Linux Netfilter discussions
* Transparent proxy single machine question
@ 2004-06-26 21:14 ken scott
  0 siblings, 0 replies; 7+ messages in thread
From: ken scott @ 2004-06-26 21:14 UTC (permalink / raw)
  To: netfilter

I am trying to build a single machine that performs web filtering 
(using DansGuardian) for several users.
The box (Morphix/Debian system) will be behind a cable router and has 
five users (kids).
I have DansGuardian and Squid running correctly in normal proxy mode.
The next step is to make the proxy transparent
so that users cannot bypass the DansGuardian/Squid path simply by telling 
their browser to connect directly.
I have looked around and see instructions on this at several places 
(mostly for non-single machine implementations)
and know I need a line something like:

 iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8181

       where 8181 is where Dansguardian is listening.

I also need to configure squid with (I think) :

 http_port 3128     # where squid is listening
 httpd_accel_host virtual
 httpd_accel_port 80
 httpd_accel_with_proxy  on
 httpd_accel_uses_host_header on
 httpd_accel_single_host off

The question is, on a single machine, will this work?  
The part I can't figure out pertains to when Squid finally wants to send out the actual
request to the internet: isn't that a port 80 request that the above iptables rule will
redirect back to DansGuardian??
Please reply-all as I am not quite sure that I have joined the list correctly.
Thanks in advance
Ken S.

Squid 2.4 needs an /additional/ line added:

 httpd_accel_single_host off


* Transparent proxy single machine question
@ 2004-06-26 21:24 ken scott
  2004-06-26 21:51 ` Dimitar Katerinski
  0 siblings, 1 reply; 7+ messages in thread
From: ken scott @ 2004-06-26 21:24 UTC (permalink / raw)
  To: netfilter

I am trying to build a single machine that performs web filtering
(using DansGuardian) for several users.
The box (Morphix/Debian system) will be behind a cable router and has
five users (kids).
I have DansGuardian and Squid running correctly in normal proxy mode.
The next step is to make the proxy transparent
so that users cannot bypass the DansGuardian/Squid path simply by telling
their browser to connect directly.
I have looked around and see instructions on this at several places
(mostly for non-single machine implementations)
and know I need a line something like:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8181

       where 8181 is where Dansguardian is listening.

I also need to configure squid with (I think) :

http_port 3128     # where squid is listening
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy  on
httpd_accel_uses_host_header on
httpd_accel_single_host off

The question is, on a single machine, will this work?
The part I can't figure out pertains to when Squid finally wants to send
out the actual request to the internet: isn't that a port 80 request that
the above iptables rule will redirect back to DansGuardian??
Please reply-all as I am not quite sure that I have joined the list
correctly.
Thanks in advance
Ken S.








* Re: Transparent proxy single machine question
  2004-06-26 21:24 ken scott
@ 2004-06-26 21:51 ` Dimitar Katerinski
  2004-06-26 22:09   ` ken scott
  0 siblings, 1 reply; 7+ messages in thread
From: Dimitar Katerinski @ 2004-06-26 21:51 UTC (permalink / raw)
  To: netfilter; +Cc: kscott9

ken scott wrote:
> I am trying to build a single machine that  performs web filtering
> (using DansGuardian)  for several users.
> The box (Morphix/Debian system) will be behind a cable router and has
> five users (kids).
> I have DansGuardian and Squid running correctly in normal proxy mode.
> The next step is to make the proxy transparent
> so that users cannot bypass the DansGuardian/Squid path simply by telling
> their browser to connect directly.
> I have looked around and see instructions on this at several places
> (mostly for non-single machine implementations)
> and know I need a line something like:
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8181
> 
>       where 8181 is where Dansguardian is listening.
> 
> I also need to configure squid with (I think) :
> 
> http_port 3128     # where squid is listening
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy  on
> httpd_accel_uses_host_header on
> httpd_accel_single_host off
> 
> The question is, on a single machine, will this work?
> The part I can't figure out pertains to when Squid finally wants to send
> out the actual request to the internet: isn't that a port 80 request that
> the above iptables rule will redirect back to DansGuardian??
> Please reply-all as I am not quite sure that I have joined the list
> correctly.
> Thanks in advance
> Ken S.

Hello ken,

Yes, on a single machine it will work with no problems. You should specify 
an incoming interface for the above iptables rule though. Do it like this:

iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 8181

where $LAN_IFACE is the interface connected to your internal network.

And the scheme is as follows:
1. A client sends a request for a specific page.
2. The Linux box sees it's a request for destination port 80 and 
redirects it to port 8181 where DG is listening.
3. DG takes the request, does what it does (content filtering, etc.), and 
sends it to Squid.
4. Squid requests the specific page and gives it back to DG, which again 
does what it does.
5. DG then, if everything is ok, serves the requested page to the client.


About your question:
 > ..when squid finally wants to send
 > out the actual
 > request to the internet, isn't that a port 80 request that the above
 > iptables rule will
 > redirect back to Dansguardian??

No, basically it won't, unless you have the same rule in the OUTPUT chain 
of the nat table. The PREROUTING chain applies to packets which hit the 
box coming from somewhere outside, and not packets which originate from the 
machine itself.
Hope I was able to clarify all this for you.



Regards,
Dimitar

-- 
"The only thing necessary for the triumph of evil is for good men to do 
nothing."
                                                   --Edmund Burke.



* Re: Transparent proxy single machine question
  2004-06-26 21:51 ` Dimitar Katerinski
@ 2004-06-26 22:09   ` ken scott
  2004-06-26 22:42     ` Dimitar Katerinski
  0 siblings, 1 reply; 7+ messages in thread
From: ken scott @ 2004-06-26 22:09 UTC (permalink / raw)
  To: Dimitar Katerinski; +Cc: netfilter

On Sat, 2004-06-26 at 17:51, Dimitar Katerinski wrote:

> 
> Hello ken,
> 
> Yes, on a single machine it will work with no problems. You should specify 
> an incoming interface for the above iptables rule though. Do it like this:
> 
> iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 8181
> 
> where $LAN_IFACE is the interface connected to your internal network.
> 
I only have a single network card/interface on this box (eth0, I guess).
Does that matter in this proxy context?

> And the scheme is as follows:
> 1. A client sends a request for a specific page.
> 2. The Linux box sees it's a request for destination port 80 and 
> redirects it to port 8181 where DG is listening.
> 3. DG takes the request, does what it does (content filtering, etc.), and 
> sends it to Squid.
> 4. Squid requests the specific page and gives it back to DG, which again 
> does what it does.
> 5. DG then, if everything is ok, serves the requested page to the client.
> 
> 
> About your question:
>  > ..when squid finally wants to send
>  > out the actual
>  > request to the internet, isn't that a port 80 request that the above
>  > iptables rule will
>  > redirect back to Dansguardian??
> 
> No, basically it won't, unless you have the same rule in the OUTPUT chain 
> of the nat table. The PREROUTING chain applies to packets which hit the 
> box coming from somewhere outside, and not packets which originate from the 
> machine itself.
Dimitar,
Your explanation here is great but it throws me a bit since the packet
requests coming from the browsers will all be internal requests (i.e. on
the same machine), so is a PREROUTING rule the right choice?  In other
words I want to apply a routing rule to internal requests (except those
from Squid).
I appreciate your detailed response and I have looked for a "life of a
packet" explanation such as you provided but have not found it as yet.
In your 5-step explanation, when are the iptables rules applied?
Thanks
Ken




* Re: Transparent proxy single machine question
  2004-06-26 22:09   ` ken scott
@ 2004-06-26 22:42     ` Dimitar Katerinski
  2004-06-27  0:52       ` ken scott
  0 siblings, 1 reply; 7+ messages in thread
From: Dimitar Katerinski @ 2004-06-26 22:42 UTC (permalink / raw)
  To: netfilter; +Cc: ken scott

ken scott wrote:
> On Sat, 2004-06-26 at 17:51, Dimitar Katerinski wrote:
> 
> 
>>Hello ken,
>>
>>Yes, on a single machine it will work with no problems. You should specify 
>>an incoming interface for the above iptables rule though. Do it like this:
>>
>>iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 8181
>>
>>where $LAN_IFACE is the interface connected to your internal network.
>>
>>
> 
> I only have a single network card/interface on this box (eth0, I guess).
> Does that matter in this proxy context?
> 
> 
>>And the scheme is as follows:
>>1. A client sends a request for a specific page.
>>2. The Linux box sees it's a request for destination port 80 and 
>>redirects it to port 8181 where DG is listening.
>>3. DG takes the request, does what it does (content filtering, etc.), and 
>>sends it to Squid.
>>4. Squid requests the specific page and gives it back to DG, which again 
>>does what it does.
>>5. DG then, if everything is ok, serves the requested page to the client.
>>
>>
>>About your question:
>> > ..when squid finally wants to send
>> > out the actual
>> > request to the internet, isn't that a port 80 request that the above
>> > iptables rule will
>> > redirect back to Dansguardian??
>>
>>No, basically it won't, unless you have the same rule in the OUTPUT chain 
>>of the nat table. The PREROUTING chain applies to packets which hit the 
>>box coming from somewhere outside, and not packets which originate from the 
>>machine itself.
> 
> Dimitar,
> Your explanation here is great but it throws me a bit since the packet
> requests coming from the browsers will all be internal requests (i.e. on
> the same machine), so is a PREROUTING rule the right choice?  In other
> words I want to apply a routing rule to internal requests (except those
> from Squid).
> I appreciate your detailed response and I have looked for a "life of a
> packet" explanation such as you provided but have not found it as yet.
> In your 5-step explanation, when are the iptables rules applied?
> Thanks
> Ken 
> 

Hello Ken,

Ah, just now I understand that this is a workstation with some users, 
and Squid and DG running on this machine. Okay, I did some tests and 
came up with a solution ;-)
You can't redirect packets that originate from the machine itself to some 
other local port (as far as I know). Maybe you can play with the 
CONFIG_IP_NF_NAT_LOCAL option in the kernel, but as I understand it, it 
lets you use destination NAT on connections originating from local 
processes on the NAT box itself, but that is not what we are looking for. So
here is what you can do:

1. Leave the proxy setting as is in the browser properties (127.0.0.1:8181).
2. Allow outgoing requests to port 80 only for the UID that Squid is 
running under:
iptables -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 80 -j DROP
This rule can be more flexible, but I leave this to you; I hope you get 
the idea.
3. And finally test whether you can make requests as a user with and 
without the proxy set in the browser.


I hope this helps you. Maybe someone will come up with a different idea, 
but this seems to work for me (tm) ;-)


Regards,
Dimitar

-- 
"The only thing necessary for the triumph of evil is for good men to do 
nothing."
                                                   --Edmund Burke.



* Re: Transparent proxy single machine question
  2004-06-26 22:42     ` Dimitar Katerinski
@ 2004-06-27  0:52       ` ken scott
  2004-06-27  1:16         ` Dimitar Katerinski
  0 siblings, 1 reply; 7+ messages in thread
From: ken scott @ 2004-06-27  0:52 UTC (permalink / raw)
  To: netfilter; +Cc: Dimitar Katerinski

On Sat, 2004-06-26 at 18:42, Dimitar Katerinski wrote:

> Hello Ken,
> 
> Ah, just now I understand that this is a workstation with some users, 
> and Squid and DG running on this machine. Okay, I did some tests and 
> came up with a solution ;-)
> You can't redirect packets that originate from the machine itself to some 
> other local port (as far as I know). Maybe you can play with the 
> CONFIG_IP_NF_NAT_LOCAL option in the kernel, but as I understand it, it 
> lets you use destination NAT on connections originating from local 
> processes on the NAT box itself, but that is not what we are looking for. So
> here is what you can do:
> 
> 1. Leave the proxy setting as is in the browser properties (127.0.0.1:8181).
> 2. Allow outgoing requests to port 80 only for the UID that Squid is 
> running under:
> iptables -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 80 -j DROP
> This rule can be more flexible, but I leave this to you; I hope you get 
> the idea.
> 3. And finally test whether you can make requests as a user with and 
> without the proxy set in the browser.
> 
Dimitar,

Success!! (at least mostly.)  Thanks greatly for your assistance.
I used the WEBMIN firewall module to build the following rule:
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j DROP

case 1- User requests (with browser set to no proxy) time out after
about a minute.    [Desired outcome except timeout takes a long time]
case 2- User requests (with browser proxy set to the Dansguardian 8181
port) work fine.  [Desired outcome]
case 3- User requests (with browser proxy set to the Squid 3128 port)
also work fine.  [Not desired since webfiltering is bypassed]

So three things remain:
1) Newbie question - How do I edit/change the iptables rules directly
without requiring webmin?  (I can print them out with the iptables-save
command.)
2) Can I get the request reject/timeout to occur more quickly?
3) Can I close the loophole of someone pointing their browser to the
Squid port (rather than the DG port)?

Thanks again!!
Ken





* Re: Transparent proxy single machine question
  2004-06-27  0:52       ` ken scott
@ 2004-06-27  1:16         ` Dimitar Katerinski
  0 siblings, 0 replies; 7+ messages in thread
From: Dimitar Katerinski @ 2004-06-27  1:16 UTC (permalink / raw)
  To: ken scott; +Cc: netfilter

ken scott wrote:
> On Sat, 2004-06-26 at 18:42, Dimitar Katerinski wrote:
> 
> 
>>Hello Ken,
>>
>>Ah, just now I understand that this is a workstation with some users, 
>>and Squid and DG running on this machine. Okay, I did some tests and 
>>came up with a solution ;-)
>>You can't redirect packets that originate from the machine itself to some 
>>other local port (as far as I know). Maybe you can play with the 
>>CONFIG_IP_NF_NAT_LOCAL option in the kernel, but as I understand it, it 
>>lets you use destination NAT on connections originating from local 
>>processes on the NAT box itself, but that is not what we are looking for. So
>>here is what you can do:
>>
>>1. Leave the proxy setting as is in the browser properties (127.0.0.1:8181).
>>2. Allow outgoing requests to port 80 only for the UID that Squid is 
>>running under:
>>iptables -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 80 -j DROP
>>This rule can be more flexible, but I leave this to you; I hope you get 
>>the idea.
>>3. And finally test whether you can make requests as a user with and 
>>without the proxy set in the browser.
>>
> 
> Dimitar,
> 
> Success!! (at least mostly.)  Thanks greatly for your assistance.
> I used the WEBMIN firewall module to build the following rule:
> -A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j DROP
> 
> case 1- User requests (with browser set to no proxy) time out after
> about a minute.    [Desired outcome except timeout takes a long time]
> case 2- User requests (with browser proxy set to the Dansguardian 8181
> port) work fine.  [Desired outcome]
> case 3- User requests (with browser proxy set to the Squid 3128 port)
> also work fine.  [Not desired since webfiltering is bypassed]
> 
> So three things remain:
> 1) Newbie question - How do I edit/change the iptables rules directly
> without requiring webmin?  (I can print them out with the iptables-save
> command.)
> 2) Can I get the request reject/timeout to occur more quickly?
> 3) Can I close the loophole of someone pointing their browser to the
> Squid port (rather than the DG port)?
> 
> Thanks again!!
> Ken

Hello Ken,


First about the undesired timeout: you could do -j REJECT instead of -j 
DROP, as the REJECT target sends a TCP RST to the connection.
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

As for bypassing DG, you could easily allow only DG to be able to 
connect to 3128.
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REJECT --reject-with tcp-reset

About asking me how to modify iptables rules, well, it would be nice to 
read some howtos on netfilter.org ;-) The commands I'm giving you can be 
executed directly from the console, so there is no need for webmin. You can put 
them in your startup scripts so they are executed every time the box 
starts. And finally, if you want to delete the above rules, you can 
substitute -A with -D; just my 2 cents :-).

I wish you luck with the issue you have. I think we almost or fully 
resolved it ;-), so I may go to sleep now, because it's 04:00 am here.

Regards,
Dimitar

-- 
"The only thing necessary for the triumph of evil is for good men to do 
nothing."
                                                   --Edmund Burke.


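The enforcement the thread converges on (owner match in OUTPUT, REJECT with tcp-reset, and checking the ruleset via the iptables-save output Ken mentioned), as an added example that is not from the thread nor from Ken or Dimitar: a script that prints the two rules and audits an iptables-save dump to confirm the first OUTPUT rule touching each port is the denial. Assumed: Squid runs as user squid and DansGuardian as dansguardian; the dumps and the UIDs 31 and 13 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emits the OUTPUT-chain rules the thread
# settles on and audits an iptables-save dump for them. Assumed: Squid runs as
# user "squid" and DansGuardian as "dansguardian"; adjust to your box.
SQUID_USER=${SQUID_USER:-squid}
DG_USER=${DG_USER:-dansguardian}

# Local processes cannot be REDIRECTed in PREROUTING, so the policy lives in
# OUTPUT with the owner match: only Squid may open port 80, only DansGuardian
# may reach Squid on 3128. REJECT with tcp-reset fails the browser at once
# instead of the minute-long DROP timeout Ken saw.
emit_rules() {
    cat <<EOF
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $SQUID_USER -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner $DG_USER -j REJECT --reject-with tcp-reset
EOF
}

# audit_output_rule PORT OWNERS: read iptables-save text on stdin and check
# that the FIRST OUTPUT rule touching --dport PORT denies every UID except
# OWNERS. Rules are evaluated in order, so an earlier ACCEPT would void the
# restriction. OWNERS is a regex alternation ("squid|31") because
# iptables-save may store the numeric uid rather than the name.
audit_output_rule() {
    awk -v port="$1" -v owner="$2" '
        $1 == "-A" && $2 == "OUTPUT" && $0 ~ ("--dport " port " ") {
            if ($0 ~ ("-m owner ! --uid-owner (" owner ") -j (REJECT|DROP)")) ok = 1
            exit
        }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed iptables-save dump (not from Ken's machine); UIDs 31 and 13 are
# placeholders. This one enforces the policy.
SAVE_GOOD='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner ! --uid-owner 13 -j REJECT --reject-with tcp-reset
COMMIT'

# Constructed dump where a generic "allow web" rule was inserted first, so the
# owner rule never fires: a filtering bypass the audit must catch.
SAVE_BAD='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset
COMMIT'

# "audit" reads the live ruleset (needs root); any other invocation just
# prints the rules so they can be reviewed before being applied.
case "${1:-}" in
    audit) iptables-save | audit_output_rule 80 "$SQUID_USER|$(id -u "$SQUID_USER")" &&
           iptables-save | audit_output_rule 3128 "$DG_USER|$(id -u "$DG_USER")" &&
           echo "filter policy enforced" ;;
    *)     emit_rules ;;
esac
```

Running it with no argument prints the two rules for review; `sh script.sh audit` as root checks the live ruleset, which is the test Ken asked for after editing rules by hand.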
