Solved

Squid Proxy and Remote Desktop - HELP

Posted on 2009-05-07
6,977 Views
Last Modified: 2013-11-22
Hey

I have set up a transparent Squid proxy server on Debian 5. Everything is working great (FTP, HTTP, HTTPS), but I can't Remote Desktop to a Windows machine with a public IP.

I have tried making changes to iptables (I am quite dumb when it comes to iptables), but I don't seem to be getting anywhere - without breaking anything.

Has anyone ever got this right? What changes do I need to make to iptables or to squid.conf to get this working?

Below is my squid.conf and also a little script I have for iptables (I got the iptables script from http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html but slightly changed it).
:#:  cat /etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.47.134.0/24 10.47.135.0/24     # RFC1918 possible internal network
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Squid's default ordering: deny unsafe ports and non-SSL CONNECT tunnels before
# any source-based allow; an "allow" on these two lines would let any client
# that reaches the proxy open connections to arbitrary ports through it.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
icp_port 3130
coredump_dir /var/spool/squid
log_fqdn on

_____________________________________________________________

:#:  cat /etc/iptables.proxy
#!/bin/sh

# squid server IP
SQUID_SERVER="196.211.63.174"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Question by:Rigged
 
LVL 2

Expert Comment

by:Miele102
As far as I know, RDP uses port 3389.
So, if you open mstsc and then type the IP address, the protocol should be routed directly to your firewall and the internet, bypassing the proxy.
Could it be that a firewall is blocking the RDP protocol?
 
LVL 1

Author Comment

by:Rigged
Hi Miele102

Currently I have the router (point of termination for the internet); behind it we have our Cisco Pix firewall, which we have been using since forever. As of late our internet is a bit congested, so we started to build the Squid proxy (it is directly behind the router) and are getting everything to work through the proxy before putting it behind the Pix firewall. RDP works through the Pix and router, but not through the proxy and router.

That's the thing that's confusing me - it works through the one, but not the other, and as you said (and from what I have read in other places) it should be bypassing the proxy, but it isn't.

Is there maybe a rule I can pass onto iptables, or is there something else I can try, because as far as I can tell it is only the Squid proxy that is stopping the communication.
 
LVL 2

Accepted Solution

by:
Miele102 earned 500 total points
Hi,
Is the Squid proxy also your firewall? I mean, you say that RDP works through the Pix and router but not through the Squid and router. I see in your iptables that the Squid has two NICs, which are defined in Internet and Lan. Is the Pix out of order, and does the Squid also function as a firewall?
Then you need to configure a port forwarding in your iptables where 3389 is forwarded to the router, I think.
 
LVL 1

Author Closing Comment

by:Rigged
:D THX for pointing me in the right direction
 
LVL 1

Author Comment

by:Rigged
HAHA, sweet. I found a site describing how iptables port forwarding works and added the following to my little iptables script mentioned above:

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 3389 -j DNAT --to-destination $SQUID_SERVER

It all works 100% now :D
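The following is an added example, not code from the thread: it walks the nat PREROUTING rules posted above (the two port-80 rules plus the 3389 rule from the comment above) with iptables' first-match semantics, so you can check where a LAN client's TCP connection is actually sent before and after the fix. The interface names and SQUID_SERVER are the thread's own; the Windows host address 203.0.113.10 is a constructed placeholder.

```python
"""First-match simulation of the thread's nat PREROUTING rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SQUID_SERVER, SQUID_PORT = "196.211.63.174", 3128   # from the posted script
LAN_IN, INTERNET = "eth0", "eth1"                    # from the posted script


@dataclass(frozen=True)
class Rule:
    in_iface: str
    dport: int
    new_dst: Optional[str]   # DNAT --to / --to-destination address; None = REDIRECT to this box
    new_port: Optional[int]  # None keeps the original destination port (as --to-destination IP does)


# Rules in the order the posted script appends them, plus the author's 3389 rule.
PREROUTING: List[Rule] = [
    Rule(LAN_IN, 80, SQUID_SERVER, SQUID_PORT),   # DNAT --to $SQUID_SERVER:$SQUID_PORT
    Rule(INTERNET, 80, None, SQUID_PORT),         # REDIRECT --to-port $SQUID_PORT
    Rule(LAN_IN, 3389, SQUID_SERVER, None),       # DNAT --to-destination $SQUID_SERVER
]
BEFORE_FIX: List[Rule] = PREROUTING[:2]


def route(in_iface: str, dst: str, dport: int,
          rules: List[Rule] = PREROUTING) -> Tuple[str, int]:
    """Destination (address, port) after PREROUTING: the first matching rule
    wins; a packet that matches no rule keeps its original destination and
    goes on to FORWARD untouched, which is what Squid never sees."""
    for r in rules:
        if r.in_iface == in_iface and r.dport == dport:
            return (r.new_dst or "<this host>", r.new_port or dport)
    return (dst, dport)


def proxied_by_squid(in_iface: str, dst: str, dport: int,
                     rules: List[Rule] = PREROUTING) -> bool:
    """True only when the connection lands on Squid's listening socket."""
    return route(in_iface, dst, dport, rules) == (SQUID_SERVER, SQUID_PORT)


if __name__ == "__main__":
    win = "203.0.113.10"  # constructed placeholder for the Windows host
    print("RDP before fix:", route(LAN_IN, win, 3389, BEFORE_FIX),
          "proxied:", proxied_by_squid(LAN_IN, win, 3389, BEFORE_FIX))
    print("RDP after fix: ", route(LAN_IN, win, 3389),
          "proxied:", proxied_by_squid(LAN_IN, win, 3389))
    print("HTTP from LAN: ", route(LAN_IN, win, 80),
          "proxied:", proxied_by_squid(LAN_IN, win, 80))
```

Before the extra rule, a LAN RDP connection matched nothing in PREROUTING and never touched Squid, so no squid.conf change could have affected it; after it, every LAN-originated port 3389 connection has its destination address rewritten to $SQUID_SERVER with the port kept, so confirm that is the host you intend RDP sessions to land on.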
 
LVL 2

Expert Comment

by:Miele102
Great.
