Firewall advice needed.
I need to configure a firewall machine to link some laptops to a network. I am not allowed to alter any settings on the laptops, but will need to divert all outgoing port 25 connections to our mail server, and transparently proxy http & https traffic to be routed through an external proxy server (this is the only way past an external firewall). Can anyone suggest a good starting point, preferably using suse 9.1? Can I achieve redirection of the https traffic? Port 25 should just be an iprule command, but the proxying is stumping me at the moment. Any suggestions? Rob Keeling
--- Rob Keeling <rob@rjkeeling.freeserve.co.uk> wrote:
divert all outgoing port 25 connections to our mail server. transparently proxy http & https traffic to be routed through an external proxy server. (this is the only way past an external firewall.)
You can set Squid up to be a fine transparent proxy server.
Can anyone suggest a good starting point preferably using suse 9.1?
I would suggest you look at using IPTables. There's a whole plethora of information out there about it. Or, alternatively, if you supply more detailed information here, I am sure I could point you in the right direction.
Can I achieve redirection of the https traffic?
Yes, and you probably won't need IPTables to do it, if you use a transparent proxy. Although, granted, this detail depends on your network topology.
port 25 should just be an iprule command but the proxying is stumping me at the moment.
Any suggestions?
If you could provide a detail of your network with (if you want) fake IPs, and a small ASCII diagram, that would help. :) -- Thomas Adam
On 21 Jul 2005 at 20:42, Thomas Adam wrote:
--- Rob Keeling <rob@rjkeeling.freeserve.co.uk> wrote:
divert all outgoing port 25 connections to our mail server. transparently proxy http & https traffic to be routed through an external proxy server. (this is the only way past an external firewall.)
You can set Squid up to be a fine transparent proxy server.
This probably won't affect many people, but Squid does an interesting trick as a proxy server. Whilst page requests and the like hit Squid as HTML/1.1 requests, Squid only sends out HTML/1.0 requests. For the most part this shouldn't affect things, but some web app servers don't particularly like 1.0 requests. I've no idea what the technical differences are, beyond that I've been told they're "quirky for the most part" and "a maze of small differences". ----- Paul Graydon Network Technician Haywards Heath College http://www.hhc.ac.uk (01444) 456281
If you could provide a detail of your network with (if you want) fake IPs, and a small ASCII diagram, that would help. :)
-- Thomas Adam
Certainly. The structure goes something like this. External if is connected to our school network, on a 10.4. address. All of our mail has to pass through mail.embc.org.uk, and web traffic via proxy.embc.org.uk. On the external interface we will have a switch, connecting to multiple laptops (which we can't change the settings on). I had thought of using NAT and a different ip range for the laptops assigned by dhcp. Our internal mail server (mail) could easily forward the mail traffic on, and we already have a local squid cache that I could copy the config of to create a transparent proxy, however the squid faq says you can't transparent proxy https. Does that help describing the problem? Rob Keeling
The structure goes something like this. External if is connected to our school network, on a 10.4. address.
Is this correct or just a typo? Addresses starting 10. can't be external - unless they are just another local network. As TA says, a simple pic (I prefer jpeg as I can never format ASCII ones :-) of the topology really does help. Adrian
[ Apologies for the delay, Rob. ] --- Rob Keeling <rob@rjkeeling.freeserve.co.uk> wrote:
The structure goes something like this. External if is connected to our school network, on a 10.4. address.
10.4.X external, eh?
On the external interface we will have a switch, connecting to multiple laptops (which we can't change the settings on). I had thought of using NAT and a different ip range for the laptops assigned by dhcp.
Yup, that'd make life slightly easier in terms of packet filtering, I suppose. Are you still wanting to go down the IPTables route, or are you still open for ideas? The reason I ask is that, based on what you've said here, it might be "better" to use a dedicated firewall machine -- say, IPCop (some would say use "Smoothwall", but I have my reasons as to why *I* personally don't recommend it). You might find it more beneficial that way. I also hear their web-interface is quite friendly. If you still want to try IPTables, I can rustle some examples up for you, if you like. I'm deliberately holding out until I know the direction you want to take, Rob.
Our internal mail server (mail) could easily forward the mail traffic
Yes, it could. Just make sure that if that's NATting, and you have no subdomains that explicitly require their own mail domain, that they don't get lost. But I wouldn't imagine you do.
on, and we already have a local squid cache that I could copy the config of to create a transparent proxy, however the squid faq says you can't transparent proxy https.
Just so we're clear in the above, I assume you mean "https://" as a protocol, and not "http's" (many http requests.)?
Does that help describing the problem?
Yes. -- Thomas Adam
On Thursday 21 July 2005 17:44, Rob Keeling wrote:
Can anyone suggest a good starting point preferably using suse 9.1? As Thomas said, squid will sort out your transparent proxying for you. The rule for IPTables can be sorted out for you by SuSE Firewall in the 'Masquerading' section of the Yast firewall user interface. You may need to have two NICs in the machine in order for the firewall user interface to let you do this, but, if the laptops connect to the 'external' interface, you will easily be able to get port 25 (and indeed any others) to forward to any machine you like which can be accessed via the 'internal' interface.
Cheers -- Phil Driscoll
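As an added example, not code from any of the posts above: a small POSIX sh script that generates the rules Thomas and Phil describe (outbound SMTP diverted to the mail relay, plain HTTP intercepted by a local Squid, the laptop range masqueraded) in iptables-restore format, plus a check that port 443 is left untouched since, as Rob's Squid FAQ quote notes, HTTPS cannot be transparently proxied. The interface names, address range, Squid port and relay address are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the NAT rules the thread describes
# in iptables-restore format so they can be reviewed before loading.
# Assumed layout (constructed): laptops on eth1 in 192.168.50.0/24, upstream on
# eth0, Squid on the firewall at port 3128. The relay IP is an argument; the
# thread only names mail.embc.org.uk, so 192.168.1.25 below is a placeholder.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# valid_ipv4 ADDR: accept only dotted-quad form (keeps a hostname typo from
# producing a DNAT target that iptables-restore would reject at load time).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_nat_rules RELAY_IP: print the nat table for iptables-restore.
gen_nat_rules() {
    valid_ipv4 "$1" || return 1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Laptops cannot be reconfigured, so rewrite any outbound SMTP to the relay.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 25 -j DNAT --to-destination $1:25
# Plain HTTP goes to the local Squid, which chains to the upstream proxy.
# Port 443 is deliberately left alone: Squid cannot transparently proxy HTTPS.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Hide the laptop range behind the firewall's upstream address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# check_rules RULES: 0 if the set has the SMTP divert and the HTTP redirect and
# does not touch 443; 1 otherwise. Run this before iptables-restore.
check_rules() {
    echo "$1" | grep -q -- '--dport 25 -j DNAT' || return 1
    echo "$1" | grep -q -- '--dport 80 -j REDIRECT' || return 1
    if echo "$1" | grep -q -- '--dport 443'; then return 1; fi
    return 0
}

# Usage (as root): gen_nat_rules 192.168.1.25 | iptables-restore --noflush
```

The `-i`/`-s` match on the laptop interface and range means the firewall's own mail and proxy traffic is not rewritten, which matters if the same box runs Squid or relays mail.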