Redirect traffic for transparent proxy
Hi all,

I'm trying to set up a machine with a proxy cache (Squid 2.5 STABLE); the setup process is well documented, but I've run into trouble when I want to redirect the traffic for the transparent proxy. My goal is obvious: redirect all traffic from port 80 (the clients) to port 3128 (the proxy on the server) to set up a transparent proxy.

The structure is:

Server
  eth0 -- connection to internet, 192.168.1.2 (EXT)
  eth1 -- connection to LAN, 172.26.0.1 (INT)
Client
  eth0 -- connection to eth1 of Server, 172.26.0.x (where x is 2+)

1) In the SuSE manual, the syntax for redirected traffic is (page 763 of the SuSE 10.0 Reference Guide):

FW_REDIRECT_TCP="172.26.0.0/24,0/0,80,3128"
FW_REDIRECT_UDP="172.26.0.0/24,0/0,80,3128"

2) In /etc/sysconfig/SuSEfirewall2 the comments of section 14 (where is section 15???) give the same line for both protocols, TCP and UDP. So the correct syntax should be:

FW_REDIRECT="172.26.0.0/24,0/0,80,3128"

3) Neither syntax (1 & 2) works on my server. I've even tried to do it with iptables:

iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 3128

Apparently squid works fine; if I test without the transparent proxy (setting the client browsers to port 3128 directly) there are no problems. The trouble is redirecting the traffic.

--
Salut,
Jordi Espasa
2005/12/28, Jordi Espasa Clofent <jespasac@yahoo.es>:
> 3) Neither syntax (1 & 2) works on my server. I've even tried to do it with iptables:
>
> iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Apparently squid works fine; if I test without the transparent proxy (setting the client browsers to port 3128 directly) there are no problems.
> The trouble is redirecting the traffic.
>
> --
> Salut,
> Jordi Espasa
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here
And what rules did you use in the other table (FILTERED)? It's important too.
Hi Vladislav,
> And what rules did you use in the other table (FILTERED)? It's important too.
The output of iptables -nL is:

Chain INPUT (policy DROP)
target      prot opt source      destination
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
input_int   all  --  0.0.0.0/0   0.0.0.0/0
input_ext   all  --  0.0.0.0/0   0.0.0.0/0
input_ext   all  --  0.0.0.0/0   0.0.0.0/0
LOG         all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP        all  --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy DROP)
target      prot opt source      destination
TCPMSS      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int all  --  0.0.0.0/0   0.0.0.0/0
forward_ext all  --  0.0.0.0/0   0.0.0.0/0
LOG         all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP        all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target      prot opt source      destination
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED
LOG         all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target      prot opt source      destination
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 0
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 3
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 11
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 12
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 14
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 18
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 5
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
LOG         tcp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG         icmp --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG         udp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG         all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP        all  --  0.0.0.0/0   0.0.0.0/0

Chain forward_int (1 references)
target      prot opt source      destination
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 0
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 3
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 11
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 12
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 14
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 18
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 5
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
LOG         tcp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG         icmp --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG         udp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG         all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP        all  --  0.0.0.0/0   0.0.0.0/0

Chain input_ext (2 references)
target      prot opt source      destination
DROP        all  --  0.0.0.0/0   0.0.0.0/0   PKTTYPE = broadcast
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 4
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 8
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 0
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 3
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 11
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 12
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 14
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 18
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED icmp type 5
LOG         tcp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80
LOG         udp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state NEW udp dpt:111 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC '
ACCEPT      udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:111
LOG         tcp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state NEW tcp dpt:111 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC '
ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:111
LOG         udp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state NEW udp dpt:32769 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC '
ACCEPT      udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:32769
LOG         tcp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state NEW tcp dpt:32771 LOG flags 6 level 4 prefix `SFW2-INext-ACC-RPC '
ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:32771
reject_func tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:113 state NEW
LOG         tcp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG         icmp --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG         udp  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG         all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP        all  --  0.0.0.0/0   0.0.0.0/0

Chain input_int (1 references)
target      prot opt source      destination
ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0

Chain reject_func (1 references)
target      prot opt source      destination
REJECT      tcp  --  0.0.0.0/0   0.0.0.0/0   reject-with tcp-reset
REJECT      udp  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable
REJECT      all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-proto-unreachable

But I think the real problem is why the SuSEfirewall2 rules don't work.

TIA.
Hi Jordi Espasa Clofent,

It isn't the fault of SuSEfirewall, I think. SuSEfirewall is a simple front-end for iptables.

That line is senseless:

FW_REDIRECT_UDP="172.26.0.0/24,0/0,80,3128"

Squid and HTTP don't use the UDP protocol. Try this:

FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128"

and what "Dragan Andric" advised:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Finally you can use my hand-made script; check it:

#!/bin/bash
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="172.26.0.1"
LAN_IP_RANGE="172.26.0.0/16"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Flush so the script can be re-run without duplicating rules (not in the original)
iptables -F
iptables -X
iptables -t nat -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# bad chain: a NEW connection must not start with SYN,ACK
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# ICMP allowed from the Internet: dest-unreachable, echo-request, time-exceeded
iptables -N icmp_packets
iptables -A icmp_packets -p ICMP --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
iptables -A icmp_packets -p ICMP -j DROP

# TCP from the LAN: ssh via the chain, ftp/squid/http directly on INPUT
iptables -N tcp_packets
iptables -A tcp_packets -p TCP --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A tcp_packets -p TCP -j DROP

# UDP from the LAN: DNS only
iptables -N udp_packets
iptables -A udp_packets -p UDP --destination-port 53 -j ACCEPT
iptables -A udp_packets -p UDP -j DROP

iptables -A INPUT -p tcp -j bad_tcp_packets
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ICMP -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
iptables -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE -j tcp_packets
iptables -A INPUT -p TCP -i $INET_IFACE -j DROP
iptables -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE -j udp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j DROP

iptables -A FORWARD -p TCP -j bad_tcp_packets
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Transparent proxy. "-i $LAN_IFACE" was added so only LAN clients are
# intercepted; the original rules matched every interface.
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 8081 -j REDIRECT --to-port 3128
# Do not redirect 443: Squid 2.5's httpd_accel mode speaks plain HTTP, and an
# intercepted TLS handshake is not HTTP, so this line only breaks HTTPS for clients.
# iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 443 -j REDIRECT --to-port 3128

Good luck!

--
Best wishes,
Vlad.
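The listing the thread never gets to is the one that would settle it: Jordi posted `iptables -nL`, which shows only the filter table, while a REDIRECT rule lives in the nat table (`iptables -t nat -vnL PREROUTING`). What follows is an added example, not code from the thread, from SuSEfirewall2 or from Squid: a small Python model that parses `iptables-save` output and follows one LAN client's HTTP SYN the way the kernel does, first through nat/PREROUTING and then, with the destination port already rewritten, through the filter table's INPUT path (or FORWARD if nothing redirected it), following jumps into user chains such as SuSEfirewall2's INPUT -> input_int. Interface names, addresses and port are the thread's (eth1, 172.26.0.0/24, 3128); the dumps are constructed for the example, not Jordi's real rule set, and only the matches the thread uses (-i, -s, -p, --dport, --state, -j, --to-ports) are modelled.

```python
"""Added example, not code from the thread: parse an `iptables-save` dump and
follow one LAN client's HTTP SYN through nat/PREROUTING and then the filter
table, following jumps into user chains (SuSEfirewall2's INPUT -> input_int).
Layout as in the thread: LAN on eth1, 172.26.0.0/24, Squid on 3128."""
import ipaddress
import shlex
from collections import defaultdict

TERMINAL = {"ACCEPT", "DROP", "REJECT", "REDIRECT", "DNAT", "MASQUERADE"}
# Matches this model understands; '!' negation, -o/-d, multiport, --tcp-flags are ignored.
OPTS = {"-A": "chain", "-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport",
        "--state": "states", "-j": "target", "--to-ports": "to_ports"}
CONV = {"src": lambda v: ipaddress.ip_network(v, strict=False), "proto": str.lower,
        "dport": int, "states": lambda v: set(v.split(",")),
        "to_ports": lambda v: int(v.split("-")[0])}


def parse_rule(line):
    toks, rule = shlex.split(line), dict.fromkeys(OPTS.values())
    for i, tok in enumerate(toks[:-1]):
        if tok in OPTS:
            rule[OPTS[tok]] = CONV.get(OPTS[tok], str)(toks[i + 1])
    return rule


def parse_save(text):
    """rules[table][chain] -> [rule]; policies[table][chain] -> 'ACCEPT'/'DROP'."""
    rules, policies, table = defaultdict(lambda: defaultdict(list)), defaultdict(dict), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            rules[table][chain]                 # register the chain even if empty
            if policy != "-":
                policies[table][chain] = policy
        elif line.startswith("-A "):
            rule = parse_rule(line)
            rules[table][rule["chain"]].append(rule)
    return rules, policies


def matches(rule, pkt):                        # pkt is a NEW tcp SYN: iface, src, proto, dport
    return ((rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or "NEW" in rule["states"]))


def trace(chains, chain, pkt):
    """First terminal rule hit in `chain` (jumps followed); None = chain policy."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        if rule["target"] in TERMINAL:
            return rule
        if rule["target"] == "RETURN":
            return None
        if rule["target"] in chains:            # user-defined chain
            hit = trace(chains, rule["target"], pkt)
            if hit is not None:
                return hit
        # LOG, TCPMSS and other non-terminating targets: keep walking
    return None


def check_intercept(dump, lan_iface="eth1", client="172.26.0.10", squid_port=3128):
    """(redirected, filter_chain, verdict) for one client SYN to tcp/80."""
    rules, policies = parse_save(dump)
    pkt = {"iface": lan_iface, "src": client, "proto": "tcp", "dport": 80}
    nat_hit = trace(rules["nat"], "PREROUTING", pkt)
    redirected = (nat_hit is not None and nat_hit["target"] == "REDIRECT"
                  and nat_hit["to_ports"] == squid_port)
    if redirected:   # REDIRECT runs before filter: packet is now local, dport 3128
        pkt, chain = dict(pkt, dport=squid_port), "INPUT"
    else:            # untouched: routed straight out, Squid never sees it
        chain = "FORWARD"
    hit = trace(rules["filter"], chain, pkt)
    verdict = hit["target"] if hit else policies["filter"].get(chain, "ACCEPT")
    return redirected, chain, verdict


# Constructed dump (not the thread's real one). The filter side mirrors the
# SuSEfirewall2 layout Jordi posted (input_int accepts everything from the LAN);
# the nat table is what `iptables -nL` without `-t nat` never shows.
SFW2_NO_REDIRECT = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:input_int - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j input_int
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET "
-A INPUT -j DROP
-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A input_int -j ACCEPT
COMMIT
"""
# Same firewall plus the one nat rule the thread is after.
SFW2_REDIRECT = SFW2_NO_REDIRECT.replace(":PREROUTING ACCEPT [0:0]\n", ":PREROUTING ACCEPT [0:0]\n"
    "-A PREROUTING -i eth1 -s 172.26.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128\n")
# A stricter input_int that only opens tcp/80: the redirect fires, but the
# rewritten packet (dport 3128) then hits INPUT's final DROP.
STRICT_REDIRECT = SFW2_REDIRECT.replace("-A input_int -j ACCEPT",
                                        "-A input_int -p tcp -m tcp --dport 80 -j ACCEPT")
```

Run it against the real gateway with `iptables-save > /tmp/ipt.save` and `check_intercept(open("/tmp/ipt.save").read())`. The three constructed dumps give the three outcomes worth telling apart: with no nat rule the client is simply forwarded (the case a filter-only `iptables -nL` listing cannot rule out, and the client keeps browsing, just not through Squid); with the rule in place the SYN reaches INPUT as dport 3128 and input_int accepts it; with the rule in place behind a filter that still only opens port 80, the redirect works and the firewall then drops the result. On the live box the same question is answered by the packet counters of `iptables -t nat -vnL PREROUTING`; if they stay at zero while clients browse, the rule is absent or is bound to the wrong interface or source network. Squid 2.5 also has to be told it is intercepting (the httpd_accel lines Vlad quotes), otherwise it rejects the relative request lines the browser sends to what it believes is the origin server.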
participants (3)
- Jordi Espasa Clofent
- Vladislav K.V
- Vladislav Kisliy