How to Stop Transparent Proxy

aatif786 asked
Medium Priority
416 Views
Last Modified: 2007-12-19
Dear Experts,

I have a serious issue. After upgrading from Red Hat Linux 9 to Fedora Core 4, some of my clients are using the internet through the gateway, but they are not allowed in squid.conf.

I haven't configured a transparent proxy in squid.

I enabled IPForwarding through /etc/sysctl1.conf
net.ipv4.ip_forward = 1
Here is my iptables configuration.

touch /var/lock/subsys/local
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 202.147.191.10 --dport 25 -j DNAT --to 172.16.0.25:25
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 25 -j SNAT --to 172.16.0.99
iptables -t nat -A PREROUTING -p tcp -d 202.147.191.10 --dport 80 -j DNAT --to 172.16.0.25:80
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 80 -j SNAT --to 172.16.0.99
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 25 -j ACCEPT

Please help, it's urgent.


Top Expert 2005

Commented:
iptables -t nat -A PREROUTING -p tcp -d 202.147.191.10 --dport 80 -j DNAT --to 172.16.0.25:80
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 80 -j SNAT --to 172.16.0.99

Those above deal with transparent redirection of HTTP traffic to a remote squid.
aatif786, Cloud Infrastructure Architect

Author

Commented:
Dear Ravenpl,

I disabled those 2 lines from the iptables. But still the clients get access to the internet without a proxy.

These two lines are for forwarding the external traffic to my internal web server, and the other 2 lines are for forwarding the SMTP traffic to my internal SMTP server.

Top Expert 2005

Commented:
1. I assume that, apart from disabling those lines, you have restarted the firewall (or the whole machine).

Wait - I was wrong. You're right. Those lines do not redirect requests to the proxy.

But then, what do you mean by
> But still client get access internet without proxy.
Do they have to configure the proxy in their browsers, or are they still redirected transparently to the proxy?

In the first case, it's possible that the firewall blocks (does not forward) traffic to internet port 80. Is it?
In the second case, there must be another rule (which you have not shown) that redirects requests (iptables -t nat -L -n).
aatif786, Cloud Infrastructure Architect

Author

Commented:
I mean that clients can access the internet without any proxy configuration. Clients whose IP is not configured in squid.conf access the internet through the gateway address.

In my setup, clients can access the internet when we configure the proxy server address in Internet Explorer.

This means we force the use of the proxy for accessing the internet.

I disabled all forwarding.

But wait, sorry once again: when I check the status of iptables, the following things can be found. I ran another script from /etc/rc.local in which more iptables commands are found.

Here is the status of iptables.
Table: nat
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0          

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Table: filter
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0          

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0          
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:445 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:113 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:113 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:135 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:135 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:136 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:136 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:137 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:138 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:139 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:139 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:445 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:445 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


The commands in the script are the following.

iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 113 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 113 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 113 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 135 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 135 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 135 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 135 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 136 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 136 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 136 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 136 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 137 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 137 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 137 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 137 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 138 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 138 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 138 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 138 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 139 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 139 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 139 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 139 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport 445 -j REJECT
iptables -A INPUT -i eth1 -p udp --dport 445 -j REJECT
iptables -A INPUT -i eth1 -p tcp --sport 445 -j REJECT
iptables -A INPUT -i eth1 -p udp --sport 445 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 113 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 113 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 113 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 135 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 135 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 135 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 135 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 136 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 136 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 136 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 136 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 137 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 137 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 137 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 137 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 138 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 138 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 138 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 138 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 139 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 139 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 139 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 139 -j REJECT

iptables -A INPUT -i eth0 -p tcp --dport 445 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 445 -j REJECT
iptables -A INPUT -i eth0 -p tcp --sport 445 -j REJECT
iptables -A INPUT -i eth0 -p udp --sport 445 -j REJECT



Sorry, this is a lengthy reply, but maybe it will help you.

Many, many thanks for helping me.
CERTIFIED EXPERT
Top Expert 2014

Commented:
I am assuming that the FC4/Squid box is physically inline and in between your network and the Internet gateway?
Commented:
I guess your scenario is not due to a "transparent proxy".

I guess it's because of this line:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

This basically does the masquerading when users try to access the internet, which means ALLOW. It has nothing to do with squid.

Since your FORWARD default policy is ACCEPT, that's why users can access the internet any way they want.
To stop it:

iptables -I FORWARD -i eth0  -p tcp --dport 80 -j DROP
iptables -I FORWARD -i eth0  -p tcp --dport 443 -j DROP

I hope you know that a good set of firewall rules by default blocks everything, then you open things one by one.
Spend some time experimenting.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Make sure you are sitting in front of the firewall when you type those commands, just in case anything happens, so you can change back to ACCEPT.
NEVER try to experiment from the network.

Gabriel Orozco, Solution Architect

Commented:
Dear aatif786

I believe your iptables configuration is not the most correct, hence the problem with users accessing the internet without your consent.

First of all, I would make squid work in transparent mode, so no user can access the internet without being redirected to squid, where you have your filters already.

How? With this rule in iptables (set $LAN to eth0, eth1 or whichever interface is the LAN for your Linux box):
iptables -t nat -A PREROUTING -p tcp -i $LAN  --dport 80 -j REDIRECT --to-port 3128

Now in squid you should have these lines enabled:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This will fix the internet access problem through the standard HTTP port (tcp/80) but will not stop anything like MSN Messenger, IRC, or any other thing. I think you need to develop your iptables script further, or use another one (IPCop can be of help, or Shorewall has been recommended by most of my friends that I respect for their knowledge... I still prefer to make my own firewall scripts).
aatif786, Cloud Infrastructure Architect
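Modelling kitti's diagnosis and both proposed fixes in a small Python script, as an added example that is not part of any post in this thread: it walks the nat/PREROUTING and filter/FORWARD chains the way iptables does (first match wins, otherwise the chain policy applies) for a constructed client packet, so the "FORWARD policy ACCEPT plus MASQUERADE" bypass, the DROP rules, the REDIRECT to port 3128 and a default-deny FORWARD policy can be compared side by side. The interface assignment (eth0 = LAN, eth1 = Internet) and the client and server addresses are assumptions.

```python
# Added example, not from the thread: a small model of how the gateway's nat and
# filter tables treat a LAN client's packet, so the diagnosis (FORWARD policy ACCEPT
# plus MASQUERADE lets unlisted clients bypass squid) and the fixes can be compared.
# Assumptions: eth0 is the LAN side; client/server addresses are constructed values.

LAN_IF = "eth0"
SQUID_PORT = 3128

def evaluate(chain, packet, policy):
    """iptables semantics: rules are tried in order, first match wins, else the policy."""
    for match, target in chain:
        if all(packet.get(key) == value for key, value in match.items()):
            return target
    return policy

def gateway_verdict(packet, nat_prerouting=(), forward=(), forward_policy="ACCEPT"):
    """What the gateway does with a client's outbound packet. Only the hooks the
    thread discusses are modelled: nat/PREROUTING (a REDIRECT rewrites the destination
    to the box itself, so the packet goes to INPUT and squid instead of being routed),
    filter/FORWARD for routed packets, then the thread's POSTROUTING MASQUERADE."""
    if evaluate(nat_prerouting, packet, "ACCEPT") == "REDIRECT":
        return "local:squid:%d" % SQUID_PORT
    if evaluate(forward, packet, forward_policy) != "ACCEPT":
        return "dropped"
    return "forwarded:masqueraded"

# kitti's fix: iptables -I FORWARD -i eth0 -p tcp --dport 80/443 -j DROP
KITTI_FORWARD = [
    ({"in_if": LAN_IF, "proto": "tcp", "dport": 80}, "DROP"),
    ({"in_if": LAN_IF, "proto": "tcp", "dport": 443}, "DROP"),
]

# Gabriel's fix: iptables -t nat -A PREROUTING -p tcp -i $LAN --dport 80 -j REDIRECT --to-port 3128
GABRIEL_PREROUTING = [
    ({"in_if": LAN_IF, "proto": "tcp", "dport": 80}, "REDIRECT"),
]

# Constructed packets: an unlisted client browsing directly, and the same client on MSN Messenger.
WEB = {"in_if": LAN_IF, "proto": "tcp", "src": "172.16.0.50", "dst": "203.0.113.10", "dport": 80}
MSN = {"in_if": LAN_IF, "proto": "tcp", "src": "172.16.0.50", "dst": "203.0.113.10", "dport": 1863}

def compare_rulesets(packet):
    """Verdict for one packet under the original rules, each fix, and a default-deny FORWARD."""
    return {
        "original": gateway_verdict(packet),
        "kitti_drop": gateway_verdict(packet, forward=KITTI_FORWARD),
        "gabriel_redirect": gateway_verdict(packet, nat_prerouting=GABRIEL_PREROUTING),
        "default_deny": gateway_verdict(packet, forward_policy="DROP"),
    }

if __name__ == "__main__":
    for name, pkt in (("web", WEB), ("msn", MSN)):
        print(name, compare_rulesets(pkt))
```

The MSN packet shows why both experts point at the wider ruleset: only the default-deny FORWARD policy stops traffic that neither the DROP rules nor the REDIRECT rule matches.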

Author

Commented:
Thanks to everyone who contributed to solving my problem.

Special thanks to kitti. You are absolutely right; your solution is perfectly OK.


aatif786, Cloud Infrastructure Architect

Author

Commented:
Thanks Kitti, and thanks everyone. The problem has been solved.

But I will still shift my FC4 box to RH9 because I am unable to resolve the FTP problem.

Commented:
You're most welcome!

Happy Linuxing...