Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy

From: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@dont-contact.us>
Date: Sun, 13 Jan 2008 19:51:38 -0800 (PST)

Hi Jeffries...

Your thought was incorrect, I still got that message somehow.
The commands:

iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128

iptables -A FORWARD -s $SQUID --dport 80 -j ACCEPT

I am using the squid that comes (by default) with Trustix Secure Linux 3.0.
I am thinking about...
- Do I have to recompile the kernel to suit my needs?
- These command lines

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

are applied to the firewall box only. Will the squid box "understand" that it has to send all web services
(generated by clients and redirected by the firewall box) back to the firewall and vice versa??? Is there nothing
to be done on the squid box for this task?

- I don't know why this transparent proxy has become so difficult, what should I do guys???

Thanks in advance
Rachmat Hidayat Al Anshar

----- Original Message ----
> From: Amos Jeffries <squid3@treenet.co.nz>
> To: Rachmat Hidayat Al Anshar <rachmat_hidayat_03@yahoo.com>
> Cc: squid cache <squid-users@squid-cache.org>
> Sent: Friday, January 11, 2008 10:06:02 AM
> Subject: Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
>
> Rachmat Hidayat Al Anshar wrote:
> > Hi Amos...
> >
> > Mmmm...it's giving feedback after I issue " iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT"
> > it says "unknown arg --dport", maybe the FORWARD chain can't proceed without any other
> > switch (parameter)...
>
> Hmm, arg. I think after a closer look all I can think of is I got the
> parameter order wrong :-(
> It should probably be -s then --dport
>
> Sorry
> Amos
>
> >
> > Thanks
> > Rachmat Hidayat Al Anshar
> >
> >
> > ----- Original Message ----
> >> From: Amos Jeffries
> >> To: Rachmat Hidayat Al Anshar
> >> Cc: squid cache
> >> Sent: Thursday, January 10, 2008 7:45:44 PM
> >> Subject: Re: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>
> >> Rachmat Hidayat Al Anshar wrote:
> >>> I am stuck and confused...
> >>> I have no idea about this...
> >>> I am trying to configure the iptables with only the following commands
> >>> (with default policy set to ACCEPT)
> >>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>
> >>> note:
> >>> - eth0 -> internal device
> >>
> >> Try JUST this (one command to a line, I've split them so wrapping can
> >> be seen clearly):
> >>
> >> SQUID=10.0.0.0 - or whatever the squid box IP is.
> >>
> >> iptables -t nat -A PREROUTING -i eth0 -s !$SQUID -p tcp --dport 80 -j DNAT --to $SQUID:3128
> >>
> >> iptables -A FORWARD --dport 80 -s $SQUID -j ACCEPT
> >>
> >> iptables -A FORWARD --dport 80 -j REJECT
> >>
> >>
> >> Amos
> >>
> >>> My proxy box was ignored...
> >>> I have configured squid with some access control, to block some words, domains, and IPs.
> >>> I tested accessing a web box outside the network, here's the result:
> >>> - the sites were opened successfully
> >>> - when I tried adding a "blocked word" (such as "porn")..
> >>> the sites also successfully open the page...
> >>> Squid was ignored...
> >>> What should I do...
> >>> Help me guys...
> >>>
> >>>
> >>> Thanks
> >>> Rachmat Hidayat Al Anshar
> >>>
> >>>
> >>>
> >>>
> >>> ----- Original Message ----
> >>>> From: Rachmat Hidayat Al Anshar
> >>>> To: squid cache
> >>>> Cc: Chris Zhang
> >>>> Sent: Thursday, January 10, 2008 3:50:24 PM
> >>>> Subject: [squid-users] Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>> ----- Original Message ----
> >>>>> From: Chris Zhang
> >>>>> To: Rachmat Hidayat Al Anshar
> >>>>> Sent: Thursday, January 10, 2008 2:12:48 PM
> >>>>> Subject: Re: [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>>> Hi Rachmat,
> >>>>>
> >>>>>
> >>>>> Did you take that line out and then tried it again and it still
> >>>>> didn't work?
> >>>> Yes I did, I have done that, and the proxy box is still ignored
> >>>>
> >>>>> I don't think you need to recompile Squid, you need to change
> >>>>> /etc/squid.conf file as suggested by the link I pointed to you. More
> >>>>> specifically, make sure you have these lines,
> >>>>>
> >>>>> * httpd_accel_host virtual
> >>>>> * httpd_accel_port 80
> >>>>> * httpd_accel_with_proxy on
> >>>>> * httpd_accel_uses_host_header on
> >>>>>
> >>>> I have also finished with that...
> >>>>
> >>>>> Also I am a bit confused with the setup you had there. Does your
> >>>>> squid machine have a public IP? My understanding is that all your
> >>>>> computers that are behind the firewall are NATed, this also includes
> >>>>> your Squid.
> >>>>
> >>>> All of this is deployed on vmware, the virtual environment.
> >>>> It is only an example of a public environment. And you're
> >>>> correct, my squid box is located behind the firewall (which also acts as the
> >>>> NAT device).
> >>>>> The idea with a transparent proxy is that you configure all client
> >>>>> computers to use the gateway, on the gateway you have rules which say if
> >>>>> the outgoing port is port 80, and the traffic is coming from your client
> >>>>> machines, redirect that traffic to your Squid machine on port 3128.
> >>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport
> >>>>> 80 -j ACCEPT' is saying if the traffic is going INTO the gateway (in
> >>>>> your case this traffic originates from the clients), and if the
> >>>>> destination port is port 80, protocol is tcp, accept it.
> >>>>
> >>>> Yep, it's correct.
> >>>> ### Squid Transparent Proxy
> >>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>>>
> >>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>>
> >>>>> But you really want this line 'iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport
> >>>>> 80 -j DNAT --to squid-box:3128' which is the line after the first line.
> >>>>> The result of having this first line before the second line (iptables
