Squid Proxy as a Firewall?
I'm going to give this linux firewall thing a shot again. I tried the first time with guarddog and I could never get it to work with just that. However, I heard somewhere that you can set up a squid proxy to act as a gateway for all traffic so that the firewall will be effective. I set up squid recently. I could just never get it to work. Does anyone have any ideas? Thanks
Thanks for the reply. I'm trying to put a linux box outside of my network that is running Mepis with Guarddog firewall and have it act as a multi-purpose firewall, proxy server, music server, and game server. It is a very new computer and it isn't having trouble with these tasks so it should be fine. I just can't get it configured correctly so that it will route all of the data through one NIC, filter it with Guarddog firewall, and put it out the other NIC into a Buffalo router/access point. I tried setting it up before without squid but I just never could get it to work. I just need basic step-by-step instructions on how to do this.
Cable modem - Linux Guarddog Firewall/server (with Squid) - Access Point/Router - internal network
This has been a big headache for me so any help would be greatly appreciated. Thanks. :)
does mepis come with a squid package?? if so, you're halfway there... as for the firewall/router functionality, keep in mind that guarddog is only a front-end to iptables, and as such it isn't really needed if you use a proper iptables script (i can provide you with one)... what people that want to use squid and a firewall/router usually do is they set up squid to work in transparent proxy mode... this way, users on your LAN do not need to make any configurations on their box - their web traffic will be sent through squid transparently...
okay, so basically there are two things you need in order to get your project started:
1) you need to have squid already installed (don't worry about configuration yet)...
2) you need to have iptables installed (you already have this, cuz if not then guarddog wouldn't work)...
please confirm the first point... if i remember correctly, mepis is debian-based, so i would assume a squid package for it is readily available... once you have those two things, then it's just a matter of:
- using an iptables script (i will give this to you) to configure the firewall... and
- configuring squid (it's done by editing the squid.conf file)...
i can walk you through both... BTW, yeah, i can also give you a squid.conf to get you started... but let's take it one step at a time... the first step is to get your router/firewall functionality properly set up... what i would need from you to help you out is the names of the network interfaces on the mepis box (the box which will be used as the gateway)... tell me which interface is the one that plugs into your LAN (and DMZ etc. if you have more than two interfaces) and which one plugs into the WAN (Internet, or in this case the one that plugs into your buffalo)... for example, your WAN interface might be eth0 while your LAN one is eth1... oh, and if you can explain your IP configuration (on both mepis and buffalo) it would also be of great help...
I have already installed Squid in regular mode since it came with the Ubuntu packages (Mepis is based on Ubuntu).
The interfaces are eth0 (wan) to plug into the cable modem and eth1 (lan) to go to the Buffalo. I have also configured the Buffalo to run as a DNS server as well as a DHCP server. Thanks for the help though, I didn't know that you could just use a script. :)
EDIT: If it will not function outside of the lan (ie plugged directly into the modem) then that is fine as well. I don't mind running it inside the Buffalo.
sorry for the delay, school's been terrible... =/
okay, here's a simple iptables script that should work for you...
Code:
#!/bin/sh
make sure you have forwarding enabled in your /etc/sysctl.conf file:
Code:
net/ipv4/ip_forward=1
Code:
net/ipv4/conf/all/rp_filter=1
Code:
sysctl -p
PS: i'd remove/uninstall guarddog before doing this if i was you...
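The script itself did not survive in the thread (only its "#!/bin/sh" line is left), so here is an added example of a two-NIC gateway rule set in the same shape that the "iptables -L -n -v" output later in the thread shows: INPUT and FORWARD default to DROP, RELATED,ESTABLISHED and loopback are accepted, and only the LAN may open NEW connections towards the WAN. It is not win32sux's script. The NAT masquerade, the transparent redirect of LAN port 80 into squid, the squid port 3128, the "echo 1 > ip_forward" line and the per-port allow-list (the TCP ports the OP asks for further down, plus UDP 53 because DNS normally runs over UDP) are all assumptions added here. The generator prints the rules instead of applying them, so they can be reviewed, saved, or tested without root; "apply" loads them.

```shell
#!/bin/sh
# Added example for this thread, not win32sux's script. WAN (cable modem) on
# eth0, LAN (Buffalo side) on eth1, as the OP described. Everything beyond
# the filter-chain layout seen in the thread is an assumption (see lead-in).
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"              # assumption: squid default http_port
# Ports allowed to leave the LAN. The TCP list is the OP's; UDP 53 is an
# addition because DNS lookups normally use UDP.
TCP_PORTS="${TCP_PORTS:-27015 80 53 8080}"
UDP_PORTS="${UDP_PORTS:-53}"

# Emit the rule set as plain iptables commands, one per line, rather than
# running them. Reviewing a rule list before loading it is the cheapest
# check there is, and it lets a non-root user test the generator.
build_rules() {
    wan="$1"; lan="$2"; squid="$3"; tcp="$4"; udp="$5"

    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport $squid -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # Only the allow-listed ports may open NEW connections from LAN to WAN;
    # everything else from the LAN hits the FORWARD DROP policy.
    for p in $tcp; do
        echo "iptables -A FORWARD -i $lan -o $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp; do
        echo "iptables -A FORWARD -i $lan -o $wan -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Transparent proxy: LAN web traffic is redirected into squid before
    # routing, so it never reaches FORWARD; squid then fetches it itself.
    # squid.conf needs "http_port $squid transparent" (squid 2.6/3.0) or
    # "http_port $squid intercept" (3.1+) for this to work.
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $squid
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Usage: sh gateway-rules.sh          -> print the rules for review
#        sh gateway-rules.sh apply    -> load them (root only)
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    build_rules "$WAN" "$LAN" "$SQUID_PORT" "$TCP_PORTS" "$UDP_PORTS" | sh -e
else
    build_rules "$WAN" "$LAN" "$SQUID_PORT" "$TCP_PORTS" "$UDP_PORTS"
fi
```

Because the allow-list is enforced in FORWARD, traffic the gateway itself originates (including squid's outbound fetches) is governed by OUTPUT ACCEPT, not by the list; tighten OUTPUT too if the box is meant to be locked down as a whole.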
I will check this ASAP. I just have a few questions beforehand. Do you just use the run command to execute the iptables script? Also, will this let ports 27015, the vpn port, and port 8080 through to the internet? Thanks.
EDIT: I hate school too. AP world history. :(
Code:
./firewall-script.txt
Code:
chmod a+x firewall-script.txt
Code:
sh firewall-script.txt
Thanks for your concern. I think I may have isolated the problem however. I think that the network card (which is rather old and has been lying on my desk for months) has croaked. This is probably why I've been having so many problems configuring it. See, I tried using the iptables script, but even though it said that my card was active, computers on the lan were unable to acquire an ip address. I will buy a new nic and try it again. :)
Thanks
Code:
ifconfig
Code:
route -n
Code:
cat /etc/resolv.conf
Code:
iptables -L -n -v
Code:
cat /proc/sys/net/ipv4/ip_forward
Code:
cat /proc/sys/net/ipv4/conf/all/rp_filter
Sorry for the delay, but this is becoming such a pain that I guess I will just revert to an old router to block specific ports (which has many more options than my newer one). I will probably get back to a firewall on linux so don't worry, I will still use your advice. It's just that I recently unearthed this D-link router that can be setup to restrict access to any number of ports and applications, which is what this will do on linux anyway. Right?
about the linksys: i know it lets you restrict incoming connections, but i'm not sure if it lets you restrict outgoing connections (it might)... in fact, i'm not even sure which type of connections you are trying to restrict, since saying you want to "block specific ports" is kinda vague when we are talking about routing... =/ in any case, a linksys router will be nowhere near as flexible and/or powerful as a properly configured x86 linux box - but perhaps it does in fact do everything that you need it to do... i wish you the best with whatever you choose, and i'm here to help you either way... good luck...
Win32sux, all I wish to do is to make my network secure by blocking all ports coming in (and maybe out as well) except TCP port 27015, 80, 53, and 8080. I will try to check your commands. I really do appreciate your help. It's very hard to find anyone online who is as helpful as you.
The buffalo is running a DHCP server which is designed to assign addresses from 192.168.2.2-192.168.2.20.
Code:
eth0      Link encap:Ethernet  HWaddr 00:30:1B:BB:73:A1
          inet addr:192.168.2.16  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18718190 errors:3 dropped:0 overruns:0 frame:3
          TX packets:15079321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2556164663 (2.3 GiB)  TX bytes:1172776624 (1.0 GiB)
          Interrupt:225

eth1      Link encap:Ethernet  HWaddr 00:11:95:1D:E4:94
          inet addr:192.168.2.15  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:50 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:159953 errors:0 dropped:0 overruns:0 frame:0
          TX packets:159953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:838651380 (799.8 MiB)  TX bytes:838651380 (799.8 MiB)

flashstar@6[~]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

flashstar@6[~]$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1

flashstar@6[~]$ iptables -L -n -v
WARNING: Failed to open config file /etc/modprobe.d/cs46xx: Permission denied
FATAL: Module ip_tables not found.
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

flashstar@6[~]$ cat /proc/sys/net/ipv4/ip_forward
0
flashstar@6[~]$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1

root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# iptables -L -n -v
Chain INPUT (policy DROP 16 packets, 2143 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state NEW

Chain OUTPUT (policy ACCEPT 29 packets, 2689 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@4[flashstar]#
This was what I got when I typed in the above-mentioned commands.
okay let's start with this:
Quote:
Code:
Kernel IP routing table
once you have your IP configuration in order, the routing should work well with the iptables script i provided for you... keep in mind that this:
Quote:
Code:
net/ipv4/ip_forward=1
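Most of win32sux's analysis of the posted output is missing from the thread, so here is an added example (not from the thread) that reads a "route -n" table the way a reviewer would read the one the OP posted and flags the mistakes that keep a two-NIC box from routing at all: both NICs on 192.168.2.0/24, two default routes, one of them pointing out of the LAN interface, and ip_forward still at 0. The function names and the sample tables are this example's own; the first table is constructed from the OP's post, the second is a constructed "fixed" table in which 10.0.0.0/24 is a placeholder for whatever the cable modem hands eth0.

```shell
#!/bin/sh
# Added example, not from the thread: gateway routing sanity checks run over
# "route -n" output. Function names and sample data are this example's own.

# Constructed from the OP's route -n post: both NICs on 192.168.2.0/24 and
# two default routes, one of them out of the LAN interface.
BROKEN_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0'

# Constructed: the shape a gateway table should have (WAN on eth0, LAN on eth1;
# 10.0.0.0/24 is a placeholder for the modem-side subnet).
FIXED_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# stdin: route -n output. Prints the number of default routes.
count_default_routes() {
    awk '$1 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# stdin: route -n output. Prints the interface of every default route that
# does not leave via the WAN interface given as $1 (a default route via the
# LAN NIC sends Internet-bound packets straight back into the LAN).
default_routes_not_via() {
    awk -v wan="$1" '$1 == "0.0.0.0" && $8 != wan { print $8 }'
}

# stdin: route -n output. Prints every directly connected network claimed by
# more than one interface. A router needs each NIC on its own subnet: with
# two NICs on one subnet the kernel uses the first route for both, and
# rp_filter=1 (the setting recommended above) then drops packets that arrive
# on the other NIC because the reverse path does not match.
shared_subnets() {
    awk '$2 == "0.0.0.0" && $1 != "0.0.0.0" {
             key = $1 "/" $3; n[key]++; ifs[key] = ifs[key] " " $8
         }
         END { for (k in n) if (n[k] > 1) print k ":" ifs[k] }'
}

# Usage: route_problems WAN_IFACE < route-output
# Writes each finding to stderr and prints the number of findings; 0 means
# the table is shaped like a gateway.
route_problems() {
    wan="$1"; table=$(cat); problems=0
    ndef=$(printf '%s\n' "$table" | count_default_routes)
    if [ "$ndef" -ne 1 ]; then
        echo "PROBLEM: $ndef default routes, want exactly one via $wan" >&2
        problems=$((problems + 1))
    fi
    bad=$(printf '%s\n' "$table" | default_routes_not_via "$wan")
    if [ -n "$bad" ]; then
        echo "PROBLEM: default route via non-WAN interface(s): $bad" >&2
        problems=$((problems + 1))
    fi
    shared=$(printf '%s\n' "$table" | shared_subnets)
    if [ -n "$shared" ]; then
        echo "PROBLEM: interfaces sharing a subnet: $shared" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# $1: path of the ip_forward sysctl file. Succeeds only when forwarding is on.
# The OP's box showed 0, so nothing could cross it whatever iptables said.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Usage: sh gateway-check.sh        -> check the constructed samples
#        sh gateway-check.sh live   -> check this machine (needs net-tools route)
if [ "${1:-}" = "live" ]; then
    route -n | route_problems "${WAN:-eth0}"
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo "PROBLEM: ip_forward is 0" >&2
else
    printf '%s\n' "$BROKEN_ROUTES" | route_problems eth0
    printf '%s\n' "$FIXED_ROUTES" | route_problems eth0
fi
```

Run against the constructed broken table it reports three findings (two default routes, a default route via eth1, and eth0/eth1 sharing 192.168.2.0/24); against the fixed table it reports none. The same three conditions are what the firewall script above cannot fix on its own: iptables only decides whether a packet may be forwarded, and the kernel's routing table decides where, so a box whose NICs sit on one subnet has no reason to move packets between them regardless of its rules.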