• Status: Solved

How to Stop Transparent Proxy

Dear Experts,

I have a serious issue. After upgrading from Red Hat Linux 9 to Fedora Core 4, some of my clients are using the internet through the gateway, but they are not allowed in squid.conf.

I haven't configured a transparent proxy in squid.

I enabled IP forwarding through /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Here is my iptables configuration.

# appended to /etc/rc.local
touch /var/lock/subsys/local
modprobe iptable_nat
# masquerade everything leaving on the external interface eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# forward external SMTP (25) and HTTP (80) on the public address to the internal server 172.16.0.25
iptables -t nat -A PREROUTING -p tcp -d 202.147.191.10 --dport 25 -j DNAT --to 172.16.0.25:25
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 25 -j SNAT --to 172.16.0.99
iptables -t nat -A PREROUTING -p tcp -d 202.147.191.10 --dport 80 -j DNAT --to 172.16.0.25:80
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 80 -j SNAT --to 172.16.0.99
# let the forwarded traffic and its replies through the FORWARD chain
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 25 -j ACCEPT

Please help, it's urgent.

Asked by: aatif786
1 Solution
 
ravenplCommented:
iptables -t nat -A PREROUTING -p tcp -d 202.147.191.10 --dport 80 -j DNAT --to 172.16.0.25:80
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 80 -j SNAT --to 172.16.0.99

Those two above deal with transparent redirection of HTTP traffic to the remote squid.
0
 
aatif786Author Commented:
Dear Ravenpl,

I disabled those 2 lines in the iptables. But still clients get internet access without the proxy.

Those two lines are for forwarding external traffic to my internal web server, and the other 2 lines are for forwarding SMTP traffic to my internal SMTP server.

0
 
ravenplCommented:
1. I assume that, apart from disabling those lines, you have restarted the firewall (or the whole machine).

Wait, I was wrong. You're right. Those lines do not redirect requests to the proxy.

But then, what do you mean by
> But still client get access internet without proxy.
Do they have to configure the proxy in their browsers, or are they still redirected transparently to the proxy?

In the first case, it's possible that the firewall blocks (does not forward) traffic to internet port 80. Is it?
In the second case, there must be another rule (which you have not shown) that redirects requests (iptables -t nat -L -n).
0

 
aatif786Author Commented:
I mean that clients can access the internet without any proxy configuration. A client whose IP is not configured in squid.conf accesses the internet through the gateway address.

In my setup clients can access the internet when we configure the proxy server address in Internet Explorer.

That means we force them to use the proxy for accessing the internet.

I disabled all forwarding.

But wait, sorry, once again when I check the status of iptables, the following things can be found. I run another script from /etc/rc.local in which other iptables commands are found.

Here is the status of iptables.
Table: nat
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0          

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Table: filter
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0          

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0          
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:445 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:445 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


The commands in the script are the following.

iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 113 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 113 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 113 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 135 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 135 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 135 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 135 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 136 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 136 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 136 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 136 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 137 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 137 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 137 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 137 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 138 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 138 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 138 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 138 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 139 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 139 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 139 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 139 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 445 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 445 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 445 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 445 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 113 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 113 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 113 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 135 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 135 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 135 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 135 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 136 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 136 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 136 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 136 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 137 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 137 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 137 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 137 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 138 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 138 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 138 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 138 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 139 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 139 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 139 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 139 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 445 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 445 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 445 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 445 -j REJECT



Sorry, this is a lengthy reply, but maybe it will help you.

Many many thanks for helping me.
0
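The status dump above is the layout printed by `service iptables status` on Red Hat and Fedora ("Table: nat", "Chain X (policy Y)", then one rule per line). As an added check, not part of the thread, the script below reads such a dump and flags the three conditions that let LAN clients reach the web without going through squid: a FORWARD chain whose default policy is ACCEPT, a MASQUERADE rule that NATs every source, and the absence of a PREROUTING REDIRECT rule that steers port 80 into the proxy. The two samples embedded in it are constructed: the first is trimmed from the dump above, the second is what the same box would look like once fixed.

```shell
#!/bin/sh
# Added audit helper (not from the thread): scan a "service iptables status"
# style dump and print one finding per line for each condition that lets LAN
# clients bypass squid. Prints nothing when the ruleset is clean.

# Constructed sample, trimmed from the status output pasted above.
SAMPLE_OPEN='Table: nat
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Table: filter
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of the same box once fixed: FORWARD default-deny,
# port 80 redirected to squid on 3128, no blanket masquerade.
SAMPLE_FIXED='Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Table: filter
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED'

# Reads a dump on stdin; "Table:" lines select the table, "Chain" lines carry
# the chain name and its default policy, everything else is a rule line.
audit_dump() {
  awk '
    /^Table:/ { table = $2; next }
    /^Chain / {
      chain = $2; policy = $4; sub(/\)$/, "", policy)
      if (table == "filter" && chain == "FORWARD" && policy == "ACCEPT")
        print "FORWARD policy ACCEPT: every packet not explicitly blocked is routed"
      next
    }
    table == "nat" && $1 == "MASQUERADE" && $4 == "0.0.0.0/0" {
      print "MASQUERADE for all sources: every LAN host is NATed to the internet"
      next
    }
    table == "nat" && chain == "PREROUTING" && $1 == "REDIRECT" { redirect = 1 }
    END {
      if (!redirect) print "no PREROUTING REDIRECT rule: port 80 is not steered into squid"
    }
  '
}

# Wrappers so the two constructed samples can be checked without a live box.
audit_open()  { printf '%s\n' "$SAMPLE_OPEN"  | audit_dump; }
audit_fixed() { printf '%s\n' "$SAMPLE_FIXED" | audit_dump; }
count_lines() { wc -l | tr -d ' '; }

# On a real gateway:  service iptables status | audit_dump
# or, without the init script:
#   { echo "Table: nat"; iptables -t nat -L -n; echo "Table: filter"; iptables -L -n; } | audit_dump
```

Run against the first sample it reports all three findings; against the fixed sample it is silent. The "Table:" header is what tells the parser which table a MASQUERADE or REDIRECT line belongs to, which is why the plain `iptables -L -n` form in the comment prefixes each listing with one.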
 
giltjrCommented:
I am assuming that the FC4/Squid box is physically inline, in between your network and the Internet gateway?
0
 
kiitiiCommented:
I guess your scenario is not due to a "transparent proxy".

I guess it's because of this line:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

This basically does the masquerading when users try to access the internet. Which means ALLOW. It has nothing to do with squid.

Since your FORWARD default policy is ACCEPT, that's why users can access the internet any way they want.
To stop it:

iptables -I FORWARD -i eth0  -p tcp --dport 80 -j DROP
iptables -I FORWARD -i eth0  -p tcp --dport 443 -j DROP

I hope you know that good firewall rules by default block everything, then you open things one by one.
Spend some time to experiment.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Make sure you are sitting in front of the firewall when you type those commands, so that, just in case anything goes wrong, you can change back to ACCEPT.
NEVER try experiments over the network.
0
 
Gabriel OrozcoSolution ArchitectCommented:
Dear aatif786

I believe your iptables configuration is not the most correct, hence the problem with users accessing the internet without your consent.

First of all, I would make squid work in transparent mode, so no user can access the internet without being redirected to squid, where you already have your filters.

How? With this rule in iptables (make $LAN eth0, eth1, or whichever one is the LAN for your linux box):
iptables -t nat -A PREROUTING -p tcp -i $LAN  --dport 80 -j REDIRECT --to-port 3128

Now in squid you should have these lines enabled:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This will fix the internet access problem through the standard HTTP port (tcp/80) but will not stop anything like MSN Messenger, IRC, or any other thing. I think you need to develop your iptables script further, or use another one (ipcop can be of help, or shorewall has been recommended by most of my friends that I respect for their knowledge... I still prefer to make my own firewall scripts).
0
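kiitii's answer closes the hole by denying forwarded traffic, and Gabriel's steers port 80 into squid so that its acl/http_access rules decide who gets out. The script below is an added example, not the thread author's rc.local and not a copy of either answer, that combines the two: FORWARD defaults to DROP, LAN port 80 is REDIRECTed to squid, there is no blanket MASQUERADE, and the published web and mail server from the question remain reachable as deliberate exceptions. Assumptions, all changeable at the top: the LAN is eth0, the WAN is eth1, squid runs on this gateway on 3128, and the public address and internal server are the ones from the question. With `IPT=echo` the script prints the rules instead of applying them. One note on Gabriel's squid lines: the `httpd_accel_*` directives are squid 2.5 syntax; from squid 2.6 the equivalent is `http_port 3128 transparent` (`intercept` in 3.1 and later).

```shell
#!/bin/sh
# Added example ruleset (not from the thread): default-deny forwarding plus
# transparent interception of port 80, so a LAN client that squid.conf does not
# allow has no path to the internet at all.
# Usage:  sh fw.sh apply        apply on the gateway (as root)
#         IPT=echo sh fw.sh check   print the rules that would be applied
LAN="${LAN:-eth0}"                         # assumption: LAN side
WAN="${WAN:-eth1}"                         # assumption: internet side
SQUID_PORT="${SQUID_PORT:-3128}"           # assumption: squid on this box
PUBLIC_IP="${PUBLIC_IP:-202.147.191.10}"   # public address from the question
SERVER="${SERVER:-172.16.0.25}"            # internal web/SMTP server from the question
IPT="${IPT:-iptables}"

apply_rules() {
  # Start clean, then default-deny. FORWARD DROP is what closes the bypass:
  # with FORWARD ACCEPT and a blanket MASQUERADE, every client was routed out.
  $IPT -F; $IPT -X; $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # The gateway itself: loopback, replies to connections it opened (squid's
  # upstream fetches), and from the LAN only squid and ssh.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
  $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT

  # Transparent interception: LAN port 80 is handed to squid, which then
  # applies its own acl/http_access rules. Port 443 is not redirected (squid
  # cannot intercept TLS this way); it simply hits FORWARD DROP.
  $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

  # Deliberate exceptions to default-deny: the published web and mail server,
  # reached by DNAT from the public address. Replies are un-DNATed by conntrack
  # as long as the server's default route is this box (assumption).
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for port in 80 25; do
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp -d "$PUBLIC_IP" --dport "$port" \
      -j DNAT --to-destination "$SERVER:$port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SERVER" --dport "$port" \
      -m state --state NEW -j ACCEPT
  done
  # No MASQUERADE rule on purpose: clients only ever leave through squid.
}

# Print the rules instead of applying them (subshell so IPT is not changed
# for the caller).
dry_run() { ( IPT=echo; apply_rules ); }

# Number of rules that jump to a given target in the dry run; handy for a
# quick sanity check before applying (e.g. rule_count MASQUERADE must be 0).
rule_count() { dry_run | grep -c -- "-j $1"; }

case "${1:-}" in
  apply) apply_rules ;;
  check) dry_run ;;
esac
```

Because the LAN no longer has a MASQUERADE rule, anything that is not HTTP (instant messaging, IRC, the FTP problem mentioned later in the thread) is blocked rather than leaked, which is the default-deny posture kiitii describes; each protocol you do want to pass gets its own explicit FORWARD and NAT rule, the way the two DNAT exceptions are written here.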
 
aatif786Author Commented:
Thanks to everyone who contributed to solving my problem.

Special thanks to kiitii. You are absolutely right, your solution is perfectly OK.


0
 
aatif786Author Commented:
Thanks kiitii and thanks everyone. The problem has been solved.

But I will still shift my FC4 box back to RH9 because I was unable to resolve the FTP problem.

0
 
kiitiiCommented:
You're most welcome!

Happy Linuxing...
0
