Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 11 Jan 2008 01:45:44 +1300

Rachmat Hidayat Al Anshar wrote:
> I am stuck and confused...
> I have no idea about this...
> I'm trying to configure the iptables with only the following commands
> (with default policy set to ACCEPT)
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128

> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

note:
> - eth0 -> internal device

Try JUST this (one command to a line; I've separated them with blank lines
so wrapping can be seen clearly):

SQUID=10.0.0.0   # or whatever the squid box IP is

iptables -t nat -A PREROUTING -i eth0 ! -s $SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128

iptables -A FORWARD -p tcp --dport 80 -s $SQUID -j ACCEPT

iptables -A FORWARD -p tcp --dport 80 -j REJECT

Amos

>
> My proxy box was ignored...
> I have configured squid with some access control, to block some words, domains, and IPs.
> I tested accessing the web box outside the network, here's the result:
> - the sites were opened successfully
> - when I try adding a "blocked word" (such as "porn")..
> the sites also successfully open the page...
> Squid was ignored...
> What should I do...
> Help me guys...
>
>
> Thanks
> Rachmat Hidayat Al Anshar
>
>
>
>
> ----- Original Message ----
>> From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
>> To: squid cache <squid-users@squid-cache.org>
>> Cc: Chris Zhang <abnamro.chris@gmail.com>
>> Sent: Thursday, January 10, 2008 3:50:24 PM
>> Subject: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>>
>> ----- Original Message ----
>>> From: Chris Zhang
>>> To: Rachmat Hidayat Al Anshar
>>> Sent: Thursday, January 10, 2008 2:12:48 PM
>>> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>>> Hi Rachmat,
>>>
>>>
>>> Did you take that line out and then try it again, and it still
>>> didn't work?
>> Yes I did, I have done it, and the proxy box is still ignored
>>
>>> I don't think you need to recompile Squid, you need to change
>>> /etc/squid.conf file as suggested by the link I pointed to you. More
>>> specifically, make sure you have these lines,
>>>
>>> * httpd_accel_host virtual
>>> * httpd_accel_port 80
>>> * httpd_accel_with_proxy on
>>> * httpd_accel_uses_host_header on
>>>
>> I also finish with it...
>>
>>> Also I am a bit confused with the setup you had there. Does your
>>> squid machine have a public IP? My understanding is that all your
>>> computers that are behind the firewall are NATed, this also includes
>>> your Squid.
>>
>> All of this is deployed at vmware, the virtual environment.
>> There is only an example of a public environment. And you're
>> correct, my squid box is located behind the firewall (which also acts as a nat device).
>>
>>> The idea with a transparent proxy is that you configure all client
>>> computers to use the gateway, on the gateway you have rules which
>>> say if the outgoing port is port 80, and the traffic is coming from
>>> your client machines, redirect those traffic to your Squid machine
>>> on port 3128.
>>>
>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport
>>> 80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in
>>> your case these traffic originate from the clients), and if the
>>> destination port is port 80, protocol is tcp, accept it.
>>
>> Yep, it's correct.
>> ### Squid Transparent Proxy
>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>>
>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>>
>>> But you really want this line 'iptables -t nat -A PREROUTING -i eth0
>>> -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128' which
>>> is the line after the first line.
>>>
>>> The result of having this first line before the second line (iptables
>>> -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT
>>> --to squid-box:3128) is that the second line will never catch any
>>> traffic.
>>>
>>> Please see http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 .
>>> It is exactly what you need.
>>>
>>> Chris
>>>
>>>
>> I have done the following steps on this
>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
>> But my proxy is still ignored. How is it?
>> I'll try it once more...anyway...
>>
>> Thanks
>> Rachmat Hidayat Al Anshar
>>
>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Rachmat Hidayat Al Anshar wrote:
>>>> Hay ho Chris,
>>>> Thanks for replying.
>>>>
>>>> First of all, I have referenced that link, but in another
>>>> discussion forum I found someone out there who says that...
>>>> " The traffic is being caught by the first rule, since the connection
>>>> probably isn't coming from the squid box. Before that rule, you need
>>>> to put in an ACCEPT for http packets aimed at the firewall box:
>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
>>>> --dport 80 -j ACCEPT"..something like that...
>>>> I have been trying many times, and I still can't solve this
>>>> problem.
>>>> Is it about compile options?
>>>> What command do I have to issue to find out what configure
>>>> options squid was compiled with the first time???
>>>> Can we re-compile squid? If so, what should I do?
>>>>
>>>> Thanks in advance
>>>> Rachmat Hidayat Al Anshar
>>>>
>>>>
>>>>
>>>> ----- Original Message ----
>>>>
>>>>> From: Chris Zhang
>>>>> To: Rachmat Hidayat Al Anshar
>>>>> Cc: linux@lists.samba.org
>>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
>>>>> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
>>>>> Hi Rachmat,
>>>>>
>>>>>
>>>>> Maybe you want to try it again without this line
>>>>>
>>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport
>>>>> 80 -j ACCEPT'
>>>>>
>>>>>
>>>>> Also I think you will have to change squid.conf file (see
>>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
>>>>>
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>> Rachmat Hidayat Al Anshar wrote:
>>>>>
>>>>>> Hi all...
>>>>>>
>>>>>> I am doing research deploying a transparent single-homed host proxy
>>>>>> server on my virtual network. My squid box is not on the same box
>>>>>> where the firewall is applied. I have no idea how to set up the
>>>>>> iptables running on the firewall so I can redirect all clients' web
>>>>>> requests to my proxy box, and make it the only host on the network
>>>>>> that may request web services through the firewall to the Internet...???
>>>>>>
>>>>>>
>>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
>>>>>>                                 ^
>>>>>>                                 |
>>>>>>                                 v
>>>>>>                           squid web proxies
>>>>>>
>>>>>> I try to use this following firewall script...
>>>>>>
>>>>>> #!/bin/sh
>>>>>> # Firewall Script
>>>>>> ###############################################################
>>>>>> ### interfaces
>>>>>> EXT_DEV=eth0
>>>>>> INT_DEV=eth1
>>>>>> INT_NET=10.1.1.0/24
>>>>>>
>>>>>> ### Loading firewall modules
>>>>>> modprobe ip_conntrack
>>>>>> modprobe ip_conntrack_ftp
>>>>>>
>>>>>> ###############################################################
>>>>>> ### Enable Packet Forwarding
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>> ### Remove all previous rules, and delete any user defined chains
>>>>>> iptables -F
>>>>>> iptables -X
>>>>>> iptables -t nat -F
>>>>>> iptables -t nat -X
>>>>>>
>>>>>> ### Set the default policies to drop
>>>>>> iptables -P INPUT DROP
>>>>>> iptables -P OUTPUT DROP
>>>>>> iptables -P FORWARD DROP
>>>>>>
>>>>>> ### Loopback device OK
>>>>>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>>>>>>
>>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
>>>>>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
>>>>>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
>>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
>>>>>>
>>>>>> ### Allow all Internal traffic to Server
>>>>>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
>>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
>>>>>>
>>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
>>>>>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
>>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
>>>>>>
>>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection already
>>>>>> ### exists (See "NEW" Inbound Rules)
>>>>>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>>>
>>>>>> ### Squid Transparent Proxy
>>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
>>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>>>>
>>>>>> and the result is:
>>>>>> - clients' web browsers ignore the squid proxy
>>>>>> the http service is directly passing through the firewall
>>>>>>
>>>>>> All response will greatly appreciated.
>>>>>>
>>>>>>
>>>>>> Thanks in advance (^^,)
>>>>>> Rachmat Hidayat Al Anshar
>>>>>>

-- 
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
Received on Thu Jan 10 2008 - 05:45:26 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST
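Added walk-through (not part of the thread, and not Squid's or Amos's code): a small Python model of iptables first-match semantics for the two chains the thread argues about, nat PREROUTING and filter FORWARD. It replays the posted rule pair (the `-d iptables-box ... -j ACCEPT` line followed by the DNAT line) and Amos's three-rule set against a few packets, with the thread's placeholders filled in by constructed addresses (10.1.1.0/24 is INT_NET from the posted script; the firewall, squid, client and web-server addresses are assumed). Two things it makes visible that the prose only argues about: the ACCEPT rule only short-circuits packets whose destination is the firewall itself, so rule order alone does not explain port 80 leaking straight through; and the redirect rules match `-i eth0`, while the posted script defines `EXT_DEV=eth0` and `INT_DEV=eth1` (the later note calls eth0 the internal device), so the walk-through sends the client packet in on each interface in turn. With Amos's trailing `--dport 80 -j REJECT` rule, a packet that escapes the DNAT is refused in FORWARD instead of silently bypassing the proxy; that is the fail-closed check worth keeping. The model ignores `-o`, connection tracking and the POSTROUTING SNAT rule. That SNAT still matters in the real setup: squid sits on the same segment the client traffic arrives from, so without it squid's replies would go straight back to the client rather than through the firewall that did the DNAT, and the client would see an unexpected source address.

```python
# Constructed example: toy first-match model of the iptables chains discussed
# above. Models only -i, -s (with "!" negation), -d, -p and --dport and the
# ACCEPT/DNAT/REJECT/DROP targets; no -o matching and no connection tracking.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed addresses standing in for the thread's placeholders.
LOCAL_NET = "10.1.1.0/24"   # local-network (INT_NET in the posted script)
FIREWALL = "10.1.1.1"       # iptables-box, its inside address
SQUID = "10.1.1.2"          # squid-box
CLIENT = "10.1.1.50"        # a client behind the firewall
WEB = "203.0.113.10"        # an external web server (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT, DNAT, REJECT or DROP
    in_if: Optional[str] = None    # -i
    src: Optional[str] = None      # -s; a leading "!" means "-s ! addr"
    dst: Optional[str] = None      # -d
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    to: Optional[str] = None       # --to ip:port (DNAT only)


def _addr_match(spec: Optional[str], addr: str) -> bool:
    """Match one address against a host/network spec, honouring '!' negation."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("!").strip(), strict=False)
    return (ip_address(addr) in net) != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.in_if in (None, pkt.in_if)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def run_chain(rules: List[Rule], pkt: Packet, policy: str) -> Tuple[str, Packet]:
    """Walk a chain top to bottom; the first matching rule ends the walk."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.target == "DNAT":
                ip, port = rule.to.rsplit(":", 1)
                return "DNAT", Packet(pkt.in_if, pkt.src, ip, pkt.proto, int(port))
            return rule.target, pkt
    return policy, pkt


def trace(prerouting: List[Rule], forward: List[Rule], pkt: Packet,
          forward_policy: str = "ACCEPT") -> Tuple[str, str, str]:
    """nat PREROUTING runs before routing, so FORWARD sees the DNAT'd destination."""
    nat_verdict, routed = run_chain(prerouting, pkt, "ACCEPT")
    fwd_verdict, _ = run_chain(forward, routed, forward_policy)
    return nat_verdict, "%s:%d" % (routed.dst, routed.dport), fwd_verdict


def posted_rules() -> Tuple[List[Rule], List[Rule]]:
    """The '### Squid Transparent Proxy' lines from the thread, placeholders filled in."""
    prerouting = [
        Rule("ACCEPT", in_if="eth0", dst=FIREWALL, proto="tcp", dport=80),
        Rule("DNAT", in_if="eth0", src="!" + SQUID, proto="tcp", dport=80,
             to=SQUID + ":3128"),
    ]
    forward = [  # the original rule's -o eth0 is not modelled
        Rule("ACCEPT", in_if="eth0", src=LOCAL_NET, dst=SQUID, proto="tcp", dport=3128),
    ]
    return prerouting, forward


def suggested_rules() -> Tuple[List[Rule], List[Rule]]:
    """Amos's three rules: redirect everyone but squid, let squid out, refuse the rest."""
    prerouting = [
        Rule("DNAT", in_if="eth0", src="!" + SQUID, proto="tcp", dport=80,
             to=SQUID + ":3128"),
    ]
    forward = [
        Rule("ACCEPT", src=SQUID, proto="tcp", dport=80),
        Rule("REJECT", proto="tcp", dport=80),
    ]
    return prerouting, forward


def walk() -> Dict[str, Tuple[str, str, str]]:
    """Replay a few packets through both rule sets; keys name the case."""
    p_pre, p_fwd = posted_rules()
    s_pre, s_fwd = suggested_rules()
    client_fw = Packet("eth0", CLIENT, FIREWALL)
    client_web_eth0 = Packet("eth0", CLIENT, WEB)
    client_web_eth1 = Packet("eth1", CLIENT, WEB)  # INT_DEV in the posted script
    squid_web = Packet("eth0", SQUID, WEB)
    return {
        # the ACCEPT line only short-circuits traffic aimed at the firewall itself
        "posted/client->firewall": trace(p_pre, p_fwd, client_fw),
        "posted/client->web on eth0": trace(p_pre, p_fwd, client_web_eth0),
        # nothing arriving on eth1 ever hits a rule with -i eth0: straight through
        "posted/client->web on eth1": trace(p_pre, p_fwd, client_web_eth1),
        "suggested/client->web on eth0": trace(s_pre, s_fwd, client_web_eth0),
        # same miss, but the trailing REJECT refuses it instead of letting it bypass
        "suggested/client->web on eth1": trace(s_pre, s_fwd, client_web_eth1),
        "suggested/squid->web": trace(s_pre, s_fwd, squid_web),
    }


if __name__ == "__main__":
    for case, (nat, dest, fwd) in walk().items():
        print("%-32s nat=%-6s dest=%-18s forward=%s" % (case, nat, dest, fwd))
```

Running the block prints one line per case; the "on eth1" rows are the ones to compare: the posted set forwards the untouched port-80 packet (the symptom reported in the thread), the suggested set rejects it. In a real deployment the equivalent check is `iptables -t nat -L PREROUTING -v -n` after a client request: if the DNAT rule's packet counter stays at zero, the match (interface, source, port) is wrong, not Squid.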