LinuxQuestions.org

Linux - Newbie: adding firewalls nat rules (https://www.linuxquestions.org/questions/linux-newbie-8/adding-firewalls-nat-rules-836060/)

divyashree 10-04-2010 05:56 AM

adding firewalls nat rules
 
I have a CentOS 5.3 server. I want to configure it as a transparent Squid proxy server. The Internet is connected to eth0 (192.168.0.100) and the LAN is connected to eth1 (192.168.200.0/24); the eth1 IP is 192.168.200.1.


I have configured it for DHCP and Squid and it's working fine.

Now I want to configure it as transparent, so that no one has to configure it manually in the browser.


I just added a line

Code:

http_port 3128 transparent

to make it transparent.

Now while adding NAT rules,

Code:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80

Code:

iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.200.1 -p tcp --dport 80 -j DNAT --to 192.168.200.1:3128
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.200.0/24 -d 192.168.200.1 -j SNAT --to 192.168.200.1
iptables -A FORWARD -s 192.168.200.0/24 -d 192.168.200.1 -i eth1 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -d 192.168.200.0/24 -s 192.168.200.1 -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED -p tcp --sport 3128 -j ACCEPT

Internet is totally blocked on eth1.


And after stopping the firewall, the Internet comes back.

prayag_pjs 10-04-2010 06:11 AM

Hi,

Hope this helps you.

Code:

# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

sem007 10-04-2010 06:15 AM

Add a redirect rule and check.

Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Regards,

divyashree 10-04-2010 06:44 AM

Now packets are coming to 192.168.0.100, but without specifying the port (3128) and IP (192.168.200.1) on the client systems, no packet is coming.

prayag_pjs 10-04-2010 06:45 AM

I didn't get it; what are you trying to say?

divyashree 10-04-2010 07:10 AM

Quote:

Originally Posted by prayag_pjs (Post 4117114)
I didn't get it; what are you trying to say?

I am trying to say that only when I add the port and IP in the client's browser do Internet packets come to the client, which can be done without adding any rules to iptables.

I want the packets to come to the client machine without mentioning the port (3128) and IP (192.168.200.1) in the client's browser.

sem007 10-04-2010 07:16 AM

Hi divyashree,

Take a look:

Setup a transparent proxy with Squid in three easy steps

Regards,

divyashree 10-04-2010 07:40 AM

Quote:

Originally Posted by sem007 (Post 4117143)

I have already checked this and it's not working at all.

sem007 10-04-2010 07:56 AM

What is your client's default gateway?

Also post your squid config and iptables rules:

Code:

# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
# iptables -t nat -L

Regards,

divyashree 10-04-2010 08:04 AM

Quote:

Originally Posted by sem007 (Post 4117181)
What is your client's default gateway?

Also post your squid config and iptables rules:

Code:

# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
# iptables -t nat -L

Regards,

1st
Code:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7      # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl viznet src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow viznet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:          1440    20%    10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
refresh_pattern .              0      20%    4320

2nd
Code:

target    prot opt source              destination       

DNAT      tcp  --  anywhere            anywhere            tcp dpt:http to:192.168.0.100:3128
REDIRECT  tcp  --  anywhere            anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination       
MASQUERADE  all  --  anywhere            anywhere           

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
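
The listing above is `iptables -t nat -L`, which shows the rules but not whether any packet has ever matched them, and it does not answer sem007's question about the client's default gateway. The script below is an added example written for this thread, not code from any of the posts. It turns three readings into a verdict: the client's default gateway (from `ip route show default` run on the client), the server's `/proc/sys/net/ipv4/ip_forward`, and the packet counters from `iptables -t nat -vnxL PREROUTING` on the server. The proxy address 192.168.200.1 and port 3128 come from the thread; the sample command outputs at the bottom are constructed for the example.

```shell
#!/bin/sh
# Transparent-proxy path diagnostics (added example, not code from the thread).
# Every parser reads command output on stdin, so the checks work on output
# saved from the server and the client as well as on the constructed samples
# at the bottom.
set -e

# Client side. Input: `ip route show default`. Prints the gateway address.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Server side. Input: `iptables -t nat -vnxL PREROUTING` (-x prints exact
# counters instead of 12K). Prints the packets matched by every REDIRECT or
# DNAT rule that hands traffic to the given port.
proxy_rule_hits() {
    awk -v port="$1" '$3 ~ /^(REDIRECT|DNAT)$/ && $NF ~ ("(^|:)" port "$") { sum += $1 }
                      END { print sum + 0 }'
}

# Combine the readings. Prints one line per finding and returns 0 only when
# the whole path looks right, so it can be used from cron or a test.
diagnose() {
    gw="$1"; proxy_ip="$2"; ip_forward="$3"; hits="$4"
    bad=0
    if [ "$gw" != "$proxy_ip" ]; then
        echo "client default gateway is $gw, not $proxy_ip: LAN HTTP never reaches the PREROUTING rule"
        bad=1
    fi
    if [ "$ip_forward" != 1 ]; then
        echo "ip_forward is 0: nothing but the intercepted HTTP can cross this box"
        bad=1
    fi
    if [ "$hits" -eq 0 ]; then
        echo "REDIRECT/DNAT counters are 0: no client HTTP has been intercepted yet"
        bad=1
    fi
    if [ "$bad" -eq 0 ]; then
        echo "interception path looks right ($hits packets redirected)"
    fi
    return "$bad"
}

# Constructed samples in the format of the real commands (not captured from the thread).
CLIENT_ROUTES='default via 192.168.200.1 dev eth0
192.168.200.0/24 dev eth0  proto kernel  scope link  src 192.168.200.20'

NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 1310 packets, 104392 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      57       3420 REDIRECT   tcp  --  eth1   *       192.168.200.0/24     0.0.0.0/0            tcp dpt:80 redir ports 3128
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.100:3128'

run_sample() {
    gw=$(printf '%s\n' "$CLIENT_ROUTES" | default_gateway)
    hits=$(printf '%s\n' "$NAT_PREROUTING" | proxy_rule_hits 3128)
    ip_forward=1   # stands in for: cat /proc/sys/net/ipv4/ip_forward
    diagnose "$gw" 192.168.200.1 "$ip_forward" "$hits"
}

if [ "${1:-}" = "--sample" ]; then
    run_sample
fi
```

On a live setup the three readings come from two machines: `ip route show default | default_gateway` on a client, and `cat /proc/sys/net/ipv4/ip_forward` and `iptables -t nat -vnxL PREROUTING | proxy_rule_hits 3128` on the proxy. A counter that stays at 0 while a client browses means the client's HTTP is not arriving on eth1 at all, which is the gateway question rather than a Squid or ACL problem.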


kaushalpatel1982 10-04-2010 08:06 AM

Are you able to ping any server (ping google.com) from your client?

divyashree 10-04-2010 08:09 AM

Quote:

Originally Posted by kaushalpatel1982 (Post 4117189)
Are you able to ping any server (ping google.com) from your client?

No,

sem007 10-04-2010 08:13 AM

Where are the acl rule and http_access rule for the 192.168.200.0 network?

Quote:

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

Why do you create multiple acls with the same name?

Regards,

divyashree 10-04-2010 08:43 AM

Quote:

Originally Posted by sem007 (Post 4117194)
Where are the acl rule and http_access rule for the 192.168.200.0 network?


Why do you create multiple acls with the same name?

Regards,

Sorry, that was the output of another Linux box.

Quote:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager

acl mylan src 192.168.200.0/24
http_access allow mylan


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
And I am using Squid version 3, in which these entries are there by default.

sem007 10-04-2010 09:29 AM

Add both IPs to the acl rule in squid.conf:

Code:

acl mylan src 192.168.0.100 192.168.200.0/24
Enable IP forwarding:

Code:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

Flush the existing firewall rules and apply the new ones:
Code:

# iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A INPUT -i eth1 -j ACCEPT
# iptables -A OUTPUT -o eth1 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.100:3128
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Regards,

divyashree 10-04-2010 01:37 PM

Quote:

Originally Posted by sem007 (Post 4117247)
Add both IPs to the acl rule in squid.conf:

Code:

acl mylan src 192.168.0.100 192.168.200.0/24
Enable IP forwarding:

Code:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

Flush the existing firewall rules and apply the new ones:
Code:

# iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A INPUT -i eth1 -j ACCEPT
# iptables -A OUTPUT -o eth1 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.100:3128
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Regards,

No, still not, unless the port and IP are mentioned in the client's browser.

prayag_pjs 10-04-2010 11:32 PM

Quote:

Originally Posted by divyashree (Post 4117476)
No, still not, unless the port and IP are mentioned in the client's browser.

Try default DROP policies for INPUT and FORWARD, then accept the ports, i.e. try defining the rules one by one!

Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP

Also see that DNS is configured properly! Configuring a caching DNS (with BIND) will help you!
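
Putting sem007's ruleset from earlier in the thread together with the default-DROP policies and the DNS point in this post: the script below is an added example written for this thread's topology (eth0 = 192.168.0.100 upstream, eth1 = 192.168.200.1 serving 192.168.200.0/24, Squid on 3128), not code from any of the posts. Its assumptions beyond the thread are that the box is the LAN's DHCP server (UDP 67), that SSH from the LAN is wanted, and that DNS is forwarded to the upstream resolvers unless the `LOCAL_DNS=1` switch says a caching resolver runs on the box; `DRY_RUN=1` and the `--apply` flag are the script's own. Two choices are deliberate: interception is limited to eth1 and the LAN prefix, with nothing arriving on eth0 redirected into Squid, so the box cannot be used as a proxy from the upstream side; and with FORWARD defaulting to DROP and an explicit allowlist, the clients' only way to port 80 is through Squid, while DNS, HTTPS and ping still get out, which is what was missing when "ping google.com" failed.

```shell
#!/bin/sh
# Transparent Squid firewall for this thread's topology (added example).
# Assumptions not taken from the thread: Squid listens on 3128 on this box,
# the box is the LAN's DHCP server, SSH from the LAN is wanted, and DNS is
# forwarded to the upstream resolvers unless LOCAL_DNS=1.
set -e

INTERNET="eth0"               # upstream side, 192.168.0.100
LAN_IN="eth1"                 # LAN side, 192.168.200.1
LAN_NET="192.168.200.0/24"
SQUID_PORT="3128"
LOCAL_DNS="${LOCAL_DNS:-0}"   # 1 if a caching resolver runs on this box
DRY_RUN="${DRY_RUN:-0}"       # 1 prints the rules instead of loading them

# Every rule goes through ipt, so the whole set can be reviewed with
# DRY_RUN=1 before it is loaded on a remote box.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1 >/dev/null   # persist it in /etc/sysctl.conf too
    fi
}

build_rules() {
    # Start clean, then fail closed: nothing is accepted unless listed below.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Interception: only TCP/80 arriving on the LAN interface from the LAN
    # prefix is handed to Squid. Nothing arriving on $INTERNET is redirected,
    # so hosts on the upstream side cannot use this box as a proxy.
    ipt -t nat -A PREROUTING -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Whatever else the LAN sends out leaves with this box's upstream address.
    ipt -t nat -A POSTROUTING -o "$INTERNET" -s "$LAN_NET" -j MASQUERADE

    # INPUT: after REDIRECT the HTTP packets are addressed to this host on
    # $SQUID_PORT, so they traverse INPUT (not FORWARD) and are accepted here.
    # (-m state is what CentOS 5 shipped; -m conntrack --ctstate is the newer spelling.)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN_IN" -p udp --dport 67 -j ACCEPT   # DHCP: clients send from 0.0.0.0
    ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    if [ "$LOCAL_DNS" = 1 ]; then
        ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    fi
    # Deliberately no ACCEPT for $SQUID_PORT on $INTERNET: the DROP policy covers it.

    # FORWARD: explicit allowlist for LAN -> Internet. Without the DNS lines
    # clients cannot resolve names, which looks exactly like "no Internet".
    # Port 80 never reaches FORWARD because it was redirected to Squid above.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for match in "udp --dport 53" "tcp --dport 53" "tcp --dport 443" "icmp --icmp-type echo-request"; do
        # $match is split on purpose: it carries the protocol and its port option
        ipt -A FORWARD -i "$LAN_IN" -o "$INTERNET" -s "$LAN_NET" -p $match -j ACCEPT
    done
}

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    build_rules
fi
```

Review it first with `DRY_RUN=1 sh transparent-proxy.sh --apply` (the file name is an assumption), then load it as root without `DRY_RUN`. To confirm interception is happening, watch the REDIRECT counter with `iptables -t nat -vnL PREROUTING` while a client browses, and on the client run `curl -sI http://example.com/ | grep -i '^via'`: Squid adds a `Via:` header to responses it has proxied, so seeing it without any proxy configured in the browser is the proof that the transparent path works.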

