Linux Netfilter discussions
* Transparent Proxy server
@ 2002-06-05 13:25 Eugene Joubert
  0 siblings, 0 replies; 4+ messages in thread
From: Eugene Joubert @ 2002-06-05 13:25 UTC (permalink / raw)
  To: 'netfilter@lists.samba.org'


Hi,

I have the following scenario: My default policy for INPUT and FORWARD is
drop. My default policy for OUTPUT is ACCEPT.
I am using a transparent proxy server in my firewall rules.
When I try and access the Internet with proxy setting enabled on my browser
I can't get anywhere. When I make the default policy for INPUT ACCEPT my
proxy server settings work....

If I disable my proxy server on my browser, add the necessary rule in my
FORWARD chain I can access the Internet just fine...

My question is this, do you need to allow anything in the INPUT chain if
your default policy is DROP for squid to work?

Thanks in advance....

PS : If you need any other info please let me know




* RE: Transparent Proxy server
@ 2002-06-05 15:25 Omar Castaneda Acosta
  2002-06-05 15:33 ` Ramin Alidousti
  0 siblings, 1 reply; 4+ messages in thread
From: Omar Castaneda Acosta @ 2002-06-05 15:25 UTC (permalink / raw)
  To: Eugene Joubert, netfilter


The Transparent Proxy HOW-TO explains the setup properly
 
http://www.tldp.org/HOWTO/mini/TransparentProxy.html
 
The only rule you need is a REDIRECT, plus access from the local interface
to the outside world on port 80.
 
-----Original Message-----
From: Eugene Joubert [mailto:eugenej@centratel.co.za]
Sent: Wednesday, June 05, 2002 7:26 AM
To: 'netfilter@lists.samba.org'
Subject: Transparent Proxy server
 
Hi, 
I have the following scenario: My default policy for INPUT and FORWARD
is drop. My default policy for OUTPUT is ACCEPT. 
I am using a transparent proxy server in my firewall rules. 
When I try and access the Internet with proxy setting enabled on my
browser I can't get anywhere. When I make the default policy for INPUT
ACCEPT my proxy server settings work....
If I disable my proxy server on my browser, add the necessary rule in my
FORWARD chain I can access the Internet just fine...
My question is this, do you need to allow anything in the INPUT chain if
your default policy is DROP for squid to work? 
Thanks in advance.... 
PS : If you need any other info please let me know 
 


* Re: Transparent Proxy server
  2002-06-05 15:25 Omar Castaneda Acosta
@ 2002-06-05 15:33 ` Ramin Alidousti
  0 siblings, 0 replies; 4+ messages in thread
From: Ramin Alidousti @ 2002-06-05 15:33 UTC (permalink / raw)
  To: Omar Castaneda Acosta; +Cc: Eugene Joubert, netfilter

On Wed, Jun 05, 2002 at 09:25:23AM -0600, Omar Castaneda Acosta wrote:

> The Transparent Proxy HOW-TO explains the setup properly
>  
> http://www.tldp.org/HOWTO/mini/TransparentProxy.html
>  
> the only rule you need is a REDIRECT and access from the local interface
> to the outside world on port 80.

And, as opposed to what Eugene had said "with proxy setting enabled
on my browser", do not enable the proxy setting on your browser,
otherwise it cannot be called _transparent_ proxy ;-)

Ramin


* Transparent Proxy server
@ 2002-06-11 18:46 Hard__warE
  0 siblings, 0 replies; 4+ messages in thread
From: Hard__warE @ 2002-06-11 18:46 UTC (permalink / raw)
  To: netfilter; +Cc: eugenej

OK, I have a transparent proxy server running fine on my firewall / iptables
box.

A transparent proxy is designed for you to NOT have to set your proxy in your
Internet browser.

Have you checked your squid configuration? Here are some options you will
need ...

(This will allow all port 80 traffic to get proxied, as well as an open proxy
for you to establish connections from manually, i.e. go into your ICQ or
Internet browser and set the proxy to use the firewall box on port 3128.)


Copy the script below and modify it to suit your squid configuration.

-------------/etc/squid/squid.conf --Copy From Below This Line---------------

#squid.conf -  a very basic config file for squid

#Turn logging to its lowest level
debug_options ALL,1

#defines a group (or Access Control List) that includes all IP
#addresses
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl allowed_hosts src 172.16.0.0/255.255.0.0

#http_access lines are checked in order and the first match wins, so the
#specific allow/deny lines must come before the final "deny all"
#(otherwise the localhost and manager lines after it are never reached)
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access allow allowed_hosts
http_access deny all

#allow the LAN hosts (and localhost) to use us as a sibling via ICP;
#same first-match ordering, "deny all" last
icp_access allow localhost
icp_access allow allowed_hosts
icp_access deny  all

http_port 3128
httpd_accel_with_proxy on
cache_dir ufs /var/spool/squid 1024 16 256
cache_mem 32 MB
cache_effective_user squid
cache_effective_group squid
visible_hostname cache.dynamicaccess.net
httpd_accel_port 80
httpd_accel_host virtual
no_cache deny manager
httpd_accel_uses_host_header on
dns_nameservers 172.16.0.253
prefer_direct off
ie_refresh off


--------------END of Squid.conf--------------------------------


No other rules are needed unless you don't allow the internal Ethernet
device/IP in INPUT & OUTPUT to talk back to the LAN... make sure you allow
these!

$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


I USE this rule to redirect my web traffic to squid on the same box ...

$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

How do I know it works? Well, do a    /sbin/iptables -L -n -v -t nat

and you will see if the packets have gone through the correct chain ... :D

Have a look ....

Chain PREROUTING (policy ACCEPT 6998 packets, 420K bytes)
 pkts bytes target     prot opt in     out     source               destination
   82  3904 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 redir ports 3128
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:8888 to:172.16.0.111:80
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:8860 to:172.16.0.111:443
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          udp dpt:8860 to:172.16.0.111:443
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.212      tcp to:172.16.0.52
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            192.168.0.212      udp to:172.16.0.52
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.213      tcp to:172.16.0.53
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            192.168.0.213      udp to:172.16.0.53

Chain POSTROUTING (policy ACCEPT 110 packets, 21759 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    172.16.0.52          0.0.0.0/0          to:192.168.0.212
    0     0 SNAT       all  --  *      eth1    172.16.0.53          0.0.0.0/0          to:192.168.0.213
  964 45950 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          to:192.168.0.253
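
The point Eugene's question and Hard__warE's rules turn on, as an added example that is not code from any of the posters: REDIRECT in the nat PREROUTING chain rewrites the destination of the LAN's port-80 packets to the firewall itself, so those connections are delivered locally and traverse INPUT, never FORWARD. With an INPUT policy of DROP, the Squid port therefore has to be accepted explicitly, and the same INPUT rule is what a browser pointed at port 3128 by hand needs. The script below builds that ruleset and, with the dry-run default, only prints the iptables commands (set IPTABLES=/sbin/iptables to apply them); the interface names, LAN prefix and Squid port are assumptions taken from the thread's values, and the small awk helper reads the REDIRECT packet counter out of an iptables -L -n -v -t nat listing, exercised on a constructed sample in the format shown above.

```shell
#!/bin/sh
# Transparent-proxy ruleset for a firewall whose INPUT and FORWARD policies
# are DROP. Added example, not from the original posts. Interface names,
# addresses and the dry-run default are assumptions.
IPTABLES="${IPTABLES:-echo iptables}"   # dry run: prints the rules instead of loading them
INTIF="${INTIF:-eth0}"                  # LAN-facing interface (assumed)
EXTIF="${EXTIF:-eth1}"                  # Internet-facing interface (assumed)
INTNET="${INTNET:-172.16.0.0/16}"       # LAN prefix, matching the squid acl above
SQUID_PORT="${SQUID_PORT:-3128}"

transparent_proxy_rules() {
    # Defaults: nothing enters or is forwarded unless a rule below says so.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Replies to connections the box itself opened (Squid fetching pages),
    # and loopback for Squid's own internal traffic.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # REDIRECT changes the destination of LAN port-80 traffic to this host,
    # so the packets are delivered locally and pass through INPUT, not FORWARD.
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # The rule the thread's question is about: with INPUT DROP, the redirected
    # (or manually proxied) connections must be accepted on the Squid port.
    # Restricting it to the LAN interface keeps the proxy closed to the outside.
    $IPTABLES -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT

    # Everything else from the LAN is still forwarded and masqueraded.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
}

# Reads an `iptables -L -n -v -t nat` listing on stdin and prints the packet
# counter of the first REDIRECT rule, so a script can check the counter grows.
redirect_pkts() {
    awk '$3 == "REDIRECT" { print $1; exit }'
}

# Constructed sample listing (same layout as the real output) for redirect_pkts.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 6998 packets, 420K bytes)
 pkts bytes target     prot opt in     out     source               destination
   82  3904 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

transparent_proxy_rules
printf 'REDIRECT counter in sample listing: %s\n' "$(printf '%s\n' "$SAMPLE_NAT" | redirect_pkts)"
```

Run it once as-is to review the generated rules, then again with IPTABLES=/sbin/iptables as root; afterwards, piping the live listing into redirect_pkts before and after loading a page from a LAN host shows whether the counter moves, which is the same check Hard__warE does by eye.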