From: Bernardo Vieira <bernardo.vieira@terra.com.br>
To: netfilter@lists.netfilter.org
Subject: Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask
Date: Thu, 14 Dec 2006 18:48:38 -0200 [thread overview]
Message-ID: <4581B8A6.4080504@terra.com.br> (raw)
Hi all!
I need to set up my gateway (netfilter + squid) to allow LAN hosts
direct access to the domain .caixa.gov.br (200.201.160/20). All requests
will go to port 80, TCP, on the remote end, but the protocol isn't HTTP.
To achieve this I tried adding the following rules to iptables:
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
The problem is that packets destined for that rule are still being
grabbed by squid, preventing the Java app from loading:
192.168.1.221 TCP_CLIENT_REFRESH_MISS/404 4244 GET http://cmt.caixa.gov.br/COM/arx/pw/SlimCli.class - DIRECT/200.201.173.68 text/html
When I saw that, I also tried the following squid.conf ACLs to allow
direct connections to the domain, but the problem persists:
acl Caixa dstdomain .caixa.gov.br
always_direct allow Caixa
Can anyone point me in the right direction?
My setup is:
Internet
|
+---------+-----------+
| eth0 (dynamic IP) |
| Squid + netfilter |
|eth1 (192.168.1.1/24)|
+---------+-----------+
|
Hosts
kernel version: 2.6.9-10
iptables v1.2.9
Squid Cache: Version 2.5.STABLE6
Attached: complete squid.conf & iptables rules.
[-- Attachment #2: iptables.txt --]
-A PREROUTING -i ! eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j drop-reserved
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth0 -j drop-reserved
-A INPUT -s 240.0.0.0/240.0.0.0 -i eth0 -j drop-reserved
-A INPUT -d <external ip> -i eth0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d <external ip> -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -i ! eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -s <external ip> -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A drop-lan -j DROP
-A drop-reserved -j DROP
[-- Attachment #3: squidconf.txt --]
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
maximum_object_size 4096 KB
cache_dir diskd /mnt/cache/squid 5120 16 256
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl private1 src 192.168.0.0/16
acl private2 src 10.0.0.0/8
acl private3 src 172.16.0.0/12
acl privoxy dstdomain config.privoxy.org
acl SSL_ports port 443 563
acl SSL_ports port 81 10000
acl CONNECT method CONNECT
acl Caixa dstdomain .caixa.gov.br
no_cache deny QUERY
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny privoxy
http_access allow localhost
http_access allow private1
http_access allow private2
http_access allow private3
http_access deny all
http_reply_access allow all
icp_access allow all
reply_body_max_size 0 allow all
cache_effective_user squid
cache_effective_group squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
always_direct allow Caixa
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
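Why the FORWARD rule in the attached ruleset never sees this traffic: a new LAN packet to port 80 hits the nat PREROUTING chain first, the REDIRECT rewrites its destination to the gateway's own address and port 3128, the routing decision then classifies it as local, and it goes to INPUT (squid). The filter FORWARD chain, where the ACCEPT for 200.201.160.0/20 lives, is never consulted, and no squid.conf setting (always_direct only steers peer selection once squid already has the connection) can hand the raw TCP stream back. The usual remedy is to exempt the destination range in the nat table, ahead of the REDIRECT. The model below is an added example, not code from the thread or from Squid/netfilter: it transcribes the nat PREROUTING and filter FORWARD rules from the attachment, adds one assumed exemption rule, and walks a constructed packet through the hook order to show the outcome in both cases.

```python
# Added example (not from the thread): a small model of the netfilter hook order
# for the setup in the post, built from the rules in the attached iptables.txt.
import ipaddress
from dataclasses import dataclass, replace

GATEWAY_LAN_IP = "192.168.1.1"   # eth1 address from the diagram in the post
SQUID_PORT = 3128                # http_port from the attached squid.conf


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"


def rule(target, *, in_iface=None, not_in_iface=None, src=None, dst=None,
         proto=None, dport=None, to_port=None):
    """One iptables rule as a match dictionary; None means 'any'."""
    return {"target": target, "in_iface": in_iface, "not_in_iface": not_in_iface,
            "src": src, "dst": dst, "proto": proto, "dport": dport, "to_port": to_port}


def matches(r, p):
    """Evaluate the subset of iptables matches the post's rules use."""
    if r["in_iface"] is not None and p.in_iface != r["in_iface"]:
        return False
    if r["not_in_iface"] is not None and p.in_iface == r["not_in_iface"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(r["src"]):
        return False
    if r["dst"] is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r["dst"]):
        return False
    if r["proto"] is not None and p.proto != r["proto"]:
        return False
    if r["dport"] is not None and not (r["dport"][0] <= p.dport <= r["dport"][1]):
        return False
    return True


def first_match(chain, p, policy="ACCEPT"):
    """First matching rule wins; the chain policy applies if nothing matches."""
    for r in chain:
        if matches(r, p):
            return r
    return rule(policy)


# nat PREROUTING exactly as attached to the post
NAT_PREROUTING_ORIGINAL = [
    rule("REDIRECT", not_in_iface="eth0", proto="tcp", dport=(80, 80), to_port=SQUID_PORT),
]

# Proposed fix (assumption, not from the thread): an exemption inserted ahead of the
# REDIRECT. ACCEPT in the nat table ends chain traversal without translating, i.e.
#   iptables -t nat -I PREROUTING 1 -i ! eth0 -d 200.201.160.0/20 -p tcp --dport 80 -j ACCEPT
NAT_PREROUTING_FIXED = [
    rule("ACCEPT", not_in_iface="eth0", dst="200.201.160.0/20", proto="tcp", dport=(80, 80)),
] + NAT_PREROUTING_ORIGINAL

# filter FORWARD as attached (the RELATED,ESTABLISHED rule cannot match a fresh SYN, so it is omitted)
FILTER_FORWARD = [
    rule("ACCEPT", src="192.168.1.0/24", dst="200.201.160.0/20", proto="tcp", dport=(80, 80)),
    rule("ACCEPT", not_in_iface="eth0"),
    rule("DROP"),
]


def traverse(p, nat_prerouting, forward=FILTER_FORWARD):
    """Walk the hooks a new inbound packet sees: nat PREROUTING, routing decision,
    then either filter INPUT (local delivery) or filter FORWARD.
    Returns (where it ended up, final destination address, final destination port)."""
    verdict = first_match(nat_prerouting, p)
    if verdict["target"] == "REDIRECT":
        # REDIRECT rewrites the destination to the address of the incoming interface,
        # so the routing decision now says 'local' and the packet goes to INPUT.
        p = replace(p, dst=GATEWAY_LAN_IP, dport=verdict["to_port"])
    if p.dst == GATEWAY_LAN_IP:
        return ("INPUT (squid)", p.dst, p.dport)
    fw = first_match(forward, p, policy="ACCEPT")
    return ("FORWARD " + fw["target"], p.dst, p.dport)


def classify(nat_prerouting):
    """Constructed sample: the LAN host from the squid log opening port 80 to the
    caixa address that appears in the same log line."""
    pkt = Packet(src="192.168.1.221", dst="200.201.173.68", dport=80, in_iface="eth1")
    return traverse(pkt, nat_prerouting)


if __name__ == "__main__":
    print("original ruleset:", classify(NAT_PREROUTING_ORIGINAL))
    print("with nat exemption:", classify(NAT_PREROUTING_FIXED))
```

With the original ruleset the model delivers the packet to squid on 3128; with the exemption in place it reaches FORWARD, where the post's own ACCEPT rule matches and the packet is forwarded (and then masqueraded by the POSTROUTING rule) to the real destination. Port-80 traffic to any other destination is still intercepted, which is the narrow exemption a defender wants: only the named netblock leaves the proxy's view.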
Thread overview (3 messages):
2006-12-14 20:48 Bernardo Vieira [this message]
2006-12-14 21:26 ` Andrew Beverley
2006-12-14 22:06 ` Bernardo Vieira