SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I compiled tinyproxy on my old (Slackware 10.0) server (IP address 192.168.0.11) and ran it there. Then, configured a MSIE browser on my Windows XP workstation to use the proxy at 192.168.0.11 port 8080.
Note that this requires modification of the /etc/tinyproxy/tinyproxy.conf file - this is how mine looks on the server.
Code:
User nobody
Group nogroup
Port 8080
Bind 192.168.0.11
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
Allow 192.168.0.0/16
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
Note:
Most important is that I changed the "Allow 192.168.1.0/25" to "Allow 192.168.0.0/16" so that my home network is covered by this "Allow" line.
I also changed the default port 8888 to 8080
And I enabled the "Bind 192.168.0.11" line so that all proxy retrievals go out through the interface I want (since the server has three NICS and I use only one for traffic currently)
With that setup (and without Dansguardian tied behind it because I don not have that) my Internet Explorer on the Windows XP machine could connect to Internet sites with no problem at all.
I have no opportunity to verify the workings of the transparent proxy because I do not have a NAT router running Linux here in the house.
Hope this helps go get nearer to the solution.
Eric
Eric, you have been most helpful. As of this moment the machine that I have been configuring as a web filter does the following.
1. Runs tinyproxy and dansguardian with a GREAT set of forbidden conditions.
2. My WinXP machine that is connected to it CAN reach the internet IF and ONLY IF I tell the individual browsers to use 192.168.2.1 port 8080. It works like a charm!!
As it stands, I guess it could go in place at the school. We could just configure all of the web browsers to use the proxy. Since school is CLOSED, it wouldn't be a problem. My one and ONLY real concern at this point is this. I BELIEVE that our computer tech at the school (it's not me. I just volunteered to make this content filter) will have the network configured in the following manner
INTERNET MODEM (cable, DSL...I have no idea)
|
|
Content Filter (thank's to yours truly and of course Eric's help!)
|
|
A few Gateway Machines (It's a box that assigns each of the PC's in the school it's own IP address)
|
|
Computers (I think the high school only has about 50)
Here's the $64,000,000 question. Will there be a problem with telling each of the machines to use 192.168.2.1 port 8080 as a the source for the internet? The transparent proxy would have just allowed all access to just flow through it. In addition, I configured Outlook and Thunderbird on my WinXP machine at home to use these settings for the internet and it can't establish a connection in order to download or upload mail. As you might imagine THAT is a huge problem.
Any advice would be great. BTW, I have been searching the net for the last 3 days for any CLUES as to what I might be doing wrong. I even tried getting squid and dansguardian to work. Squid runs fine, but in spite of the fact that I have (or so I think) the config files in dansguardian properly adjusted, dansguardian says it can't find the squid proxy. DOH! So, I have stuck with tinyproxy since at least I have that working.
Here's the $64,000,000 question. Will there be a problem with telling each of the machines to use 192.168.2.1 port 8080 as a the source for the internet? The transparent proxy would have just allowed all access to just flow through it. In addition, I configured Outlook and Thunderbird on my WinXP machine at home to use these settings for the internet and it can't establish a connection in order to download or upload mail. As you might imagine THAT is a huge problem.
There should not be a problem with setting up the XP machines to use a proxy server, It's been a while but there are some additional settings where you setup either dynamic or static ip-addresses, that allow to setup the proxy manually. There is also a setting that allows to bypass the proxy for local addresses only, you need this otherwise you may have problems sharing files on the network.
You have setup the machine at home with the same settings, do you mean you are trying to access the proxy at school from home? or do you mean you have setup another proxy at home and you are having problems accessing your mail
If you need to configure the school computers to use a proxy, you can perhaps looking into using a "proxy.pac" file - you can read all about the definition of such a file here: http://wp.netscape.com/eng/mozilla/2...roxy-live.html
You put this "Proxy Auto-Config" file named proxy.pac on your gateway or any other machine that runs a web server. Make sure browsers can request it through an URL, for instance as http://192.168.2.1/proxy.pac and configure that URL as the proxy auto-configuration URL in all your computers' browsers. This way, all computers will never need changes in the proxy configuration if in future you decide to change the proxying scenario (switch to another proxy, or start using transparent proxying or whatever) - when a browser starts up it will automatically download the proxy.pac file and use it's current content to configure it's network settings. PAC files make it a lot easier to fine-tune the proxying setup for your network(s).
