netfilter with transparent squid - openSUSE Security - openSUSE Mailing Lists

newer
R: R: [suse-security] email...

netfilter with transparent squid

older
Am I hacked???

Joelly Alexander

12 Oct 2001 12 Oct '01

09:06

does anyone know how to setup a netfilter-firewall with transparent squid ? there is a document called "transparent proxy with linux and squid mini-howto"; sure it works, but only when the default policies are set to accept; for higher security my default policies are set to drop and the transparent answer my requests; does anyone have a similar szenario that works ? are there some samples or useful hints avaliable ? thx alex

Reply

Sign in to reply online Use email software

Show replies by date

Oyku Gencay

12 Oct 12 Oct

09:01

New subject: [suse-security] netfilter with transparent squid

Try this. $IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128 you should also have $IPTABLES -A -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE .... $IPTABLES is the path to the iptables executable and $LAN_IFACE and $INET_IFACE should be your corresponding NIC such as eth0, eth1. My default polcies are to DROP, and you should also make the required configuration in squid. Hope this helps. Regards, Oyku Gencay ----- Original Message ----- From: Joelly Alexander To: Sent: Friday, October 12, 2001 12:06 PM Subject: [suse-security] netfilter with transparent squid

does anyone know how to setup a netfilter-firewall with transparent squid ? there is a document called "transparent proxy with linux and squid mini-howto"; sure it works, but only when the default policies are set to accept; for higher security my default policies are set to drop and the transparent answer my requests;

does anyone have a similar szenario that works ? are there some samples or useful hints avaliable ?

thx alex

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Reply

Sign in to reply online Use email software

Oyku Gencay

09:04

New subject: [suse-security] netfilter with transparent squid

Sorry not to mention that squid runs on the firewall. ----- Original Message ----- From: Oyku Gencay To: Joelly Alexander ; SuSE Security Sent: Friday, October 12, 2001 12:01 PM Subject: Re: [suse-security] netfilter with transparent squid

Try this.

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128 you should also have $IPTABLES -A -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE ....

$IPTABLES is the path to the iptables executable and $LAN_IFACE and $INET_IFACE should be your corresponding NIC such as eth0, eth1.

My default polcies are to DROP, and you should also make the required configuration in squid.

Hope this helps.

Regards, Oyku Gencay

----- Original Message ----- From: Joelly Alexander To: Sent: Friday, October 12, 2001 12:06 PM Subject: [suse-security] netfilter with transparent squid

...
does anyone know how to setup a netfilter-firewall with transparent squid ? there is a document called "transparent proxy with linux and squid mini-howto"; sure it works, but only when the default policies are set to accept; for higher security my default policies are set to drop and the transparent answer my requests;

does anyone have a similar szenario that works ? are there some samples or useful hints avaliable ?

thx alex

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Reply

Sign in to reply online Use email software

Philipp Snizek

09:13

New subject: AW: [suse-security] netfilter with transparent squid

Does this also work for ftp?

Sorry not to mention that squid runs on the firewall. ----- Original Message ----- From: Oyku Gencay To: Joelly Alexander ; SuSE Security Sent: Friday, October 12, 2001 12:01 PM Subject: Re: [suse-security] netfilter with transparent squid

...
Try this.

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128 you should also have $IPTABLES -A -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE ....

$IPTABLES is the path to the iptables executable and $LAN_IFACE and $INET_IFACE should be your corresponding NIC such as eth0, eth1.

My default polcies are to DROP, and you should also make the required configuration in squid.

Hope this helps.

Regards, Oyku Gencay

----- Original Message ----- From: Joelly Alexander To: Sent: Friday, October 12, 2001 12:06 PM Subject: [suse-security] netfilter with transparent squid

...
does anyone know how to setup a netfilter-firewall with transparent squid ? there is a document called "transparent proxy with linux and squid mini-howto"; sure it works, but only when the default policies are set to accept; for higher security my default policies are set to drop and the transparent answer my requests;

does anyone have a similar szenario that works ? are there some samples or useful hints avaliable ?

thx alex

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Reply

Sign in to reply online Use email software

Oyku Gencay

09:13

New subject: [suse-security] netfilter with transparent squid

You should load the necessary kernel modules for ftp or static compile in to the kernel. The kernel module takes car of the protocol details for ftp. ----- Original Message ----- From: Philipp Snizek To: 'SuSE Security' Sent: Friday, October 12, 2001 12:13 PM Subject: AW: [suse-security] netfilter with transparent squid

Does this also work for ftp?

...
Sorry not to mention that squid runs on the firewall. ----- Original Message ----- From: Oyku Gencay To: Joelly Alexander ; SuSE Security Sent: Friday, October 12, 2001 12:01 PM Subject: Re: [suse-security] netfilter with transparent squid

...
Try this.

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128 you should also have $IPTABLES -A -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE ....

$IPTABLES is the path to the iptables executable and $LAN_IFACE and $INET_IFACE should be your corresponding NIC such as eth0, eth1.

My default polcies are to DROP, and you should also make the required configuration in squid.

Hope this helps.

Regards, Oyku Gencay

----- Original Message ----- From: Joelly Alexander To: Sent: Friday, October 12, 2001 12:06 PM Subject: [suse-security] netfilter with transparent squid

...
does anyone know how to setup a netfilter-firewall with transparent squid ? there is a document called "transparent proxy with linux and squid mini-howto"; sure it works, but only when the default policies are set to accept; for higher security my default policies are set to drop and the transparent answer my requests;

does anyone have a similar szenario that works ? are there some samples or useful hints avaliable ?

thx alex

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Reply

Sign in to reply online Use email software

Kurt Seifried

09:23

New subject: [suse-security] netfilter with transparent squid

Does this also work for ftp?

Sort of. depends on whether you got passive or active ftp, but overall I'd sort of say no. Easy enough to autoconfigure netscape/msie/etc (you can do automated deployments for both and lock the settings down nice in msie) Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/

Reply

Sign in to reply online Use email software

Kurt Seifried

09:21

New subject: [suse-security] netfilter with transparent squid

This is covered at the squid site in the FAQ, for ipfwadm, ipchains, iptables, cisco....... http://www.squid-cache.org/Doc/FAQ/FAQ.html section 17 It's also referred to as an interceptong cache (although that's a bit of a misnomor since squid has to be sent the data, it can't "intercept" on it's own). I also advise a slightly more defined set of redirect rules, instead of: $IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128 -t nat -A PREROUTING -s 10.3.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 This way you can also run a webserver on the machine with much less hassle. Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/

Reply

Sign in to reply online Use email software

8238

Age (days ago)

8238

Last active (days ago)

Download

6 comments

4 participants

tags

participants (4)

Joelly Alexander
Kurt Seifried
Oyku Gencay
Philipp Snizek