* masquerading and access
@ 2002-10-30  7:02 Payal
  2002-10-30  9:24 ` Antony Stone
  2002-10-30  9:36 ` R. Sterenborg
  0 siblings, 2 replies; 4+ messages in thread
From: Payal @ 2002-10-30  7:02 UTC (permalink / raw)
  To: netfilter

Hi,
	I want to implement a masquerading proxy (I hope I am clear
here) on a network of 50 machines. Out of these, only 25 machines, say
192.168.0.1-192.168.0.25, need to connect to the net. Squid will be the
caching proxy.
I just want to know whether I have to put a rule as:

1. #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Then I redirect all requests to port 80 to port 3128 of squid.
Then I make the necessary acl changes in squid.conf to allow only
192.168.0.1-192.168.0.25.
And then for ftp I put iptables ACCEPT rules for these IPs in the iptables ruleset
and block the rest.
				OR

2. #iptables -t nat -A POSTROUTING -s 192.168.0.1/xx -j MASQUERADE
Will this rule do? Also, what do I put in place of xx to allow
192.168.0.1-192.168.0.25? I will also have to put port redirection of
80 to 3128 and use the squid access list.

Can someone tell me which of the solutions I should implement and whether they
are right?

Thanks a lot in advance and bye.
-Payal

* Re: masquerading and access
  2002-10-30  7:02 masquerading and access Payal
@ 2002-10-30  9:24 ` Antony Stone
  2002-10-30  9:36 ` R. Sterenborg
  1 sibling, 0 replies; 4+ messages in thread
From: Antony Stone @ 2002-10-30  9:24 UTC (permalink / raw)
  To: netfilter

On Wednesday 30 October 2002 7:02 am, Payal wrote:

> Hi,
> 	I want to implement a masquerading proxy ( I hope I am clear
> here )

Not quite, no :-)

Masquerading is a technique for forwarding packets *through* a machine which 
has a public IP address, from a bunch of machines with private IP addresses, 
such that the source address on the packets is changed to the public IP, so 
that replies can get back again.

Proxying is the use of a single machine acting as a combined server and 
client to accept requests, decide whether to allow them or not, and then to 
generate new requests which go out to the Internet. Proxies do not forward 
packets; they generate new ones, with the source address of the proxy machine.

Therefore depending on where you propose to put a proxy server, these two 
might accomplish a similar objective, but they're certainly different as far 
as the flow of packets is concerned (which is where netfilter comes in).

> Squid will be the caching proxy.

Okay, in that case you definitely do mean a proxy, the remaining question is 
whether you also mean masquerading, and the answer to that depends on whether 
the Squid server has a public IP address or a private one.

If Squid has a public IP then you do not need to masquerade as well.

If Squid has a private IP then you do need to masquerade as well.

> I just want to know whether I have to put a rule as,
>
> 1. #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Are you trying to send packets *through* the box this rule would be running 
on?

If this *is* the box running Squid, then the answer may be no, although you 
have to think about things other than http here, such as DNS, SMTP, POP3, 
which you may still want to forward directly from internal clients to the 
Internet?

> Then I redirect all request to port 80 to port 3128 of squid
> Then I make necessary acl changes in squid.conf to allow only
> 192.168.0.1-192.168.0.25.

Those rules sound good.

> And then for ftp I put  iptables ACCEPT rules for these ips in iptables
> ruleset and block rest.
> 				OR
>
> 2. #iptables -t nat -A POSTROUTING -s 192.168.0.1/xx -j MASQUERADE
> Will this rule do? Also what to put in place of xx for allowing
> 192.168.0.1-192.168.0.25.

There is no xx which will do that range for you.

/28 will give you 192.168.0.0-192.168.0.15
/27 will give you 192.168.0.0-192.168.0.31

You can't do anything between those ranges in a single rule.

Do you have other machines in 192.168.0.0 addresses which you do not want to 
allow access to Squid, or which you do not want to allow access to the 
Internet?

Antony.

-- 

Having been asked to provide a reference for this man,
I can confidently state that you will be very lucky indeed
if you can get him to work for you.


* RE: masquerading and access
  2002-10-30  7:02 masquerading and access Payal
  2002-10-30  9:24 ` Antony Stone
@ 2002-10-30  9:36 ` R. Sterenborg
  1 sibling, 0 replies; 4+ messages in thread
From: R. Sterenborg @ 2002-10-30  9:36 UTC (permalink / raw)
  To: netfilter

> 	I want to implement a masquerading proxy ( I hope I am clear
> here ) on a network of 50 machines. Out of this only 25 machines say
> 192.168.0.1-192.168.0.25 need to connect to net. Squid will be the
> caching proxy.
> I just want to know whether I have to put a rule as,

Since there's no /xx for your 25 IPs, I'd just REDIRECT everything
sent to port 80 (and 443 and maybe others you might need) to 3128, and
then use squid's acls to restrict access by IP address range, which is
quite easy. That is, if you have the whole /24 netblock for yourself.

# iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128


Rob


* Re: masquerading and access
@ 2002-10-30 17:42 Payal
  0 siblings, 0 replies; 4+ messages in thread
From: Payal @ 2002-10-30 17:42 UTC (permalink / raw)
  To: netfilter

Hi,
Thanks a lot for the mails. Well, my requirement is simple. I have one
Linux box (connected to the net) and, say, 50 Windows clients. On the Linux box I will put squid,
qmail and dnscache. Now, out of these 50 email clients, only some, i.e.
192.168.0.1-192.168.0.25, need to use the net directly, i.e. browse sites,
ftp outside and use SMTP. The rest just need to use SMTP for email.
Please do not have a picture of a complex setup in mind.

In short,
192.168.0.1-192.168.0.25 --> www, ftp and smtp (which is on, say, 192.168.0.1)
192.168.0.26-192.168.0.50 --> just use SMTP on 192.168.0.1 to send mails
outside, but strictly no other internet access.

Now what rules should I put? I want to use squid as http proxy.
I am still unable to get how you figure out this 192.168.0.0/27 thing. I can
get some help here for this specific problem, but it might cause a
problem if I were to increase/decrease the above ip range a bit. So,
please tell me how to calculate this.

Please also do tell the rules I have to put for masquerading (I need it
for ftp at least, right?)

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is the box which runs squid and is connected to internet.
Any help here please? I think this rule will masquerade for all
machines, then I have to use DROP/REJECT for machines 192.168.0.26
onwards. Is there any better and less clumsy way?

Thanks a lot and bye.
With regards.
-Payal


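The following script is an added example and is not part of the thread or of any reply in it. It works through the three points raised above: Antony's remark that /28 and /27 give 192.168.0.0-.15 and .0-.31 and that no single prefix covers .1-.25, Payal's request for a way to calculate this, and Rob's REDIRECT rule together with the masquerade rules Payal asks for. It assumes (none of this is stated in the thread) that the external interface is eth0, that Squid runs on the same box on port 3128, and that the LAN is 192.168.0.0/24. By default it only echoes the iptables commands; run it with IPT=iptables as root to apply them.

```sh
#!/bin/sh
# Added example, not from the thread: CIDR arithmetic for the 192.168.0.1-25
# question, and a dry-run generator for the iptables rules discussed above.
# Assumed (not stated in the thread): external interface eth0, Squid on this
# same box on port 3128, LAN 192.168.0.0/24. Commands are only echoed unless
# the script is run with IPT=iptables.

# dotted quad -> 32-bit integer
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range NET/PLEN -> "first last"  (192.168.0.0/27 -> 192.168.0.0 192.168.0.31)
cidr_range() {
  mask=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
  base=$(( $(ip2int "${1%/*}") & mask ))
  echo "$(int2ip "$base") $(int2ip $(( base | (~mask & 0xFFFFFFFF) )))"
}

# cidr_cover FIRST LAST -> the minimal list of CIDR blocks covering the range.
# A block must be aligned to its own size, which is why .1-.25 needs six of them.
cidr_cover() {
  cur=$(ip2int "$1"); last=$(ip2int "$2")
  while [ "$cur" -le "$last" ]; do
    plen=32
    while [ "$plen" -gt 0 ]; do
      size=$(( 1 << (33 - plen) ))            # size of the next larger block
      if [ $(( cur % size )) -eq 0 ] && [ $(( cur + size - 1 )) -le "$last" ]; then
        plen=$(( plen - 1 ))                  # still aligned and still inside: grow
      else
        break
      fi
    done
    echo "$(int2ip "$cur")/$plen"
    cur=$(( cur + (1 << (32 - plen)) ))
  done
}

# emit_rules FIRST LAST -> iptables commands for the policy in the thread:
# allowed clients get port 80 redirected to Squid and everything else
# masqueraded; all other LAN hosts are not forwarded at all.
emit_rules() {
  IPT=${IPT:-"echo iptables"}; EXT=eth0; SQUID_PORT=3128
  $IPT -t nat -F
  $IPT -F FORWARD
  $IPT -P FORWARD DROP
  # replies, and FTP data connections once the ftp conntrack/nat helpers
  # (ip_conntrack_ftp/ip_nat_ftp on 2.4, nf_conntrack_ftp/nf_nat_ftp later)
  # are loaded, are accepted by connection state rather than by address
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for block in $(cidr_cover "$1" "$2"); do
    # web traffic goes to the local Squid, whose ACLs can refine access further
    $IPT -t nat -A PREROUTING -s "$block" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # everything else (ftp, ...) is forwarded and masqueraded only for these hosts
    $IPT -A FORWARD -s "$block" -o "$EXT" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$block" -o "$EXT" -j MASQUERADE
  done
  # SMTP to the local qmail is INPUT traffic on this box, so these rules leave it alone
}

cidr_range 192.168.0.0/27
cidr_cover 192.168.0.1 192.168.0.25
emit_rules 192.168.0.1 192.168.0.25
```

Running it prints the six blocks 192.168.0.1/32, .2/31, .4/30, .8/29, .16/29 and .24/31, and one REDIRECT, ACCEPT and MASQUERADE rule per block. That is the cost of a range that is not aligned to a power of two; choosing .0-.31 instead would collapse everything to a single /27 rule. Rob's alternative of one REDIRECT for the whole /24 plus Squid ACLs is equally valid; the per-block form here simply keeps the hosts above .25 from reaching Squid at all.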