How to configure a transparent proxy on ubuntu 8.10

Last Modified: 2013-11-15
I'm trying to set up a transparent proxy for content filtering on my home network.
I loaded an old HP with an Ubuntu 8.10 minimal, command-line-only install.

2 NICs:
eth0: DHCP address assigned by the existing Linksys router (192.168.1.1), which is connected to a cable modem for Internet access
eth1: static address 10.0.0.1 / 255.255.255.0, connected to a switch and providing DHCP services to the 10.0.0.0 network.

I followed a tutorial @ http://www.geek.com/articles/chips/feature-buiding-a-mini-itx-web-content-filter-with-ubuntu-20090116

The workstations are receiving their IPs on the 10.0.0.0 network but will not route to the Internet.

I believe my problem is in the firewall.sh that is running at boot to configure iptables.

#!/bin/bash
# (bash rather than sh: Ubuntu's /bin/sh is dash, whose builtin echo
#  prints "-e" literally instead of treating it as an option)
 
#  IPTABLES  FIREWALL  script
#  Again, I'm assuming that both interfaces are "up"
 
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
 
 
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
EXTIF="eth0"
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' \
  | awk '{print $2}' | sed -e 's/.*://'`"
 
# SET THE INTERFACE DESIGNATION FOR YOUR "INTERNAL" (LAN) CONNECTION
INTIF="eth1"
INTIP="`/sbin/ifconfig $INTIF | grep 'inet addr' \
  | awk '{print $2}' | sed -e 's/.*://'`"
 
 
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NC CONNECTED TO YOUR _INTERNAL_ NETWORK
# Enter the NETWORK address the Internal Interface is on
INTNET="`/sbin/ifconfig $INTIF | grep 'inet addr' \
  | awk '{print $2}' | sed -e 's/.*://' \
  | sed -e 's?\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)?\1\.\2\.\3.0/24?'`"
 
UNIVERSE="0.0.0.0/0"
 
echo 1 > /proc/sys/net/ipv4/ip_forward
 
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT 
iptables -P OUTPUT DROP
iptables -F OUTPUT 
iptables -P FORWARD DROP
iptables -F FORWARD 
iptables -F -t nat
 
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi
 
# Delete all User-specified chains
iptables -X
 
# Reset all IPTABLES counters
iptables -Z
 
# Create the log-and-reject chain (REJECT sends an error back to the
# sender; use -j DROP instead if you prefer silent discards).  The LOG
# is rate-limited so a port scan cannot flood syslog.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "fw-reject: "
iptables -A drop-and-log-it -j REJECT
 
echo -e "     - Loading INPUT rulesets"
 
#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are 
#        already flushed and set to a default policy of DROP. 
#
 
# TRUST ANYTHING COMING IN ON LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
 
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
 
# these are necessary for basic networking functionality
iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP -j DROP
 
 
# THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
# CARD - THIS IS PROBABLY TOO LENIENT.  THE RULES BELOW
# ARE MORE SELECTIVE 
#iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
 
#############################################################
# HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
# NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF - 
# THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
#############################################################
 
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
# echo service (tcp/udp port 7); ICMP ping is handled separately above
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
 
# MGT Console (Internal)
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 10000 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 10000 -j ACCEPT
 
# FTP Access
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
 
# Windows File Sharing
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 135 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 135 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 136 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 136 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 139 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 139 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 445 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 445 -j ACCEPT
 
# DNS requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
 
# ident/auth
#iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE \
#  --dport 113 -j ACCEPT
#iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE \
#  --dport 113 -j ACCEPT
 
# ssh
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE \
  --dport 4022 -j ACCEPT
  
# WEB CACHE / CONTENT FILTER SUPPORT (DANSGUARDIAN IN FRONT OF SQUID):
# accept LAN connections to the filter port, and transparently redirect
# LAN port-80 traffic into it.  Locally generated traffic (squid's own
# upstream fetches) goes through OUTPUT, not PREROUTING, so it is not
# looped back into the filter.
iptables -A INPUT -i $INTIF -p tcp -s $INTNET --dport 8080 -j ACCEPT
# Redirect port 80 to Dansguardian (port 8080)
iptables -t nat -A PREROUTING -i $INTIF -p tcp \
   --dport 80 -j REDIRECT --to-ports 8080
 
 
# THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
# THIS IS OBVIOUSLY UNACCEPTABLE.  UNCOMMENT ONLY FOR TESTING
# PURPOSES
 
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
 
#############################################################
# HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
# ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
# ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY 
# THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
# SOME SPECIFIC MACHINE ON THE INTERNAL LAN
# SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
#############################################################
 
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
# echo service (tcp/udp port 7), not ICMP ping
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
  -d $EXTIP --dport 7 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
  -d $EXTIP --dport 7 -j ACCEPT
 
# ident/auth
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 113 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 113 -j ACCEPT
 
# ssh (no restrictions)
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 22 -j ACCEPT
  
# FTP Access
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 21 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 20 -j ACCEPT
 
# WWW Access
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 80 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 80 -j ACCEPT
 
# DAAPD Server
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 3689 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 5353 -j ACCEPT
 
# Asterisk Server
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 5060 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 5060 -j ACCEPT
 
 
# SSH (restricted) to 3 burst attempts, then once per minute
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -m state --state \
  NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -j DROP
 
 
# REMOTE MANAGEMENT
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 10000 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 10000 -j ACCEPT
 
 
 
####################################################
# SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
# LOCATE MORE SERVICES THAT YOU MIGHT WANT
 
# ADD YOUR OWN RULES
#####################################################
 
# Catch all rule, all other incoming is denied and logged. 
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
echo -e "     - Loading OUTPUT rulesets"
 
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#
 
# YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
# UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL
 
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
 
# loopback is valid
iptables -A OUTPUT -o lo -j ACCEPT
 
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT
 
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -j ACCEPT
 
# Catch all rule, all other outgoing is denied and logged. 
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
echo -e "     - Loading FORWARD rulesets"
 
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
 
################################################################
# ADD PORT FORWARDING RULES HERE
# ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
# "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
################################################################
 
# EXAMPLE FORWARD PORT 8080 TO COMPUTER ON LAN WITH IP 10.69.69.10
# THIS comes in two sections.  Forward what comes in on the outside,
# and make a special exception to forward whatever originated
# on INTERNAL network BACK inside
#iptables -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP \
#		 --dport 8080 -j DNAT --to 10.69.69.10:80
#iptables -A FORWARD -p tcp -i $EXTIF -d 10.69.69.10 --dport 80 -j ACCEPT
 
#########################################################
# ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
# FORWARDED FROM THE INTERNAL INTERFACE TO THE
# EXTERNAL INTERFACE - this is not as critical as
# the INCOMING filter above, but still worthwhile
#########################################################
 
# Enable (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Masquerading towards the LAN is only needed for hairpin access to
# port-forwarded services (see the DNAT example above); otherwise it just
# hides the real remote source address from LAN hosts' logs, so leave it off.
#iptables -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
 
# this allows everything from inside to outside
# MAYBE too lenient, but maybe not.  If you are
# PARANOID THEN COMMENT THIS OUT and consider
# the rules below!!!
# NOTE: while this rule is in place, none of the more selective
# FORWARD rules below is ever reached for LAN traffic, and the
# content filter only sees tcp/80 (redirected above): HTTPS and
# any other port leave the network unfiltered.
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 
# allow any previously established traffic through
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
# ICMP protocol necessary for ping, etc
iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT
 
# high port numbers allowed out
iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT
 
# echo service (tcp/udp port 7)
iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT
 
# DNS
iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT
 
# ident/auth
iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
 
# ssh
iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT
 
# http
iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT
 
# https
iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT
 
# ftp
iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT
 
# Catch all rule, all other forwarding is denied and logged. 
iptables -A FORWARD -j drop-and-log-it
 
 
echo -e "    Firewall server rule loading complete\n\n"



Top Expert 2009

Commented:
For Internet connection sharing you need to enable

echo "1" > /proc/sys/net/ipv4/ip_forward

then

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  [here eth0 is connected to the ISP router]

These 2 rules will allow your internal PCs to share the Internet connection.

Author

Commented:
I thought I had done that on lines 29 and 277-278.
Top Expert 2009

Commented:
Hmm, your iptables is too big to study.... [you should have broken this into little parts first]

First fix Internet connection sharing between the gateway PC and the other internal PCs, then go on to the big iptables rules and the rest.

What is the result of

cat /proc/sys/net/ipv4/ip_forward

Does it show 1?

Author

Commented:
No, 0.
Top Expert 2009
Commented:
Then it will not work.


Then run this command:

echo "1" > /proc/sys/net/ipv4/ip_forward

If you check your line 29, it's

 echo 1 > /proc/sys/net/ipv4/ip_forward
there is no "1".

Anyway, run this:
echo "1" > /proc/sys/net/ipv4/ip_forward

then check again:

cat /proc/sys/net/ipv4/ip_forward
to see whether it is showing 1 or not.

If it shows 1 and your masquerade is right, then you should be able to use the Internet from the internal PCs.

On the internal PCs you also need to insert the DNS server address in the /etc/resolv.conf file.


Then check again.


Author

Commented:
I get a permission denied when I try to run echo "1" > /proc/sys/net/ipv4/ip_forward
Use sudo.  "sudo echo "1" > /proc/sys/net/ipv4/ip_forward"
Top Expert 2009

Commented:
Hi, sorry, due to the night I was not able to reply.

Yes, as @LinuxNtwrkng said, use sudo before executing that command,

or use the root username and password for that.

Author

Commented:
I get permission denied whether I use sudo or not.
Top Expert 2009

Commented:
Can you log on to the server as the root user?

Author

Commented:
I'm using SSH to access the server remotely and it will not allow me to log in as root.
Top Expert 2009

Commented:
Do you have the root password?

Then type

su -
It will ask for the root password; type that,

then you will become root.

Author

Commented:
Okay. I was able to run the command and the result of cat /proc/sys/net/ipv4/ip_forward is now 1.
I will be onsite to test a workstation connected to the 10.0.0.0 network in an hour or so. I'll let you know if it worked.

Author

Commented:
It worked!! Can you explain what happened and why the command echo "1" > /proc/sys/net/ipv4/ip_forward fixed it?

Author

Commented:
My workstation can get to the Internet but it is not being proxied for content filtering.
How can I force all traffic to be transparently forced through 8080 where dansguardian is listening?
Top Expert 2009

Commented:
Good, at least one thing worked.

echo "1" > /proc/sys/net/ipv4/ip_forward fixed it?: you are enabling masquerading from the kernel.


About this:

How can I force all traffic to be transparently forced through 8080 where dansguardian is listening?

Do you have squid?

Author

Commented:
Yes.

Installed and configured as follows:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl apache rep_header Server ^Apache
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
cache_effective_user proxy
hosts_file /etc/hosts
coredump_dir /var/spool/squid
cache_effective_group proxy

Top Expert 2009
Commented:
Have a look at this post:

http://www.experts-exchange.com/Networking/Linux_Networking/Q_24013058.html

There is one link from cybercity; look at that one.


To make it transparent you need to define this in squid:


http_port 8080 transparent

But before that you need these iptables rules [change them according to your needs]:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

As I said, your iptables is too big, so just go through your iptables to see if you have those rules in there.
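
Putting the thread's pieces together (the ip_forward / sudo exchange above and the expert's final NAT rules), here is an added example that is not from the original posts or the geek.com tutorial the author followed: a small POSIX shell script for this exact topology, assuming eth0 faces the Linksys router, eth1 is the 10.0.0.0/24 LAN, and DansGuardian listens on tcp/8080 on the gateway. Two points it makes concrete: the REDIRECT has to match on the LAN interface, because PREROUTING sees client packets as they arrive from the LAN and a rule on the external interface never sees them; and `sudo echo 1 > /proc/...` fails because the unprivileged shell opens the file before sudo runs, so the write has to happen inside the privileged process (sysctl -w, tee, or a root shell). By default the script is a dry run that prints the iptables commands for review; `DRY_RUN=0 sh gateway.sh apply` as root applies them. The optional file-path argument to the forwarding helpers exists only so the logic can be exercised against a scratch file. Whichever http_port squid serves the intercepted requests on still needs the `transparent` option (renamed `intercept` in squid 3.1+), as the expert says.

```shell
#!/bin/sh
# Added example (not from the original post or the tutorial it follows).
# Minimal transparent-filter gateway for the topology in the question:
#   EXTIF eth0 -> Linksys router / Internet (masqueraded)
#   INTIF eth1 -> 10.0.0.0/24 LAN
#   DansGuardian listening on tcp/8080 on this host (assumed from the thread)
# Default is a dry run that only prints the iptables commands; run as root
# with DRY_RUN=0 to apply them:   DRY_RUN=0 sh gateway.sh apply
set -u

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
INTNET="${INTNET:-10.0.0.0/24}"
PROXY_PORT="${PROXY_PORT:-8080}"
DRY_RUN="${DRY_RUN:-1}"
IP_FORWARD_FILE="/proc/sys/net/ipv4/ip_forward"

# Print the rule in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Current forwarding flag ("0" or "1"). The optional path argument exists so
# the logic can be exercised against a scratch file instead of /proc.
ip_forward_state() {
    tr -d '[:space:]' < "${1:-$IP_FORWARD_FILE}"
}

# Turn forwarding on. `sudo echo 1 > file` fails because the caller's
# unprivileged shell opens the file before sudo runs; here the redirection
# happens inside the (root) shell running this script. Equivalent one-liners
# from an unprivileged shell:
#   sudo sysctl -w net.ipv4.ip_forward=1
#   echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Persist across reboots with net.ipv4.ip_forward=1 in /etc/sysctl.conf.
enable_ip_forward() {
    f="${1:-$IP_FORWARD_FILE}"
    [ "$(ip_forward_state "$f")" = "1" ] && return 0
    echo 1 > "$f"
}

# The NAT and filter rules the thread converged on, in evaluation order.
# Order matters: the tcp/80 DROP must precede the general LAN ACCEPT.
transparent_proxy_rules() {
    # Connection sharing: rewrite LAN source addresses on the way out eth0.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    # Interception: client HTTP arrives on the LAN interface, so PREROUTING
    # must match on INTIF (a rule on EXTIF never sees these packets). Squid's
    # own upstream fetches traverse OUTPUT, not PREROUTING, so there is no loop.
    ipt -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Redirected connections now terminate locally: INPUT must accept them.
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport "$PROXY_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Belt and braces: any tcp/80 that reaches FORWARD skipped the filter.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 80 -j DROP
    # Everything else from the LAN goes out. Note this includes HTTPS and
    # every other port, none of which the content filter sees.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    # Replies to LAN-initiated connections.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

main() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "# dry run; re-run with DRY_RUN=0 as root to apply"
    else
        enable_ip_forward || { echo "cannot enable forwarding (not root?)" >&2; return 1; }
    fi
    transparent_proxy_rules
}

# Only act when invoked with an explicit "apply" argument.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run `sh gateway.sh apply` first to read the generated rules; once they look right, `DRY_RUN=0 sh gateway.sh apply` as root installs them. Because only tcp/80 is intercepted, tightening the general LAN ACCEPT (or blocking outbound proxy ports) is what actually stops clients walking around the filter.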

Author

Commented:
Thank you. It is working now.