[clug] [help] setting up firewall policy for transparent
(single-homed host) proxy
Rachmat Hidayat Al Anshar
rachmat_hidayat_03 at yahoo.com
Wed Jan 9 06:24:22 GMT 2008
var YAHOO = {'Shortcuts' : {}};
YAHOO.Shortcuts.hasSensitiveText = false;
YAHOO.Shortcuts.sensitivityType = [];
YAHOO.Shortcuts.doUlt = false;
YAHOO.Shortcuts.location = "us";
YAHOO.Shortcuts.document_id = 0;
YAHOO.Shortcuts.document_type = "";
YAHOO.Shortcuts.document_title = "[help] setting up firewall policy for transparent (single-homed host) proxy";
YAHOO.Shortcuts.document_publish_date = "";
YAHOO.Shortcuts.document_author = "rachmat_hidayat_03 at yahoo.com";
YAHOO.Shortcuts.document_url = "";
YAHOO.Shortcuts.document_tags = "";
YAHOO.Shortcuts.annotationSet = {
"lw_1199853885_0": {
"text": "Yahoo! Mobile",
"extended": 0,
"startchar": 1530,
"endchar": 1542,
"start": 1530,
"end": 1542,
"extendedFrom": "",
"predictedCategory": "ORGANIZATION",
"predictionProbability": "0.679211",
"weight": 0.661212,
"type": ["shortcuts:/us/instance/organization/company/yahoo_property"],
"category": ["ORGANIZATION"],
"context": "friend newshound and know-it-all with Yahoo Mobile Try it now",
"metaData": {
"yprop_name": "Yahoo! Mobile",
"yprop_url": "http://mobile.yahoo.com/"
}
}
};
Hi all...
I am on my research deploying a transparent single-homed host proxy
server on my virtual network. My squid box is not on the same box where the
firewall applied. I didn't have any idea how to set up the iptables running on
the firewall, so I can redirect all client's web request to my proxy box,
and make it as the only host on the network may request web services through
firewall to the Internet...???
INTERNET <---> FIREWALL <---> switch <---> NAT DEV<---> INTRANET
^
|
v
squid web
proxies
I try to use this following firewall script...
#!/bin/sh
# Firewall Script
###############################################################
### interfaces
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=10.1.1.0/24
### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
### Set the default policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Loopback device OK
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
### Allow all Internal traffic to Server
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
and the result is:
- client's web browser ignore the squid proxy
the http service is directly passing through the firewall
All response will greatly appreciated.
Thanks in advance (^^,)
Rachmat Hidayat Al Anshar
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
More information about the linux
mailing list