LinuxQuestions.org
Old 02-09-2005, 05:57 AM   #1
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Rep: Reputation: 30
squid + iptables


Hello,
My iptables config file is as follows :

# Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 7 20:56:35 2000
# Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
*mangle
:PREROUTING ACCEPT [1024:195745]
:INPUT ACCEPT [1019:194076]
:FORWARD ACCEPT [2:144]
:OUTPUT ACCEPT [1000:192114]
:POSTROUTING ACCEPT [999:192086]
COMMIT
# Completed on Fri Jan 7 20:56:35 2000
# Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
-A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT --syn
-A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
-A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT --syn
COMMIT
# Completed on Fri Jan 7 20:56:35 2000


The mail part is working.

MSN is working.

I am able to browse without any proxy settings,
which I do not want.

I need browsing only through the squid proxy.

Thanks for all the help so far.

Varun
 
Old 02-09-2005, 06:15 AM   #2
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 57
hi there

what do you mean by this

"I am able to browse without any proxy settings.
Which I do not want. "

you will have to use the squid proxy server explicitly in your applications and stop masquerading/NAT

regards
 
Old 02-09-2005, 06:24 AM   #3
bunnadik
Member
 
Registered: Jan 2005
Location: Ívik, Sweden
Distribution: MDK 10.1
Posts: 450

Rep: Reputation: 30
You need to stop your firewall from forwarding traffic on port 80
Add a
-A FORWARD -p tcp -i eth1 -o eth0 --dport 80 -j REJECT
after the
-A FORWARD -m state --state... entry

Note that this will only prevent your users from reaching webservers on port 80 (the standard one).
If anyone has a proxy (or web) server on the outside running on another port they can still circumvent squid.

One solution to that is to REJECT all FORWARD ports and only open the necessary ports.

- Peder
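Peder's default-deny suggestion written out as a script, an added example rather than code from the thread. It assumes the layout visible in varun_saa's rules (LAN on eth1, internet on eth0, squid on tcp/3128) and keeps the ports his FORWARD rules already allow; everything else is named in the comments.

```shell
#!/bin/sh
# Added example (not code posted in the thread): Peder's "REJECT all FORWARD
# ports and only open the necessary ones" advice written out as iptables
# commands. Assumed layout, taken from the posted rules: LAN on eth1,
# internet on eth0, squid listening on tcp/3128 on this box.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
# Ports the LAN may still reach directly without the proxy: SMTP, POP3,
# MSN and Yahoo Messenger, as in varun_saa's existing FORWARD rules.
DIRECT_PORTS=${DIRECT_PORTS:-"25 110 1863 5050"}

# Print the commands that rebuild the FORWARD chain, one per line.
forward_rules() {
    # Default-deny: anything not explicitly allowed below is dropped.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections the LAN already opened.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Allowlist of new outbound connections (SYN only) from LAN to internet.
    for port in $DIRECT_PORTS; do
        echo "iptables -A FORWARD -p tcp -i $LAN_IF -o $WAN_IF --dport $port --syn -j ACCEPT"
    done
    # Plain HTTP never leaves through the router, so browsers have to be
    # pointed at squid (where proxy authentication can be enforced).
    # REJECT instead of DROP so a misconfigured browser fails fast.
    echo "iptables -A FORWARD -p tcp -i $LAN_IF -o $WAN_IF --dport 80 -j REJECT --reject-with tcp-reset"
}

# Simplified check of what the chain does with a NEW LAN->WAN TCP SYN to
# port $1: walk the generated rules in order and report the first matching
# target, or the chain policy (DROP) when nothing matches.
verdict_for_port() {
    v=$(forward_rules | while read -r rule; do
        case "$rule" in
            *"--dport $1 "*"-j ACCEPT"*) echo ACCEPT; break ;;
            *"--dport $1 "*"-j REJECT"*) echo REJECT; break ;;
        esac
    done)
    echo "${v:-DROP}"
}

# Without --apply the script only prints the rules; with it (as root) they
# are executed, after which verdict_for_port shows what is still reachable.
if [ "${1:-}" = "--apply" ]; then
    forward_rules | sh -e
else
    forward_rules
fi
```

This covers only the firewall half; the authentication the thread asks for is squid's job (a proxy_auth ACL in squid.conf) and is not touched here.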
 
Old 02-09-2005, 12:44 PM   #4
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Eh, I believe that Squid supports transparent proxy.

In this case you do NOT do as posted above but rather configure squid to intercept port 80 requests and deal with them itself, hence the "transparent" term, as the user is unaware of this and no client configuration changes are required.

Search for "transparent" in the squid.conf file.
 
Old 02-09-2005, 09:07 PM   #5
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
But you cannot have any auth with transparent proxy.
I want auth.
 
Old 02-10-2005, 11:29 AM   #6
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Quote:
Originally posted by varun_saa
But you cannot have any auth with transparent proxy.
I want auth.
Well, you didn't say anything about this originally.

Qualifying the question properly helps with any suggestions.


However I don't understand the problem.

Auth is used with an Apache web SERVER, this has nothing to do with squid.

Squid merely caches internet bound web requests, not inbound ones to your own Apache server.

Please clarify and provide far more detail.
 
Old 02-11-2005, 01:15 AM   #7
bunnadik
Member
 
Registered: Jan 2005
Location: Ívik, Sweden
Distribution: MDK 10.1
Posts: 450

Rep: Reputation: 30
Quote:
Squid merely caches internet bound web requests
You can set up squid to require authentication before accepting proxy requests.

@opjose: He said he didn't want users to be able to browse w/o proxy settings. Why isn't really that important, though I
agree the more info we get the easier it is to help.

I think my answer is the way to go and in addition, you could add this after the "-A POSTROUTING -o eth0 -j MASQUERADE" :
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

This rule makes every outgoing request to port 80 be redirected to squid. This way you don't have to configure the browser
to point to the squid proxy. As long as the PC has the squid server as its gateway it will be sent through the proxy.

- Peder
 
Old 02-11-2005, 03:31 AM   #8
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
Ok,
The reason for auth is that only those who are
authorized to have access to internet get it and
others don't get it

Varun
 
Old 02-11-2005, 03:33 AM   #9
varun_saa
Member
 
Registered: Dec 2004
Posts: 188

Original Poster
Rep: Reputation: 30
Ok,
The reason for proxy settings + auth is that only those
who are authorized to have access to internet get it and
others don't get it

Varun
 
Old 02-11-2005, 09:26 PM   #10
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Quote:
Originally posted by bunnadik
You can set up squid to require authentication before accepting proxy requests.

@opjose: He said he didn't want users to be able to browse w/o proxy settings. Why isn't really that important, though I
agree the more info we get the easier it is to help.

I think my answer is the way to go and in addition, you could add this after the "-A POSTROUTING -o eth0 -j MASQUERADE" :
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

This rule makes every outgoing request to port 80 be redirected to squid. This way you don't have to configure the browser
to point to the squid proxy. As long as the PC has the squid server as its gateway it will be sent through the proxy.

- Peder
Yes this will work without problem, although Squid already has its own mechanism to intercept outbound HTTP requests transparently, which prompted my original suggestion.

See next message as I believe it still applies...
 
Old 02-11-2005, 09:27 PM   #11
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Quote:
Originally posted by varun_saa
Ok,
The reason for proxy settings + auth is that only those
who are authorized to have access to internet get it and
others don't get it

Varun
Ah, ok, that is what ACLs are for.

Squid supports ACL control, which permits you to do this.

In addition, once it's set up you can easily control its behavior via the Webmin interface, and adjust ACLs on the fly.

For the non-initiated, ACLs = Access Control Lists
 