Solved

Creating Transparent proxy on running fedora 5 system

Posted on 2007-10-01
1,410 Views
Last Modified: 2013-12-16
Hi EE.  I have a Fedora 5 system with iptables and squid set up separately.  For iptables I modified a script I obtained from a guide to allow the Linux box to do routing and firewalling.  It has two network cards, one to the LAN and the other to the WAN.  This is fine.  Next I activated squid to restrict access and set the client machines (Windows) to point to the proxy server on port 3128.  This works fine, but of course once the users know what they are doing, they can simply connect directly (plus messenger, etc.) if they set themselves up not to use the proxy.  Now, using Webmin, there is an option to set transparent proxy.  However when I select this, it messes with my firewall settings (which I don't know how to configure either).  I have pasted below my squid.conf and my iptables.  Can anyone tell me how to incorporate transparent proxying into my iptables below.

Iptables
-----------

# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*mangle
:PREROUTING ACCEPT [9656615:1494936740]
:INPUT ACCEPT [9397029:1281220210]
:FORWARD ACCEPT [259584:213716443]
:OUTPUT ACCEPT [18344908:25964430331]
:POSTROUTING ACCEPT [18605441:26178260701]
COMMIT
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*filter
:INPUT DROP [5305:675164]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.0.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.100 -i lo -j ACCEPT
-A INPUT -s 41.222.17.14 -i lo -j ACCEPT
-A INPUT -d 192.168.0.255 -i eth1 -j ACCEPT
-A INPUT -d 41.222.17.14 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2074 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.100 -j ACCEPT
-A OUTPUT -s 41.222.17.14 -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
COMMIT
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*nat
:PREROUTING ACCEPT [19943:1512450]
:POSTROUTING ACCEPT [296:40572]
:OUTPUT ACCEPT [8186:543441]
-A POSTROUTING -o eth0 -j SNAT --to-source 41.222.17.14
COMMIT
# Completed on Mon Oct  1 17:56:02 2007


Squid
-------

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern .            0      20%      4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl turtle src 192.168.0.105 81.199.101.50
acl Safe_ports port 22 563 5000-5100
acl Yahoosites dstdomain "/data/utils/restrictports"

http_access allow manager localhost
http_access allow turtle
http_access allow localhost
http_access deny manager
#http_access deny to_localhost

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Safe_ports CONNECT
http_access deny Yahoosites
http_access deny all

http_reply_access allow all

icp_access allow all

coredump_dir /var/spool/squid

visible_hostname turtle1
Question by: aduhwale

2 Comments

Accepted Solution by: WizRd-Linux (ID: 19995350)
If you are able to point your XP clients to port 3128 for squid this should work perfectly fine.

What you will need to do is modify IPtables to redirect all traffic for port 80, 443 and any other ports you want to allow them to use through squid and remove any natting you are doing.

Basically the two iptables commands you need to run are:

iptables -t nat -D POSTROUTING 1
-: This gets rid of the line -A POSTROUTING -o eth0 -j SNAT --to-source 41.222.17.14
COMMIT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128

Basically the above two commands will force any traffic coming in on eth1 (your LAN side) destined for port 80 or 443 into squid, where your ACLs will take control.

Continue to add lines like the above for other ports you want forced through squid.  The first command will stop all traffic from being automatically NATed, so make sure you have access to the server in case you need to back out.  If you do, simply type /etc/init.d/iptables restart

This will flush all current rules and return you to your previous working state.  If it is successful just type /etc/init.d/iptables save to make the changes stick across reboots.
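As an added example (not code from the thread or from either participant), the script below emits the nat table for this kind of transparent redirect as an iptables-restore fragment, so the rules can be read before they are loaded. It assumes a hypothetical layout: eth1 is the LAN side, eth0 the WAN side with the placeholder public address 203.0.113.10, and Squid listens on 3128 in intercept mode (on Squid 2.6 that is `http_port 3128 transparent`). It intercepts port 80 only, since a REDIRECT of port 443 would deliver raw TLS to Squid's plain HTTP port; other ports can be passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the *nat table that forces
# LAN web traffic through a local Squid, as an iptables-restore fragment, so
# the rules can be reviewed before they are loaded.
# Assumed (hypothetical) layout: LAN_IF = LAN side, WAN_IF = WAN side with
# public address WAN_IP (placeholder from the documentation range), Squid
# listening on SQUID_PORT in intercept mode.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
SQUID_PORT="${SQUID_PORT:-3128}"

# One REDIRECT per intercepted TCP port. The rule matches before the routing
# decision, so a LAN packet for that port is rewritten to the local Squid port
# and the client neither needs a proxy setting nor can opt out of it.
redirect_rules() {
  for port in "$@"; do
    printf '%s -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
      "-A PREROUTING" "$LAN_IF" "$port" "$SQUID_PORT"
  done
}

# Complete nat table. The POSTROUTING SNAT stays for everything that is not
# intercepted (DNS, mail, Squid's own outbound connections), because those
# still need a public source address to leave through the WAN interface.
nat_table() {
  printf '*nat\n'
  printf ':PREROUTING ACCEPT [0:0]\n'
  printf ':POSTROUTING ACCEPT [0:0]\n'
  printf ':OUTPUT ACCEPT [0:0]\n'
  redirect_rules "$@"
  printf '%s -o %s -j SNAT --to-source %s\n' "-A POSTROUTING" "$WAN_IF" "$WAN_IP"
  printf 'COMMIT\n'
}

# Number of REDIRECT rules in the generated table, for a quick sanity check.
redirect_count() {
  nat_table "$@" | grep -c 'REDIRECT'
}

# Default run: intercept port 80 only.
# Load as root with:  sh this.sh | iptables-restore -n
nat_table 80
```

Load the output with `iptables-restore -n` so the existing filter and mangle tables are kept. LAN clients also need to reach the Squid port in the INPUT chain; on the box above the `-s 192.0.0.0/255.0.0.0 -i eth1 -j ACCEPT` rule already allows that.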
Author Comment by: aduhwale (ID: 20034052)
Hi.  Sorry about the long silence.  This fixed my problem!  Now all users are forced to use the proxy.  Thanks!