aduhwale

asked on

Creating Transparent proxy on running fedora 5 system

Hi EE.  I have a Fedora 5 system with iptables and squid set up separately.  For iptables I modified a script I obtained from a guide to allow the Linux box to do routing and firewalling.   It has two network cards, one to the LAN and the other to the WAN.  This is fine.  Next I activated squid to restrict access and set the client machines (Windows) to point to the proxy server on port 3128.  This works fine, but of course once the users know what they are doing they can simply connect directly (plus Messenger, etc.) if they set themselves up not to use the proxy.    Now, using Webmin, there is an option to set a transparent proxy.  However, when I select this it messes with my firewall settings (which I don't know how to configure either).   I have pasted below my squid.conf and my iptables.  Can anyone tell me how to incorporate transparent proxying into my iptables below?

Iptables
-----------

# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*mangle
:PREROUTING ACCEPT [9656615:1494936740]
:INPUT ACCEPT [9397029:1281220210]
:FORWARD ACCEPT [259584:213716443]
:OUTPUT ACCEPT [18344908:25964430331]
:POSTROUTING ACCEPT [18605441:26178260701]
COMMIT
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*filter
:INPUT DROP [5305:675164]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.0.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.100 -i lo -j ACCEPT
-A INPUT -s 41.222.17.14 -i lo -j ACCEPT
-A INPUT -d 192.168.0.255 -i eth1 -j ACCEPT
-A INPUT -d 41.222.17.14 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j okay
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2074 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4000 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.100 -j ACCEPT
-A OUTPUT -s 41.222.17.14 -j ACCEPT
-A okay -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A okay -p tcp -j DROP
COMMIT
# Completed on Mon Oct  1 17:56:02 2007
# Generated by iptables-save v1.3.5 on Mon Oct  1 17:56:02 2007
*nat
:PREROUTING ACCEPT [19943:1512450]
:POSTROUTING ACCEPT [296:40572]
:OUTPUT ACCEPT [8186:543441]
-A POSTROUTING -o eth0 -j SNAT --to-source 41.222.17.14
COMMIT
# Completed on Mon Oct  1 17:56:02 2007


Squid
-------

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern .            0      20%      4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl turtle src 192.168.0.105 81.199.101.50
acl Safe_ports port 22 563 5000-5100
acl Yahoosites dstdomain "/data/utils/restrictports"

http_access allow manager localhost
http_access allow turtle
http_access allow localhost
http_access deny manager
#http_access deny to_localhost

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Safe_ports CONNECT
http_access deny Yahoosites
http_access deny all

http_reply_access allow all

icp_access allow all

coredump_dir /var/spool/squid
visible_hostname turtle1
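
An added example, not code from this thread or from the hidden accepted answer, showing how transparent HTTP redirection to squid would fit the ruleset above. It assumes eth1 is the LAN side (as in the posted dump), the LAN is 192.168.0.0/24, squid listens on 3128, and a Squid 2.6 or later `http_port` syntax:

```shell
#!/bin/sh
# Added example, not code from the thread: the pieces that turn the posted
# router/firewall into a transparent HTTP proxy.  Assumed: eth1 is the LAN
# side, 192.168.0.0/24 is the LAN, squid listens on 3128 and is 2.6 or later.
LAN_IF=eth1
LAN_NET=192.168.0.0/24
PROXY_PORT=3128

# nat table: port-80 traffic arriving from the LAN is diverted to the local
# squid before routing, so clients need no proxy setting to be caught.
# Squid's own outbound requests never arrive on eth1, so there is no loop.
# Port 443 is left alone: REDIRECT cannot make squid terminate TLS, so HTTPS
# keeps using the explicit proxy setting (or must be policed in FORWARD).
transparent_nat_rules() {
    printf '%s\n' "-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# filter table: redirected packets are now delivered locally, so INPUT must
# accept them.  The posted dump already accepts all of 192.0.0.0/8 on eth1;
# this is the narrower rule a least-privilege ruleset would carry instead.
transparent_filter_rules() {
    printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT"
}

# squid.conf: without "transparent", an intercepted connection carries a
# plain "GET /path" and squid rejects it as an invalid non-proxy request.
# Squid 2.5 has no such option and uses httpd_accel_host virtual /
# httpd_accel_port 80 / httpd_accel_with_proxy on / httpd_accel_uses_host_header on.
squid_http_port_line() {
    printf 'http_port %s transparent\n' "$PROXY_PORT"
}

# Load the rules live (root only).  Check afterwards that the REDIRECT rule's
# packet counter rises when a LAN client browses and that the request shows
# up in squid's access.log; "service iptables save" makes the rules persist.
apply_rules() {
    # shellcheck disable=SC2046  # word splitting turns the rule text into args
    iptables -t nat $(transparent_nat_rules) &&
    iptables $(transparent_filter_rules) &&
    iptables -t nat -L PREROUTING -n -v
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) transparent_nat_rules; transparent_filter_rules; squid_http_port_line ;;
esac
```

Run without arguments to print the rules for review, or with `--apply` as root to load them. Redirection only catches port 80; anything else the LAN can still reach directly through the `-A FORWARD -i eth1 -j ACCEPT` rule unless FORWARD is tightened as well.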

ASKER CERTIFIED SOLUTION
WizRd-Linux
aduhwale

ASKER

Hi.  Sorry about the long silence.   This fixed my problem!  Now all users are forced to use the proxy.  Thanks!