From: Bernardo Vieira <bernardo.vieira@terra.com.br>
To: netfilter@lists.netfilter.org
Subject: Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask
Date: Thu, 14 Dec 2006 18:48:38 -0200
Message-ID: <4581B8A6.4080504@terra.com.br>

Hi all!

I need to set up my gateway (netfilter + squid) to allow LAN hosts
direct access to the domain .caixa.gov.br (200.201.160/20). All requests
will go to port 80, tcp on the remote end, but the protocol isn't HTTP.
To achieve this I tried adding the following rules to iptables:

-A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 \
-p tcp --sport 1024:65535 --dport 80 -j ACCEPT

The problem is that packets destined for that rule are still being
grabbed by squid, preventing the Java app from loading:

192.168.1.221 TCP_CLIENT_REFRESH_MISS/404 4244 GET
http://cmt.caixa.gov.br/COM/arx/pw/SlimCli.class - DIRECT/200.201.173.68
text/html

When I saw that I also tried the following squid.conf ACLs to allow
direct connections to the domain, but the problem persists:

acl Caixa dstdomain .caixa.gov.br
always_direct allow Caixa

Can anyone point me in the right direction?

My setup is:

      Internet
          |
+---------+-----------+
|  eth0 (dynamic IP)  |
|  Squid + netfilter  |
|eth1 (192.168.1.1/24)|
+---------+-----------+
          |
        Hosts



kernel version: 2.6.9-10
iptables v1.2.9
Squid Cache: Version 2.5.STABLE6

attached complete squid.conf & iptables rules


[-- Attachment #2: iptables.txt --]

# nat table. PREROUTING runs before the routing decision, so a LAN packet to
# tcp/80 has already been rewritten to 192.168.1.1:3128 (and is delivered
# locally to squid) before any filter/FORWARD rule gets to look at it.
-A PREROUTING -i ! eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE

# filter table: INPUT (traffic addressed to the gateway itself)
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
# everything arriving on the LAN side (including the REDIRECTed port-80 traffic) is accepted here
-A INPUT -i ! eth0 -j ACCEPT
# bogon source addresses on the Internet interface
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 240.0.0.0/240.0.0.0 -i eth0 -j drop-reserved
-A INPUT -d <external ip> -i eth0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d <external ip> -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP

# filter table: FORWARD (traffic routed through the gateway)
# Only packets the nat REDIRECT above did not match reach this chain, and that
# REDIRECT matches every tcp/80 packet from the LAN, so this rule is never hit
# for 200.201.160.0/20.
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -i ! eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP

# filter table: OUTPUT (traffic generated by the gateway, e.g. squid's upstream fetches)
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# unconditional ACCEPT: the two rules after it are never reached
-A OUTPUT -j ACCEPT
-A OUTPUT -s <external ip> -j ACCEPT
-A OUTPUT -o eth0 -j DROP

# user-defined chains (must be created with -N before the rules above reference them)
-A drop-lan -j DROP
-A drop-reserved -j DROP


[-- Attachment #3: squidconf.txt --]

# port the nat REDIRECT rule sends intercepted port-80 traffic to
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
maximum_object_size 4096 KB
cache_dir diskd /mnt/cache/squid 5120 16 256
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl private1 src 192.168.0.0/16
acl private2 src 10.0.0.0/8
acl private3 src 172.16.0.0/12
acl privoxy dstdomain config.privoxy.org
# second "acl SSL_ports port" line appends to the same ACL
acl SSL_ports port 443 563
acl SSL_ports port 81 10000
acl CONNECT method CONNECT
acl Caixa dstdomain .caixa.gov.br
no_cache deny QUERY
http_access allow manager localhost
http_access deny manager
# Safe_ports is referenced here but not defined anywhere in this excerpt
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny privoxy
http_access allow localhost
http_access allow private1
http_access allow private2
http_access allow private3
http_access deny all
http_reply_access allow all
icp_access allow all
reply_body_max_size 0 allow all
cache_effective_user squid
cache_effective_group squid
# Squid 2.5 transparent (intercepting) proxy mode
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# always_direct chooses origin-server fetching over cache peers for matching
# requests; it is evaluated only after squid has already received the request
always_direct allow Caixa
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT

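The ordering problem behind this question, shown as an added example that is not part of the original message or its replies: nat/PREROUTING is traversed before the routing decision, so by the time filter/FORWARD is consulted the port-80 packet has already been rewritten to the gateway's own address on port 3128 and is delivered locally, never reaching FORWARD at all. An exemption therefore has to sit in nat/PREROUTING ahead of the REDIRECT. The toy model below parses only the iptables options the post uses (no connection tracking, no TCP flags), walks a packet through the hooks in kernel order, and compares the posted ruleset against one with a PREROUTING exemption. The external address 203.0.113.7 stands in for the dynamic eth0 address, and the client source port is made up; both are assumptions, as is the reduced ruleset.

```python
"""Toy model of netfilter hook order for the gateway described in the post.

Added example, not code from the message. Parses only the iptables options
the post uses and ignores connection tracking and TCP flags.
"""
import ipaddress
import shlex

GATEWAY_LAN_IP = "192.168.1.1"   # eth1 address from the post's diagram
GATEWAY_EXT_IP = "203.0.113.7"   # assumed stand-in for the dynamic eth0 address

# The post's rules, cut down to the chains a LAN -> Internet packet crosses.
ORIGINAL = """
-A PREROUTING -i ! eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
-A INPUT -i ! eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -i ! eth0 -j ACCEPT
-A FORWARD -j DROP
"""
# Same rules plus an exemption in nat/PREROUTING, placed ahead of the REDIRECT.
FIXED = """
-A PREROUTING -i ! eth0 -d 200.201.160.0/255.255.240.0 -p tcp -m tcp --dport 80 -j ACCEPT
""" + ORIGINAL


def port_range(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse one '-A ...' line into a match/target dict (subset of iptables syntax)."""
    t = shlex.split(line)
    r = dict(chain=None, in_=None, out=None, src=None, dst=None, proto=None,
             sport=None, dport=None, target=None, to_ports=None)
    i = 0
    while i < len(t):
        opt, neg = t[i], False
        if t[i + 1] == "!":                 # old "-i ! eth0" negation (iptables 1.2.x)
            neg, t = True, t[:i + 1] + t[i + 2:]
        val = t[i + 1]
        if opt == "-A": r["chain"] = val
        elif opt == "-i": r["in_"] = (val, neg)
        elif opt == "-o": r["out"] = (val, neg)
        elif opt == "-s": r["src"] = ipaddress.ip_network(val)
        elif opt == "-d": r["dst"] = ipaddress.ip_network(val)
        elif opt == "-p": r["proto"] = val
        elif opt == "--sport": r["sport"] = port_range(val)
        elif opt == "--dport": r["dport"] = port_range(val)
        elif opt == "-j": r["target"] = val
        elif opt == "--to-ports": r["to_ports"] = int(val)
        elif opt != "-m":                   # "-m tcp" only loads the match module
            raise ValueError("unsupported option: " + opt)
        i += 2
    return r


class Packet:
    def __init__(self, in_iface, src, dst, proto, sport, dport):
        self.in_iface, self.out_iface = in_iface, None
        self.src, self.dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        self.proto, self.sport, self.dport = proto, sport, dport


def matches(r, p):
    def iface_ok(spec, actual):             # spec = (name, negated)
        return spec is None or (actual == spec[0]) != spec[1]
    return (iface_ok(r["in_"], p.in_iface) and iface_ok(r["out"], p.out_iface)
            and (r["src"] is None or p.src in r["src"])
            and (r["dst"] is None or p.dst in r["dst"])
            and (r["proto"] is None or p.proto == r["proto"])
            and (r["sport"] is None or r["sport"][0] <= p.sport <= r["sport"][1])
            and (r["dport"] is None or r["dport"][0] <= p.dport <= r["dport"][1]))


def build(text):
    chains = {}
    for line in text.splitlines():
        if line.strip():
            r = parse_rule(line)
            chains.setdefault(r["chain"], []).append(r)
    return chains


def traverse(chains, name, p):
    """Walk one chain in order; return a terminating verdict, or None for chain policy."""
    for r in chains.get(name, []):
        if not matches(r, p):
            continue
        tgt = r["target"]
        if tgt == "REDIRECT":               # DNAT to the address of the receiving interface
            p.dst, p.dport = ipaddress.ip_address(GATEWAY_LAN_IP), r["to_ports"]
            return "ACCEPT"
        if tgt == "MASQUERADE":
            p.src = ipaddress.ip_address(GATEWAY_EXT_IP)
            return "ACCEPT"
        if tgt in ("ACCEPT", "DROP", "REJECT"):
            return tgt
        if tgt == "RETURN":
            return None
        verdict = traverse(chains, tgt, p)  # user-defined chain
        if verdict is not None:
            return verdict
    return None


def route(chains, p):
    """Hooks in kernel order: nat/PREROUTING, routing decision, filter, nat/POSTROUTING."""
    traverse(chains, "PREROUTING", p)       # runs BEFORE routing and before FORWARD
    if str(p.dst) in (GATEWAY_LAN_IP, GATEWAY_EXT_IP):
        verdict = traverse(chains, "INPUT", p) or "ACCEPT"
        return {"hook": "INPUT", "verdict": verdict, "dst": str(p.dst), "dport": p.dport}
    p.out_iface = "eth0"
    verdict = traverse(chains, "FORWARD", p) or "ACCEPT"
    if verdict == "ACCEPT":
        traverse(chains, "POSTROUTING", p)
    return {"hook": "FORWARD", "verdict": verdict, "src": str(p.src),
            "dst": str(p.dst), "dport": p.dport}


def run(rules, dst="200.201.173.68", dport=80):
    """Constructed SYN from the LAN client in the post's log line (source port made up)."""
    return route(build(rules), Packet("eth1", "192.168.1.221", dst, "tcp", 40000, dport))


if __name__ == "__main__":
    print("original:", run(ORIGINAL))      # lands in INPUT on port 3128: squid gets it
    print("fixed:   ", run(FIXED))         # forwarded to port 80 and masqueraded on eth0
```

With the posted rules the packet ends up in INPUT with destination port 3128, which is exactly the squid log line in the message; with the exemption in nat/PREROUTING it reaches FORWARD untouched, matches the poster's FORWARD rule and is masqueraded, while port-80 traffic to any other destination is still intercepted. On the real gateway the equivalent is `iptables -t nat -I PREROUTING 1 -i eth1 -d 200.201.160.0/20 -p tcp --dport 80 -j ACCEPT`, with the rule number chosen so it precedes the REDIRECT.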

Thread overview: 3+ messages
2006-12-14 20:48 Bernardo Vieira [this message]
2006-12-14 21:26 ` Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask Andrew Beverley
2006-12-14 22:06   ` Bernardo Vieira