Transparent proxy but no ip forwarding?

Posted on 2004-08-26
Last Modified: 2010-03-18
Hi,

I have a proxy server, which currently is set up as the gateway for all machines on my network via DHCP.
This box currently forwards packets directly to the internet, however it's also set up so that any traffic for port 80 is redirected through squid.

>> Is it possible for me to keep this machine setup as the gateway, and pass on requests to port 80 and 21, but not forward anything else?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Thanks,

Paul.
Question by:H4Inf
LVL 1

Assisted Solution

by:abhinaysinha
abhinaysinha earned 50 total points
Yeah! Simple.

Just remove the DNAT/SNAT or Masquerading setting of the Iptables firewall.
LVL 17

Assisted Solution

by:owensleftfoot
owensleftfoot earned 100 total points
You would also need to add another line to forward port 21, ie
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 3128
Assisted Solution

by:aurus
aurus earned 100 total points
wait wait wait :)

the line above is good syntactically, but not for the thing that Paul wants; remember that squid is a proxy ... for web... not for telnet :)

I guess that you just need to MASQUERADE all the traffic to port 21, and deny the rest

# MASQUERADE is only valid in the nat POSTROUTING chain and matches on the outbound interface (-o);
# eth1 is the assumed name of the Internet-facing interface (the question only names eth0, the LAN side)
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 21 -j MASQUERADE

you can add -s $YOUR_LAN in the line above just to make sure that only your lan has access to forward the service.

Enjoy :)

Aurus tunes out.


LVL 17

Expert Comment

by:owensleftfoot
"the line above it good about syntax, but not for the thing that Paul wants, remember that squid is a proxy ... for web... not for telnet :)"


The port for telnet is 23, not 21. 21 is for ftp, which squid supports. Using "the line above", all outbound traffic for port 21 will be re-directed to squid. I believe this is what Paul wants.
LVL 1

Accepted Solution

by:gn0
gn0 earned 250 total points
Paul, just remember that whatever you redirect will work normally. However, if someone (within your network) configures their browser with the correct port and ip address, they would be allowed to use not only ports 80 and 21, but also 443, 563, 70, 210 and much much more .... they just have to configure their browser.

If you need to ensure that they only do port 80 and 21 you need to :-
remove all lines from 'squid.conf' similar to
acl Safe_ports port <xx>
where <xx> is some port number - except the port 80 & 21 ones.
(you said that the proxy forwards packets directly to the internet - so i'm assuming that your network is all public ip addresses and you aren't doing any SNAT/DNAT or MASQUERADING).... you would also need to:-
block all other ports....
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -j DROP

you would also need to redirect port 21 (as shown above) if you need the traffic to be proxied.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 3128

*NOTE: (1) if people on your network need to browse they would also need dns (you should also allow tcp and udp 53).
(2) if you need to do more than 'basic' port 21 ('basic' = http on port 21 or telnet on port 21) the above would give you problems - esp. with passive ftp. - i can't remember how i set that up - have to try it again - i will let you know tomorrow.....

good luck in the mean while....
LVL 1

Assisted Solution

by:gn0
gn0 earned 250 total points
.... this works for ftp ......
# POSTROUTING rules match on the outbound interface (-o); iptables rejects -i here.
# eth1 is the assumed name of the Internet-facing interface (eth0 is the LAN side in the question)
iptables -t nat -I POSTROUTING -o eth1 -p tcp --dport 20:21 -j MASQUERADE

if you have real ip addresses in your network, you just need to pass ports 20 and 21; use....

iptables -I FORWARD -i eth0 -p tcp --dport 20:21 -j ACCEPT
(+ the other rules for the FORWARD table shown above)

good luck...

GN.
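The two gn0 posts above, taken together, describe one procedure: redirect port 80 into squid, let only FTP and DNS through FORWARD, drop the rest, and trim squid's Safe_ports list so an explicitly configured browser cannot reach the other ports. The script below is an added example, not code from the thread or from the squid project; it assembles that ruleset in the order iptables needs it and emits it as text so it can be reviewed before being applied. Assumed names: the LAN on eth0 (as in the question), the Internet on eth1, LAN prefix 192.168.1.0/24, squid on port 3128, and Squid 2.5-style transparent-proxy directives (the release current when the thread was written). One caveat the thread glosses over: a native FTP client that is REDIRECTed to squid's HTTP port sends FTP commands to an HTTP listener and fails, so the script masquerades port 21 instead of redirecting it, and relies on the FTP conntrack helper for the data connections (which is what makes passive FTP work through the box).

```shell
#!/bin/sh
# Added example, not code from the thread. Assembles the gateway ruleset the
# answers arrive at, plus matching squid.conf lines. Assumed names: LAN on eth0
# (as in the question), Internet on eth1, LAN prefix 192.168.1.0/24, squid on 3128.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit the rules as text so they can be reviewed or diffed before being applied.
gateway_rules() {
    cat <<EOF
# FTP data connections (port 20 in active mode, a random high port in passive
# mode) are only tracked as RELATED when the FTP conntrack/NAT helpers are
# loaded: ip_* names on 2.4 kernels, nf_* names on 2.6 and later.
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
# Start from an empty nat table and a FORWARD chain that drops by default.
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
# 1. Intercept LAN HTTP into squid. REDIRECTed packets are delivered locally,
#    so they traverse INPUT, never FORWARD; a FORWARD rule for port 80 is
#    unnecessary while this rule is in place.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# 2. MASQUERADE lives in POSTROUTING and matches the OUTBOUND interface (-o);
#    iptables refuses -i here. Port 21 is masqueraded, not redirected: a native
#    FTP client speaks FTP, not HTTP, so squid's http_port would reject it.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# 3. Forward only what the thread settled on: replies, FTP control, DNS.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# 4. Everything else the LAN tries to route through this box is logged, then dropped.
iptables -A FORWARD -i $LAN_IF -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -i $LAN_IF -j DROP
EOF
}

# squid.conf lines that close the hole gn0 points out: a browser configured to
# use the proxy explicitly would otherwise reach every port in the stock
# Safe_ports list (443, 563, 70, 210, 1025-65535, ...). Written for Squid 2.5
# (assumed); Squid 2.6 replaces the httpd_accel_* lines with
# "http_port 3128 transparent", Squid 3.1+ with "http_port 3128 intercept".
squid_conf_lines() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl localnet src $LAN_NET
acl Safe_ports port 80
acl Safe_ports port 21
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT
http_access allow localnet
http_access deny all
EOF
}

# Apply for real only as root and only when asked; otherwise print for review.
apply_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        gateway_rules | sh -e
    else
        echo "not root: dry run, printing rules" >&2
        gateway_rules
    fi
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it with no argument to print the rules, and with `apply` as root to load them. Because the ESTABLISHED,RELATED rule comes first and the FTP helper is loaded, the passive-mode data connection is accepted as RELATED to the port-21 control connection; without the helper, the FORWARD chain would drop it, which is the "problems - esp. with passive ftp" gn0 mentions. The `http_access deny CONNECT` line also removes HTTPS for browsers that point at the proxy explicitly, which is what restricting users to 80 and 21 implies.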
Author Comment

by:H4Inf
I got it all sorted, thanks for your contributions, and sorry for taking so long to finalize this :)