02-09-2005, 06:57 AM | #1 | Member | Registered: Dec 2004 | Posts: 188
squid + iptables
Hello,
My iptables config file is as follows:
# Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 7 20:56:35 2000
# Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
*mangle
:PREROUTING ACCEPT [1024:195745]
:INPUT ACCEPT [1019:194076]
:FORWARD ACCEPT [2:144]
:OUTPUT ACCEPT [1000:192114]
:POSTROUTING ACCEPT [999:192086]
COMMIT
# Completed on Fri Jan 7 20:56:35 2000
# Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
-A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT --syn
-A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
-A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT --syn
COMMIT
# Completed on Fri Jan 7 20:56:35 2000
The mail part is working.
MSN is working.
I am able to browse without any proxy settings, which I do not want.
I need browsing only through the squid proxy.
Thanks for all the help so far.
Varun
02-09-2005, 07:15 AM | #2 | LQ Guru | Registered: May 2003 | Location: INDIA | Distribution: Ubuntu, Solaris, CentOS | Posts: 5,522
Hi there,
what do you mean by this:
"I am able to browse without any proxy settings.
Which I do not want."
You will have to use the squid proxy server explicitly in your applications and stop masquerading/NAT.
Regards
02-09-2005, 07:24 AM | #3 | Member | Registered: Jan 2005 | Location: Övik, Sweden | Distribution: MDK 10.1 | Posts: 450
You need to stop your firewall from forwarding traffic on port 80.
Add a
-A FORWARD -p tcp -i eth1 -o eth0 --dport 80 -j REJECT
after the
-A FORWARD -m state --state... entry.
Note that this will only prevent your users from reaching web servers on port 80 (the standard one).
If anyone has a proxy (or web) server on the outside running on another port they can still circumvent squid.
One solution to that is to REJECT all FORWARD ports and only open the necessary ports.
- Peder
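Added example, not code from the thread: a small first-match simulator for the FORWARD chain posted above, written to show why the REJECT rule and the default-deny policy suggested here matter. It models only the matches the posted rules use (-i, -o, -p, --dport, --sport, --state, --syn), assumes eth1 is the LAN side and eth0 the Internet side as in the original rules, and DIRECT_HTTP is a constructed packet.

```python
import shlex
# Constructed copy of the OP's FORWARD chain, trimmed to the rules that matter for HTTP.
OP_FORWARD = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
"""
# Peder's fix: REJECT port 80 right after the state rule, and default-deny the chain.
FIXED_FORWARD = """\
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 80 -j REJECT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
"""
# Constructed packet: a LAN browser (eth1) opening a direct connection to a web server (eth0).
DIRECT_HTTP = dict(iif="eth1", oif="eth0", proto="tcp", dport=80, sport=40000, state="NEW", syn=True)

def parse_chain(text, chain="FORWARD"):
    """Return (default policy, rule dicts) for one chain of iptables-save output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule, i = {}, 2
            while i < len(tok):                  # options come as "key value" pairs,
                if tok[i] == "--syn":            # except the bare --syn flag
                    rule["--syn"], i = True, i + 1
                else:
                    rule[tok[i]], i = tok[i + 1], i + 2
            rules.append(rule)
    return policy, rules

def port_in(spec, port):
    lo, sep, hi = spec.partition(":")            # '80' is exact, '1024:' means 1024..65535
    return int(lo or 0) <= port <= int(hi or (65535 if sep else lo))

def matches(rule, pkt):
    # Every option the rule carries must agree with the packet; absent options match anything.
    return (rule.get("-i", pkt["iif"]) == pkt["iif"] and rule.get("-o", pkt["oif"]) == pkt["oif"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and port_in(rule.get("--dport", str(pkt["dport"])), pkt["dport"])
            and port_in(rule.get("--sport", str(pkt["sport"])), pkt["sport"])
            and pkt["state"] in rule.get("--state", pkt["state"]).split(",")
            and (pkt["syn"] or "--syn" not in rule))
def verdict(chain_text, pkt):
    """First matching rule wins; otherwise the chain's default policy applies."""
    policy, rules = parse_chain(chain_text)
    return next((r["-j"] for r in rules if matches(r, pkt)), policy)
```

Calling verdict(OP_FORWARD, DIRECT_HTTP) gives ACCEPT (the browser never touches squid), verdict(FIXED_FORWARD, DIRECT_HTTP) gives REJECT, and a connection to an outside proxy on port 8080 falls through to the DROP policy only in the fixed chain.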
02-09-2005, 01:44 PM | #4 | Senior Member | Registered: Sep 2004 | Location: Outlying D.C. | Distribution: Mandriva | Posts: 2,090
Eh, I believe that Squid supports transparent proxy.
In this case you do NOT do as posted above but rather configure squid to intercept port 80 requests and deal with them itself, hence the "transparent" term, as the user is unaware of this and no client configuration changes are required.
Search for "transparent" in the squid.conf file.
02-09-2005, 10:07 PM | #5 | Member | Registered: Dec 2004 | Posts: 188 | Original Poster
But you cannot have any auth with transparent proxy.
I want auth.
02-10-2005, 12:29 PM | #6 | Senior Member | Registered: Sep 2004 | Location: Outlying D.C. | Distribution: Mandriva | Posts: 2,090
Quote: Originally posted by varun_saa
But you cannot have any auth with transparent proxy.
I want auth.
Well, you didn't say anything about this originally.
Qualifying the question properly helps with any suggestions.
However I don't understand the problem.
Auth is used with an Apache web SERVER, this has nothing to do with squid.
Squid merely caches internet bound web requests, not inbound ones to your own Apache server.
Please clarify and provide far more detail.
02-11-2005, 02:15 AM | #7 | Member | Registered: Jan 2005 | Location: Övik, Sweden | Distribution: MDK 10.1 | Posts: 450
Quote:
Squid merely caches internet bound web requests
You can set up squid to require authentication before accepting proxy requests.
@opjose: He said he didn't want users to be able to browse w/o proxy settings. Why isn't really that important, though I agree the more info we get the easier it is to help.
I think my answer is the way to go and in addition, you could add this after the "-A POSTROUTING -o eth0 -j MASQUERADE":
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
This rule makes every outgoing request to port 80 be redirected to squid. This way you don't have to configure the browser to point to the squid proxy. As long as the PC has the squid server as its gateway it will be sent through the proxy.
- Peder
02-11-2005, 04:31 AM | #8 | Member | Registered: Dec 2004 | Posts: 188 | Original Poster
Ok,
the reason for auth is that only those who are authorized to have access to the internet get it and others don't get it.
Varun
02-11-2005, 04:33 AM | #9 | Member | Registered: Dec 2004 | Posts: 188 | Original Poster
Ok,
the reason for proxy settings + auth is that only those who are authorized to have access to the internet get it and others don't get it.
Varun
02-11-2005, 10:26 PM | #10 | Senior Member | Registered: Sep 2004 | Location: Outlying D.C. | Distribution: Mandriva | Posts: 2,090
Quote: Originally posted by bunnadik
You can set up squid to require authentication before accepting proxy requests.
@opjose: He said he didn't want users to be able to browse w/o proxy settings. Why isn't really that important, though I agree the more info we get the easier it is to help.
I think my answer is the way to go and in addition, you could add this after the "-A POSTROUTING -o eth0 -j MASQUERADE":
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
This rule makes every outgoing request to port 80 be redirected to squid. This way you don't have to configure the browser to point to the squid proxy. As long as the PC has the squid server as its gateway it will be sent through the proxy.
- Peder
Yes, this will work without problem, although Squid already has its own mechanism to intercept outbound HTTP requests transparently, which prompted my original suggestion.
See next message as I believe it still applies...
02-11-2005, 10:27 PM | #11 | Senior Member | Registered: Sep 2004 | Location: Outlying D.C. | Distribution: Mandriva | Posts: 2,090
Quote: Originally posted by varun_saa
Ok,
the reason for proxy settings + auth is that only those who are authorized to have access to the internet get it and others don't get it.
Varun
Ah, ok, that is what ACLs are for.
Squid supports ACL control which permits you to do this.
In addition, once it's set up you can easily control its behavior via the Webmin interface, and adjust ACLs on the fly.
For the non-initiated, ACLs = Access Control Lists.