[clug] [help] setting up firewall policy for transparent (single-homed host) proxy

Rachmat Hidayat Al Anshar rachmat_hidayat_03 at yahoo.com
Wed Jan 9 06:24:22 GMT 2008



Hi all...

I am doing research on deploying a transparent single-homed host proxy
server on my virtual network. My squid box is not the same box where the
firewall is applied. I have no idea how to set up the iptables running on
the firewall so that I can redirect all clients' web requests to my proxy box,
and make it the only host on the network that may request web services through
the firewall to the Internet...???


INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
                                ^
                                |
                                v
                            squid web
                             proxies

I tried to use the following firewall script...

#!/bin/sh
# Firewall Script
###############################################################
### interfaces 
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=10.1.1.0/24

### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

### Set the default policies to drop
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

### Loopback device OK
iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT   -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

### Allow all Internal traffic to Server
iptables -A INPUT  -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT  -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT   -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT

### Squid Transparent Proxy
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

and the result is:
- the client's web browser ignores the squid proxy;
  the http service passes directly through the firewall

All responses will be greatly appreciated.


Thanks in advance (^^,)
Rachmat Hidayat Al Anshar 
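Added example, not part of the original post: one rule set for the topology described above (squid on the internal segment, one NIC), with the interfaces, addresses and port all assumed placeholders. It also restricts outbound port 80 to the proxy host and logs anything else that tries, so bypass attempts are visible.

```shell
#!/bin/sh
# Added example, not the poster's script. Values are assumed placeholders
# for the poster's topology: squid sits on the internal segment, one NIC.
EXT_DEV=${EXT_DEV:-eth0}
INT_DEV=${INT_DEV:-eth1}
INT_NET=${INT_NET:-10.1.1.0/24}
SQUID_IP=${SQUID_IP:-10.1.1.10}    # assumed: address of the squid box
FW_INT_IP=${FW_INT_IP:-10.1.1.1}   # assumed: firewall address on $INT_DEV
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-iptables}               # IPT=echo prints rules instead of loading

# Load these BEFORE any blanket "FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT";
# iptables stops at the first matching rule, so order decides policy.
proxy_rules() {
    # 1. LAN clients' port-80 requests arrive on $INT_DEV, not $EXT_DEV;
    #    a PREROUTING rule that matches the external interface never fires.
    #    Skip squid's own traffic or it would be redirected to itself.
    $IPT -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # 2. Squid and the client share a segment, so squid's reply would go
    #    straight to the client and bypass the NAT state. SNAT to the
    #    firewall forces the reply back through the box to be un-NATed.
    $IPT -t nat -A POSTROUTING -o "$INT_DEV" -s "$INT_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_INT_IP"
    # 3. Replies for any flow the firewall already tracks.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 4. The redirected flow enters and leaves on the same interface.
    $IPT -A FORWARD -i "$INT_DEV" -o "$INT_DEV" -s "$INT_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # 5. Only squid may open port 80 to the Internet; every other internal
    #    host is logged and dropped, so a bypass attempt shows up in syslog.
    $IPT -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$SQUID_IP" \
        -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 80 \
        -j LOG --log-prefix "proxy-bypass: "
    $IPT -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 80 -j DROP
}

case "${1:-}" in
    apply) proxy_rules ;;            # needs root
    show)  IPT=echo; proxy_rules ;;  # dry run: print the rules
esac
```

Run it with `show` first and compare the printed rules against `iptables -t nat -L PREROUTING -v` after applying; the DNAT counter should increase when a client browses.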