Squid Proxy and Remote Desktop - HELP

Hey

I have set up a transparent Squid proxy server on Debian 5. Everything is working great (FTP, HTTP, HTTPS), but I can't Remote Desktop to a Windows machine with a public IP.

I have tried making changes to iptables (I am quite dumb when it comes to iptables), but I don't seem to be getting anywhere without breaking anything.

Has anyone ever got this right? What changes do I need to make to iptables or to squid.conf to get this working?

Below is my squid.conf and also a little script I have for iptables (I got the iptables script from http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html but slightly changed it).
:#:  cat /etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.47.134.0/24 10.47.135.0/24     # RFC1918 possible internal network
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow !Safe_ports           # stock squid.conf uses "deny" here
http_access allow CONNECT !SSL_ports    # stock squid.conf uses "deny" here
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
icp_port 3130
coredump_dir /var/spool/squid
log_fqdn on
_____________________________________________________________
:#:  cat /etc/iptables.proxy
 
# squid server IP
SQUID_SERVER="196.211.63.174"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"
 
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections this box started (conntrack covers UDP/DNS answers and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


RiggedAsked:
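Two lines in the posted squid.conf deserve a second look from a security standpoint: `http_access allow !Safe_ports` and `http_access allow CONNECT !SSL_ports`. Squid's stock squid.conf ships both as `deny`; with `allow`, any client that can reach port 3128 is permitted to use the proxy for non-web ports and to CONNECT to arbitrary ports, regardless of the `localnet` rule further down. In the posted iptables script the INPUT policy drops new connections arriving on eth1, so the firewall is what currently keeps outside clients off 3128; the squid.conf on its own would not. The Python below is an added example, not Squid's own code and not part of the thread: a small first-match evaluator for the `src`, `port`, `method` and `proto` acl types used in the posted config, run against the posted rules and against the same rules with those two lines set to `deny`. The client addresses 10.47.134.20 and 203.0.113.10 are constructed.

```python
"""First-match evaluator for the http_access section of a squid.conf.

Added example, not Squid's own code: models how Squid walks http_access
rules top to bottom and lets the first rule whose ACLs all match decide.
Only the acl types used in the posted config (src, port, method, proto)
are modelled; client addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# acl and http_access lines from the posted squid.conf (acl values merged
# onto one line per name, which Squid treats the same as repeated lines).
POSTED_CONF = """
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.47.134.0/24 10.47.135.0/24
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 631 873 901
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
"""

# Same rules with the two port checks set to "deny", as in Squid's stock squid.conf.
HARDENED_CONF = (POSTED_CONF
                 .replace("allow !Safe_ports", "deny !Safe_ports")
                 .replace("allow CONNECT !SSL_ports", "deny CONNECT !SSL_ports"))


@dataclass(frozen=True)
class Request:
    client_ip: str       # source address as seen by Squid
    method: str          # GET, CONNECT, PURGE, ...
    port: int            # destination port of the request
    proto: str = "http"  # "cache_object" for cachemgr requests


def parse(conf):
    """Return ({acl_name: (acl_type, [values])}, [(action, [terms])])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    acl_type, values = acls[name]
    if acl_type == "src":
        if "all" in values:
            return True
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if acl_type == "method":
        return req.method.upper() in values
    if acl_type == "proto":
        return req.proto in values
    raise ValueError(f"acl type {acl_type!r} not modelled")


def evaluate(conf, req):
    """Return 'allow' or 'deny' for req under conf's http_access rules."""
    acls, rules = parse(conf)
    if not rules:
        return "deny"  # Squid denies everything when no http_access lines exist
    for action, terms in rules:
        # A term matches if its ACL matches, or does not match when prefixed "!".
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    # Squid's fallback when nothing matched: the opposite of the last rule.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed clients: one inside the posted localnet, one from elsewhere.
LAN_CLIENT, OUTSIDE_CLIENT = "10.47.134.20", "203.0.113.10"


def audit():
    """(posted, hardened) decision for a few requests that reach port 3128."""
    cases = {
        "lan_get_80": Request(LAN_CLIENT, "GET", 80),
        "outside_connect_25": Request(OUTSIDE_CLIENT, "CONNECT", 25),
        "outside_connect_8080": Request(OUTSIDE_CLIENT, "CONNECT", 8080),
        "outside_get_80": Request(OUTSIDE_CLIENT, "GET", 80),
    }
    return {k: (evaluate(POSTED_CONF, r), evaluate(HARDENED_CONF, r))
            for k, r in cases.items()}


if __name__ == "__main__":
    for name, decision in audit().items():
        print(f"{name:22s} posted={decision[0]:5s} hardened={decision[1]}")
```

Running it shows the LAN client's ordinary web request allowed under both variants, while the outside client's CONNECT to port 25 (caught by `allow !Safe_ports`) and to port 8080 (caught by `allow CONNECT !SSL_ports`) are allowed only under the posted rules and denied under the stock ordering.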
 
Miele102 Commented:
Hi,
Is the Squid proxy also your firewall? I mean, you say that RDP works through the PIX and router but not through the Squid and router. I see in your iptables that the Squid has two NICs, which are defined as Internet and LAN. Is the PIX out of order, and does the Squid also function as a firewall?
Then you need to configure port forwarding in your iptables where 3389 is forwarded to the router, I think.
0
 
Miele102 Commented:
As far as I know, RDP uses port 3389.
So, if you open mstsc and then type the IP address, the protocol should be routed directly to your firewall and the internet, bypassing the proxy.
Could it be that a firewall is blocking the RDP protocol?
0
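Miele102's point can be checked against the posted /etc/iptables.proxy: the only thing that decides whether Squid ever sees a connection is the nat PREROUTING chain, and its two rules match TCP port 80 only. The Python below is an added example, not part of the thread and not iptables' own code. It replays those two rules with first-match semantics over a few constructed flows; SQUID_SERVER and the interface names come from the posted script, the public address 198.51.100.7 is constructed. The outcome is that LAN traffic to TCP/80 is rewritten to 196.211.63.174:3128, while TCP/443, TCP/3389 and UDP/53 leave PREROUTING unchanged and are simply forwarded and masqueraded, so Squid is not in the path of the RDP session at all.

```python
"""Replay of the nat PREROUTING rules in the posted /etc/iptables.proxy.

Added example, not part of the thread and not iptables' own code: applies
the two PREROUTING rules with first-match semantics to sample flows so you
can see exactly which traffic a transparent proxy intercepts.  SQUID_SERVER
and the interface names come from the posted script; the flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SQUID_SERVER, SQUID_PORT = "196.211.63.174", 3128
INTERNET, LAN_IN = "eth1", "eth0"


@dataclass(frozen=True)
class Flow:
    in_iface: str
    proto: str
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    in_iface: str
    proto: str
    dport: int
    target: str              # "DNAT" or "REDIRECT"
    to_ip: Optional[str]     # DNAT destination; None for REDIRECT
    to_port: int


# The two rules, in the order the posted script appends them.
PREROUTING = [
    NatRule(LAN_IN, "tcp", 80, "DNAT", SQUID_SERVER, SQUID_PORT),
    NatRule(INTERNET, "tcp", 80, "REDIRECT", None, SQUID_PORT),
]


def prerouting(flow, rules=PREROUTING):
    """Return (flow as it leaves nat PREROUTING, matching rule or None)."""
    for r in rules:
        if (r.in_iface, r.proto, r.dport) == (flow.in_iface, flow.proto, flow.dport):
            if r.target == "DNAT":
                return Flow(flow.in_iface, flow.proto, r.to_ip, r.to_port), r
            # REDIRECT rewrites the destination to the receiving interface's
            # own address; "local" stands in for that address here.
            return Flow(flow.in_iface, flow.proto, "local", r.to_port), r
    return flow, None  # nothing matched: forwarded and masqueraded unchanged


def intercepted(flow):
    """True when a PREROUTING rule diverted the flow to Squid."""
    return prerouting(flow)[1] is not None


def summary():
    """Which LAN-originated flows to a public host reach Squid at all."""
    remote = "198.51.100.7"  # constructed public address (TEST-NET-2)
    flows = {
        "lan_http_80": Flow(LAN_IN, "tcp", remote, 80),
        "lan_https_443": Flow(LAN_IN, "tcp", remote, 443),
        "lan_rdp_3389": Flow(LAN_IN, "tcp", remote, 3389),
        "lan_dns_udp_53": Flow(LAN_IN, "udp", remote, 53),
    }
    return {name: intercepted(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name:16s} {'-> squid' if hit else 'routed untouched'}")
```

The same model also shows why HTTPS "works" in the original post without any Squid involvement: nothing rewrites port 443, so it is routed and masqueraded like any other non-HTTP traffic.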
 
Rigged (Author) Commented:
Hi Miele102

Currently I have the router (point of termination for the internet); behind it we have our Cisco PIX firewall, which we have been using since forever. Of late our internet is a bit congested, so we started to build the Squid proxy (it is directly behind the router) and are getting everything to work through the proxy before putting it behind the PIX firewall. RDP works through the PIX and router, but not through the proxy and router.

That's the thing that's confusing me: it works through the one but not the other, and as you said (and from what I have read in other places) it should be bypassing the proxy, but it isn't.

Is there maybe a rule I can pass to iptables, or is there something else I can try? Because as far as I can tell it is only the Squid proxy that is stopping the communication.
0
 
Rigged (Author) Commented:
:D THX for pointing me in the right direction.
0
 
Rigged (Author) Commented:
HAHA, sweet. I found a site describing how iptables port forwarding works and added the following to my little iptables script mentioned above:

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 3389 -j DNAT --to-destination $SQUID_SERVER

It all works 100% now :D
0
 
Miele102 Commented:
Great.
0