From: ken scott <kscott9@triad.rr.com>
To: netfilter@lists.netfilter.org
Cc: Dimitar Katerinski <train@bofh.bg>
Subject: Re: Transparent proxy single machine question
Date: Sat, 26 Jun 2004 20:52:22 -0400
Message-ID: <1088297542.4717.29.camel@Kenslinux>
In-Reply-To: <40DDFBD1.2090700@bofh.bg>

On Sat, 2004-06-26 at 18:42, Dimitar Katerinski wrote:

> Hello Ken,
> 
> Ah, just now I understand that this is a workstation with some users, 
> and squid and DG running on this machine. Okay, I did some tests and 
> came up with a solution ;-)
> You can't redirect packets that originate from the machine itself to some 
> other local port (as far as I know). Maybe you can play with the 
> CONFIG_IP_NF_NAT_LOCAL option in the kernel, but as I understand it, it 
> lets you use destination NAT on connections originating from local 
> processes on the NAT box itself, but that is not what we are looking for. So
> here is what you can do:
> 
> 1. Leave the proxy setting as is in the browser properties (127.0.0.1:8181)
> 2. Allow outgoing requests to port 80 only for the UID that squid is 
> running under.
> iptables -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 80 -j DROP
> This rule can be more flexible, but I leave this to you, I hope you get 
> the idea.
> 3. And finally test, whether you can make requests as user with and 
> without proxy set in the browser.
> 
Dimitar,

Success!! (at least mostly.)  Thanks greatly for your assistance.
I used WEBMIN firewall module to build the following rule:
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j DROP

case 1- User requests (with browser set to no proxy) time out after
about a minute.    [Desired outcome except timeout takes a long time]
case 2- User requests (with browser proxy set to the Dansguardian 8181
port) work fine.  [Desired outcome]
case 3- User requests (with browser proxy set to the Squid 3128 port)
also work fine.  [Not desired since webfiltering is bypassed]

So three things remain:
1) Newbie question - How do I edit/change the iptables rules directly,
without requiring webmin?  (I can print them out with the iptables-save
command)
2) Can I get the request reject/timeout to occur more quickly?
3) Can I close the loophole of someone pointing their browser to the
squid port (rather than the dg port)?

Thanks again!!
Ken
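The following script is an added example, not code from either poster: it emits the OUTPUT-chain rules discussed in this thread (owner match restricting outbound port 80 to squid's uid) and, as an extension beyond what the thread states, a second rule that only lets the DansGuardian uid reach squid's listening port, so a browser pointed straight at 3128 is refused. It assumes the daemon user names "squid" and "dansguardian" and the squid port 3128; the names are assumptions and overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables commands for the
# single-machine proxy setup discussed above; with APPLY=1 (as root) it runs them.
# ASSUMED names: squid runs as uid "squid", DansGuardian as uid "dansguardian".
# Check with:  ps -o user= -C squid ; ps -o user= -C dansguardian
SQUID_USER=${SQUID_USER:-squid}
DG_USER=${DG_USER:-dansguardian}
SQUID_PORT=${SQUID_PORT:-3128}

# Rule from the thread: only squid's uid may open outbound TCP port 80.
# Ken's version used DROP, which is why a no-proxy browser hangs for about a
# minute; REJECT with a TCP reset makes the browser fail immediately instead.
proxy_only_rules() {
    printf '%s\n' \
      "iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $SQUID_USER -j REJECT --reject-with tcp-reset"
}

# Extension (not stated in the thread): only the DansGuardian uid may connect
# to squid's port over loopback, closing the "point the browser at 3128" gap.
# Scope is the local machine only (-o lo); remote clients are not addressed here.
squid_lockdown_rules() {
    printf '%s\n' \
      "iptables -A OUTPUT -o lo -p tcp --dport $SQUID_PORT -m owner ! --uid-owner $DG_USER -j REJECT --reject-with tcp-reset"
}

all_rules() {
    proxy_only_rules
    squid_lockdown_rules
}

# Default is a dry run that prints the commands. APPLY=1 executes them.
# Once applied, `iptables-save > /etc/iptables.rules` records the ruleset and
# `iptables-restore < /etc/iptables.rules` reloads it without Webmin.
if [ "${APPLY:-0}" = 1 ]; then
    all_rules | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
else
    all_rules
fi
```

Verify the result with `iptables -L OUTPUT -v -n` and by repeating the three browser cases from the message above; case 1 should now fail instantly and case 3 should be refused.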