does anyone know how to set up a netfilter firewall with transparent squid? there is a document called "transparent proxy with linux and squid mini-howto"; sure it works, but only when the default policies are set to accept; for higher security my default policies are set to drop and the transparent answer my requests; does anyone have a similar scenario that works? are there some samples or useful hints available? thx alex
Try this.
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128
you should also have
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # chain name was missing in the posted rule; INPUT and OUTPUT need the same rule when squid runs on the firewall
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
....
$IPTABLES is the path to the iptables executable and $LAN_IFACE and
$INET_IFACE should be your corresponding NIC such as eth0, eth1.
My default policies are to DROP, and you should also make the required
configuration in squid.
Hope this helps.
Regards,
Oyku Gencay
----- Original Message -----
From: Joelly Alexander
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Sorry not to mention that squid runs on the firewall.
----- Original Message -----
From: Oyku Gencay
Does this also work for ftp?
You should load the necessary kernel modules for ftp or compile them statically into
the kernel. The kernel module takes care of the protocol details for ftp.
----- Original Message -----
From: Philipp Snizek
Does this also work for ftp?
Does this also work for ftp?
Sort of. It depends on whether you've got passive or active ftp, but overall I'd sort of say no. Easy enough to autoconfigure netscape/msie/etc (you can do automated deployments for both and lock the settings down nice in msie).
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
This is covered at the squid site in the FAQ, for ipfwadm, ipchains, iptables, cisco...: http://www.squid-cache.org/Doc/FAQ/FAQ.html section 17. It's also referred to as an intercepting cache (although that's a bit of a misnomer since squid has to be sent the data, it can't "intercept" on its own).

I also advise a slightly more defined set of redirect rules. Instead of:

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128

use:

$IPTABLES -t nat -A PREROUTING -s 10.3.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

This way you can also run a webserver on the machine with much less hassle.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
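The thread never spells out why the mini-HOWTO's rules stop working once the default policies are DROP: the REDIRECT in nat/PREROUTING turns a LAN client's port-80 packet into one addressed to the firewall itself on port 3128, so it is the filter INPUT chain (on port 3128, not 80) that now has to admit it, and Squid's own fetches then need OUTPUT rules. The script below is an added example, not code from any of the posters; it puts Oyku's REDIRECT/MASQUERADE rules, Kurt's subnet-limited REDIRECT and the ftp conntrack helper together with those missing filter rules. Interface names (eth0 LAN, eth1 Internet), the 10.3.0.0/24 LAN (taken from Kurt's rule), the `! -d` exclusion that keeps LAN-internal web servers unproxied, and the assumption that Squid's `http_port 3128` is set to intercept/transparent mode are all my choices for illustration, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a complete default-DROP netfilter
# ruleset for a firewall that runs Squid as a transparent proxy on itself.
#
# Assumptions (mine, not the thread's): eth0 faces the LAN, eth1 the
# Internet, the LAN is 10.3.0.0/24 (the subnet in Kurt's rule), Squid
# listens on 3128 in intercept mode.  Set DRY_RUN=1 to print the commands
# instead of executing them (no root needed for that).

IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-eth0}"
INET_IFACE="${INET_IFACE:-eth1}"
LAN_NET="${LAN_NET:-10.3.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# run: execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipt: shorthand for the iptables binary.
ipt() {
    run "$IPTABLES" "$@"
}

# load_ftp_helper: the conntrack helper that follows the FTP control
# channel and marks the data connection RELATED (ip_conntrack_ftp on 2.4
# kernels of the thread's era, nf_conntrack_ftp on current kernels).
load_ftp_helper() {
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
}

apply_rules() {
    # Start clean, then deny everything not explicitly allowed.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback plus reply traffic in all three chains: Squid runs on this
    # host, so INPUT and OUTPUT need the state rule as well as FORWARD.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Transparent proxying: rewrite LAN port-80 traffic to Squid.  Limiting
    # it to the LAN subnet as source (Kurt's form) and, my addition, not to
    # LAN destinations leaves web servers on the firewall and LAN alone.
    ipt -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN_NET" ! -d "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # After REDIRECT the packet is addressed to this host on SQUID_PORT, so
    # with INPUT at DROP it is port 3128 that must be admitted, not 80.
    # This is the rule an ACCEPT-by-default setup never had to write.
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT

    # Squid fetches on the clients' behalf, so OUTPUT must let it out
    # (plus DNS so it can resolve origin servers).
    ipt -A OUTPUT -o "$INET_IFACE" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$INET_IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Everything else from the LAN (ftp, https, ...) is routed and NATed
    # normally; the ftp helper makes the data channel RELATED.
    load_ftp_helper
    ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j MASQUERADE
}

# Only apply when explicitly asked, so the file can be sourced or dry-run.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run `DRY_RUN=1 sh transparent-squid.sh --apply` first and read the printed rules; then apply as root with `sh transparent-squid.sh --apply`. A quick functional check from a LAN host is `curl -v http://example.com/` while watching `iptables -t nat -L PREROUTING -v -n` and `iptables -L INPUT -v -n`: the REDIRECT counter and the port-3128 INPUT counter must both increase, and Squid's access.log must show the request; if only the REDIRECT counter moves, the INPUT rule is the one that is missing.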
participants (4): Joelly Alexander, Kurt Seifried, Oyku Gencay, Philipp Snizek