Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Redirect traffic for transparent proxy
  • From: "Vladislav K.V" <vladislav.kisliy@xxxxxxxxx>
  • Date: Wed, 28 Dec 2005 21:33:37 +0200
  • Message-id: <200512282133.37534.vladislav.kisliy@xxxxxxxxx>

Hi Jordi Espasa Clofent
It isn't the fault of SuseFirewall, I think. SuseFirewall is a simple
front-end for iptables.
That line is senseless: FW_REDIRECT_UDP="172.26.0.0/24,0/0,80,3128"
Squid and HTTP don't use the UDP protocol.

Try this:
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128"

and what "Dragan Andric" advised:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Finally, you can use my hand-made script;
check it:
#!/bin/bash
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="172.26.0.1"
LAN_IP_RANGE="172.26.0.0/16"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# start from empty tables so the script can be re-run (-N fails on an existing chain)
iptables -F
iptables -X
iptables -t nat -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# bad chain: reset new connections that arrive with SYN,ACK already set
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# ICMP from the Internet: allow unreachable, echo request and time exceeded only
iptables -N icmp_packets
iptables -A icmp_packets -p ICMP --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
iptables -A icmp_packets -p ICMP -j DROP

# TCP from the LAN: ssh via the chain, ftp/squid/http accepted directly on eth1
iptables -N tcp_packets
iptables -A tcp_packets -p TCP --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A tcp_packets -p TCP -j DROP

# UDP from the LAN: DNS only
iptables -N udp_packets
iptables -A udp_packets -p UDP --destination-port 53 -j ACCEPT
iptables -A udp_packets -p UDP -j DROP

iptables -A INPUT -p tcp -j bad_tcp_packets
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p ICMP -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

iptables -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE -j tcp_packets
iptables -A INPUT -p TCP -i $INET_IFACE -j DROP

iptables -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE -j udp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j DROP


iptables -A FORWARD -p TCP -j bad_tcp_packets
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Transparent proxy
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp --dport 8081 -j REDIRECT --to-port 3128

Good luck!


--
Best wishes, Vlad.
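
As an added example (not part of Vlad's mail), the shell helper below translates a SuSEfirewall2 FW_REDIRECT entry of the form source,destination,protocol,dport,redirect-port (the format of the FW_REDIRECT line quoted above) into the iptables nat/PREROUTING rule it stands for, pinned to the LAN interface so that traffic arriving from the Internet is never intercepted. It prints the rules instead of loading them, refuses a UDP entry because Squid only accepts TCP, and only generates plain-HTTP ports, since raw TLS sent to Squid's HTTP port is not handled; the interface name, network and port in the test are constructed values.

```shell
#!/bin/sh
# Translate one SuSEfirewall2 FW_REDIRECT entry into the iptables rule
# it expands to. The entry has five comma separated fields:
#   source,destination,protocol,original-dport,redirect-port
# The rule is printed, not executed, so it can be reviewed first.
fw_redirect_to_iptables() {
    entry="$1"
    lan_iface="$2"
    # Split the entry on commas into the positional parameters.
    old_ifs="$IFS"
    IFS=','
    set -- $entry
    IFS="$old_ifs"
    if [ "$#" -ne 5 ]; then
        echo "bad FW_REDIRECT entry (need 5 fields): $entry" >&2
        return 1
    fi
    src="$1"; dst="$2"; proto="$3"; dport="$4"; to_port="$5"
    # Squid speaks TCP only: a UDP redirect to it can never work.
    case "$proto" in
        tcp) ;;
        *) echo "refusing $proto redirect: Squid only accepts TCP" >&2
           return 1 ;;
    esac
    # Restricting on -i keeps packets from the Internet side out of the
    # redirect; -s limits it further to the configured client network.
    echo "iptables -t nat -A PREROUTING -i $lan_iface -s $src -d $dst -p tcp --dport $dport -j REDIRECT --to-ports $to_port"
}

# Print the full transparent-proxy rule set for a gateway: LAN clients
# on plain HTTP ports only (80 and 8080), redirected to the Squid port.
transparent_proxy_rules() {
    lan_iface="$1"
    lan_net="$2"
    squid_port="$3"
    for port in 80 8080; do
        fw_redirect_to_iptables "$lan_net,0/0,tcp,$port,$squid_port" "$lan_iface" || return 1
    done
}
```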
