[clug] [help] setting up firewall policy for transparent (single-homed host) proxy

Chris Zhang abnamro.chris at gmail.com
Wed Jan 9 12:11:46 GMT 2008


Hi Rachmat,


Maybe you want to try it again without this line


'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT'


Also I think you will have to change squid.conf file (see 
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )


Chris


Rachmat Hidayat Al Anshar wrote:
>
> Hi all...
>
> I am doing research on deploying a transparent single-homed host proxy
>  server on my virtual network. My squid box is not on the same box where the
>  firewall is applied.  I don't have any idea how to set up the iptables running on
>  the firewall so I can redirect all clients' web requests to my proxy box,
>  and make it the only host on the network that may request web services through
>  the firewall to the Internet...???
>
>
> INTERNET <---> FIREWALL <---> switch <---> NAT DEV <---> INTRANET
>                                  ^
>                                  |
>                                  v
>                             squid web
>                              proxies
>
> I try to use this following firewall script...
>
> #!/bin/sh
> # Firewall Script
> ###############################################################
> ### interfaces 
> EXT_DEV=eth0
> INT_DEV=eth1
> INT_NET=10.1.1.0/24
>
> ### Loading firewall modules
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> ###############################################################
> ### Enable Packet Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ### Remove all previous rules, and delete any user defined chains
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
>
> ### Set the default policies to drop
> iptables -P INPUT   DROP
> iptables -P OUTPUT  DROP
> iptables -P FORWARD DROP
>
> ### Loopback device OK
> iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>
> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> iptables -A INPUT   -p icmp --icmp-type any -j ACCEPT
> iptables -A OUTPUT  -p icmp --icmp-type any -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
>
> ### Allow all Internal traffic to Server
> iptables -A INPUT  -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
>
> ### OUTBOUND Rule: Allow ALL packets out the external device
> iptables -A OUTPUT  -o $EXT_DEV -j ACCEPT
> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
>
> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> iptables -A INPUT   -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ### Squid Transparent Proxy
> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
> and the result is:
> - the client's web browser ignores the squid proxy;
>   the http service passes directly through the firewall
>
> All responses will be greatly appreciated.
>
>
> Thanks in advance (^^,)
> Rachmat Hidayat Al Anshar 
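
Added example (not from either poster): the rules below follow the "squid on a separate box" layout from section 2.3 of the linked TransparentProxy document and fix the three things in the posted script that stop the redirect from working: the LAN traffic arrives on the internal interface (eth1 in the script), not eth0; the negation syntax is `! -s`, not `-s !`; and squid's replies must be SNATed back through the firewall, otherwise the client discards them. It also restricts outbound web traffic to the squid box only, which the posted blanket FORWARD ACCEPT did not. The addresses 10.1.1.1 (firewall LAN side) and 10.1.1.2 (squid box) are assumed; set IPT=echo to print the rules without applying them.

```shell
#!/bin/sh
# Added example, not the original poster's script. All addresses are assumed.
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=10.1.1.0/24
FW_INT_IP=10.1.1.1              # firewall's address on $INT_DEV (assumed)
SQUID_IP=10.1.1.2               # squid box on the internal LAN (assumed)
SQUID_PORT=3128

squid_redirect_rules() {
    # 1. Client web traffic enters on the INTERNAL interface, so the DNAT
    #    matches $INT_DEV (the posted script matched eth0, the Internet side).
    #    Squid's own traffic is excluded with the current '! -s' syntax.
    $IPT -t nat -A PREROUTING -i "$INT_DEV" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # 2. The redirected packet leaves through the interface it came in on.
    #    Without SNAT, squid answers the client directly and the client drops
    #    a reply it never asked squid for; SNAT to the firewall's LAN address
    #    makes squid send the reply back via the firewall, which un-NATs it.
    $IPT -t nat -A POSTROUTING -o "$INT_DEV" -s "$INT_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_INT_IP"
    # 3. Allow the hairpinned LAN -> squid flow through the FORWARD chain.
    $IPT -A FORWARD -i "$INT_DEV" -o "$INT_DEV" -s "$INT_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

outbound_web_rules() {
    # Only the squid box may open web connections to the Internet. These rules
    # must come before (or replace) the posted 'FORWARD -i eth1 -o eth0 -j ACCEPT',
    # which otherwise lets every LAN host bypass the proxy.
    $IPT -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$SQUID_IP" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$INT_NET" \
        -p tcp -m multiport --dports 80,443 -j DROP
}

# Apply only when asked explicitly, so the file can be sourced for review.
if [ "${1:-}" = "apply" ]; then
    squid_redirect_rules
    outbound_web_rules
fi
```

On the squid box itself, http_port must be put in interception mode as the linked document describes (`transparent` on squid 2.6, `intercept` on 3.1 and later), or squid rejects the redirected requests.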
