• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1470

Creating a transparent proxy on a running Fedora 5 system

Hi EE. I have a Fedora 5 system with iptables and Squid set up separately. For iptables I modified a script I obtained from a guide to allow the Linux box to do routing and firewalling. It has two network cards, one to the LAN and the other to the WAN. This is fine. Next I activated Squid to restrict access and set the client machines (Windows) to point to the proxy server on port 3128. This works fine. But of course, once the users know what they are doing, they can simply connect directly (plus Messenger, etc.) if they set themselves up not to use the proxy. Now, using Webmin, there is an option to set up a transparent proxy. However, when I select this, it messes with my firewall settings (which I don't know how to configure either). I have pasted below my squid.conf and my iptables. Can anyone tell me how to incorporate transparent proxying into my iptables below?

Iptables
-----------

# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*mangle
:PREROUTING ACCEPT [9656615:1494936740]
:INPUT ACCEPT [9397029:1281220210]
:FORWARD ACCEPT [259584:213716443]
:OUTPUT ACCEPT [18344908:25964430331]
:POSTROUTING ACCEPT [18605441:26178260701]
COMMIT
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*filter
:INPUT DROP [5305:675164]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.0.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.100 -i lo -j ACCEPT
-A INPUT -s 41.222.17.14 -i lo -j ACCEPT
-A INPUT -d 192.168.0.255 -i eth1 -j ACCEPT
-A INPUT -d 41.222.17.14 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2074 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.100 -j ACCEPT
-A OUTPUT -s 41.222.17.14 -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
COMMIT
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*nat
:PREROUTING ACCEPT [19943:1512450]
:POSTROUTING ACCEPT [296:40572]
:OUTPUT ACCEPT [8186:543441]
-A POSTROUTING -o eth0 -j SNAT --to-source 41.222.17.14
COMMIT
# Completed on Mon Oct  1 17:56:02 2007


Squid
-------

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern .            0      20%      4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl turtle src 192.168.0.105 81.199.101.50
acl Safe_ports port 22 563 5000-5100
acl Yahoosites dstdomain "/data/utils/restrictports"

http_access allow manager localhost
http_access allow turtle
http_access allow localhost
http_access deny manager
#http_access deny to_localhost

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Safe_ports CONNECT
http_access deny Yahoosites
http_access deny all

http_reply_access allow all

icp_access allow all

coredump_dir /var/spool/squid

visible_hostname turtle1
Asked by aduhwale

1 Solution

WizRd-Linux commented:
If you are able to point your XP clients to port 3128 for Squid, this should work perfectly fine.

What you will need to do is modify iptables to redirect all traffic for ports 80, 443 and any other ports you want to allow them to use through Squid, and remove any NATting you are doing.

Basically, the two iptables commands you need to run are:

iptables -t nat -D POSTROUTING 1

This gets rid of the line:

-A POSTROUTING -o eth0 -j SNAT --to-source 41.222.17.14
COMMIT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128

Basically, the above two commands will force any traffic coming in on eth1 (your LAN side) destined for port 80 or 443 into Squid, where your ACLs will take control.

Continue to add lines like the above for other ports you want forced through Squid. The first command will stop all traffic from being automatically NATted, so make sure you have access to the server in case you need to back out. If you do, simply type /etc/init.d/iptables restart

This will flush all current rules and return you to your previous working state. If it is successful, just type /etc/init.d/iptables save to make the changes stick across reboots.
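As an added example that is not part of the question or of the answer above, here is a small POSIX shell script that generates the nat table for this box and sanity-checks it before it is loaded. It uses the interface names, WAN address and proxy port from the question; the function names are its own. It departs from the answer in two places on purpose: it keeps the SNAT rule (so whatever the FORWARD chain still lets through, DNS for instance, keeps working) and it redirects only port 80, because Squid 2.x listening on a plain http_port cannot read a TLS handshake, so a REDIRECT of 443 into port 3128 blocks HTTPS rather than proxying it. Two things the iptables rules alone do not cover are also addressed: the redirected packets are delivered locally, so the INPUT chain must accept them (the existing `-A INPUT -s 192.0.0.0/255.0.0.0 -i eth1 -j ACCEPT` already does), and squid.conf must declare that port 3128 receives intercepted connections, which the config posted above does not do.

```shell
#!/bin/sh
# Added example (not from the question or the accepted answer): generate and
# sanity-check the nat table that intercepts LAN web traffic into Squid.
# Interface names, the WAN address and the proxy port are the ones from the
# question; the function names are this example's own.
set -eu

LAN_IF=eth1
WAN_IF=eth0
WAN_IP=41.222.17.14
PROXY_PORT=3128

# Emit a *nat section for iptables-restore.
#  - Only port 80 arriving on the LAN NIC is redirected.  Matching on -i
#    means Squid's own outbound requests (which leave via the WAN NIC) are
#    never looped back into the proxy.
#  - Port 443 is deliberately not redirected: Squid 2.x on a plain http_port
#    cannot interpret a TLS ClientHello, so redirecting 443 only breaks HTTPS.
#  - The SNAT rule is kept so that whatever FORWARD still permits (DNS, for
#    example) keeps working; bypass control belongs in the filter FORWARD
#    chain, not in removing NAT.
gen_nat_table() {
    lan_if=$1 wan_if=$2 wan_ip=$3 proxy_port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
-A POSTROUTING -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
EOF
}

# Number of REDIRECT rules in a generated table (prints 0 if there are none).
redirect_rule_count() {
    printf '%s\n' "$1" | grep -c -- '-j REDIRECT --to-ports' || true
}

# Succeeds only if the table still carries the SNAT rule for the given address.
has_snat() {
    printf '%s\n' "$1" | grep -q -- "-j SNAT --to-source $2"
}

# Squid side: iptables alone is not enough, Squid must be told that the
# connections it receives on 3128 are intercepted.  The directive depends on
# the Squid version (check with `squid -v`); these are the documented forms.
squid_intercept_directives() {
    case "$1" in
        2.5) printf '%s\n' \
                'httpd_accel_host virtual' \
                'httpd_accel_port 80' \
                'httpd_accel_with_proxy on' \
                'httpd_accel_uses_host_header on' ;;
        2.6) printf '%s\n' "http_port $PROXY_PORT transparent" ;;
        *)   echo "unknown squid version: $1" >&2; return 1 ;;
    esac
}

# Usage: print the table, review it, then load it with
#   ./intercept.sh | iptables-restore
# A file that contains only a *nat section replaces only the nat table, so
# the filter and mangle rules from the question stay untouched.  Once it
# behaves, `/etc/init.d/iptables save` makes it persist across reboots.
gen_nat_table "$LAN_IF" "$WAN_IF" "$WAN_IP" "$PROXY_PORT"
```

Two caveats for this setup. Browsers never send Proxy-Authorization on an intercepted connection, so the auth_param lines in the posted squid.conf cannot be enforced on intercepted traffic; access control has to rest on src and dstdomain ACLs such as `turtle` and `Yahoosites`. And interception only catches the ports you redirect: the existing `-A FORWARD -i eth1 -j ACCEPT` still lets every other protocol (Messenger and the like) straight out, so tighten that rule to what you actually want forwarded.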
aduhwale (Author) commented:
Hi. Sorry about the long silence. This fixed my problem! Now all users are forced to use the proxy. Thanks!