You might also have to add these lines to /etc/apache/httpd.conf if the browsers don't pick up the PAC file automatically:
Code:
#
# MIME type for proxy autoconfiguration:
#
AddType application/x-ns-proxy-autoconfig .pac
A proxy.pac file could look like:
Code:
function FindProxyForURL(url, host)
{
if (isInNet(host, "127.0.0.0", "255.255.255.0") || isPlainHostName(host)) {
return "DIRECT";
}
else if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
return "PROXY 192.168.2.1:8080; DIRECT";
}
I have been taking some peeks at dansguardian and it's interaction with tinyproxy (or any other proxy for that matter).
This might already be known to you, but it looks like you need to run dansguardian on port 8080, and it expects tinyproxy to listen on port 3128. The corresponding line in dansguardian.conf is
Code:
proxyport = 3128
so the appropriate line in tinyproxy.conf should become
Code:
Port 3128
IIRC, this port number is where Squid listens by default, and since it is the software that dansguardian seems to be targeting at, the squid port number will be the sensible default port to dansguardian.
FYI -
I successfully setup a transparent web proxy using dansguardian and tinyproxy on a Slackware NAT server. No big deal - just need to configure the ports and IP addresses right, and setup the iptables rules that you should already have in place by using the firewall generator of http://www.slackware.com/~alien/efg/ ...!
FYI -
I successfully setup a transparent web proxy using dansguardian and tinyproxy on a Slackware NAT server. No big deal - just need to configure the ports and IP addresses right, and setup the iptables rules that you should already have in place by using the firewall generator of http://www.slackware.com/~alien/efg/ ...!
WOW, you ARE the man. Could you do me a small favor? Could you post your rc.firewall, dansguardian.conf and tinyproxy.conf files so I can see for myself where my configuration got messed up? In addition if anyone ELSE needs to do this they can read this thread.
I am assuming you used the tinyproxy 1.7.0 that you posted in your repository. For some reason I ALWAYS kept getting the messages that I posted previously in this thread.
NAT == Network Address Translation - this used be called "masquerading in the good old days, but with IPtables firewalls NAT is a better term. Essentially it is your router/firewall which "hides" your internal LAN from the outside world.
The fun thing is that I added support for the clamd virus scanning daemon, so if you download and install that as well (I have a package for it) your web content will even be safer when it arrives at the end users' computers. You'll have to enable the line
For dansguardian I created a convenient startup script called "/etc/rc.d/rc.dansguardian". You need to start dansguardian after tinyproxy, so this is what you should add to /etc/rc.d/rc.local :
Well, I configured everything for my network...or so I think. Still, no tansparent proxy. In addition I installed YOUR tinyproxy and YOUR dansguardian.
My network
Code:
WAN eth0: 192.168.1.96
LAN eth1: 192.168.2.1
WinXP Machine: 192.168.2.7
I see quite a lot of weirdness in your configuration. I will try to point them out, but try to think about what you are filling in as values - and compare it to my examples.
In the case of your
Quote:
WAN eth0: 192.168.1.96
LAN eth1: 192.168.2.1
WinXP Machine: 192.168.2.7
The errors in tinyproxy.conf are these:
User root
Group root
Allow 192.168.1.0/25
Allow 192.168.2.0/100
They should be
Code:
User nobody
Group mobody
Allow 192.168.1.0/24
Allow 192.168.2.0/24
Running as user root is not an error strictly speaking, but it is definitely unsafe. The network ranges 192.168.1.0/25 and 192.168.2.0/100 make no sense - the first one denotes a range of IP addresses 192.168.1.1 to 192.168.1.126 (which might be what you want) but the second one with the netmask of 100 is illegal. I have a small IP address calculator running at http://sox.homeip.net/cgi-bin/ipcalc.cgi where you can look what influence a netmask has on address range.
