Creating Transparent proxy on running fedora 5 system

Posted on 2007-10-01
Last Modified: 2013-12-16
Hi EE.  I have a Fedora 5 system with iptables and Squid set up separately.  For iptables I modified a script I obtained from a guide to allow the Linux box to do routing and firewalling.  It has two network cards, one to the LAN and the other to the WAN.  This is fine.  Next I activated Squid to restrict access and set the client machines (Windows) to point to the proxy server on port 3128.  This works fine, but of course once the users know what they are doing they can simply connect directly (plus Messenger, etc., if they set themselves up not to use the proxy).  Now, using Webmin, there is an option to set a transparent proxy.  However, when I select this it messes with my firewall settings (which I don't know how to configure either).  I have pasted below my squid.conf and my iptables.  Can anyone tell me how to incorporate transparent proxying into my iptables below?


# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
:PREROUTING ACCEPT [9656615:1494936740]
:INPUT ACCEPT [9397029:1281220210]
:FORWARD ACCEPT [259584:213716443]
:OUTPUT ACCEPT [18344908:25964430331]
:POSTROUTING ACCEPT [18605441:26178260701]
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
:INPUT DROP [5305:675164]
:okay - [0:0]
-A INPUT -s -i eth1 -j ACCEPT
-A INPUT -s -i lo -j ACCEPT
-A INPUT -s -i lo -j ACCEPT
-A INPUT -s -i lo -j ACCEPT
-A INPUT -d -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2074 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
:PREROUTING ACCEPT [19943:1512450]
:OUTPUT ACCEPT [8186:543441]
-A POSTROUTING -o eth0 -j SNAT --to-source
# Completed on Mon Oct  1 17:56:02 2007


hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern .            0      20%      4320

acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
# CONNECT is referenced by the http_access lines below but must be defined before use
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl turtle src
acl Safe_ports port 22 563 5000-5100
acl Yahoosites dstdomain "/data/utils/restrictports"

http_access allow manager localhost
http_access allow turtle
http_access allow localhost
http_access deny manager
#http_access deny to_localhost

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# note: allows CONNECT to SSL_ports from any source, with no authentication check
http_access allow Safe_ports CONNECT
http_access deny Yahoosites
http_access deny all

http_reply_access allow all

icp_access allow all

coredump_dir /var/spool/squid

visible_hostname turtle1
Question by: aduhwale
    Accepted Solution

    If you are able to point your XP clients to port 3128 for Squid, this should work perfectly fine.

    What you will need to do is modify iptables to redirect all traffic for ports 80, 443 and any other ports you want to allow them to use through Squid, and remove any NATting you are doing.

    Basically the two iptables commands you need to run are:

    iptables -t nat -D POSTROUTING 1
    This gets rid of the line: -A POSTROUTING -o eth0 -j SNAT --to-source

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128

    Basically the above two commands will force any traffic coming in on eth1 (your LAN side) destined for port 80 or 443 into Squid, where your ACLs will take control.

    Continue to add lines like the above for other ports you want forced through Squid.  The first command will stop all traffic from being automatically NATted, so make sure you have access to the server in case you need to back out.  If you do, simply type /etc/init.d/iptables restart

    This will flush all current rules and return you to your previous working state.  If it is successful just type /etc/init.d/iptables save to make the changes stick across reboots.
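The procedure in the accepted solution, written out as an added example (this is not code from the thread or from the Squid project, and it makes different choices at two points). It emits the nat-table rule set in iptables-restore format so it can be reviewed before being loaded, intercepts only port 80, and keeps source NAT in place rather than deleting it. The interface names (eth1 LAN, eth0 WAN), the Squid port 3128 and the LAN network 192.168.1.0/24 are assumptions; the thread's own addresses were stripped from the page. MASQUERADE stands in for the original SNAT --to-source rule only because that address is missing; with a static WAN address the original SNAT rule is equivalent.

```shell
#!/bin/sh
# Added example (not from the thread): generate the nat-table rules for
# transparent HTTP interception by Squid, in iptables-restore format, so the
# rule set can be reviewed before it is applied. Assumptions, not stated on
# the page: LAN on eth1, WAN on eth0, Squid listening on 3128, LAN network
# 192.168.1.0/24.

gen_nat_rules() {
    lan_if=$1 wan_if=$2 squid_port=$3 lan_net=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Do not hijack LAN-internal HTTP (intranet servers, the gateway itself).
-A PREROUTING -i $lan_if -d $lan_net -p tcp --dport 80 -j RETURN
# Everything else arriving from the LAN for port 80 goes to Squid. REDIRECT
# rewrites the destination to the gateway's own address on $lan_if, so the
# filter INPUT chain must accept tcp/$squid_port from the LAN. Squid's own
# upstream connections leave through nat OUTPUT, not PREROUTING, so they
# are not looped back into the proxy.
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
# Keep source NAT for everything that is not intercepted (DNS, mail, HTTPS,
# Squid's own upstream requests). Deleting it breaks all non-proxied traffic.
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Sanity check: exactly one interception rule in the generated set
# (iptables-restore would load duplicates without complaint).
count_redirects() {
    gen_nat_rules "$@" | grep -c -- '-j REDIRECT'
}

# Usage: sh transparent-squid.sh          # print the rule set for review
#        sh transparent-squid.sh apply    # load it as root; only the nat
#                                          table is replaced, filter is kept
if [ "${1:-}" = apply ]; then
    gen_nat_rules eth1 eth0 3128 192.168.1.0/24 | iptables-restore
else
    gen_nat_rules eth1 eth0 3128 192.168.1.0/24
fi
```

Two things to check after loading. First, watch the counters with `iptables -t nat -L PREROUTING -v -n` while a LAN client browses; if the REDIRECT rule stays at zero the packets are not arriving on the interface named in the rule. Second, Squid must be told the port is intercepted, and the directive depends on the version (the thread does not state which Squid Fedora 5 is running): Squid 2.5 uses the `httpd_accel_host virtual`, `httpd_accel_port 80`, `httpd_accel_with_proxy on` and `httpd_accel_uses_host_header on` block; 2.6 and 3.0 use `http_port 3128 transparent`; 3.1 and later use `http_port 3128 intercept`. Two caveats that follow from interception rather than from this example: an intercepted browser does not know it is talking to a proxy and never sends Proxy-Authorization, so the `auth_param basic` settings in the posted squid.conf cannot authenticate intercepted clients; and redirecting port 443 to a plain http_port hands Squid raw TLS bytes it cannot read, so HTTPS simply fails. If HTTPS is to be restricted, do it with filter-table FORWARD rules instead.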
    Author Comment

    Hi.  Sorry about the long silence.   This fixed my problem!  now all users are forced to use proxy.  Thanks!
