[opensuse-security] Squid transparent proxy
Hi all,

I am trying to set up a transparent proxy on 10.3 using squid from the DVD (squid -v shows that it is 2.6.STABLE14). I configured SuSEfirewall to redirect port 80 to 8080:

FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"

In squid I configured:

http_port 8080 transparent

When I look with netstat I see that all traffic is forwarded to 8080, but when I look with iptraf there is traffic that is not forwarded to 8080. Am I missing something?

Any help really appreciated.

regards,
medwinz
--
Spike Milligan - "My Father had a profound influence on me, he was a lunatic."
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Hi!

medwinz wrote:
> Hi all,
> I am trying to set up a transparent proxy on 10.3 using squid from the DVD (squid -v shows that it is 2.6.STABLE14). I configured SuSEfirewall to redirect port 80 to 8080:
> FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"
> In squid I configured:
> http_port 8080 transparent
> When I look with netstat I see that all traffic is forwarded to 8080, but when I look with iptraf there is traffic that is not forwarded to 8080.
> Am I missing something?
> Any help really appreciated
> regards, medwinz

Squid - or the things catching a hover boat in a special movie ...
First of all, try to find out what you intend to do with your squid. There are a lot of facts to keep in mind. Squid does not run by typing some randomly written lines or without better knowledge of how it works and what you can do with it. First of all, logging: what to log and for which group of people; with this you may get into trouble in some cases (for private purposes, never mind). Do you run an Apache webserver as well? Then you can accelerate it with squid too. Do you run squid alone in the dark or as a content filter and/or online virus protection? Do you like small files to be stored too, or, what I prefer to keep the lifetime of your hdd high, only cache bigger files (some may have another idea of it)? Squid can be run as a caching proxy as well. Find a solution on different websites (Google will help you a lot with wisely chosen search syntax).

If you know what you want, then first of all try to set up squid and check the function with a manually set up proxy in your browser of choice. If it ain't running (type "/etc/init.d/squid status" in a console, then watch the output with Ctrl + up/down for scrolling), then try to set up ACL lines before restarting it. You can even check with "less /var/log/messages | grep squid" what syslog says.

I would start from a clean setup and copy the config file to a backup location before doing any changes; comment each line you edit with your name and date of change for later error finding. I used it as a caching server and http accelerator combined with squidguard and a via-script-updated list of spyware and evil domains (this would be too much to mention here), and the server itself as dial-up gateway for my webpages. As you can see, logging is off and only files >2k and <1024k are cached. If you would like to not cache anything, set the sizes vice versa (minimum greater than maximum) and intend to use it as a content filter (like I did); anyway some parts will be kept in mem cache.
Change YOURDOMAIN.TDL to your needs and the same for EXTERNAT_IP_Firewall, INTERNAL_IP_Firewall and SECRET. As network I chose here 192.168.1.0/24; change this to your needs as well. This is the config I used, without the lines for my squidguard.

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl APACHE dstdomain .YOURDOMAIN.TDL
always_direct allow APACHE
cache_mem 48 MB
maximum_object_size 1024 KB
minimum_object_size 2 KB
maximum_object_size_in_memory 128 KB
ipcache_size 8192
fqdncache_size 16384
cache_dir ufs /var/cache/squid 128 16 256 read-only
cache_access_log /dev/null
cache_log /dev/null
cache_store_log /dev/null
mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 280 488 591 777 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.1.0-192.168.1.255
acl extern_eth0 src EXTERNAT_IP_Firewall
acl inter_eth1 src INTERNAL_IP_Firewall
acl worm urlpath_regex -i \.eml$
http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny worm
http_access allow localnet
http_access deny all
no_cache deny QUERY
icp_access deny all
cache_mgr webmaster@YOURDOMAIN.TDL
cache_effective_user squid
cache_effective_group nogroup
log_icp_queries off
cachemgr_passwd SECRET all
buffered_logs off

Firewall

After squid works for you, start to configure the firewall. What you have should be enough:

FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"

Add rules allowing your services locally:

FW_SERVICES_INT_TCP="WHAT_EVER_PORTS_BEFORE 8080 WHAT_EVER_MORE_PORTS"

or limit it to your local net:

FW_TRUSTED_NETS="192.168.1.0/24,tcp,3128"

Restart firewall and squid and check again.
HTH

Best Regards
Philippe

--
This message is digitally signed and contains neither a seal nor a signature! Unsolicited sending of advertising e-mail to private persons violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
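As an added example (not code from this thread or from squid), here is a first-match evaluator for the http_access lines of the config above: squid stops at the first http_access line whose ACLs all match, so line order is the whole policy, and with `allow manager` on its own every cache_object request is allowed before `deny manager` is ever reached. The ACL values are copied from the post; the request model and the FIXED rule list (squid's usual `allow manager localhost` form) are the example's own assumptions.

```python
import ipaddress
import re

# ACL definitions copied from the posted config: name -> (type, values).
ACLS = {
    "all":        ("src", ["0.0.0.0/0"]),
    "manager":    ("proto", ["cache_object"]),
    "localhost":  ("src", ["127.0.0.1/32"]),
    "SSL_ports":  ("port", ["443", "563"]),
    "Safe_ports": ("port", "80 21 280 488 591 777 443 563 70 210 1025-65535".split()),
    "CONNECT":    ("method", ["CONNECT"]),
    "localnet":   ("src", ["192.168.1.0/24"]),          # 192.168.1.0-192.168.1.255
    "worm":       ("urlpath_regex", [r"\.eml$"]),       # -i: case-insensitive
}
# http_access lines in exactly the posted order ("!" negates an ACL).
POSTED = [
    ("allow", ["manager"]), ("allow", ["localhost"]), ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["worm"]), ("allow", ["localnet"]), ("deny", ["all"]),
]
# Assumed alternative: squid's usual first line, where both ACLs must match.
FIXED = [("allow", ["manager", "localhost"])] + POSTED[1:]

def port_in(port, spec):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v)
                   for v in values)
    if kind == "port":
        return any(port_in(req["port"], v) for v in values)
    if kind == "urlpath_regex":
        return any(re.search(v, req["path"], re.I) for v in values)
    return req[kind] in values        # "proto" and "method" compare directly

def http_access(req, rules=POSTED):
    """First-match walk: returns (verdict, 1-based http_access line number)."""
    for n, (action, terms) in enumerate(rules, 1):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, n
    # Nothing matched: squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), 0

def req(src, port=80, method="GET", path="/", proto="http"):
    return {"src": src, "port": port, "method": method, "path": path, "proto": proto}
```

Running `http_access(req("10.0.0.5", 3128, proto="cache_object"))` returns `("allow", 1)` under POSTED and `("deny", 3)` under FIXED; a CONNECT to port 8080 from the LAN is stopped by line 5 in both.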
On Fri, Nov 7, 2008 at 3:48 AM, Philippe Vogel <filiaap@freenet.de> wrote:
> Hi!
>
> medwinz wrote:
> > Hi all,
> > I am trying to set up a transparent proxy on 10.3 using squid from the DVD (squid -v shows that it is 2.6.STABLE14). I configured SuSEfirewall to redirect port 80 to 8080:
> > FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"
> > In squid I configured:
> > http_port 8080 transparent
> > When I look with netstat I see that all traffic is forwarded to 8080, but when I look with iptraf there is traffic that is not forwarded to 8080.
> > Am I missing something?
> > Any help really appreciated
> > regards, medwinz
>
> Squid - or the things catching a hover boat in a special movie ...
>
> First of all, try to find out what you intend to do with your squid. There are a lot of facts to keep in mind. Squid does not run by typing some randomly written lines or without better knowledge of how it works and what you can do with it. First of all, logging: what to log and for which group of people; with this you may get into trouble in some cases (for private purposes, never mind). Do you run an Apache webserver as well? Then you can accelerate it with squid too. Do you run squid alone in the dark or as a content filter and/or online virus protection? Do you like small files to be stored too, or, what I prefer to keep the lifetime of your hdd high, only cache bigger files (some may have another idea of it)? Squid can be run as a caching proxy as well. Find a solution on different websites (Google will help you a lot with wisely chosen search syntax).

Hi, thanks for your suggestion. Well, I do know what I need. It's actually just as simple as a transparent proxy. I have a configuration that runs well in squid 2.5 and just needs some modification for 2.6. Also I have a bit of acl setting.

> If you know what you want, then first of all try to set up squid and check the function with a manually set up proxy in your browser of choice. If it ain't running (type "/etc/init.d/squid status" in a console, then watch the output with Ctrl + up/down for scrolling), then try to set up ACL lines before restarting it. You can even check with "less /var/log/messages | grep squid" what syslog says.

Yes, I also use /var/log/squid/access.log
> I would start from a clean setup and copy the config file to a backup location before doing any changes; comment each line you edit with your name and date of change for later error finding. I used it as a caching server and http accelerator combined with squidguard and a via-script-updated list of spyware and evil domains (this would be too much to mention here), and the server itself as dial-up gateway for my webpages. As you can see, logging is off and only files >2k and <1024k are cached. If you would like to not cache anything, set the sizes vice versa (minimum greater than maximum) and intend to use it as a content filter (like I did); anyway some parts will be kept in mem cache.
>
> Change YOURDOMAIN.TDL to your needs and the same for EXTERNAT_IP_Firewall, INTERNAL_IP_Firewall and SECRET. As network I chose here 192.168.1.0/24; change this to your needs as well.
>
> This is the config I used, without the lines for my squidguard.
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> acl APACHE dstdomain .YOURDOMAIN.TDL
> always_direct allow APACHE
> cache_mem 48 MB
> maximum_object_size 1024 KB
> minimum_object_size 2 KB
> maximum_object_size_in_memory 128 KB
> ipcache_size 8192
> fqdncache_size 16384
> cache_dir ufs /var/cache/squid 128 16 256 read-only
> cache_access_log /dev/null
> cache_log /dev/null
> cache_store_log /dev/null
> mime_table /usr/share/squid/mime.conf
> pid_filename /var/run/squid.pid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 280 488 591 777 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
> acl localnet src 192.168.1.0-192.168.1.255
> acl extern_eth0 src EXTERNAT_IP_Firewall
> acl inter_eth1 src INTERNAL_IP_Firewall
> acl worm urlpath_regex -i \.eml$
> http_access allow manager
> http_access allow localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny worm
> http_access allow localnet
> http_access deny all
> no_cache deny QUERY
> icp_access deny all
> cache_mgr webmaster@YOURDOMAIN.TDL
> cache_effective_user squid
> cache_effective_group nogroup
> log_icp_queries off
> cachemgr_passwd SECRET all
> buffered_logs off

Yes, I do have something similar
> Firewall
>
> After squid works for you, start to configure the firewall.
>
> What you have should be enough:
> FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"
>
> Add rules allowing your services locally:
> FW_SERVICES_INT_TCP="WHAT_EVER_PORTS_BEFORE 8080 WHAT_EVER_MORE_PORTS"
>
> or limit it to your local net:
> FW_TRUSTED_NETS="192.168.1.0/24,tcp,3128"
>
> Restart firewall and squid and check again.

My SuSEfirewall2 also has a configuration similar to that. If I set the proxy setting in the client browser to the squid server IP and port and check /var/log/squid/access.log, I see the traffic flowing through squid. The same thing happens if I leave the client proxy setting blank. So I believe that transparent proxying is running. I confirmed this with netstat. I double-checked this with some ACLs that I made using url_regex. I block some websites, and it works well whether the client browser proxy setting is set to the proxy server or left blank as no proxy. What confuses me is that when I use iptraf there are connections to port 80 (user access http/browsing) directly from the user IP, not from the squid server IP port 8080. Is it the way iptraf does the job differently?

regards,
medwinz
--
Bill Vaughan - "The tax collector must love poor people, he's creating so many of them."
On Fri, 7 Nov 2008, medwinz wrote:
> On Fri, Nov 7, 2008 at 3:48 AM, Philippe Vogel <filiaap@freenet.de> wrote:
> > Hi!
> >
> > medwinz wrote:
> > > Hi all,
> > > I am trying to set up a transparent proxy on 10.3 using squid from the DVD (squid -v shows that it is 2.6.STABLE14). I configured SuSEfirewall to redirect port 80 to 8080:
> > > FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"
> > > In squid I configured:
> > > http_port 8080 transparent

You have missed your IP address.

http_port <your ip:8080> transparent

e.g. http_port 192.168.1.1:8080 transparent

--
Regards
Graham Smith
Participants (3): Graham Smith, medwinz, Philippe Vogel