Re: [suse-security] Transparent proxy ...
Peter Wiersig wrote:
Richard Ems:
Hi Frank!
My idea was to build a firewall where PC1 would ONLY do packet filtering (masq, forw, redir, etc.) and PC2 would do the rest (snmp server, pop server, proxy server, dns server, etc.). Also the hardware is very different on both PCs:
PC1: 1 x 700 MHz, 64 MB RAM, IDE
PC2: 2 x 700 MHz, 512 MB RAM, SCSI, more disk space than PC1
mmmm, now I'm not so sure ...
What do you think?
Richard
I would do the same as you. Set up PC1 as screening router and go with the other stuff on PC2.
In what part of the setup do you have problems?
(not via list because it's not really security related - it's more of a configuration question.)
Peter
Hi Peter!

My problem is that I want to configure a transparent proxy for http, https and ftp (and if possible nntp also!) running squid on PC2. So PC1 should transparently forward requests to these ports to squid at PC1 where squid would look for permissions and in the cache or ask PC1 (the only PC connected to the internet) for the requested data.

My problem is HOW to configure my ipchains rules, ipmasqadm rules or whatsoever to make this redirection and port forwarding or so! Any ideas where to look for some help? Or have you configured something like this? Or should I move the squid proxy server from PC2 to PC1?

Thanks, Richard

--
Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg
Unix IS user friendly. It's just selective about who its friends are.
My problem is HOW to configure my ipchains rules, ipmasqadm rules or whatsoever to make this redirection and port forwarding or so!

Look at the squid-FAQ (or was it doc?) at the squid homepage, there is a chapter about transparent proxying with ipchains examples, etc.

bye
Markus

--
Markus Gaugusch    ICQ 11374583    markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
Markus Gaugusch wrote:
My problem is HOW to configure my ipchains rules, ipmasqadm rules or whatsoever to make this redirection and port forwarding or so!

Look at the squid-FAQ (or was it doc?) at the squid homepage, there is a chapter about transparent proxying with ipchains examples, etc.
bye
Markus
--
Markus Gaugusch    ICQ 11374583    markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi Markus,

I have read those FAQs already and there everything is well explained, but squid is NOT the problem. The problem is redirecting using ipchains or ipmasqadm or ??? from PC1 port x to PC2 port y !!!

Thanks, Richard

--
Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg
Unix IS user friendly. It's just selective about who its friends are.
Hi Richard,

I have a site where there is Squid set up as transparent proxy. What you will want to do is set up Squid to run as httpd_accel(erator) and to redirect the outgoing traffic on port 80 to Squid using ipchains.

Here's part of the Squid-conf:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    # where you set "acl localdomains src your.network/requirednetmask"
    http_access deny !localdomains
    # having all users in /etc/httpd/htpasswd; use htpasswd that comes with apache
    proxy_auth /etc/httpd/htpasswd

and to redirect the traffic execute

    # REDIRECT is only valid in the ipchains input chain, so match the
    # port-80 packets as they arrive on the interface facing your clients
    ipchains -A input -i internal_device -p TCP -d 0/0 80 -j REDIRECT your_squid_port

make sure to have your kernel compiled with "Transparent_Proxy yes"

You should consider not to cache ssl connections. Ftp will only work as ftp over http (e.g. the ftp your browser uses). I don't know of any NNTP proxy. What you can do is to set up a local newsfeed like leafnode and restrict access to it.

You definitely should have a look at the Transparent Proxy mini-HOWTO (www.linuxdoc.org)

Regards,
Alex
Alexander Noack wrote:
Hi Richard,
I have a site where there is Squid set up as transparent proxy. What you will want to do is set up Squid to run as httpd_accel(erator) and to redirect the outgoing traffic on port 80 to Squid using ipchains.
Here's part of the Squid-conf:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    # where you set "acl localdomains src your.network/requirednetmask"
    http_access deny !localdomains
    # having all users in /etc/httpd/htpasswd; use htpasswd that comes with apache
    proxy_auth /etc/httpd/htpasswd

and to redirect the traffic execute

    # REDIRECT is only valid in the ipchains input chain, so match the
    # port-80 packets as they arrive on the interface facing your clients
    ipchains -A input -i internal_device -p TCP -d 0/0 80 -j REDIRECT your_squid_port

make sure to have your kernel compiled with "Transparent_Proxy yes"

You should consider not to cache ssl connections. Ftp will only work as ftp over http (e.g. the ftp your browser uses). I don't know of any NNTP proxy. What you can do is to set up a local newsfeed like leafnode and restrict access to it.

You definitely should have a look at the Transparent Proxy mini-HOWTO (www.linuxdoc.org)
Regards,
Alex
Hi Alexander,

This solution is OK, I read about it but it's not enough. My kernel is of course compiled with "Transparent proxy yes" and so on ... Did you read the previous messages? The problem is that the squid server is running on another PC (I called it on my previous emails PC2) and the packet filtering is happening on PC1 !!! So I need to redirect to a port on another machine! This is not possible directly with ipchains, isn't it? Redirecting to another port on the same machine is not the problem.

Thanks, Richard

--
Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg
Unix IS user friendly. It's just selective about who its friends are.
At 10:31 PM 5/02/2001, you wrote:
Ftp will only work as ftp over http (e.g. the ftp your browser uses)
This is only partially correct. It is actually not possible to transparently redirect ftp due to the number of ports it uses. You can transparently proxy ftp, but not with squid. The only transparent ftp proxy that currently works on Linux (that I know of) is the one in the TIS Firewall Toolkit (http://www.tis.com) (this is the same one that is in Gauntlet firewall on Solaris). TIS has a very restrictive licence, basically you have to be an educational institution, or you have to buy Gauntlet.

You may wish to wait for SuSE 7.1 with kernel 2.4.x with all the netfilter and iptables stuff as it is much more powerful. I had a long talk to Rusty and one of the other Linux firewall people at http://linux.conf.au and Rusty is talking about adding some transparent application level proxies to netfilter, but this probably will not happen for 6 months. (Rusty is the guy who wrote IPCHAINS as well as NETFILTER and IPTABLES and all the associated kernel bells and whistles.) I hope he does do this in the near future, as it will mean Linux has something that NO other OS does except Solaris with the addition of Gauntlet. (I have offered to do the documentation of some of this stuff for him, so you can be sure that I'll let you know when it happens :-)

So, to clarify, you CAN transparently redirect ftp over http by virtue that it is an http stream, however the only way to make your browser do ftp over http instead of normal ftp is to tell it that you have a proxy, which sorta defeats the purpose of transparent redirection.

Sorry to give you the bad news... This is all in the squid doco if you feel like reading up on it more..

Cheers
---
Nix - nix@susesecurity.com
http://www.susesecurity.com
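Added example, not posted by any participant in this thread: the netfilter/iproute2 (kernel 2.4) way of doing what Richard asks for, i.e. intercepting LAN port-80 traffic on the packet filter PC1 and handing it to Squid on a different box, PC2. PC1 does not DNAT to PC2; it only marks the port-80 packets and policy-routes them to PC2, and PC2 performs the local REDIRECT to its Squid port. That way PC2's own connection tracking un-NATs the replies (a plain DNAT from PC1 would break because PC2 answers the client directly on the same LAN and PC1 never sees the reply), and Squid still sees the real client address, which a src-based acl like Alex's localdomains needs. It covers port 80 only; as the thread says, https, ftp and nntp are not candidates for this. The interface names, addresses, Squid port, fwmark value and routing-table number are assumptions for the example; the rules are printed rather than executed so they can be reviewed before being piped to sh as root on the respective machine.

```shell
#!/bin/sh
# Added example, not from the thread. PC1 = screening router (2.4 kernel,
# iptables + iproute2), PC2 = the box running Squid. PC1 marks LAN port-80
# packets and routes them to PC2; PC2 REDIRECTs them into Squid, so its own
# conntrack un-NATs the replies and Squid sees the real client address.
# All values below are assumptions made for this example.
LAN_IF=eth1            # PC1 interface facing the LAN (clients and PC2)
PC2_IP=192.168.1.2     # address of the Squid box
PC2_IF=eth0            # PC2 interface on that LAN
SQUID_PORT=3128        # Squid's http_port
MARK=1                 # fwmark used to select the Squid route
TABLE=100              # routing table holding that route

# Commands for PC1. Apply with: pc1_rules | sh   (as root, on PC1)
pc1_rules() {
  cat <<EOF
# mark LAN port-80 packets, but never PC2's own fetches (they would loop)
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 ! -s $PC2_IP -j MARK --set-mark $MARK
# marked packets consult table $TABLE, whose only route points at PC2
ip rule add fwmark $MARK table $TABLE
ip route add default via $PC2_IP dev $LAN_IF table $TABLE
# the packets leave on the interface they arrived on; stop PC1 from sending
# ICMP redirects that would tell clients to talk to PC2 directly
echo 0 > /proc/sys/net/ipv4/conf/$LAN_IF/send_redirects
EOF
}

# Commands for PC2. Packets arrive with the origin server as destination;
# REDIRECT rewrites them to this host's address and $SQUID_PORT, and the
# replies are mapped back to origin:80 by PC2's connection tracking.
pc2_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $PC2_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

echo "# --- PC1 ---"
pc1_rules
echo "# --- PC2 ---"
pc2_rules
```

Squid on PC2 keeps the httpd_accel settings Alex lists (httpd_accel_host virtual, httpd_accel_uses_host_header on), since the intercepted request still has to be reconstructed from the Host header. PC2's default route must go through PC1 so that its own fetches reach the internet; the `! -s` exclusion on PC1 keeps those fetches from being marked and routed straight back to PC2.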
participants (4)
- Alexander Noack
- Markus Gaugusch
- Nix
- Richard Ems