Solved

Squid Proxy and Remote Desktop - HELP

Posted on 2009-05-07
Last Modified: 2013-11-22
Hey

I have set up a Transparent Squid Proxy server on Debian 5. Everything is working great (FTP, HTTP, HTTPS), but I can't Remote Desktop to a Windows machine with a public IP.

I have tried making changes to iptables (I am quite dumb when it comes to iptables), but I don't seem to be getting anywhere - without breaking anything.

Has anyone ever got this right? What changes do I need to make to iptables or to squid.conf to get this working?

Below is my squid.conf and also a little script I have for iptables (got the iptables script from http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html but slightly changed)
:#:  cat /etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.47.134.0/24 10.47.135.0/24     # RFC1918 possible internal network
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports          # Squid default; the posted config had 'allow' here, which lets requests to any port through
http_access deny CONNECT !SSL_ports   # Squid default; 'allow' here would let CONNECT tunnel to any port
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
icp_port 3130
coredump_dir /var/spool/squid
log_fqdn on
_____________________________________________________________
:#:  cat /etc/iptables.proxy
#!/bin/sh
# squid server IP
SQUID_SERVER="196.211.63.174"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"
 
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow return traffic for connections this host opened (covers DNS replies and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Question by:Rigged
6 Comments
 
LVL 2

Expert Comment

by:Miele102
ID: 24323675
As far as I know, RDP uses port 3389.
So, if you open mstsc and then type the IP address, the protocol should be routed directly to your firewall and the internet, bypassing the proxy.
Could it be that a firewall is blocking the RDP protocol?
 
LVL 1

Author Comment

by:Rigged
ID: 24323945
Hi Miele102

Currently I have the Router (point of termination for the internet); behind it we have our Cisco Pix Firewall, which we have been using since forever. As of late our internet is a bit congested, so we started to build the Squid Proxy (it is directly behind the router) and are getting everything to work through the Proxy before putting it behind the Pix Firewall. RDP works through the Pix and Router, but not through the Proxy and Router.

That's the thing that's confusing me - it works through the one, but not the other, and as you said (and from what I have read in other places) it should be bypassing the Proxy, but it isn't.

Is there maybe a rule I can pass onto iptables, or is there something else I can try, because as far as I can tell it is only the Squid Proxy that is stopping the communication.
 
LVL 2

Accepted Solution

by:Miele102 (earned 1500 total points)
ID: 24325142
Hi,
Is the squid proxy also your firewall? I mean, you say that RDP works through the Pix and router but not through the squid and router. I see in your iptables that the squid has two NICs, which are defined as Internet and LAN. Is the Pix out of order, and does the squid also function as firewall?
Then you need to configure a port forwarding in your iptables where 3389 is forwarded to the router, I think.
 
LVL 1

Author Closing Comment

by:Rigged
ID: 31578903
:D THX for pointing me in the right direction
 
LVL 1

Author Comment

by:Rigged
ID: 24325609
HAHA, sweet. I found a site describing how iptables port forwarding works and added the following to my little iptables script mentioned above:

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 3389 -j DNAT --to-destination $SQUID_SERVER

It all works 100% now :D
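Below is an added rule set, not the asker's script or the cyberciti how-to, showing the defender's version of the setup this thread arrives at: only port 80 is intercepted into Squid, the FORWARD chain defaults to DROP, and outbound RDP (tcp/3389) from the LAN is allowed by an explicit rule instead of a blanket forward. The interface names, the LAN subnet and the Squid port are assumptions; setting IPT=echo prints the rules without applying them.

```shell
#!/bin/sh
# Added example, not the asker's script: a transparent-proxy rule set that
# redirects only LAN port-80 traffic into Squid and routes everything else
# through FORWARD with a DROP default, so RDP (tcp/3389) is allowed
# explicitly and only outbound. Interfaces, subnet and port are assumptions.
LAN_IN="eth0"
INTERNET="eth1"
LAN_NET="10.47.134.0/23"     # assumed: spans both /24s in the posted squid.conf
SQUID_PORT="3128"
IPT="${IPT:-iptables}"       # set IPT=echo to print the rules instead of applying them

proxy_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP     # nothing is routed unless a rule below allows it
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IN" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Intercept HTTP only. REDIRECT hands it to the local Squid, so the rule
    # needs no public address; redirected packets go to INPUT, never FORWARD.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-port "$SQUID_PORT"
    # Routed (not proxied) LAN-to-Internet services: FTP, HTTPS, RDP, DNS.
    for port in 21 443 3389; do
        $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -s "$LAN_NET" \
             -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # Replies (and FTP data connections via the conntrack helper) come back.
    $IPT -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    # Log what nothing matched before the chain policy drops it.
    $IPT -A INPUT -j LOG --log-prefix "proxy-in-drop: "
    $IPT -A FORWARD -j LOG --log-prefix "proxy-fwd-drop: "
}

# Dry-run check: does the generated rule set accept outbound RDP from the LAN?
rdp_allowed() {
    (IPT=echo; proxy_rules) | grep -q -- '--dport 3389 -j ACCEPT'
}

# Apply for real, as root: sh proxy.sh apply
if [ "${1:-}" = "apply" ]; then
    modprobe nf_conntrack_ftp    # ip_conntrack_ftp on the 2.6 kernels of the era
    echo 1 > /proc/sys/net/ipv4/ip_forward
    proxy_rules
fi
```

Anything the LAN needs beyond the listed ports must be added to the FORWARD rules, which is the point: the drop log shows exactly what the old blanket forward was letting through unnoticed.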
 
LVL 2

Expert Comment

by:Miele102
ID: 24326699
Great.