bxcarwilly

asked:

How to configure a transparent proxy on ubuntu 8.10

I'm trying to set up a transparent proxy for content filtering on my home network.
I loaded an old HP with an Ubuntu 8.10 mini command-line-only install.

2 NICs:
eth0: DHCP address assigned from the existing Linksys router 192.168.1.1, which is connected to a cable modem for Internet access
eth1: static address 10.0.0.1 255.255.255.0, connected to a switch and providing DHCP services to the 10.0.0.0 network.

I followed a tutorial at http://www.geek.com/articles/chips/feature-buiding-a-mini-itx-web-content-filter-with-ubuntu-20090116

The workstations are receiving their IPs on the 10.0.0.0 network but will not route to the Internet.

I believe my problem is in the firewall.sh that is running at boot to configure iptables.

#!/bin/bash
 
#  IPTABLES  FIREWALL  script
#  bash rather than sh: on Ubuntu /bin/sh is dash, whose built-in echo does
#  not understand -e, so the "echo -e" lines below would print a literal "-e".
#  Again, I'm assuming that both interfaces are "up"
 
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
 
 
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
EXTIF="eth0"
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' \
  | awk '{print $2}' | sed -e 's/.*://'`"
 
# SET THE INTERFACE DESIGNATION FOR YOUR "INTERNAL" (LAN) CONNECTION
INTIF="eth1"
INTIP="`/sbin/ifconfig $INTIF | grep 'inet addr' \
  | awk '{print $2}' | sed -e 's/.*://'`"
 
 
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
# Derive the NETWORK address (/24) the Internal Interface is on
INTNET="`/sbin/ifconfig $INTIF | grep 'inet addr' \
  | awk '{print $2}' | sed -e 's/.*://' \
  | sed -e 's?\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)?\1\.\2\.\3.0/24?'`"
 
UNIVERSE="0.0.0.0/0"
 
# Enable IP forwarding in the kernel. This only holds until something resets
# it (a later sysctl run from /etc/sysctl.conf, or a reboot); to make it
# persistent, also set net.ipv4.ip_forward=1 in /etc/sysctl.conf.
echo 1 > /proc/sys/net/ipv4/ip_forward
 
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT 
iptables -P OUTPUT DROP
iptables -F OUTPUT 
iptables -P FORWARD DROP
iptables -F FORWARD 
iptables -F -t nat
 
# Flush the user chain.. if it exists (-n avoids reverse DNS lookups, which
# can stall this script at boot before the network is fully up)
if [ "`iptables -n -L | grep drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi
 
# Delete all User-specified chains
iptables -X
 
# Reset all IPTABLES counters
iptables -Z
 
# Logging chain: log the packet, then REJECT it. Despite the name, this sends
# a rejection back to the sender rather than silently dropping the packet.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info 
iptables -A drop-and-log-it -j REJECT
 
echo -e "     - Loading INPUT rulesets"
 
#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are 
#        already flushed and set to a default policy of DROP. 
#
 
# TRUST ANYTHING COMING IN ON LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
 
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
 
# these are necessary for basic networking functionality
iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
# Ignore pings from the outside, but only echo-requests: dropping ALL ICMP
# here would also discard "fragmentation needed" errors before the
# ESTABLISHED,RELATED rule further down can accept them, which breaks path
# MTU discovery for the gateway's own connections.
iptables -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -s $UNIVERSE -d $EXTIP -j DROP
 
 
# THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
# CARD - THIS IS PROBABLY TOO LENIENT.  THE RULES BELOW
# ARE MORE SELECTIVE 
#iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
 
#############################################################
# HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
# NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF - 
# THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
#############################################################
 
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
# echo service on port 7 (ping itself is ICMP and is handled above)
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
 
# MGT Console (Internal)
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 10000 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 10000 -j ACCEPT
 
# FTP Access
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
 
# Windows File Sharing
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 135 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 135 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 136 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 136 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 139 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 139 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 445 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 445 -j ACCEPT
 
# DNS requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
 
# ident/auth
#iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE \
#  --dport 113 -j ACCEPT
#iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE \
#  --dport 113 -j ACCEPT
 
# ssh
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE \
  --dport 4022 -j ACCEPT
  
# UNCOMMENT THIS STANZA FOR WEB CACHE/PROXY SUPPORT
# USING A DANSGUARDIAN/SQUID SETUP
# Let LAN hosts reach DansGuardian on the gateway: the REDIRECTed port-80
# connections from below arrive in INPUT with dport 8080, so this is required
iptables -A INPUT -i $INTIF -p tcp -s $INTNET --dport 8080 -j ACCEPT
# Redirect port 80 to Dansguardian (port 8080). REDIRECT rewrites the
# destination to the gateway's own address on $INTIF, so DansGuardian must be
# listening on that address (or on all addresses), not only on 127.0.0.1.
# Only plain HTTP is intercepted; HTTPS (443) and every other port pass
# through the FORWARD chain unfiltered.
iptables -t nat -A PREROUTING -i $INTIF -p tcp \
   --dport 80 -j REDIRECT --to-ports 8080
 
 
# THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
# THIS IS OBVIOUSLY UNACCEPTABLE.  UNCOMMENT ONLY FOR TESTING
# PURPOSES
 
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
 
#############################################################
# HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
# ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
# ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY 
# THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
# SOME SPECIFIC MACHINE ON THE INTERNAL LAN
# SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
#############################################################
 
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
# echo service on port 7 (ping itself is ICMP and is handled above)
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
  -d $EXTIP --dport 7 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
  -d $EXTIP --dport 7 -j ACCEPT
 
# ident/auth
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 113 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 113 -j ACCEPT
 
# ssh (no restrictions)
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 22 -j ACCEPT
  
# FTP Access
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 21 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 20 -j ACCEPT
 
# WWW Access
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 80 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 80 -j ACCEPT
 
# DAAPD Server
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 3689 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 5353 -j ACCEPT
 
# Asterisk Server
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 5060 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 5060 -j ACCEPT
 
 
# SSH (restricted) to 3 burst attempts, then once per minute
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -m state --state \
  NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -j DROP
 
 
# REMOTE MANAGEMENT
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
#  -d $EXTIP --dport 10000 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
#  -d $EXTIP --dport 10000 -j ACCEPT
 
 
 
####################################################
# SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
# LOCATE MORE SERVICES THAT YOU MIGHT WANT
 
# ADD YOUR OWN RULES
#####################################################
 
# Catch all rule, all other incoming is denied and logged. 
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
echo -e "     - Loading OUTPUT rulesets"
 
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#
 
# YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
# UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL
 
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
 
# loopback is valid
iptables -A OUTPUT -o lo -j ACCEPT
 
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT
 
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -j ACCEPT
 
# Catch all rule, all other outgoing is denied and logged. 
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
echo -e "     - Loading FORWARD rulesets"
 
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
 
################################################################
# ADD PORT FORWARDING RULES HERE
# ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
# "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
################################################################
 
# EXAMPLE FORWARD PORT 8080 TO COMPUTER ON LAN WITH IP 10.69.69.10
# THIS comes in two sections.  Forward what comes in on the outside,
# and make a special exception to forward whatever originated
# on INTERNAL network BACK inside
#iptables -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP \
#		 --dport 8080 -j DNAT --to 10.69.69.10:80
#iptables -A FORWARD -p tcp -i $EXTIF -d 10.69.69.10 --dport 80 -j ACCEPT
 
#########################################################
# ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
# FORWARDED FROM THE INTERNAL INTERFACE TO THE
# EXTERNAL INTERFACE - this is not as critical as
# the INCOMING filter above, but still worthwhile
#########################################################
 
# Enable (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Masquerading on $INTIF as well means any connection forwarded INTO the LAN
# (e.g. the port-forward example above) reaches the internal host with the
# gateway's address as its source, hiding the real client from that host's
# logs. It is not needed for plain Internet sharing; remove it unless you
# rely on it.
iptables -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
 
# this allows everything from inside to outside
# MAYBE too lenient, but maybe not.  If you are
# PARANOID THEN COMMENT THIS OUT and consider
# the rules below!!!
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 
# allow any previously established traffic through
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
# ICMP protocol necessary for ping, etc
iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT
 
# high port numbers allowed out
iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT
 
# echo service on port 7 (ping itself is ICMP and is handled above)
iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT
 
# DNS
iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT
 
# ident/auth
iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
 
# ssh
iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT
 
# http
iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT
 
# https
iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT
 
# ftp
iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT
 
# Catch all rule, all other forwarding is denied and logged. 
iptables -A FORWARD -j drop-and-log-it
 
 
echo -e "    Firewall server rule loading complete\n\n"
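The firewall.sh above carries a lot of rules that have nothing to do with the two things this setup actually needs: forwarding with NAT, and the port-80 redirect into DansGuardian. The script below is an added example, not code from the question or from the geek.com tutorial. It is the reduced ruleset for exactly this topology (eth0 towards the Linksys, eth1 = 10.0.0.1 on the LAN, DansGuardian on 8080), with a DRYRUN switch so the generated iptables commands can be read without root, and a counter check for the REDIRECT rule. It assumes ip_forward is already 1; the interface names, subnet, port and the file name gateway.sh are this example's assumptions.

```shell
#!/bin/bash
# Added example, not the firewall.sh from the question: the smallest ruleset
# that gives the 10.0.0.0/24 LAN Internet access through eth0 and pushes its
# plain-HTTP traffic through DansGuardian on the gateway's port 8080.
# Assumes net.ipv4.ip_forward is already 1 and that DansGuardian is bound to
# the gateway's LAN address (10.0.0.1) or to all addresses. Interface names,
# addresses and the port are this example's assumptions; adjust to taste.
set -u

EXTIF=${EXTIF:-eth0}            # towards the Linksys / cable modem
INTIF=${INTIF:-eth1}            # towards the switch
INTNET=${INTNET:-10.0.0.0/24}   # LAN behind the gateway
PROXY_PORT=${PROXY_PORT:-8080}  # DansGuardian's listening port
DRYRUN=${DRYRUN:-0}             # DRYRUN=1 prints the commands instead of running them

# Every iptables call goes through here so the ruleset can be reviewed with
# DRYRUN=1 before it is loaded for real (which needs root).
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_gateway_rules() {
    # Clean slate: flush both tables, deny in/through by default
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Traffic to the gateway itself
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients reaching DansGuardian: this is where REDIRECTed port-80
    # connections end up, so it must be open or the proxy silently fails
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # DHCP served by the gateway; DISCOVERs come from 0.0.0.0, so no -s match
    ipt -A INPUT -i "$INTIF" -p udp --dport 67 -j ACCEPT

    # Transparent proxy: LAN -> port 80 anywhere outside the LAN is rewritten
    # to the gateway's own $INTIF address and $PROXY_PORT. This has to happen
    # in nat/PREROUTING, before the routing decision. Only TCP/80 is caught;
    # HTTPS and everything else leave through FORWARD unfiltered.
    ipt -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" ! -d "$INTNET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # Internet sharing: NAT only the LAN's traffic as it leaves on $EXTIF,
    # forward LAN -> Internet and the replies, nothing else
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# After loading: print the packet counter of the REDIRECT rule. It should
# climb while a LAN host browses; if it stays at 0 the clients' traffic is
# not reaching this rule (wrong interface/subnet, or a rule above it).
redirect_hits() {
    iptables -t nat -L PREROUTING -v -n -x 2>/dev/null \
        | awk -v p="$PROXY_PORT" '/REDIRECT/ && $0 ~ ("redir ports " p) {print $1; exit}'
}

if [ "${1:-}" = load ]; then
    load_gateway_rules
    hits=$(redirect_hits)
    echo "REDIRECT rule hits so far: ${hits:-0}"
fi
```

Review the output of `DRYRUN=1 bash gateway.sh load` first, then run `bash gateway.sh load` as root. Two things the REDIRECT rule depends on: DansGuardian must accept connections on 10.0.0.1 (REDIRECT changes the destination to the gateway's address on the incoming interface, so a listener bound only to 127.0.0.1 is never reached), and only TCP/80 is intercepted, so https:// URLs still cross the FORWARD chain without passing the filter.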

fosiul01

For Internet connection sharing you need to enable

echo "1" > /proc/sys/net/ipv4/ip_forward

then

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  [here eth0 is connected to the ISP router]

These 2 rules will allow your internal PCs to share the Internet.
bxcarwilly
ASKER

I thought I had done that on lines 29 and 277, 278.
fosiul01

Hmm, your iptables script is too big to study... [you should have broken this small part out first]

First fix Internet connection sharing between the gateway PC and the other internal PCs, then go on to the big iptables rules and the rest.

What is the result of

cat /proc/sys/net/ipv4/ip_forward

Does it show 1?
bxcarwilly
ASKER

No, 0.
ASKER CERTIFIED SOLUTION
fosiul01
This solution is only available to members.
bxcarwilly
ASKER

I get a permission denied when I try to run echo "1" > /proc/sys/net/ipv4/ip_forward

LinuxNtwrkng

Use sudo: sudo echo "1" > /proc/sys/net/ipv4/ip_forward
fosiul01

Hi, sorry, due to the night I was not able to reply.

Yes, as @LinuxNtwrkng said, use sudo before executing that command,

or use the root username and password for that.
bxcarwilly
ASKER

I get permission denied whether I use sudo or not.
fosiul01

Can you log on to the server as the root user?
bxcarwilly
ASKER

I'm using SSH to access the server remotely and it will not allow me to log in as root.
fosiul01

Do you have the root password?

Then type

su -

It will ask for the root password; type that,

and you will become root.
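The permission error reported above is the usual pitfall with sudo and redirection: in `sudo echo "1" > /proc/sys/net/ipv4/ip_forward` the `>` is opened by the unprivileged login shell before sudo ever runs, so the write is refused with or without sudo, while a real root shell from `su -` works. The following is an added example, not from the thread, showing forms that write the flag from a normal login and how to make the setting survive a reboot through /etc/sysctl.conf. The functions take the file paths as parameters (the defaults are the real kernel flag and config file) so they can be exercised against temporary files before touching the gateway; the variable names and the `apply` argument are this example's own.

```shell
#!/bin/bash
# Added example, not from the thread: turning on IP forwarding so that it
# (a) can be done from an unprivileged login and (b) survives a reboot.
#
# Why "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" is denied: the shell
# opens the file for the redirection BEFORE sudo runs, so it is the
# unprivileged user, not root, who tries to write it. Either run the whole
# thing as root (su -), or let the privileged process do the write:
#
#   echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
#   sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
#   sudo sysctl -w net.ipv4.ip_forward=1
set -u

PROC_FLAG=${PROC_FLAG:-/proc/sys/net/ipv4/ip_forward}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}

# Print the current value ("0" or "1") of the flag file given as $1.
forwarding_state() {
    tr -d '[:space:]' < "$1"
}

# Set the flag file $1 to $2 (0 or 1) through tee, which works under sudo
# because tee, not the calling shell, is the process that opens the file.
# Returns non-zero if the value did not stick.
set_forwarding() {
    echo "$2" | tee "$1" > /dev/null
    [ "$(forwarding_state "$1")" = "$2" ]
}

# Make net.ipv4.ip_forward=1 persistent in the sysctl config file $1:
# rewrite an existing (possibly commented-out) line, or append one.
# Ubuntu reads this file at boot, so the flag no longer depends on a
# firewall script having run, or having run last.
persist_forwarding() {
    local conf=$1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        sed -i -r 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' "$conf"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$conf"
    fi
    grep -Eq '^net\.ipv4\.ip_forward=1$' "$conf"
}

if [ "${1:-}" = apply ]; then
    set_forwarding "$PROC_FLAG" 1 && persist_forwarding "$SYSCTL_CONF" \
        && echo "ip_forward is now $(forwarding_state "$PROC_FLAG") and persisted in $SYSCTL_CONF"
fi
```

Run it as `sudo bash ip_forward.sh apply` (or from a `su -` shell); `cat /proc/sys/net/ipv4/ip_forward` should then show 1 both immediately and after a reboot.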
bxcarwilly
ASKER

Okay. I was able to run the command, and the result of cat /proc/sys/net/ipv4/ip_forward is now 1.
I will be onsite to test a workstation connected to the 10.0.0.0 network in an hour or so. I'll let you know if it worked.

It worked!! Can you explain what happened and why the command echo "1" > /proc/sys/net/ipv4/ip_forward fixed it?
My workstation can get to the Internet but it is not being proxied for content filtering.
How can I force all traffic to be transparently forced through 8080 where dansguardian is listening?
fosiul01

Good, at least one worked.

echo "1" > /proc/sys/net/ipv4/ip_forward fixed it?: you are enabling masquerading in the kernel.

About this:

How can I force all traffic to be transparently forced through 8080 where dansguardian is listening?

Do you have squid?

bxcarwilly
ASKER

Yes.

Installed and configured as follows:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl apache rep_header Server ^Apache
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
cache_effective_user proxy
hosts_file /etc/hosts
coredump_dir /var/spool/squid
cache_effective_group proxy

SOLUTION
This solution is only available to members.
bxcarwilly
ASKER

Thank you. It is working now.