Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have tried a transparent proxy and I have the latest version of Fedora. But it's not working and is showing an error when I put this in squid.conf:
parseConfigFile: line 594 unrecognized: 'httpd_accel_host virtual'
parseConfigFile: line 595 unrecognized: 'httpd_accel_port 80'
parseConfigFile: line 596 unrecognized: 'httpd_accel_with_proxy on'
parseConfigFile: line 597 unrecognized: 'httpd_accel_uses_host_header on'
Unless you're using a really old Squid version, those lines aren't used to set transparent mode.
Instead, you just add the word transparent to the http_port line, like (for example):
The reason you can't use iptables is because Gmail (for example) has thousands of IP addresses and they change all the time. A proxy is the right tool for the job. You can prevent people from bypassing it by disabling forwarding or by enforcing its use in transparent mode.
Threads with zero replies are automatically bumped. Don't do this - it's rude.
No, not necessary, although a proxy can help. Google pretty much has a set range of IPs for now... you just need to drop the IP range from Gmail....
And yes, I know there are other countries, but if one does a search on the net one should be able to find the IPs Google uses; for example, I've already got a lot of them. Again, just a search over the net should do one good, and of course once you've got an IP, whois that IP and find the range, and use ipcalc to calculate the IP range from, oh say, 127.0.0.1 - 127.255.255.255.
OK... I have a plan.
In the users' web browser internet connection settings, I will put the Squid system IP and port, so that users will browse the internet through that method.
Now the issue is with remote mail server access (mail send/receive) and remote FTP server access (upload/download/login). This could be solved if we can make proper NAT/masquerade between the local Linux system and the remote servers' related ports.
But it may be problematic: if remote IP information is blocked, then it's not possible to get the remote IP.
Masquerading all packets would make a security hole and pass all packets that come to the interface. Now I have to find some exceptional IPTABLES rule so that it would not create such a security-related problem.
Yes, I have tried that also, but the same error is coming. Should I load any module for that, or anything related to the HTTP protocol (port 80)?
That doesn't make sense. The error would not appear unless you still have those lines in there.
And no, there's no module you need to load.
Quote:
Originally Posted by sanjee
OK... I have a plan.
In the users' web browser internet connection settings, I will put the Squid system IP and port, so that users will browse the internet through that method.
Now the issue is with remote mail server access (mail send/receive) and remote FTP server access (upload/download/login). This could be solved if we can make proper NAT/masquerade between the local Linux system and the remote servers' related ports.
But it may be problematic: if remote IP information is blocked, then it's not possible to get the remote IP.
Masquerading all packets would make a security hole and pass all packets that come to the interface. Now I have to find some exceptional IPTABLES rule so that it would not create such a security-related problem.
I don't really understand why you are making this sound so complicated. It's actually pretty simple. You proxy Web traffic (whether you do it transparently or not is irrelevant), and then NAT traffic to other specific ports (FTP, POP3, etc). You don't need to do masquerading for "all packets" or anything like that.
Yes, you are right. But the problem arises when we don't know the actual port. It's possible the port number is statically or dynamically changed. Then it's difficult to NAT with the port, and I am facing that kind of problem: I am unable to log in to some FTP servers of that kind due to the port problem.
Would anyone help me with how to NAT/MASQUERADE anything in this kind of situation?
Suppose eth0 -> LAN and eth1 -> Internet connection. Now I want to log in / upload / download to a remote FTP server. The problem is that I don't know the server's IP, because that server's admin blocks IP information and changes the FTP port number. I know only the domain name. How will users access those servers through the Linux firewall? But I don't want to masquerade all packets, because it will make a security hole.
Regarding the problem, I am confused how to make NAT/MASQUERADE with ports 20 and 21 to the changing/unknown ports.
It would be extremely unusual for an admin to make an FTP daemon listen on a port other than 21. You don't ever need to worry about port 20, or any of the ephemeral (dynamically changing) ports - it's all handled by the module-provided FTP connection tracking.
I wrote an example iptables script for you to help you get started. Here it is:
Code:
#!/bin/sh
IPT="/sbin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
WAN_IFACE="eth1"
DNS1="208.67.222.222"
DNS2="208.67.220.220"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# This is for Squid:
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 3128 \
-s $LAN_NET -m state --state NEW -j ACCEPT
# This is so that LAN clients can ping you:
$IPT -A INPUT -p ICMP -i $LAN_IFACE --icmp-type 8 \
-s $LAN_NET -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# This is for FTP (in case you don't wanna do it through Squid):
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
--dport 21 -m state --state NEW -j ACCEPT
# This is for POP3:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
--dport 110 -m state --state NEW -j ACCEPT
# This is for DNS:
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-d $DNS1 --dport 53 -m state --state NEW -j ACCEPT
# This is for DNS:
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-d $DNS2 --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
It lets clients connect to Squid on the LAN, and it lets them connect to FTP, POP3, and DNS on the WAN. They would only be able to do HTTP/HTTPS through Squid, so you can determine which sites they can (or can't) use in your squid.conf by way of ACLs. You would, of course, need to customize this script before using it.
Last edited by win32sux; 09-22-2008 at 08:46 PM.
Reason: Had forgotten POSTROUTING rule.
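The two Squid-side pieces this thread relies on, as an added example that is not from the original replies: the http_port line that replaces the old httpd_accel_* directives from the first post, and the ACLs that the post above leaves to squid.conf for deciding which sites LAN clients may reach (the original goal of blocking Gmail, which iptables cannot do by address). The LAN range, port numbers and the list of webmail domains are assumptions.

```conf
# Added example, not from the thread: squid.conf fragment for the gateway
# described above. LAN range, ports and the webmail domain list are assumed.

# Explicit proxy port: browsers point here, and HTTPS arrives as CONNECT.
http_port 3128
# Interception port: the iptables REDIRECT of LAN port-80 traffic lands here.
# Squid 3.1 and later spell the option "intercept"; 2.6 through 3.0 use
# "transparent" on the same line. Keep it on its own port, separate from the
# explicit one, as the Squid documentation recommends.
http_port 3129 intercept

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443 21 1025-65535
acl CONNECT method CONNECT
# Sites to block. The leading dot also matches subdomains, and for HTTPS the
# check is applied to the host named in the CONNECT request, so the block
# holds for the explicit proxy port as well as for intercepted port-80 traffic.
acl webmail dstdomain .gmail.com .mail.google.com

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny webmail
http_access allow localnet
http_access deny all
```

The deny for webmail is placed before the allow for localnet because http_access rules are evaluated in order and the first match wins; putting it after the allow would make it dead configuration. A change like this takes effect with squid -k reconfigure.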
So many thanks. Till now I have tried with the Squid entry only, etc. It's working fine.
BUT... BUT... BUT... again a small hole is breaking the Squid web security. In Mozilla or browsers of that type, from "Preferences" / "Tools -> Options" (in XP), there is a proxy bypass portion or "No proxy for" option. I have checked the domain name we put in that option. It's bypassing the Squid security.
That means you're forwarding HTTP/HTTPS packets (which defeats the purpose of using Squid). Notice how, in the script I posted, no HTTP/HTTPS packets are forwarded - which makes the proxy bypass method you mention futile.
Quote:
Is there any way to fight with it.
Yes, stop forwarding TCP packets with destination ports 80 and 443.
Yes... the configuration you posted is very nice. And I am trying to do it according to your conf, because I am not so familiar with IPTABLES connection tracking rules.
Now I want to resolve one query of mine. The above-mentioned problem,
in XP Mozilla / other browsers [Preferences -> Connection Settings -> No proxy for... / Tools -> Options -> Advanced -> Network -> Settings -> No proxy for...]: how is it redirecting web packets, because I have already redirected port 80 to the Squid port like
-A FORWARD -i $LAN-interface -j ACCEPT
-A PREROUTING -i $LAN-interface -p tcp -m tcp --dport 80 -j DNAT --to-destination $squidip:squidport
-A PREROUTING -i $WAN-interface -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $squidport
-A POSTROUTING -o $WAN-interface -j MASQUERADE
... could you please make clear to me what my actual faulty entry is, or is it passing HTTPS, etc.?
HTTPS uses TCP destination port 443. HTTPS isn't transparently proxied by Squid. You need to add a rule to prevent TCP destination port 443 packets from being forwarded. Or better yet, set your FORWARD policy to DROP and only make rules for specific ports on the WAN which you want to allow your LAN clients to connect to (such as is done in my example). BTW, unless I'm missing something, at least one of the rules you posted doesn't make sense. I mean, why would you need both DNAT and REDIRECT? And why are you using REDIRECT on the WAN interface? Please explain.
AFAICT, you should be fine with something like this:
Code:
#!/bin/sh
IPT="/sbin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
LAN_IP="192.168.1.1"
WAN_IFACE="eth1"
DNS1="208.67.222.222"
DNS2="208.67.220.220"
SQUID_PORT="3128"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# This is for Squid:
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport $SQUID_PORT \
-s $LAN_NET -m state --state NEW -j ACCEPT
# This is so that LAN clients can ping you:
$IPT -A INPUT -p ICMP -i $LAN_IFACE --icmp-type 8 \
-s $LAN_NET -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# This is for FTP (in case you don't wanna do it through Squid):
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
--dport 21 -m state --state NEW -j ACCEPT
# This is for POP3:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
--dport 110 -m state --state NEW -j ACCEPT
# This is for DNS:
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-d $DNS1 --dport 53 -m state --state NEW -j ACCEPT
# This is for DNS:
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-d $DNS2 --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
# Negation goes before the option ("! -d"); the older "-d ! ..." form is deprecated.
$IPT -t nat -A PREROUTING -p TCP -i $LAN_IFACE -s $LAN_NET --dport 80 \
! -d $LAN_IP -j REDIRECT --to-ports $SQUID_PORT
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
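The same default-deny gateway, collected into one script as an added example; this is not win32sux's script and not from the thread. It keeps the points the thread arrived at (FORWARD policy DROP with no rule for 80 or 443, so the browser "No proxy for" setting leads nowhere; port 80 from the LAN redirected to Squid; FTP and POP3 allowed through NAT) and goes beyond them in two ways a practitioner on a current kernel needs: the FTP conntrack helper is bound explicitly in the raw table, because automatic helper assignment has been off by default since kernel 4.7, and the script prints its commands as a dry run unless invoked with "apply", so the rule set can be reviewed before it touches the box. Interface names, addresses, the OpenDNS resolvers and the Squid ports are assumptions; the intercept port 3129 assumes a second http_port in squid.conf marked intercept (or transparent on Squid 2.6 to 3.0).

```shell
#!/bin/sh
# Added example, not win32sux's script: default-deny LAN gateway in front of
# Squid. Run with no argument to print the iptables commands (dry run); run
# with "apply" as root to execute them. All names and addresses are assumed.
set -u

IPT="${IPT:-/sbin/iptables}"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
LAN_IP="192.168.1.1"
WAN_IFACE="eth1"
DNS1="208.67.222.222"
DNS2="208.67.220.220"
SQUID_PORT="3128"      # explicit proxy port configured in the browsers
INTERCEPT_PORT="3129"  # second http_port in squid.conf marked intercept/transparent
APPLY="${APPLY:-0}"

# Print the command in dry-run mode, execute it in apply mode.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$@"; fi
}

reset_tables() {
    for t in filter nat mangle raw; do
        run $IPT -t "$t" -F
        run $IPT -t "$t" -X
    done
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT
}

input_rules() {
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Both Squid ports are reachable from the LAN side only.
    run $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$SQUID_PORT,$INTERCEPT_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    run $IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
}

forward_rules() {
    run $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Explicit LAN -> WAN allow list. Deliberately no 80 and no 443: a browser
    # with "No proxy for ..." filled in is logged and dropped here, and HTTPS
    # only works as a CONNECT through the explicit proxy port.
    for port in 21 110; do
        run $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    for dns in "$DNS1" "$DNS2"; do
        run $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
            -d "$dns" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    run $IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
}

ftp_helper() {
    # The FTP data channel (port 20 in active mode, a high port in passive
    # mode) only matches RELATED when the ftp helper has parsed the control
    # channel. Kernels since 4.7 no longer attach helpers automatically, so
    # bind it explicitly; nf_nat_ftp rewrites PORT/PASV behind the masquerade.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    run $IPT -t raw -A PREROUTING -i "$LAN_IFACE" -s "$LAN_NET" \
        -p tcp --dport 21 -j CT --helper ftp
}

nat_rules() {
    # Port 80 from the LAN, unless aimed at the gateway itself, is handed to
    # Squid's intercept port; whatever FORWARD allows is masqueraded on the WAN.
    run $IPT -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN_NET" ! -d "$LAN_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"
    run $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
}

main() {
    run sysctl -w net.ipv4.ip_forward=1
    reset_tables
    input_rules
    forward_rules
    ftp_helper
    nat_rules
}

case "${1:-}" in
    apply) APPLY=1 ;;
esac
main
```

To confirm the bypass is closed, test from a LAN client rather than from the gateway: curl --noproxy '*' http://example.com/ is still answered (the REDIRECT hands it to Squid, and Squid's access log shows it), curl --noproxy '*' https://example.com/ hangs and appears as a "FORWARD DROP:" line in the gateway's kernel log, and curl -x http://192.168.1.1:3128 https://example.com/ succeeds because it goes out as a CONNECT through the explicit port, where Squid's http_access rules still apply.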
No, actually previously I was thinking I should redirect port 80 to the Squid port with the REDIRECT parameter, and with the concept of PREROUTING I used DNAT. But now I am getting a different concept of the above rules, because I wasn't familiar with IPTABLES connection tracking rules. Could you please tell me what the actual negative side of my DNAT rule is, and whether it can create some problem?
Now I am thinking of it differently. According to the posts/discussion till now, it has the ability to make a mapping between port 80 and Squid. At the same time, if I want internet users to be able to browse an internal web server or access any internal server like mail etc., where there are existing internal Squid or other firewalling rules, then how will I match both rules?
Is it like this: "$IPT -A INPUT -p TCP -i $WAN_IFACE --dport $LAN_PORT -s 0/0 -m state --state NEW -j ACCEPT", or maybe adding some redirection rule along with this? If this rule is really bad or foolish, then I request you to correct me.