client's web browser ignores the squid proxy;
> >>>   the http service passes directly through the firewall
> >>>
> >>> All responses will be greatly appreciated.
> >>>
> >>>
> >>> Thanks in advance (^^,)
> >>> Rachmat Hidayat Al Anshar
> >>>

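Below is an added example, not code from this thread or from the Transparent Proxy HOWTO it links to: a small Python model of first-match evaluation for the two nat/PREROUTING lines discussed above. The addresses chosen for iptables-box, squid-box and the client are constructed (10.1.1.0/24 follows the script's INT_NET; the web server address is from the documentation range). It shows which line each packet hits, what swapping the two lines changes, and that a client packet arriving on eth1 (the script's INT_DEV) matches none of the rules because every one of them says -i eth0.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addresses standing in for the HOWTO placeholders used in the
# thread (iptables-box, squid-box, local-network). local-network follows the
# script's INT_NET=10.1.1.0/24; the other values are assumptions.
IPTABLES_BOX = "10.1.1.1"
SQUID_BOX = "10.1.1.2"
LOCAL_NETWORK = "10.1.1.0/24"
CLIENT = "10.1.1.50"
WEB_SERVER = "192.0.2.10"   # documentation range (TEST-NET-1), constructed


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Rule:
    """One 'iptables -t nat -A PREROUTING ...' line reduced to its matches."""
    target: str                      # ACCEPT or DNAT
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s host-or-CIDR
    src_negated: bool = False        # -s ! host
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    to: Optional[str] = None         # --to host:port (DNAT only)

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None:
            in_src = ip_address(pkt.src) in ip_network(self.src, strict=False)
            if in_src == self.src_negated:   # '!' inverts the source match
                return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate_chain(rules, pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation: the first rule that matches decides.
    In the nat table ACCEPT means 'stop looking, do not NAT'; if nothing
    matches, the chain policy (ACCEPT) applies and the packet is untouched."""
    for rule in rules:
        if rule.matches(pkt):
            return ("DNAT", rule.to) if rule.target == "DNAT" else ("ACCEPT", None)
    return ("POLICY", None)


# The two PREROUTING lines from the thread, in the order Rachmat has them.
ACCEPT_FOR_FIREWALL = Rule("ACCEPT", in_iface="eth0", dst=IPTABLES_BOX,
                           proto="tcp", dport=80)
REDIRECT_TO_SQUID = Rule("DNAT", in_iface="eth0", src=SQUID_BOX, src_negated=True,
                         proto="tcp", dport=80, to=f"{SQUID_BOX}:3128")
PREROUTING = [ACCEPT_FOR_FIREWALL, REDIRECT_TO_SQUID]


def client_web_request_on_eth0():
    """Client -> Internet:80 arriving on eth0: caught by the DNAT line."""
    return evaluate_chain(PREROUTING, Packet("eth0", CLIENT, WEB_SERVER))


def squid_own_fetch_on_eth0():
    """Squid fetching the page itself: excluded by '-s ! squid-box', so no loop."""
    return evaluate_chain(PREROUTING, Packet("eth0", SQUID_BOX, WEB_SERVER))


def client_to_firewall_http():
    """Client -> the firewall's own port 80: the leading ACCEPT keeps it off Squid."""
    return evaluate_chain(PREROUTING, Packet("eth0", CLIENT, IPTABLES_BOX))


def client_to_firewall_http_dnat_first():
    """Same packet with the two lines swapped: now it is sent to Squid instead."""
    return evaluate_chain([REDIRECT_TO_SQUID, ACCEPT_FOR_FIREWALL],
                          Packet("eth0", CLIENT, IPTABLES_BOX))


def client_web_request_on_eth1():
    """Client packet arriving on eth1 (INT_DEV in the script): every rule says
    '-i eth0', so nothing matches and the request is forwarded unredirected."""
    return evaluate_chain(PREROUTING, Packet("eth1", CLIENT, WEB_SERVER))


if __name__ == "__main__":
    for fn in (client_web_request_on_eth0, squid_own_fetch_on_eth0,
               client_to_firewall_http, client_to_firewall_http_dnat_first,
               client_web_request_on_eth1):
        print(f"{fn.__name__:38s} -> {fn()}")
```

Running it prints one verdict per scenario; the last line is the one to compare against a real setup, since a rule that names the wrong ingress interface silently matches nothing and the packet leaves the nat table untouched.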
Received on Thu Jan 10 2008 - 01:50:32 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST