Squid Proxy as a Firewall?
I'm going to give this linux firewall thing a shot again. I tried the first time with guarddog and I could never get it to work with just that. However, I heard somewhere that you can set up a squid proxy to act as a gateway for all traffic so that the firewall will be effective. I set up squid recently. I could just never get it to work. Does anyone have any ideas? Thanks
Thanks for the reply. I'm trying to put a linux box outside of my network that is running Mepis with Guarddog firewall and have it act as a multi-purpose firewall, proxy server, music server, and game server. It is a very new computer and it isn't having trouble with these tasks so it should be fine. I just can't get it configured correctly so that it will route all of the data through one NIC, filter it with Guarddog firewall, and put it out the other NIC into a Buffalo router/access point. I tried setting it up before without squid but I just never could get it to work. I just need basic step-by-step instructions on how to do this.
Cable modem - Linux Guarddog Firewall/server (with Squid) - Access Point/Router - internal network. This has been a big headache for me so any help would be greatly appreciated. Thanks. :) |
does mepis come with a squid package?? if so, you're halfway there... as for the firewall/router functionality, keep in mind that guarddog is only a front-end to iptables, and as such it isn't really needed if you use a proper iptables script (i can provide you with one)... what people that want to use squid and a firewall/router usually do is they set-up squid to work in transparent proxy mode... this way, users on your LAN do not need to make any configurations on their box - their web traffic will be sent through squid transparently... okay, so basically there's two things you need in order to get your project started: 1) you need to have squid already installed (don't worry about configuration yet)... 2) you need to have iptables installed (you already have this, cuz if not then guarddog wouldn't work)... please confirm the first point... if i remember correctly, mepis is debian-based, so i would assume a squid package for it is readily available... once you have those two things, then it's just a matter of: - using an iptables script (i will give this to you) to configure the firewall... and - configuring squid (it's done by editing the squid.conf file)... i can walk you through both... BTW, yeah, i can also give you a squid.conf to get you started... but let's take it one step at a time... the first step is to get your router/firewall functionality properly set-up... what i would need from you to help you out is the names of the network interfaces on the mepis box (the box which will be used as the gateway)... tell me which interface is the one that plugs into your LAN (and DMZ etc. if you have more than two interfaces) and which one plugs into the WAN (Internet, or in this case the one that plugs into your buffalo)... for example, your WAN interface might be eth0 while your LAN one is eth1... oh, and if you can explain your IP configuration (on both mepis and buffalo) it would also be of great help... |
I have already installed Squid in regular mode since it came with the Ubuntu packages (Mepis is based on Ubuntu).
The interfaces are eth0 (wan) to plug into the cable modem and eth1 (lan) to go to the Buffalo. I have also configured the Buffalo to run as a DNS server as well as a dhcp server. Thanks for the help though, I didn't know that you could just use a script. :) EDIT: If it will not function outside of the lan (i.e. plugged directly into the modem) then that is fine as well. I don't mind running it inside the Buffalo. |
sorry for the delay, school's been terrible... =/
okay, here's a simple iptables script that should work for you...
Code:
#!/bin/sh
make sure you have forwarding enabled in your /etc/sysctl.conf file:
Code:
net/ipv4/ip_forward=1
Code:
net/ipv4/conf/all/rp_filter=1
Code:
sysctl -p
PS: i'd remove/uninstall guarddog before doing this if i was you... |
I will check this ASAP. I just have a few questions before hand. Do you just use the run command to execute the iptables script? Also, will this let ports 27015, the vpn port, and port 8080 through to the internet? Thanks.
EDIT: I hate school too. AP world history. :( |
Code:
./firewall-script.txt
Code:
chmod a+x firewall-script.txt
Code:
sh firewall-script.txt
Thanks for your concern. I think I may have isolated the problem however. I think that the network card (which is rather old and has been lying on my desk for months) has croaked. This is probably why I've been having so many problems configuring it. See, I tried using the iptables script, but even though it said that my card was active, computers on the lan were unable to acquire an ip address. I will buy a new nic and try it again. :)
Thanks |
Code:
ifconfig
route -n
cat /etc/resolv.conf
iptables -L -n -v
cat /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/conf/all/rp_filter |
Sorry for the delay, but this is becoming such a pain that I guess I will just revert to an old router to block specific ports (which has many more options than my newer one). I will probably get back to a firewall on linux so don't worry, I will still use your advice. It's just that I recently unearthed this D-link router that can be setup to restrict access to any number of ports and applications, which is what this will do on linux anyway. Right?
about the linksys: i know it lets you restrict incoming connections, but i'm not sure if it lets you restrict outgoing connections (it might)... in fact, i'm not even sure which type of connections you are trying to restrict, since saying you want to "block specific ports" is kinda vague when we are talking about routing... =/ in any case, a linksys router will be nowhere near as flexible and/or powerful as a properly configured x86 linux box - but perhaps it does in fact do everything that you need it to do... i wish you the best with whatever you choose, and i'm here to help you either way... good luck... |
Win32sux, all I wish to do is to make my network secure by blocking all ports coming in (and maybe out as well) except TCP port 27015, 80, 53, and 8080. I will try to check your commands. I really do appreciate your help. It's very hard to find anyone online who is as helpful as you.
The buffalo is running a DHCP server which is designed to assign addresses from 192.168.2.2-192.168.2.20. |
eth0 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18718190 errors:3 dropped:0 overruns:0 frame:3
TX packets:15079321 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2556164663 (2.3 GiB) TX bytes:1172776624 (1.0 GiB)
Interrupt:225

eth1 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.2.15 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:50 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:159953 errors:0 dropped:0 overruns:0 frame:0
TX packets:159953 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:838651380 (799.8 MiB) TX bytes:838651380 (799.8 MiB)

flashstar@6[~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0

flashstar@6[~]$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1

flashstar@6[~]$ iptables -L -n -v
WARNING: Failed to open config file /etc/modprobe.d/cs46xx: Permission denied
FATAL: Module ip_tables not found.
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

flashstar@6[~]$ cat /proc/sys/net/ipv4/ip_forward
0
flashstar@6[~]$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1

root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# iptables -L -n -v
Chain INPUT (policy DROP 16 packets, 2143 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 29 packets, 2689 bytes)
 pkts bytes target prot opt in out source destination
root@4[flashstar]#

This was what I got when I typed in the above mentioned codes. |
okay let's start with this:
Code:
Kernel IP routing table
once you have your IP configuration in order, the routing should work well with the iptables script i provided for you... keep in mind that this:
Code:
net/ipv4/ip_forward=1 |
hi flashstar... just wondering how this is going (or went)...
ain't heard from you for a few days... i hope all is well... =/ |
Sorry for not being on, I have been up to my eyeballs in homework. I did manage however to go back to Ubuntu, and things seem to be much more stable. I will try quickly tonight to get your script to work.
Thanks :) |
Shoot, I just realised that Ubuntu doesn't let you run as root. How do you edit sysctl.conf? Thanks
Code:
sudo vi /etc/sysctl.conf |
I tried again, only this time with Ubuntu. I created a network configuration file, applied it, set port forwarding and enabled that, and I configured the lan card for an IP address of 192.168.1.2 netmask 255.255.255.0. Still no go, I guess it really may be the network card.
could i have a look at the current output from all those previous commands??
Code:
ifconfig
route -n
cat /etc/resolv.conf
sudo iptables -L -n -v
cat /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/conf/all/rp_filter |
Here are the results:
flashstar@ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::211:95ff:fe1d:e494/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)
Interrupt:58 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:1bff:febb:73a1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2567 errors:0 dropped:0 overruns:0 frame:0
TX packets:522 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:775839 (757.6 KiB) TX bytes:124242 (121.3 KiB)
Interrupt:233 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:256 (256.0 b) TX bytes:256 (256.0 b)

flashstar@ubuntu:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1

flashstar@ubuntu:~$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1

flashstar@ubuntu:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 35 packets, 4253 bytes)
 pkts bytes target prot opt in out source destination
    2    80 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target prot opt in out source destination

flashstar@ubuntu:~$ cat /proc/sys/net/ipv4/ip_forward
1
flashstar@ubuntu:~$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1 |
everything looks great now - except this:
change this part of the script:
Code:
WAN_IFACE="eth0"
Code:
WAN_IFACE="eth1" |
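As an added example (not win32sux's script, which the thread never reproduces in full), here is a minimal gateway ruleset in the same WAN_IFACE/LAN_IFACE style. It recreates the three chains visible in the `iptables -L -n -v` output above and adds the two pieces that output cannot show: masquerading on the WAN side and the PREROUTING redirect that hands LAN port-80 traffic to a transparent Squid. The LAN subnet 192.168.1.0/24 and Squid's port 3128 are assumptions; `--apply` needs root, otherwise the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the script from the thread. Reproduces the chains seen in
# the `iptables -L -n -v` output (INPUT/FORWARD DROP, RELATED,ESTABLISHED and
# lo accepted, NEW only from LAN to WAN) and adds NAT plus the port-80 redirect
# needed for a transparent Squid. Interface names are those after the fix:
# WAN on eth1, LAN on eth0. LAN_NET and SQUID_PORT are assumptions.
WAN_IFACE="${WAN_IFACE:-eth1}"
LAN_IFACE="${LAN_IFACE:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit the rule set, one iptables argument list per line, without applying it.
build_rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IFACE -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW -j ACCEPT
-t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
EOF
}
# Only port 80 is redirected: HTTPS and everything else is forwarded unproxied,
# and the INPUT policy keeps the Squid port unreachable from the WAN side.

# The thread's mistake was both NICs on one subnet; the related one is both
# names pointing at the same interface, which makes the FORWARD rule useless.
check_ifaces() {
    [ -n "$WAN_IFACE" ] && [ -n "$LAN_IFACE" ] && [ "$WAN_IFACE" != "$LAN_IFACE" ]
}

# Apply with iptables (needs root); with --dry-run only print the commands.
apply_rules() {
    check_ifaces || { echo "WAN_IFACE and LAN_IFACE must differ" >&2; return 1; }
    build_rules | while read -r line; do
        if [ "$1" = "--dry-run" ]; then
            echo "iptables $line"
        else
            iptables $line || { echo "failed: iptables $line" >&2; exit 1; }  # unquoted on purpose
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else apply_rules --dry-run; fi
```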
flashstar@ubuntu:~/Desktop$ sudo iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1025 bytes)
 pkts bytes target prot opt in out source destination
    3   120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
 pkts bytes target prot opt in out source destination

Does this look ok? Also, for the lan card, should it have a default gateway set? |
I tried manually setting a client on the LAN side, but I could still not retrieve Google. I had the ip address set to 192.168.1.5, netmask set to 255.255.255.0, and the gateway/dns at 192.168.2.1.
I'll try it again. |
THANKS SO MUCH!!!!
I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing. Hopefully this will help everyone who tries to do the same thing as me. To get everything working perfectly though, I have a few questions. I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port. Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer. Finally, what is an easy way to get a transparent proxy to work? Thanks again. You have been the most helpful person that I have met online. |
i just have two questions: why do you need to accept incoming DNS?? are you planning to make the ubuntu box a DNS daemon for the LAN?? or is it a DNS server for the WAN?? oh, and speaking of WAN, that brings me to my next question: you need those ports enabled on the LAN side or the WAN side??
here's a dhcpd.conf file to get you started (i've pre-configured it for you):
Code:
ddns-update-style none;
Code:
#!/bin/sh |
Thanks again. I have been running the firewall on the LAN side of the Buffalo so DHCP would currently make a big difference. However, I was wondering if it would be possible to put the Linux firewall in between the Buffalo and the Internet. This would simply be easier because I could let the Buffalo continue to assign IPs and handle all the other basic parts of networking with the local windows machines.
So I don't necessarily need to have DHCP working (sorry I wasn't really thinking last night). I just need to get the proxy server up and running as a transparent proxy. Also, will plugging the Linux firewall right into the internet cause me to have to make any changes to the setup? I just need to know the IP of the main external DNS server, right? Then, setting up the transparent proxy should be easy? I'm sorry if I can't really answer the questions about the ports now until I get it all evened out. The main final goal of the firewall is to just have it as a "gateway" so that it can filter all data before it reaches the Buffalo. If I can have it do double duty as a transparent proxy server, that would be awesome as well. :) You could probably get quite popular if you combine all of your answers here into a step-by-step guide! I'm sure that a ton of people are wanting to know how to do this. |
I finally got the firewall running correctly as a "gateway" between the internet and the Buffalo. My only question now is how do you set up a transparent proxy server?
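The reply to the transparent-proxy question did not survive on this page. As an added example that is not from the thread, this is the squid.conf side of the setup, assuming Squid 2.6 or 3.x (where `transparent` on `http_port` marks an intercepting listener; 3.1 and later also accept `intercept`), the 192.168.1.0/24 LAN from the ifconfig output above, and an iptables REDIRECT of LAN port-80 traffic to port 3128 on the gateway:

```conf
# Added example, not from the thread. Assumes Squid 2.6/3.x and that iptables
# REDIRECTs LAN port-80 traffic to 3128 on the gateway box.
http_port 3128 transparent
visible_hostname gateway.lan

# Only hosts on the LAN may use the proxy; everything else is refused.
# The firewall's INPUT DROP policy additionally keeps 3128 off the WAN side.
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny !lan
```

Clients need no browser configuration for HTTP; HTTPS is not intercepted by this listener and is simply forwarded by the firewall.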
Thanks a bunch!
iptables best practice
this is the result of my internet research to collect an iptables script that can save you from attacks.
if anyone can participate to make this script better, share your comments