[clug] [help] setting up firewall policy for
transparent (single-homed host) proxy
Chris Zhang
abnamro.chris at gmail.com
Wed Jan 9 12:11:46 GMT 2008
Hi Rachmat,
Maybe you want to try it again without this line
'iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80
-j ACCEPT'
Also I think you will have to change squid.conf file (see
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 )
Chris
Rachmat Hidayat Al Anshar wrote:
> var YAHOO = {'Shortcuts' : {}};
> YAHOO.Shortcuts.hasSensitiveText = false;
> YAHOO.Shortcuts.sensitivityType = [];
> YAHOO.Shortcuts.doUlt = false;
> YAHOO.Shortcuts.location = "us";
> YAHOO.Shortcuts.document_id = 0;
> YAHOO.Shortcuts.document_type = "";
> YAHOO.Shortcuts.document_title = "[help] setting up firewall policy for transparent (single-homed host) proxy";
> YAHOO.Shortcuts.document_publish_date = "";
> YAHOO.Shortcuts.document_author = "rachmat_hidayat_03 at yahoo.com";
> YAHOO.Shortcuts.document_url = "";
> YAHOO.Shortcuts.document_tags = "";
> YAHOO.Shortcuts.annotationSet = {
> "lw_1199853885_0": {
> "text": "Yahoo! Mobile",
> "extended": 0,
> "startchar": 1530,
> "endchar": 1542,
> "start": 1530,
> "end": 1542,
> "extendedFrom": "",
> "predictedCategory": "ORGANIZATION",
> "predictionProbability": "0.679211",
> "weight": 0.661212,
> "type": ["shortcuts:/us/instance/organization/company/yahoo_property"],
> "category": ["ORGANIZATION"],
> "context": "friend newshound and know-it-all with Yahoo Mobile Try it now",
> "metaData": {
> "yprop_name": "Yahoo! Mobile",
> "yprop_url": "http://mobile.yahoo.com/"
> }
> }
> };
>
> Hi all...
>
> I am on my research deploying a transparent single-homed host proxy
> server on my virtual network. My squid box is not on the same box where the
> firewall applied. I didn't have any idea how to set up the iptables running on
> the firewall, so I can redirect all client's web request to my proxy box,
> and make it as the only host on the network may request web services through
> firewall to the Internet...???
>
>
> INTERNET <---> FIREWALL <---> switch <---> NAT DEV<---> INTRANET
> ^
> |
> v
>
> squid web
> proxies
>
> I try to use this following firewall script...
>
> #!/bin/sh
> # Firewall Script
> ###############################################################
> ### interfaces
> EXT_DEV=eth0
> INT_DEV=eth1
> INT_NET=10.1.1.0/24
>
> ### Loading firewall modules
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> ###############################################################
> ### Enable Packet Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ### Remove all previous rules, and delete any user defined chains
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
>
> ### Set the default policies to drop
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> ### Loopback device OK
> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>
> ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
>
> ### Allow all Internal traffic to Server
> iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
> iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
>
> ### OUTBOUND Rule: Allow ALL packets out the external device
> iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
> iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
>
> ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
> iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ### Squid Transparent Proxy
> iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
> and the result is:
> - client's web browser ignore the squid proxy
> the http service is directly passing through the firewall
>
> All response will greatly appreciated.
>
>
> Thanks in advance (^^,)
> Rachmat Hidayat Al Anshar
>
> Be a better friend, newshound, and
> know-it-all with Yahoo! Mobile. Try it now.
>
>
>
>
>
>
>
> ____________________________________________________________________________________
> Never miss a thing. Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
>
More information about the linux
mailing list