Solved

Squid Proxy and Remote Desktop - HELP

Posted on 2009-05-07
6
7,027 Views
Last Modified: 2013-11-22
Hey

I have set up a Transparent Squid Proxy server on Debian 5. Everything is working great (FTP, HTTP, HTTPS), but I can't Remote Desktop to a Windows machine with a public IP.

I have tried making changes to IPtables (I am quite dumb when it comes to IPTables), but I don't seem to be getting anywhere - without breaking anything.

Has anyone ever got this right? What changes do I need to make to iptables or to squid.conf to get this working?

Below is my squid.conf and also a little script I have for the iptables (got the iptables script from http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html but slightly changed)
:#:  cat /etc/squid/squid.conf

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.47.134.0/24 10.47.135.0/24     # RFC1918 possible internal network
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# The next two lines read "allow" in the original posting; Squid's stock config
# denies them, otherwise the proxy will CONNECT to any port a client asks for.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all             # original posting had "allow all"; stock config denies
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
icp_port 3130
coredump_dir /var/spool/squid
log_fqdn on

_____________________________________________________________

:#:  cat /etc/iptables.proxy

#!/bin/sh
# squid server IP
SQUID_SERVER="196.211.63.174"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy (FORWARD is not set here, so it keeps the kernel default of ACCEPT)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this box started (UDP, DNS and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything else on INPUT and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Question by: Rigged
6 Comments
 
LVL 2

Expert Comment

by:Miele102
ID: 24323675
As far as I know, RDP uses port 3389.
So, if you open mstsc and then type the IP address, the protocol should be routed directly to your firewall and the internet, passing by the proxy.
Could it be that a firewall is blocking the RDP protocol?
 
LVL 1

Author Comment

by:Rigged
ID: 24323945
Hi Miele102

Currently I have the Router (point of termination for the internet); behind it we have our Cisco Pix Firewall, which we have been using since forever. As of late our internet is a bit congested, so we started to build the Squid Proxy (it is directly behind the router) and to get everything working through the Proxy before putting it behind the Pix Firewall. RDP works through the Pix and Router, but not through the Proxy and Router.

That's the thing that's confusing me: it works through the one, but not the other, and as you said (and from what I have read in other places) it should be passing the Proxy, but it isn't.

Is there maybe a rule I can pass onto iptables, or is there something else I can try, because as far as I can tell it is only the Squid Proxy that is stopping the communication?
 
LVL 2

Accepted Solution

by: Miele102 (earned 500 total points)
ID: 24325142
Hi,
Is the squid proxy also your firewall? I mean, you say that RDP works through the Pix and router but not through the squid and router. I see in your iptables that the squid has two NICs, which are defined as Internet and LAN. Is the Pix out of order, and does the squid also function as a firewall?
Then you need to configure a port forwarding in your iptables where 3389 is forwarded to the router, I think.
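The gateway the accepted answer describes (squid box with a LAN NIC and an Internet NIC, acting as both transparent proxy and firewall) can be expressed as a ruleset where only LAN port 80 is intercepted by Squid and every other protocol, RDP included, is either explicitly forwarded and masqueraded or dropped. The script below is an added example written for this thread; it is not the poster's script and not the cyberciti one. Interface names, the LAN range (assumed to be the two /24s from squid.conf) and the forwarded port list are assumptions to adjust. Setting IPT="echo iptables" prints the rules instead of loading them, which is how the count helper at the bottom checks the result without touching the kernel.

```shell
#!/bin/sh
# Added example (not the poster's script): iptables rules for a two-NIC
# transparent Squid gateway. LAN port 80 goes to Squid; the TCP ports listed in
# FORWARD_TCP (RDP 3389 among them) are routed and masqueraded; the rest of the
# LAN traffic is logged and dropped by the FORWARD chain.
# Set IPT="echo iptables" to print the rules instead of applying them.

IPT="${IPT:-iptables}"
LAN_IN="${LAN_IN:-eth0}"
INTERNET="${INTERNET:-eth1}"
LAN_NET="${LAN_NET:-10.47.134.0/23}"        # assumed: covers both /24s in squid.conf
SQUID_PORT="${SQUID_PORT:-3128}"
FORWARD_TCP="${FORWARD_TCP:-443 3389}"     # assumed: TCP ports that bypass the proxy

flush_tables() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP      # the cyberciti script leaves FORWARD at ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

transparent_proxy() {
    # Accept LAN connections to the Squid port, then steer LAN port 80 into it.
    # REDIRECT targets the gateway's own address on the incoming interface, so
    # the public IP never has to be hard-coded.
    $IPT -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

forward_ports() {
    # DNS for the LAN plus each listed TCP port; nothing else is forwarded.
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    for port in $FORWARD_TCP; do
        $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -s "$LAN_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$LAN_NET" -j MASQUERADE
}

log_and_drop() {
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
    $IPT -A INPUT -j LOG --log-prefix "IN-DROP: "
    $IPT -A INPUT -j DROP
}

build_ruleset() {
    flush_tables
    base_policy
    transparent_proxy
    forward_ports
    log_and_drop
}

# rules_for_port: dry-runs the ruleset and counts the rule lines matching --dport PORT
rules_for_port() {
    ( IPT="echo iptables"; build_ruleset ) | grep -c -- "--dport $1" || true
}

if [ "${1:-}" = "--apply" ]; then
    build_ruleset
fi
```

Run it with --apply on the gateway to load the rules, or without arguments and call rules_for_port 3389 from the same shell to see that exactly one rule handles RDP; the FORWARD DROP policy is the part that differs most from the original script, which forwards every LAN packet unconditionally.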
 
LVL 1

Author Closing Comment

by:Rigged
ID: 31578903
:D THX for pointing me in the right direction
 
LVL 1

Author Comment

by:Rigged
ID: 24325609
HAHA, sweet. I found a site describing how iptables port forwarding works and added the following to my little iptables script mentioned above:

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 3389 -j DNAT --to-destination $SQUID_SERVER

It all works 100% now :D
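Once rules like the one above are in place, it is worth confirming which destination ports the nat table actually rewrites, because a PREROUTING DNAT or REDIRECT sends that traffic to the proxy box rather than routing it. The script below is an added check, not part of the thread: it reads an iptables-save -t nat dump and lists every --dport that a PREROUTING rule rewrites, then reports any port outside an allowed list. The dump embedded in it is constructed for the example (not captured from the poster's machine); it contains the thread's two port-80 rules and the 3389 rule from the comment above, so the audit flags 3389 unless it is added to the allowed list.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables-save -t nat` dump and
# list the TCP destination ports that PREROUTING DNAT/REDIRECT rules rewrite.
# On a transparent-proxy gateway you expect to see 80 only; anything else means
# that traffic is being handed to the proxy box instead of being routed.

# Constructed sample dump (not captured from the poster's box). It contains the
# original port-80 interception and the 3389 rule from the last comment.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 196.211.63.174:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 196.211.63.174
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# rewritten_ports: reads a dump on stdin, prints the distinct rewritten
# --dport values sorted numerically on one line (e.g. "80 3389")
rewritten_ports() {
    awk '
        /^-A PREROUTING/ && (/-j DNAT/ || /-j REDIRECT/) {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") ports[$(i+1)] = 1
        }
        END { for (p in ports) print p }
    ' | sort -n | tr "\n" " " | sed "s/ $//"
}

# unexpected_ports: reads a dump on stdin and prints every rewritten port that
# is not in the space-separated allowed list given as $1 (default "80")
unexpected_ports() {
    allowed="${1:-80}"
    for p in $(rewritten_ports); do
        case " $allowed " in
            *" $p "*) ;;
            *) printf '%s ' "$p" ;;
        esac
    done | sed 's/ $//'
}

# audit_sample: runs the audit over the constructed dump with only 80 allowed
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | unexpected_ports 80
}

# On a real gateway: iptables-save -t nat | unexpected_ports 80
```

Feed the live table in with iptables-save -t nat | unexpected_ports 80; an empty result means only web traffic is intercepted, and any port it prints is one to account for deliberately rather than discover during the next "why does X not work through the proxy" troubleshooting session.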
 
LVL 2

Expert Comment

by:Miele102
ID: 24326699
Great.