The missing piece in dansguardian is:
filterip =
Make the address of the filter IP equal to the internal IP address of your router/firewall/proxy server like this:
Code:
filterip =192.168.2.1
The firewall code for the transparent proxy is weird. You need to keep in mind that dansguardian is listening on port 8080 and takes all the calls from the internal network, filtering out all unwanted queries - then passes the approved HTTP requests on to tinyproxy (listening on port 3128) which in turn does all the work of retrieving the web content.
There is little sense in allowing outside traffic to the tinyproxy the way you do it by adding the lines (as far as I could see, did not want to spend a lot of time on the firewall)
I advise you to start fresh with a rc.firewall script that was generated by the firewall generator, and only start adding stuff if you get the whole thing working.
Thanks Eric. I will fix the weirdness. The rc.firewall that I am using WAS generated using the generator that you linked me to. I filled in some basic information AND added support for a transparent proxy. The lines that the generator generated for the transparent proxy looked weird to me from the start. That is why I wanted to see what it generated for YOUR rc.firewall. Thanks again!
According to the website you linked me to, these lines are supposed to allow a transparent proxy.
Which means you did not supply the correct values for your internal network in the first place. This would be an additional showstopper. It would have to look like:
OK, I generated a rc.firewall script using http://www.slackware.com/~alien/efg/ with support for transparently proxying port 80 to port 8080, and the correct values for the eth1 interface. This is the full script - as far as I can see this would be what you need.
Code:
#!/bin/sh
#
# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables 1.15
# copyright 2002 Timothy Scott Morizot
###############################################################################
#
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth0"
# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.2.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK. There is no need to run
# every time, however.
# /sbin/depmod -a
# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules. Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default. Uncomment if you have any problems or if
# you have disabled module autoload. Note that some modules must
# be loaded by another kernel module.
# core netfilter module
/sbin/modprobe ip_tables
# the stateful connection tracking module
/sbin/modprobe ip_conntrack
# filter table module
# /sbin/modprobe iptable_filter
# mangle table module
# /sbin/modprobe iptable_mangle
# nat table module
# /sbin/modprobe iptable_nat
# LOG target module
# /sbin/modprobe ipt_LOG
# This is used to limit the number of packets per sec/min/hr
# /sbin/modprobe ipt_limit
# masquerade target module
# /sbin/modprobe ipt_MASQUERADE
# filter using owner as part of the match
# /sbin/modprobe ipt_owner
# REJECT target drops the packet and returns an ICMP response.
# The response is configurable. By default, connection refused.
# /sbin/modprobe ipt_REJECT
# This target allows packets to be marked in the mangle table
# /sbin/modprobe ipt_mark
# This target affects the TCP MSS
# /sbin/modprobe ipt_tcpmss
# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport
# This match checks against the TCP flags
# /sbin/modprobe ipt_state
# This match catches packets with invalid flags
# /sbin/modprobe ipt_unclean
# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp
# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc
###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.
# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
# This enables dynamic address hacking.
# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
#if [ "$SYSCTL" = "" ]
#then
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#else
# $SYSCTL net.ipv4.ip_dynaddr="1"
#fi
# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent? It's recommended for single-homed
# systems and routers on stub networks. Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ. Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/
#if [ "$SYSCTL" = "" ]
#then
# echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
# $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi
# The following kernel settings were suggested by Alex Weeks. Thanks!
# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address. This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
# This option can be used to accept or refuse source routed
# packets. It is usually on by default, but is generally
# considered a security risk. This option turns it off.
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
# This option can disable ICMP redirects. ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
#if [ "$SYSCTL" = "" ]
#then
# echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#else
# $SYSCTL net.ipv4.conf.all.accept_redirects="0"
#fi
# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
# bad_packets chain
#
# Drop packets received on the external interface
# claiming a source of the local network
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
--log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.
# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network. While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image. If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below. It will keep those packets from being logged.
# There are a lot of them.
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
# --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
# --log-prefix "Ping detected: "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers
# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.
# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections. Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default. To get here, the
# packets would have to be part of a new request received by the
# Internet interface. You would have to manually add rules to
# accept these. I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines. These rules drop those packets
# quickly and without logging them. This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allow the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
-j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT packet died: "
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets
# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FORWARD packet died: "
###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "
###############################################################################
#
# nat table
#
###############################################################################
# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
echo "Load rules for nat table ..."
###############################################################################
#
# PREROUTING chain
#
# This is a sample that will exempt a specific host from the transparent proxy
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 80 \
# -j RETURN
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 443 \
# -j RETURN
# Redirect HTTP for a transparent proxy
$IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
-j REDIRECT --to-ports 8080
# Redirect HTTPS for a transparent proxy - commented by default
$IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
-j REDIRECT --to-ports 8080
###############################################################################
#
# POSTROUTING chain
#
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
###############################################################################
#
# mangle table
#
###############################################################################
# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.
echo "Load rules for mangle table ..."
I don't have a CLUE what I could be doing wrong. I corrected EVERY mistake that you mentioned. I checked and double checked them. In addition, I used the rc.firewall script that you provided and STILL I do NOT have a transparent proxy. Is there anything else about the setup of my machine that could be causing this issue?
I have no idea.
Perhaps you should first just try to get the dansguardian/tinyproxy combination to work (and check if it really filters content and rejects URLs). Test this by configuring your browser to use 192.168.2.1:8080 as your proxy.
If that works, and if your server is already acting as a NAT firewall/router, add the iptables rules that activate the transparent proxy. If needed, this is a short script that you can save, for instance as the file "/etc/rc.d/rc.transparent" and make it executable:
Code:
chmod +x /etc/rc.d/rc.transparent
Code:
#!/bin/sh
#
# File /etc/rc.d/rc.transparent
# Transparent proxying (using tinyproxy/dansguardian)
#
IPT=/usr/sbin/iptables
start() {
echo "Adding iptables rules for transparent proxying ports 80 and 443..."
# This is a sample that will exempt a specific host from the transparent proxy
$IPT -A PREROUTING -t nat -p tcp -s 10.111.111.254 --destination-port 80 \
-j RETURN
$IPT -A PREROUTING -t nat -p tcp -s 10.111.111.254 --destination-port 443 \
-j RETURN
# Redirect HTTP for a transparent proxy
$IPT -A PREROUTING -t nat -p tcp --destination-port 80 \
-j REDIRECT --to-ports 8080
# Redirect HTTPS for a transparent proxy - commented by default
$IPT -A PREROUTING -t nat -p tcp --destination-port 443 \
-j REDIRECT --to-ports 8080
}
stop() {
echo "Deleting iptables rules for transparent proxying..."
$IPT -D PREROUTING -t nat -p tcp -s 10.111.111.254 --destination-port 80 \
-j RETURN
$IPT -D PREROUTING -t nat -p tcp -s 10.111.111.254 --destination-port 443 \
-j RETURN
$IPT -D PREROUTING -t nat -p tcp --destination-port 80 \
-j REDIRECT --to-ports 8080
$IPT -D PREROUTING -t nat -p tcp --destination-port 443 \
-j REDIRECT --to-ports 8080
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "usage $0 start|stop|restart"
esac
To enable the transparent proxy run
Code:
/etc/rc.d/rc.transparent start
To disable the transparent proxy ruleset run
Code:
/etc/rc.d/rc.transparent stop
This assumes you already have an IPTABLES NAT firewall rul active.
Maybe you could also post output from
tinyproxy and dansguardian have been working BEAUTIFULLY together for DAYS! My WinXP machine detects it...ONLY IF I tell the web browser to use 192.168.2.1 port 8080.
That's not my problem. My problem is that if I DON'T tell my browser to use those settings and use "direct connect" it doesn't find the proxy.
whoops...gotta go.
bye
**EDIT**
Ran late to go see "Over the Hedge" (GREAT MOVIE!)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
I don't have a CLUE what I could be doing wrong. I corrected EVERY mistake that you mentioned. I checked and double checked them. In addition, I used the rc.firewall script that you provided and STILL I do NOT have a transparent proxy. Is there anything else about the setup of my machine that could be causing this issue?
