LinuxQuestions.org

Linux - Security forum: Squid Proxy as a Firewall? (https://www.linuxquestions.org/questions/linux-security-4/squid-proxy-as-a-firewall-477941/)

flashstar 08-27-2006 11:19 PM

Squid Proxy as a Firewall?
 
I'm going to give this linux firewall thing a shot again. I tried the first time with guarddog and I could never get it to work with just that. However I heard somewhere that you can set up a squid proxy to act as a gateway for all traffic so that the firewall will be effective. I set up squid recently. I could just never get it to work. Does anyone have any ideas? Thanks

win32sux 08-27-2006 11:23 PM

Quote:

Originally Posted by flashstar
I'm going to give this linux firewall thing a shot again. I tried the first time with guarddog and I could never get it to work with just that. However I heard somewhere that you can set up a squid proxy to act as a gateway for all traffic so that the firewall will be effective. I set up squid recently. I could just never get it to work. Does anyone have any ideas? Thanks

squid does not have any firewall or gateway functionality... however, when squid is used in conjunction with a firewall (netfilter/iptables), it can provide a great solution for your web access filtering and/or transparent proxy cache needs... what exactly is it that you are aiming to achieve??

flashstar 08-28-2006 12:04 AM

Thanks for the reply. I'm trying to put a linux box outside of my network that is running Mepis with Guarddog firewall and have it act as a multi-purpose firewall, proxy server, music server, and game server. It is a very new computer and it isn't having trouble with these tasks so it should be fine. I just can't get it configured correctly so that it will route all of the data through one NIC, filter it with Guarddog firewall, and put it out the other NIC into a Buffalo router/access point. I tried setting it up before without squid but I just never could get it to work. I just need basic step-by-step instructions on how to do this.

Cable modem - Linux Guarddog Firewall/server (with Squid) - Access Point/Router - internal network

This has been a big headache for me so any help would be greatly appreciated. Thanks. :)

win32sux 08-28-2006 12:49 AM

Quote:

Originally Posted by flashstar
Thanks for the reply. I'm trying to put a linux box outside of my network that is running Mepis with Guarddog firewall and have it act as a multi-purpose firewall, proxy server, music server, and game server. It is a very new computer and it isn't having trouble with these tasks so it should be fine. I just can't get it configured correctly so that it will route all of the data through one NIC, filter it with Guarddog firewall, and put it out the other NIC into a Buffalo router/access point. I tried setting it up before without squid but I just never could get it to work. I just need basic step-by-step instructions on how to do this.

Cable modem - Linux Guarddog Firewall/server (with Squid) - Access Point/Router - internal network

This has been a big headache for me so any help would be greatly appreciated. Thanks. :)

okay, i think i'm starting to understand where you're coming from... the only thing i'm not sure about is what exactly you want squid to do for you... most of the time people use squid to do things like URL filtering, access control, or just plain web caching (to speed things up and also save bandwidth)...

does mepis come with a squid package?? if so, you're halfway there...

as for the firewall/router functionality, keep in mind that guarddog is only a front-end to iptables, and as such it isn't really needed if you use a proper iptables script (i can provide you with one)...

what people that want to use squid and a firewall/router usually do is they set-up squid to work in transparent proxy mode... this way, users on your LAN do not need to make any configurations on their box - their web traffic will be sent through squid transparently...

okay, so basically there's two things you need in order to get your project started:

1) you need to have squid already installed (don't worry about configuration yet)...

2) you need to have iptables installed (you already have this, cuz if not then guarddog wouldn't work)...

please confirm the first point... if i remember correctly, mepis is debian-based, so i would assume a squid package for it is readily available...

once you have those two things, then it's just a matter of:

- using an iptables script (i will give this to you) to configure the firewall... and

- configuring squid (it's done by editing the squid.conf file)...

i can walk you through both... BTW, yeah, i can also give you a squid.conf to get you started...

but let's take it one step at a time... the first step is to get your router/firewall functionality properly set-up... what i would need from you to help you out is the names of the network interfaces on the mepis box (the box which will be used as the gateway)... tell me which interface is the one that plugs into your LAN (and DMZ etc. if you have more than two interfaces) and which one plugs into the WAN (Internet, or in this case the one that plugs into your buffalo)... for example, your WAN interface might be eth0 while your LAN one is eth1... oh, and if you can explain your IP configuration (on both mepis and buffalo) it would also be of great help...

flashstar 08-28-2006 07:43 AM

I have already installed Squid in regular mode since it came with the Ubuntu packages (Mepis is based on Ubuntu).
The interfaces are eth0 (wan) to plug into the cable modem and eth1 (lan) to go to the Buffalo.
I have also configured the Buffalo to run as a DNS server as well as a dhcp server.

Thanks for the help though, I didn't know that you could just use a script. :)

EDIT: If it will not function outside of the lan (ie plugged directly into the modem) then that is fine as well. I don't mind running it inside the Buffalo.

win32sux 08-28-2006 08:54 PM

sorry for the delay, school's been terrible... =/

okay, here's a simple iptables script that should work for you...
Code:

#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth0"
LAN_IFACE="eth1"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

run that on the mepis box and it should start routing properly for your LAN... once you are sure it works well it's just a matter of saving the changes... i explained how to do it for ubuntu on a previous post, let me know if you have any questions about that... my guess is that if mepis is ubuntu-based then it should be the same procedure...

make sure you have forwarding enabled in your /etc/sysctl.conf file:
Code:

net/ipv4/ip_forward=1
i also recommend having rp_filter enabled:
Code:

net/ipv4/conf/all/rp_filter=1
do this after editing sysctl.conf to activate the changes without having to reboot:
Code:

sysctl -p
let me know how it goes... good luck!!!

PS: i'd remove/uninstall guarddog before doing this if i was you...

flashstar 08-28-2006 09:22 PM

I will check this ASAP. I just have a few questions beforehand. Do you just use the run command to execute the iptables script? Also, will this let ports 27015, the vpn port, and port 8080 through to the internet? Thanks.

EDIT: I hate school too. AP world history. :(

win32sux 08-29-2006 06:44 AM

Quote:

Originally Posted by flashstar
I will check this ASAP. I just have a few questions beforehand. Do you just use the run command to execute the iptables script?

to execute the script, save it as a text file, and then execute it with a dot and a slash, like:
Code:

./firewall-script.txt
of course, you'd need to have made the file executable beforehand:
Code:

chmod a+x firewall-script.txt
another way to execute it is with the sh command (instead of the dot and the slash):
Code:

sh firewall-script.txt
Quote:

Also, will this let ports 27015, the vpn port, and port 8080 through to the internet? Thanks.
this particular script doesn't filter any outgoing connections (neither from the mepis box nor from the LAN), so it will allow outgoing connections to those ports you have mentioned... on the other hand, if what you meant was incoming connections, then a couple rules would need to be added - no big deal... let me know...

Quote:

EDIT: I hate school too. AP world history. :(
speaking of school, i'm gonna hit the shower now and be on my way to school... TTYL...

flashstar 08-29-2006 11:20 PM

Thanks for your concern. I think I may have isolated the problem however. I think that the network card (which is rather old and has been lying on my desk for months) has croaked. This is probably why I've been having so many problems configuring it. See, I tried using the ip tables script, but even though it said that my card was active, computers on the lan were unable to acquire an ip address. I will buy a new nic and try it again. :)

Thanks

win32sux 08-30-2006 06:31 AM

Quote:

Originally Posted by flashstar
computers on the lan were unable to acquire an ip address.

from the mepis box?? i thought your DHCP server was running on your buffalo, not the mepis... also, even though you're getting a new card, could you post the output of these commands on the mepis box please (after executing the script):
Code:

ifconfig
Code:

route -n
Code:

cat /etc/resolv.conf
Code:

iptables -L -n -v
Code:

cat /proc/sys/net/ipv4/ip_forward
Code:

cat /proc/sys/net/ipv4/conf/all/rp_filter
BTW, did you try doing ping tests?? cuz if you are able to ping google.com and hosts on your LAN from the mepis box then it's very unlikely that either of your cards has croaked...

flashstar 08-31-2006 05:54 PM

Sorry for the delay, but this is becoming such a pain that I guess I will just revert to an old router to block specific ports (which has many more options than my newer one). I will probably get back to a firewall on linux so don't worry, I will still use your advice. It's just that I recently unearthed this D-link router that can be setup to restrict access to any number of ports and applications, which is what this will do on linux anyway. Right?

win32sux 08-31-2006 06:04 PM

Quote:

Originally Posted by flashstar
Sorry for the delay, but this is becoming such a pain that I guess I will just revert to an old router to block specific ports (which has many more options than my newer one). I will probably get back to a firewall on linux so don't worry, I will still use your advice. It's just that I recently unearthed this D-link router that can be setup to restrict access to any number of ports and applications, which is what this will do on linux anyway. Right?

i'm willing to help you out in whatever way i can so that you can get your linux box doing exactly what you want it to do... but you haven't given me much to work with... take the commands i kindly asked for output of, for example... or when i asked you about your IP configuration... or about your DHCP server... =(

about the linksys: i know it lets you restrict incoming connections, but i'm not sure if it lets you restrict outgoing connections (it might)... in fact, i'm not even sure which type of connections you are trying to restrict, since saying you want to "block specific ports" is kinda vague when we are talking about routing... =/

in any case, a linksys router will be nowhere near as flexible and/or powerful as a properly configured x86 linux box - but perhaps it does in fact do everything that you need it to do... i wish you the best with whatever you choose, and i'm here to help you either way... good luck...

flashstar 09-04-2006 01:20 PM

Win32sux, all I wish to do is to make my network secure by blocking all ports coming in (and maybe out as well) except TCP port 27015, 80, 53, and 8080. I will try to check your commands. I really do appreciate your help. It's very hard to find anyone online who is as helpful as you.

The buffalo is running a DHCP server which is designed to assign addresses from 192.168.2.2-192.168.2.20.

flashstar 09-04-2006 01:35 PM

eth0 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18718190 errors:3 dropped:0 overruns:0 frame:3
TX packets:15079321 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2556164663 (2.3 GiB) TX bytes:1172776624 (1.0 GiB)
Interrupt:225

eth1 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.2.15 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:50 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:159953 errors:0 dropped:0 overruns:0 frame:0
TX packets:159953 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:838651380 (799.8 MiB) TX bytes:838651380 (799.8 MiB)

flashstar@6[~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
flashstar@6[~]$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1
flashstar@6[~]$ iptables -L -n -v
WARNING: Failed to open config file /etc/modprobe.d/cs46xx: Permission denied
FATAL: Module ip_tables not found.
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
flashstar@6[~]$ cat /proc/sys/net/ipv4/ip_forward
0
flashstar@6[~]$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1

root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# iptables -L -n -v
Chain INPUT (policy DROP 16 packets, 2143 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 29 packets, 2689 bytes)
pkts bytes target prot opt in out source destination
root@4[flashstar]#

This was what I got when I typed in the above mentioned codes.

win32sux 09-04-2006 09:20 PM

okay let's start with this:
Quote:

Originally Posted by flashstar
eth0 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0

Quote:

eth1 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.2.15 Bcast:192.168.2.255 Mask:255.255.255.0
you have both network cards on the same subnet... that's not good... i assume your WAN card's IP is what your ISP (or your buffalo) gives you, so leave that alone and change the IP/subnet of your LAN card instead... i suggest giving it IP 192.168.1.1 with netmask 255.255.255.0, and hence the machine(s) connected to the LAN side of your mepis router will need to use subnet 192.168.1.0/24 with gateway 192.168.1.1

Quote:

Originally Posted by flashstar
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0

you only need one gateway, on your WAN interface... so make sure you aren't doing anything funny in that regard... i suspect that once you've properly set your LAN's IP configuration, the rest will fall into place... but just to give you an illustration of what it should look like, here's the "route -n" output from my ubuntu box (i am doing NAT with a two-interface setup like yours):
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
202.70.190.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
192.168.1.0    0.0.0.0        255.255.255.0  U    0      0        0 eth0
0.0.0.0        202.70.190.1    0.0.0.0        UG    0      0        0 eth1

eth0 is my LAN interface, which has an IP of 192.168.1.1, and eth1 is my WAN interface, which is configured via DHCP (i have a cable modem) by my ISP and currently has IP 202.70.190.65... as you can see, the only gateway on my box is that which is provided by my ISP, which is 202.70.190.1 and is connected to my box via eth1...

once you have your IP configuration in order, the routing should work well with the iptables script i provided for you... keep in mind that this:
Quote:

flashstar@6[~]$ cat /proc/sys/net/ipv4/ip_forward
0
means you still haven't activated forwarding, which you must do by making sure this line is in your /etc/sysctl.conf file:
Code:

net/ipv4/ip_forward=1
make sure you re-post all those outputs after having made the appropriate changes, so we can see how you are progressing... good luck...

win32sux 09-07-2006 06:11 PM

hi flashstar... just wondering how this is going (or went)...

ain't heard from you for a few days...

i hope all is well... =/

flashstar 09-07-2006 11:41 PM

Sorry for not being on, I have been up to my eyeballs in homework. I did manage however to go back to Ubuntu, and things seem to be much more stable. I will try quickly tonight to get your script to work.

Thanks :)

flashstar 09-07-2006 11:52 PM

Shoot, I just realised that Ubuntu doesn't let you run as root. How do you edit sysctl.conf? Thanks

win32sux 09-08-2006 06:38 AM

Quote:

Originally Posted by flashstar
Shoot, I just realised that Ubuntu doesn't let you run as root. How do you edit sysctl.conf? Thanks

on ubuntu you use sudo to run commands with root privileges... so you can do it like this (as the user you set-up during the installation):
Code:

sudo vi /etc/sysctl.conf
sudo will ask you for the password of the non-root account you are using, and once you give it you'll be editing the file with vi with root power... almost anything you need to do on ubuntu as root should be done with sudo instead...

flashstar 09-08-2006 07:14 PM

I tried again, only this time with Ubuntu. I created a network configuration file, applied it, set port forwarding and enabled that, and I configured the lan card for an IP address of 192.168.1.2 netmask 255.255.255.0. Still no go, I guess it really may be the network card.

win32sux 09-08-2006 07:35 PM

could i have a look at the current output from all those previous commands??
Code:

ifconfig
Code:

route -n
Code:

cat /etc/resolv.conf
Code:

sudo iptables -L -n -v
Code:

cat /proc/sys/net/ipv4/ip_forward
Code:

cat /proc/sys/net/ipv4/conf/all/rp_filter

flashstar 09-08-2006 10:54 PM

Here are the results:

flashstar@ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::211:95ff:fe1d:e494/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)
Interrupt:58 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:1bff:febb:73a1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2567 errors:0 dropped:0 overruns:0 frame:0
TX packets:522 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:775839 (757.6 KiB) TX bytes:124242 (121.3 KiB)
Interrupt:233 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:256 (256.0 b) TX bytes:256 (256.0 b)

flashstar@ubuntu:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1

flashstar@ubuntu:~$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1

flashstar@ubuntu:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 35 packets, 4253 bytes)
pkts bytes target prot opt in out source destination
2 80 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

flashstar@ubuntu:~$ cat /proc/sys/net/ipv4/ip_forward
1

flashstar@ubuntu:~$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1

win32sux 09-08-2006 11:22 PM

everything looks great now - except this:
Quote:

Originally Posted by flashstar
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW

you have the WAN_IFACE and LAN_IFACE values inverted in the script... there's no way it would be able to work like that... i should have caught that before - my bad... =(

change this part of the script:
Code:

WAN_IFACE="eth0"
LAN_IFACE="eth1"

to this:
Code:

WAN_IFACE="eth1"
LAN_IFACE="eth0"

then re-execute the script and everything should work fine... remember that the clients on the LAN should have an IP in the 192.168.1.0/24 subnet and be configured to use 192.168.1.2 as their gateway and 192.168.2.1 as their DNS server... also, make sure they don't have any proxy configured for use...
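Two of the faults diagnosed in this thread (both NICs on the same subnet with two default routes, and the FORWARD rule for NEW connections pointing from the WAN interface into the LAN because WAN_IFACE and LAN_IFACE were inverted) can be caught mechanically from the very outputs that were requested: `route -n` and `iptables -L -n -v`. The checker below is an added example, not code from the thread or from any of its participants; the sample outputs are constructed to match the shape of the ones posted here, and the function names are my own.

```python
import re

# Constructed samples, shaped like the outputs posted in this thread.
ROUTE_BAD = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
"""
ROUTE_GOOD = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
"""
IPT_INVERTED = """\
Chain INPUT (policy DROP 35 packets, 4253 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
"""
IPT_FIXED = IPT_INVERTED.replace("eth1 eth0", "eth0 eth1")

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_routes(text):
    """Rows of `route -n` as dicts; the title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and IPV4.match(parts[0]):
            routes.append({"dest": parts[0], "gw": parts[1], "mask": parts[2],
                           "flags": parts[3], "iface": parts[7]})
    return routes


def check_routes(text):
    """Problems with the routing table; an empty list means it looks sane."""
    routes = parse_routes(text)
    problems = []
    defaults = [r for r in routes if r["dest"] == "0.0.0.0"]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default route, found {len(defaults)}")
    subnets = {}
    for r in routes:
        if r["dest"] != "0.0.0.0":
            subnets.setdefault((r["dest"], r["mask"]), set()).add(r["iface"])
    for (dest, mask), ifaces in subnets.items():
        if len(ifaces) > 1:  # two NICs on one subnet, as in the first ifconfig posted
            problems.append(f"subnet {dest}/{mask} is on more than one interface: {sorted(ifaces)}")
    return problems


def wan_interface(text):
    """The interface carrying the single default route, or None if ambiguous."""
    defaults = [r for r in parse_routes(text) if r["dest"] == "0.0.0.0"]
    return defaults[0]["iface"] if len(defaults) == 1 else None


def forward_new_rules(text):
    """(in_iface, out_iface) pairs of ACCEPT rules for state NEW in the FORWARD chain."""
    chain, rules = None, []
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        # columns: pkts bytes target prot opt in out source destination [match...]
        if chain == "FORWARD" and len(parts) >= 9 and parts[2] == "ACCEPT" and parts[-1] == "NEW":
            rules.append((parts[5], parts[6]))
    return rules


def check_forward(ipt_text, route_text):
    """Check that NEW connections are only forwarded from the LAN side to the WAN side."""
    wan = wan_interface(route_text)
    if wan is None:
        return ["cannot determine WAN interface from routing table"]
    rules = forward_new_rules(ipt_text)
    problems = [] if rules else ["no FORWARD rule accepts NEW connections"]
    for in_if, out_if in rules:
        if in_if == wan:
            problems.append(f"FORWARD NEW rule accepts {in_if} -> {out_if}: WAN/LAN look inverted")
        elif out_if != wan:
            problems.append(f"FORWARD NEW rule goes {in_if} -> {out_if}, but the default route is on {wan}")
    return problems


if __name__ == "__main__":
    for label, rt, ipt in (("before", ROUTE_BAD, IPT_INVERTED), ("after", ROUTE_GOOD, IPT_FIXED)):
        print(label, check_routes(rt) + check_forward(ipt, rt) or ["ok"])
```

Run against the two pairs of samples it reports the duplicate default route and shared subnet for the first `route -n` output, the inverted FORWARD rule once the routes are fixed, and nothing once the script's interface variables are swapped; feed it the real command outputs from the gateway to repeat the same three checks there.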

flashstar 09-09-2006 11:41 AM

flashstar@ubuntu:~/Desktop$ sudo iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1025 bytes)
pkts bytes target prot opt in out source destination
3 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination

Does this look ok?

Also, for the lan card, should it have a default gateway set?

win32sux 09-09-2006 06:16 PM

Quote:

Originally Posted by flashstar
flashstar@ubuntu:~/Desktop$ sudo iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1025 bytes)
pkts bytes target prot opt in out source destination
3 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination

Does this look ok?

Also, for the lan card, should it have a default gateway set?

looks good!!! no, the LAN card doesn't need a gateway set... the box only needs to have one gateway, on the WAN side... the route output you posted above confirms it's already properly set... now it's just a matter of making sure the IP configuration on the LAN clients is fine and you should be set... for starters, try pinging google from a client on the LAN... let me know how it goes... good luck!!!

flashstar 09-09-2006 08:25 PM

I tried manually setting a client on the LAN side, but I could still not retrieve Google. I had the ip address set to 192.168.1.5, netmask set to 255.255.255.0, and the gateway/dns at 192.168.2.1.

I'll try it again.

win32sux 09-09-2006 08:36 PM

Quote:

Originally Posted by flashstar
and the gateway/dns at 192.168.2.1.

you need to fix that... the gateway for your LAN clients is 192.168.1.2 (the IP of the LAN interface on your ubuntu box)... the DNS is fine as 192.168.2.1 (the IP of your buffalo router)...

flashstar 09-09-2006 10:25 PM

THANKS SO MUCH!!!!

I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing. Hopefully this will help everyone who tries to do the same thing as me. To get everything working perfectly though, I have a few questions.

I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port.

Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer.

Finally, what is an easy way to get a transparent proxy to work?

Thanks again. You have been the most helpful person that I have met online.

win32sux 09-10-2006 02:28 AM

Quote:

Originally Posted by flashstar
THANKS SO MUCH!!!!

you're very welcome!!!

Quote:

I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing.
yup, i had a feeling that was gonna do the trick... :)

Quote:

Hopefully this will help everyone who tries to do the same thing as me.
you can rest assured your thread will help many people...

Quote:

I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port.
you want these incoming connections on the ubuntu box?? or do you want to have the ubuntu box forward them to a box on the LAN?? let me know and i'll give you the appropriate rules...

i just have two questions: why do you need to accept incoming DNS?? are you planning to make the ubuntu box a DNS daemon for the LAN?? or is it a DNS server for the WAN?? oh, and speaking of WAN, that brings me to my next question: you need those ports enabled on the LAN side or the WAN side??

Quote:

Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer.
sounds like a good idea to me...

here's a dhcpd.conf file to get you started (i've pre-configured it for you):
Code:

ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
      option routers 192.168.1.2;
      option subnet-mask 255.255.255.0;
      option domain-name "example.net";
      option domain-name-servers 192.168.2.1;
      option broadcast-address 192.168.1.255;
      range 192.168.1.3 192.168.1.254;
      default-lease-time 43200;
      max-lease-time 86400;
      }

Quote:

Finally, what is an easy way to get a transparent proxy to work?
well, it's just a matter of getting squid up and running and then adding a couple rules to the iptables script... but i suggest you leave this for last... let's move on to the DHCP server now... you'll need to make a small addition to the script in order for DHCP to work on the LAN:
Code:

#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth1"
LAN_IFACE="eth0"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p UDP -i $LAN_IFACE \
--dport 67 --sport 68 -j ACCEPT


$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

also, let me know if you already figured-out how to make the iptables rules stick - cuz if not then they get lost upon reboot...

Quote:

Thanks again. You have been the most helpful person that I have met online.
hehe, happy to help... :)

flashstar 09-10-2006 12:41 PM

Thanks again. I have been running the firewall on the LAN side of the Buffalo so DHCP would currently make a big difference. However, I was wondering if it would be possible to put the Linux firewall in between the Buffalo and the Internet. This would simply be easier because I could let the Buffalo continue to assign IP's and handle all the other basic parts of networking with the local Windows machines.

So I don't necessarily need to have DHCP working (sorry I wasn't really thinking last night). I just need to get the proxy server up and running as a transparent proxy. Also, will plugging the Linux firewall right into the internet cause me to have to make any changes to the setup? I just need to know the ip of the main external DNS server right? Then, setting up the transparent proxy should be easy?

I'm sorry if I can't really answer the questions about the ports now until I get it all evened out.

The main final goal of the firewall is to just have it as a "gateway" so that it can filter all data before it reaches the Buffalo. If I can have it do double duty as a transparent proxy server, that would be awesome as well. :)

You could probably get quite popular if you combine all of your answers here into a step-by-step guide! I'm sure that a ton of people are wanting to know how to do this.

flashstar 09-10-2006 01:38 PM

I finally got the firewall running correctly as a "gateway" between the internet and the Buffalo. My only question now is how do you set up a transparent proxy server?

win32sux 09-11-2006 05:37 PM

Quote:

Originally Posted by flashstar
I finally got the firewall running correctly as a "gateway" between the internet and the Buffalo. My only question now is how do you set up a transparent proxy server?

okay, i'll uninstall my squid so i can start again from scratch and give you a step-by-step on how to get it going... i'll post back ASAP...

flashstar 09-11-2006 08:12 PM

Thanks a bunch!

hosneybinosman 03-26-2024 08:13 PM

iptables best practice
 
This is the result of my internet research to collect an iptables script that can protect from attacks.
If anyone can participate to make this script better,
share your comments with me.

Quote:

## 1001. IP Tables Flush Command
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
################################################################################
## 1002. default policy for each of the chains
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP
################################################################################
## 1003. Log INPUT traffic
iptables -I INPUT -j LOG --log-prefix "iptables-in: " --log-level 7
## 1004. Log FORWARD Traffic
iptables -I FORWARD -j LOG --log-prefix "iptables-fw: " --log-level 7
## 1005. Log OUTPUT Traffic
iptables -I OUTPUT -j LOG --log-prefix "iptables-out: " --log-level 7
################################################################################
## 1006. To log network activity in the NAT table execute the following commands for tracking activity in their respective chains
iptables -t nat -I PREROUTING -j LOG --log-prefix "iptables-nat-in: " --log-level 7
iptables -t nat -I POSTROUTING -j LOG --log-prefix "iptables-nat-out: " --log-level 7
################################################################################
## 1007. Open LoopBack Interface
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
################################################################################
## 1008. Allow Connections Initiated by the Machine
## Allow Connection Initiated by wireless interface
iptables --append OUTPUT --out-interface wlan0 --jump ACCEPT
## Allow Connection Initiated by wire interface
iptables --append OUTPUT --out-interface eth0 --jump ACCEPT
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
################################################################################
## 1009. Filter untrusted traffic
iptables -A INPUT --in-interface wlan0
iptables -A INPUT --in-interface eth0
################################################################################
## 1010. Block Invalid Packets
## This rule blocks all packets that are not a SYN packet and don’t belong to an established TCP connection.
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
################################################################################
## 1011. Block New Packets That Are Not SYN
## This blocks all packets that are new (don’t belong to an established connection) and don’t use the SYN flag.
## This rule is similar to the “Block Invalid Packets” one, but we found that it catches some packets that the other one doesn’t.
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
################################################################################
## 1012. Block Uncommon MSS Values
## The above iptables rule blocks new packets (only SYN packets can be new packets as per the two previous rules)
## that use a TCP MSS value that is not common. This helps to block dumb SYN floods.
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
################################################################################
## 1013. Block Packets With Bogus TCP Flags
## The below ruleset blocks packets that use bogus TCP flags, ie.
## TCP flags that legitimate packets wouldn’t use.
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
################################################################################
## Block Port Scanning
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -A INPUT -p tcp -i wlan0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i wlan0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp -i wlan0 -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i wlan0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
################################################################################
## 1014. Block Packets From Private Subnets (Spoofing)
## These rules block spoofed packets originating from private (local) subnets.
## On your public network interface you usually don’t want to receive packets from private source IPs.
## These rules assume that your loopback interface uses the 127.0.0.0/8 IP space.
## These five sets of rules alone already block many TCP-based DDoS attacks at very high packet rates.
## With the kernel settings and rules mentioned above, you’ll be able to filter ACK and SYN-ACK attacks at line rate.
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
################################################################################
## 1015. Additional Rules
## This drops all ICMP packets. ICMP is only used to ping a host to find out if it’s still alive.
## Because it’s usually not needed and only represents another vulnerability that attackers can exploit,
## we block all ICMP packets to mitigate Ping of Death (ping flood), ICMP flood and ICMP fragmentation flood.
iptables -t mangle -A PREROUTING -p icmp -j DROP
################################################################################
## 1016. This iptables rule helps against connection attacks.
## It rejects connections from hosts that have more than 80 established connections.
## If you face any issues you should raise the limit as this could cause troubles with
## legitimate clients that establish a large number of TCP connections.
iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
################################################################################
## 1017. Limits the new TCP connections that a client can establish per second.
## This can be useful against connection attacks,
## but not so much against SYN floods because they usually use an endless amount of different spoofed source IPs.
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
################################################################################
## 1018. This rule blocks fragmented packets.
## Normally you don’t need those and blocking fragments will mitigate UDP fragmentation flood.
## But most of the time UDP fragmentation floods use a high amount of bandwidth that is likely to exhaust the capacity of your network card,
## which makes this rule optional and probably not the most useful one.
iptables -t mangle -A PREROUTING -f -j DROP
################################################################################
## 1019. This limits incoming TCP RST packets to mitigate TCP RST floods.
## Effectiveness of this rule is questionable.
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
################################################################################
## 1020. Mitigating SYN Floods With SYNPROXY
## SYNPROXY is a new target of iptables that has been added in Linux kernel version 3.12 and iptables 1.4.21.
## CentOS 7 backported the feature and it’s available in its 3.10 default kernel.
## The purpose of SYNPROXY is to check whether the host that sent the SYN packet actually establishes a full TCP connection
## or just does nothing after it sent the SYN packet.
## If it does nothing, it discards the packet with minimal performance impact.
## While the iptables rules that we provided above already block most TCP-based attacks,
## the attack type that can still slip through them if sophisticated enough is a SYN flood.
## It’s important to note that the performance of the rules will always be better if we find a certain pattern or signature to block,
## such as packet length (-m length), TOS (-m tos), TTL (-m ttl) or strings and hex values (-m string and -m u32 for the more advanced users).
## But in some rare cases that’s not possible or at least not easy to achieve. So, in these cases, you can make use of SYNPROXY.
## Here are iptables SYNPROXY rules that help mitigate SYN floods that bypass our other rules:
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
################################################################################
## 1021. allow 3 way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
## 1022. DROP Spoofing packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
################################################################################
## 1023. For SMURF Attack Protection
iptables -A INPUT -p icmp --icmp-type echo-request -d 192.168.1.255 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -m u32 ! --u32 "0x6&0xFF=0x3C" -j DROP
################################################################################
## 1024. Dropping All Invalid Packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
################################################################################
## 1025. Flooding Of RST Packets, SMURF Attack Rejection
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
################################################################################
## 1026. Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
################################################################################
## 1027. Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
################################################################################
## 1028. These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
################################################################################
## 1029. Allow the following ports through from outside
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
################################################################################
## Need To Check
## 1030. Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with REJECT)
## iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
################################################################################
## Lastly reject All INPUT traffic
## iptables -A INPUT -j REJECT
################# Below are for OUTPUT iptables rules #############################################

## Allow loopback OUTPUT
## iptables -A OUTPUT -o lo -j ACCEPT
## iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the following ports through from outside
# SMTP = 25
# DNS =53
# HTTP = 80
# HTTPS = 443
# SSH = 22
### You can also add or remove port no. as per your requirement

iptables -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

## Allow pings
## iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

## Lastly Reject all Output traffic
## iptables -A OUTPUT -j REJECT

## Reject Forwarding traffic
## iptables -A FORWARD -j REJECT
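
A point worth checking in the script above is rule order in the INPUT chain. Section 1017 accepts every new TCP connection that passes a single global `-m limit` token bucket (the comment says "per client", but `-m limit` counts all packets together), and the rule right after it drops every new connection above that rate. Because both sit before the port-139 portscan trap (1028) and the port list (1029), a new connection to any port is accepted by 1017 long before those later rules are consulted, so the port whitelist never takes effect for new connections. The following Python script is an added example, not code from the post or from any project it mentions: it parses the subset of iptables syntax the script uses and walks a constructed packet through the chain first-match style, so the shadowing can be seen without root or a live firewall. Stateful matches are modelled with labelled assumptions (the `-m limit` bucket is under its rate, `--connlimit-above`, `--hashlimit-above` and `-m recent --rcheck/--update` are not triggered). The hardened variant swaps 1017 for a per-source `hashlimit` rule that drops only the excess; the hashlimit options used are real iptables options, the rule itself is my suggestion.

```python
"""First-match walk through an iptables INPUT chain (added example, not from the post).
Models only the iptables syntax the posted script uses. Stateful matches are labelled
assumptions: -m limit is under its rate (it matches); --connlimit-above,
--hashlimit-above and -m recent --rcheck/--update are not triggered (no match)."""
import shlex
from collections import namedtuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}          # LOG and target-less rules fall through
SKIP_ONE = {"-m", "--match", "--limit", "--limit-burst", "--log-prefix", "--log-level",
            "--reject-with", "--name", "--seconds", "--hashlimit-burst", "--hashlimit-mode",
            "--hashlimit-name"}                      # argument swallowed, no condition added
NEVER = {"--connlimit-above": 2, "--hashlimit-above": 2, "--rcheck": 1, "--update": 1}
SKIP_ZERO = {"--set", "--remove"}

Packet = namedtuple("Packet", "proto dport ctstate")

def parse_rule(line):
    """Return (chain, inserted_at_head, [(predicate, negated)], target) for one command."""
    toks = shlex.split(line)[1:]                     # drop the leading "iptables"
    chain, insert, target, conds, negate, i = None, False, None, [], False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                                 # "!" negates the option that follows
            negate, i = True, i + 1
            continue
        neg, negate = negate, False
        add = lambda pred, neg=neg: conds.append((pred, neg))
        arg = toks[i + 1] if i + 1 < len(toks) else None
        used = 2                                     # most options take one argument
        if t in ("-A", "--append", "-I", "--insert"):
            chain, insert = arg, t in ("-I", "--insert")
        elif t in ("-j", "--jump"):
            target = arg
        elif t in ("-p", "--protocol"):
            add(lambda p, v=arg: p.proto == v)
        elif t == "--dport":
            add(lambda p, v=int(arg): p.dport == v)
        elif t in ("--state", "--ctstate"):
            add(lambda p, v=set(arg.split(",")): p.ctstate in v)
        elif t in NEVER:                             # assumed not triggered (see docstring)
            add(lambda p: False)
            used = NEVER[t]
        elif t in SKIP_ZERO:
            used = 1
        elif t not in SKIP_ONE:
            raise ValueError(f"unsupported option {t!r} in: {line}")
        i += used
    return chain, insert, conds, target

def build_chain(lines, chain="INPUT"):
    """Apply the commands in order; return (rules, policy) for one chain."""
    rules, policy = [], "ACCEPT"
    for line in lines:
        toks = shlex.split(line)
        if toks[1] in ("-P", "--policy"):
            policy = toks[3] if toks[2] == chain else policy
            continue
        c, insert, conds, target = parse_rule(line)
        if c == chain:
            rules.insert(0 if insert else len(rules), (line, conds, target))
    return rules, policy

def walk(packet, rules, policy):
    """Return (verdict, rule_text) from the first terminating match, else the chain policy."""
    for text, conds, target in rules:
        if target in TERMINATING and all(pred(packet) != neg for pred, neg in conds):
            return target, text
    return policy, f"policy {policy}"

# Constructed excerpt of the posted script's filter-table INPUT rules, in the order the
# script issues them (from sections 1002, 1003, 1008, 1016, 1017, 1026-1029).
POSTED = [
    "iptables --policy INPUT DROP",
    'iptables -I INPUT -j LOG --log-prefix "iptables-in: " --log-level 7',
    "iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT",
    "iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset",
    "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT",
    "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP",
    "iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP",
    "iptables -A INPUT -m recent --name portscan --remove",
    'iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"',
    "iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP",
    "iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
]
# Same chain with section 1017 swapped for a per-source hashlimit that drops only the
# excess, so later rules are still reached (these hashlimit options exist in iptables).
HARDENED = POSTED[:4] + [
    "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 60/s "
    "--hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name newconn -j DROP",
] + POSTED[6:]

def verdict(lines, dport):
    """Trace a constructed new TCP SYN (first packet of a connection) to dport."""
    rules, policy = build_chain(lines)
    return walk(Packet("tcp", dport, "NEW"), rules, policy)
```

With the posted order, `verdict(POSTED, 139)` and `verdict(POSTED, 8080)` both come back as ACCEPT from the `-m limit` rule, so the portscan trap and the port list are never reached for new connections. With the hashlimit variant, port 139 hits the portscan DROP, port 22 reaches its ACCEPT, and an unlisted port falls through to the chain policy. The model deliberately ignores the mangle and raw tables and the `-m recent` bookkeeping; it answers one question only, which rule a given packet terminates on.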

