bxcarwilly
asked on
How to configure a transparent proxy on ubuntu 8.10
I'm trying to set up a transparent proxy for content filtering on my home network.
I loaded an old HP with an Ubuntu 8.10 minimal command-line-only install.
2 NICs:
eth0: DHCP address assigned from the existing Linksys router 192.168.1.1, which is connected to a cable modem for Internet access.
eth1: static address 10.0.0.1 255.255.255.0, connected to a switch and providing DHCP services to the 10.0.0.0 network.
I followed a tutorial at http://www.geek.com/articles/chips/feature-buiding-a-mini-itx-web-content-filter-with-ubuntu-20090116
The workstations are receiving their IPs on the 10.0.0.0 network but will not route to the Internet.
I believe my problem is in the firewall.sh that is running at boot to configure iptables.
#!/bin/bash
# bash rather than sh: the script uses "echo -e", which Ubuntu's /bin/sh (dash) does not support
# IPTABLES FIREWALL script
# Again, I'm assuming that both interfaces are "up"
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
EXTIF="eth0"
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' \
| awk '{print $2}' | sed -e 's/.*://'`"
# SET THE INTERFACE DESIGNATION FOR YOUR "INTERNAL" (LAN) CONNECTION
INTIF="eth1"
INTIP="`/sbin/ifconfig $INTIF | grep 'inet addr' \
| awk '{print $2}' | sed -e 's/.*://'`"
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NC CONNECTED TO YOUR _INTERNAL_ NETWORK
# Enter the NETWORK address the Internal Interface is on
INTNET="`/sbin/ifconfig $INTIF | grep 'inet addr' \
| awk '{print $2}' | sed -e 's/.*://' \
| sed -e 's?\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)?\1\.\2\.\3.0/24?'`"
UNIVERSE="0.0.0.0/0"
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo -e " - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# TRUST ANYTHING COMING IN ON LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# these are necessary for basic networking functionality
iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP -j DROP
# THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
# CARD - THIS IS PROBABLY TOO LENIENT. THE RULES BELOW
# ARE MORE SELECTIVE
#iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
#############################################################
# HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
# NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF -
# THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
#############################################################
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# ping/echo
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
# MGT Console (Internal)
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 10000 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 10000 -j ACCEPT
# FTP Access
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
# Windows File Sharing
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 135 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 135 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 136 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 136 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 139 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 139 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 445 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 445 -j ACCEPT
# DNS requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
# ident/auth
#iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE \
# --dport 113 -j ACCEPT
#iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE \
# --dport 113 -j ACCEPT
# ssh
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE \
--dport 4022 -j ACCEPT
# UNCOMMENT THIS STANZA FOR WEB CACHE/PROXY SUPPORT
# USING A DANSGUARDIAN/SQUID SETUP
iptables -A INPUT -i $INTIF -p tcp --dport 8080 -j ACCEPT
# Redirect port 80 to Dansguardian (port 8080)
iptables -t nat -A PREROUTING -i $INTIF -p tcp \
--dport 80 -j REDIRECT --to-ports 8080
# THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
# THIS IS OBVIOUSLY UNACCEPTABLE. UNCOMMENT ONLY FOR TESTING
# PURPOSES
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
#############################################################
# HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
# ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
# ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY
# THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
# SOME SPECIFIC MACHINE ON THE INTERNAL LAN
# SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
#############################################################
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# ping/echo
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
-d $EXTIP --dport 7 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
-d $EXTIP --dport 7 -j ACCEPT
# ident/auth
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 113 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
# -d $EXTIP --dport 113 -j ACCEPT
# ssh (no restrictions)
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 22 -j ACCEPT
# FTP Access
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 21 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
# -d $EXTIP --dport 20 -j ACCEPT
# WWW Access
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 80 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
# -d $EXTIP --dport 80 -j ACCEPT
# DAAPD Server
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 3689 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
# -d $EXTIP --dport 5353 -j ACCEPT
# Asterisk Server
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 5060 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
# -d $EXTIP --dport 5060 -j ACCEPT
# SSH (restricted) to 3 burst attempts, then once per minute
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -m state --state \
NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -i $EXTIF -m tcp -p tcp --dport 22 -j DROP
# REMOTE MANAGEMENT
#iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE \
# -d $EXTIP --dport 10000 -j ACCEPT
#iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE \
# -d $EXTIP --dport 10000 -j ACCEPT
####################################################
# SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
# LOCATE MORE SERVICES THAT YOU MIGHT WANT
# ADD YOUR OWN RULES
#####################################################
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
# UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# loopback is valid
iptables -A OUTPUT -o lo -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
################################################################
# ADD PORT FORWARDING RULES HERE
# ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
# "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
################################################################
# EXAMPLE FORWARD PORT 8080 TO COMPUTER ON LAN WITH IP 10.69.69.10
# THIS comes in two sections. Forward what comes in on the outside,
# and make a special exception to forward whatever originated
# on INTERNAL network BACK inside
#iptables -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP \
# --dport 8080 -j DNAT --to 10.69.69.10:80
#iptables -A FORWARD -p tcp -i $EXTIF -d 10.69.69.10 --dport 80 -j ACCEPT
#########################################################
# ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
# FORWARDED FROM THE INTERNAL INTERFACE TO THE
# EXTERNAL INTERFACE - this is not as critical as
# the INCOMING filter above, but still worthwhile
#########################################################
# Enable (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
# this allows everything from inside to outside
# MAYBE too lenient, but maybe not. If you are
# PARANOID THEN COMMENT THIS OUT and consider
# the rules below!!!
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# allow any previously established traffic through
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# ICMP protocol necessary for ping, etc
iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT
# high port numbers allowed out
iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT
# ping/echo
iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT
# DNS
iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT
# ident/auth
iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
# ssh
iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT
# http
iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT
# https
iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT
# ftp
iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
echo -e " Firewall server rule loading complete\n\n"
ASKER
I thought I had done that on lines 29 and 277, 278.
Hmm, your iptables script is too big to study... [you should have broken this into little parts first]
First fix Internet connection sharing between the gateway PC and the other internal PCs, then go for the big iptables rules and the rest.
What is the result of
cat /proc/sys/net/ipv4/ip_forward
Does it show 1?
ASKER
No, 0.
ASKER CERTIFIED SOLUTION (content available to Experts Exchange members only)
ASKER
I get a permission denied when I try to run echo "1" > /proc/sys/net/ipv4/ip_forward
Use sudo: "sudo echo "1" > /proc/sys/net/ipv4/ip_forward"
Hi, sorry, due to the night I was not able to reply.
Yes, as @LinuxNtwrkng said, use sudo before executing that command,
or use the root username and password for that.
ASKER
I get permission denied whether I use sudo or not.
Can you log on to the server as the root user?
ASKER
I'm using SSH to access the server remotely and it will not allow me to log in as root.
Do you have the root password?
Then type
su -
It will ask for the root password; type that,
then you will become root.
ASKER
Okay. I was able to run the command and the result of cat /proc/sys/net/ipv4/ip_forward is now 1.
I will be onsite to test a workstation connected to the 10.0.0.0 network in an hour or so. I'll let you know if it worked.
ASKER
It worked!! Can you explain what happened and why the command echo "1" > /proc/sys/net/ipv4/ip_forward fixed it?
ASKER
My workstation can get to the Internet, but it is not being proxied for content filtering.
How can I force all traffic to be transparently forced through 8080, where dansguardian is listening?
Good, at least one thing worked.
echo "1" > /proc/sys/net/ipv4/ip_forward fixed it?: you are enabling masquerading from the kernel.
About this:
"How can I force all traffic to be transparently forced through 8080, where dansguardian is listening?"
Do you have squid?
ASKER
Yes.
Installed and configured as follows:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl apache rep_header Server ^Apache
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
cache_effective_user proxy
hosts_file /etc/hosts
coredump_dir /var/spool/squid
cache_effective_group proxy
SOLUTION (content available to Experts Exchange members only)
ASKER
Thank you. It is working now.
echo "1" > /proc/sys/net/ipv4/ip_forward
then
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE [here eth0 is connected to the ISP router]
These 2 rules will allow your internal PCs to share the Internet.
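The two commands in that last answer, together with the port-80 redirect that the asker's firewall.sh already carries, as one added example script (not the asker's script, not the tutorial's, and not the hidden solutions). It assumes the interface roles, LAN prefix and DansGuardian port described in the thread (eth0 external, eth1 internal, 10.0.0.0/24, port 8080); run it with no argument to print the rules it would load, or with "apply" to load them as root. It also shows why "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails with permission denied: the redirection is performed by the unprivileged shell, not by the command sudo runs, so the write has to happen inside a root process, for which sysctl -w is the usual tool.

```shell
#!/bin/bash
# Added example: minimal gateway + transparent-proxy rule set with a dry-run mode.
# Interface names, LAN prefix and proxy port are assumptions taken from the thread.
EXTIF="eth0"            # assumed: NIC facing the Linksys router / cable modem
INTIF="eth1"            # assumed: NIC facing the 10.0.0.0/24 switch
INTNET="10.0.0.0/24"    # assumed: internal network
PROXY_PORT="8080"       # assumed: port DansGuardian listens on
DRY_RUN=1               # 1 = print the commands, 0 = execute them

# Print or execute a command depending on DRY_RUN, so the rule set can be
# reviewed before it is applied.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 when kernel IP forwarding is on. The file path is a parameter
# (default /proc/sys/net/ipv4/ip_forward) so the check can be exercised offline.
forwarding_enabled() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] && [ "$(tr -d '[:space:]' < "$file")" = "1" ]
}

# Enable forwarding inside a root process. "sudo echo 1 > file" does not work
# because the shell, not sudo, opens the file; sysctl -w writes it itself.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Internet sharing: rewrite LAN source addresses to the external address,
# let LAN-originated flows out, and let only replies back in.
gateway_rules() {
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Transparent interception: web traffic arriving on the internal NIC for port 80
# is redirected to the local filtering proxy, so clients need no proxy setting.
# The proxy port itself must then be reachable from the LAN.
transparent_proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$INTIF" -s "$INTNET" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    run iptables -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

# Self-check: how many generated rules actually redirect port 80 to the proxy.
# Expect exactly 1; 0 means the interception is missing from the set.
count_proxy_rules() {
    transparent_proxy_rules | grep -c -- "--dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
enable_forwarding
gateway_rules
transparent_proxy_rules
```

Two points worth keeping in mind with this layout. A value written to /proc/sys does not survive a reboot, so the asker's boot-time firewall.sh must actually run (or net.ipv4.ip_forward=1 be set in /etc/sysctl.conf) for forwarding to stay on. And the REDIRECT rule only intercepts plain HTTP on port 80; the FORWARD rules in the posted script pass port 443 straight through, so HTTPS traffic is not seen by DansGuardian at all, which is the usual coverage gap of a port-80 transparent filter.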