> >>>>> -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT
> >>>>> --to squid-box:3128 ) is that the second line will never catch any
> >>>>> traffic. Please see
> >>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 . It
> >>>>> is exactly what you need.
> >>>>> Chris
> >>>>>
> >>>>>
> >>>> I have done the following steps on
> >>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6
> >>>> But my proxy is still ignored. How is it?
> >>>> I'll try it once more...anyway...
> >>>>
> >>>> Thanks
> >>>> Rachmat Hidayat Al Anshar
> >>>>
> >>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>> Hay ho Chris,
> >>>>>> Thanks for replying.
> >>>>>>
> >>>>>> First of all, I have referred to that link, but in another discussion
> >>>>>> forum I found someone out there who says that...
> >>>>>> " The traffic is being caught by the first rule, since the connection
> >>>>>> probably isn't coming from the squid box. Before that rule, you need
> >>>>>> to put in an ACCEPT for http packets aimed at the firewall box:
> >>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
> >>>>>> --dport 80 -j ACCEPT"..something like that...
> >>>>>> I have been trying many times, and I still can't solve this problem.
> >>>>>> Is it about compiling options?
> >>>>>> What command do I have to issue to find out what configure
> >>>>>> options squid used when it was compiled the first time???
> >>>>>> Can we re-compile squid? If so, what should I do?
> >>>>>>
> >>>>>> Thanks in advance
> >>>>>> Rachmat Hidayat Al Anshar
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message ----
> >>>>>>
> >>>>>>> From: Chris Zhang
> >>>>>>> To: Rachmat Hidayat Al Anshar
> >>>>>>> Cc: linux@lists.samba.org
> >>>>>>> Sent: Wednesday, January 9, 2008 7:11:46 PM
> >>>>>>> Subject: Re: [clug] [help] setting up firewall policy for transparent (single-homed host) proxy
> >>>>>>> Hi Rachmat,
> >>>>>>>
> >>>>>>>
> >>>>>>> Maybe you want to try it again without this line
> >>>>>>>
> >>>>>>> 'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'
> >>>>>>>
> >>>>>>> Also I think you will have to change squid.conf file (see
> >>>>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
> >>>>>>>
> >>>>>>>
> >>>>>>> Chris
> >>>>>>>
> >>>>>>>
> >>>>>>> Rachmat Hidayat Al Anshar wrote:
> >>>>>>>
> >>>>>>>> Hi all...
> >>>>>>>>
> >>>>>>>> I am doing research on deploying a transparent single-homed host proxy
> >>>>>>>> server on my virtual network. My squid box is not on the same box
> >>>>>>>> where the firewall is applied. I didn't have any idea how to set up the
> >>>>>>>> iptables running on the firewall, so I can redirect all clients' web
> >>>>>>>> requests to my proxy box, and make it the only host on the network
> >>>>>>>> that may request web services through the firewall to the Internet...???
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
> >>>>>>>>                                 ^
> >>>>>>>>                                 |
> >>>>>>>>                                 v
> >>>>>>>>
> >>>>>>>>                             squid web
> >>>>>>>>                              proxies
> >>>>>>>>
> >>>>>>>> I tried to use the following firewall script...
> >>>>>>>>
> >>>>>>>> #!/bin/sh
> >>>>>>>> # Firewall Script
> >>>>>>>> ###############################################################
> >>>>>>>> ### interfaces
> >>>>>>>> EXT_DEV=eth0
> >>>>>>>> INT_DEV=eth1
> >>>>>>>> INT_NET=10.1.1.0/24
> >>>>>>>>
> >>>>>>>> ### Loading firewall modules
> >>>>>>>> modprobe ip_conntrack
> >>>>>>>> modprobe ip_conntrack_ftp
> >>>>>>>>
> >>>>>>>> ###############################################################
> >>>>>>>> ### Enable Packet Forwarding
> >>>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>>>>>
> >>>>>>>> ### Remove all previous rules, and delete any user defined chains
> >>>>>>>> iptables -F
> >>>>>>>> iptables -X
> >>>>>>>> iptables -t nat -F
> >>>>>>>> iptables -t nat -X
> >>>>>>>>
> >>>>>>>> ### Set the default policies to drop
> >>>>>>>> iptables -P INPUT DROP
> >>>>>>>> iptables -P OUTPUT DROP
> >>>>>>>> iptables -P FORWARD DROP
> >>>>>>>>
> >>>>>>>> ### Loopback device OK
> >>>>>>>> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>>>> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> >>>>>>>> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>>>> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> >>>>>>>> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Allow all Internal traffic to Server
> >>>>>>>> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>>>> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### OUTBOUND Rule: Allow ALL packets out the external device
> >>>>>>>> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> >>>>>>>> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> >>>>>>>> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>>>> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>>>>>>
> >>>>>>>> ### Squid Transparent Proxy
> >>>>>>>> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> >>>>>>>> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> >>>>>>>> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> >>>>>>>> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> >>>>>>>>
> >>>>>>>> and the result is:
> >>>>>>>> - client's web browser ignores the squid proxy
> >>>>>>>> the http service is directly passing through the firewall
> >>>>>>>>
> >>>>>>>> All responses will be greatly appreciated.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thanks in advance (^^,)
> >>>>>>>> Rachmat Hidayat Al Anshar
> >>>>>>>>
> >> --
> >> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> >> There are serious security advisories out on all earlier releases.
>
> --
> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.
>
>

Received on Sun Jan 13 2008 - 20:51:52 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST