04-15-2012, 09:46 AM
Muhammad Yousuf Khan

Squid as default gateway in proxy mode.

On Sat, Apr 14, 2012 at 3:40 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>
> Hello,
>
> > Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
> >
> >> Now the problem part is I want to ping an outside host to verify the
> >> connectivity of the internet; for that, all the time I have to open the SSH
> >> console and ping. But what I want is, I should also be able to ping it from
> >> the host computers as well. However, I don't want to NAT all the traffic
> >> coming from inside and going outside. Rather, what I want is just to
> >> NAT only ICMP Echo Rep and Req so that I can at least ping an outside
> >> host without SSH to the Squid console, which is very bothering.
>
> As Joe wrote, this is not the right way to do things. See below.
>
> >> My network diagram is very simple
> >>
> >> <Squid Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP Router>
> >>        I
> >>        I
> >>   eth1(192.168.1.1)
> >>        I
> >>        I
> >>   (local network 192.168.1.0/24)
> >>
> >> And why am I using Squid as a gateway? Because I just want to minimize
> >> unwanted nodes that need to be monitored all the time and have better
> >> control over traffic with an iptables firewall. I am using this line to
> >> NAT very specific ports to allow certain facilities like email,
> >> remote desktop and stuff, and this is working for me.
> >>
> >> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
>
> This is not the right way to do things. NAT is not intended for
> filtering. By not masquerading outgoing traffic, you just let packets go
> out with their original source address instead of dropping them. You
> just rely on the ISP router not knowing how to handle the original
> source address. This is wrong.
>
> The right way is to only accept specific traffic through your router, and then
> NAT all traffic that was allowed to go out. Ok, it is a bit more
> complicated.
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t filter -P FORWARD DROP
> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
>     -j ACCEPT
> iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
>     -p tcp --dport 110 -j ACCEPT
>
> >> Now I am stuck on allowing the ping traffic. Please help.
>
> iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request \
>     -j ACCEPT


Thanks, I'll try this line on Monday, since this is a weekend. I'll let
you know the results though.
>
> Joe wrote:
> > only TCP and UDP have 'ports'
>
> No. ICMP does not have ports, but other protocols such as SCTP and DCCP
> have ports too.
>
I know ICMP doesn't have ports and it is a layer 4 proto, but if it
worked on ports then I wouldn't have asked this question here.
Secondly, the concern that this is not the right approach: I know that
this is not a way of blocking stuff. I should have dropped the traffic
one by one after opening all the traffic. I know in other words we
are talking about a "Transparent" proxy, but the biggest problem of a
transparent proxy for me is that I can not block particular domains on
port 443 (HTTPS) like Twitter, Facebook and stuff which support
HTTPS, and my management is very strict about the use of social
networking in office hours. So that was the reason I didn't use a
transparent proxy. If there is any solution or suggestion, please
share.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAGWVfMmeNoi5s6YJ_bokQdFMa4LEs9nKAQ4Lzn9q5nV-14G90w@mail.gmail.com
 
04-15-2012, 11:49 AM
Pascal Hambourg

Squid as default gateway in proxy mode.

Muhammad Yousuf Khan wrote:
>
> I know ICMP doesn't have ports and it is a layer 4 proto.

ICMP is transported on top of IP which is a layer 3 (network) protocol,
but that does not make it a layer 4 protocol. ICMP provides services
that are part of the IP protocol, so it is rather a layer 3 protocol.

> Secondly, the concern that this is not the right approach. I know that
> this is not a way of blocking stuff. I should have dropped the traffic
> one by one after opening all the traffic.

Rather the other way around: you should accept specific traffic and
block everything else by default.

> I know in other words we are talking about "Transparent" proxy.

No, this is packet filtering and has nothing to do with transparent proxy.


Archive: http://lists.debian.org/4F8AB5BB.2050802@plouf.fr.eu.org
 
04-15-2012, 02:05 PM
Muhammad Yousuf Khan

Squid as default gateway in proxy mode.

On Sun, Apr 15, 2012 at 4:49 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> Muhammad Yousuf Khan wrote:
>>
>> I know ICMP doesn't have ports and it is a layer 4 proto.
>
> ICMP is transported on top of IP which is a layer 3 (network) protocol,
> but that does not make it a layer 4 protocol. ICMP provides services
> that are part of the IP protocol, so it is rather a layer 3 protocol.
>
>> Secondly, the concern that this is not the right approach. I know that
>> this is not a way of blocking stuff. I should have dropped the traffic
>> one by one after opening all the traffic.
>
> Rather the other way around: you should accept specific traffic and
> block everything else by default.
>
>> I know in other words we are talking about "Transparent" proxy.
>
> No, this is packet filtering and has nothing to do with transparent proxy.

Did you mean this?


1. PAT all the traffic by iptables
2. Block everything
3. Accept only specific traffic
4. On port 80 Squid will be acting as a proxy.


If it is what you mean, can you please give me just a few-liner script
in which I will PAT all the traffic and then block everything and
accept only particular ones, like port 110, 25, 80, etc.


Thanks,


Archive: http://lists.debian.org/CAGWVfMnZOZ6uajuQjqa7WM_1z6xCwk8dxnFP8sqn7e9GPbBKig@mail.gmail.com
 
04-15-2012, 07:01 PM
Pascal Hambourg

Squid as default gateway in proxy mode.

Muhammad Yousuf Khan wrote:
>
> Did you mean this?
>
> 1. PAT all the traffic by iptables

Not PAT, NAT. And specifically source NAT (SNAT or MASQUERADE).

> 2. Block everything
> 3. Accept only specific traffic
> 4. On port 80 Squid will be acting as a proxy.

Yes.

> If it is what you mean, can you please give me just a few-liner script
> in which I will PAT all the traffic and then block everything and
> accept only particular ones, like port 110, 25, 80, etc.

I already did in my first reply to this thread.


Archive: http://lists.debian.org/4F8B1B14.8050502@plouf.fr.eu.org
 
04-15-2012, 09:04 PM
Joe

Squid as default gateway in proxy mode.

On Sun, 15 Apr 2012 19:05:24 +0500
Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:

> 4, on port 80 Squid will be acting as a proxy.
>
>

Yes, this is the meaning of 'transparent' in terms of a proxy. It means
that the web browsers don't have to be set to a specific port, when
users who know a bit more can use a different browser and get around
the proxy. If it runs on port 80 then it intercepts any http traffic
without the user even being aware of it, hence 'transparent'. It needs
a line or two in the iptables script to work, since the proxy actually
runs on a different port and needs redirection.

--
Joe


Archive: http://lists.debian.org/20120415220445.67715a14@jretrading.com
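The default-deny forwarding ruleset Pascal gives in the first message of this thread and the port-80 redirect Joe describes just above, pulled together into one script as an added example; this is not code from the thread or from the Squid project. It assumes the addressing from the network diagram (eth0 towards the ISP router, eth1 towards 192.168.1.0/24), Squid listening on its default port 3128, and an allowed outbound TCP port list of 25, 110 and 443 (port 80 is handled by Squid); the variables at the top are assumptions to adjust for another layout. Without arguments it only prints the rules so they can be reviewed; `--apply` installs them and must run as root.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny forwarding with stateful
# accepts, outbound ping, a transparent redirect of port 80 to Squid, and
# masquerading of whatever the filter let through.
# Assumed values, taken from the diagram in the thread or Squid's default port:
WAN="${WAN:-eth0}"                       # interface towards the ISP router
LAN="${LAN:-eth1}"                       # interface towards the office LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # the local network behind eth1
SQUID_PORT="${SQUID_PORT:-3128}"         # Squid's default listening port
ALLOWED_TCP="${ALLOWED_TCP:-25 110 443}" # outbound TCP ports allowed directly

# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_rules() {
    # Start from a clean slate in the filter and nat tables.
    $IPT -F
    $IPT -t nat -F

    # Default-deny: nothing is forwarded unless a rule below accepts it.
    $IPT -P FORWARD DROP

    # Replies (and related traffic such as ICMP errors) for accepted connections.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound TCP connections from the LAN, one allowed port at a time.
    for port in $ALLOWED_TCP; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Outbound ping: only echo-request needs a rule, the reply is ESTABLISHED.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -p icmp --icmp-type echo-request -j ACCEPT

    # Transparent proxy: divert LAN port-80 traffic to Squid on this box.
    # REDIRECT runs in PREROUTING, so this traffic never reaches FORWARD.
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # Masquerade what FORWARD let through. The nat table only sees the first
    # packet of a connection, after filtering, so dropped traffic is never NATed.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Number of iptables commands a dry run emits; a quick sanity check.
count_rules() {
    ( IPT="echo iptables"; apply_rules ) | wc -l | tr -d ' '
}

# No argument: print the rules for review. --apply: install them (as root).
case "${1:-}" in
    --apply) apply_rules ;;
    "")      ( IPT="echo iptables"; apply_rules ) ;;
esac
```

The ordering works because of where each table sits on the packet path: REDIRECT in nat/PREROUTING terminates proxied web traffic locally before FORWARD is consulted, and MASQUERADE in nat/POSTROUTING is evaluated only for the first packet of a connection that FORWARD has already accepted, which is the "filter first, then NAT what was allowed" order Pascal describes.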
 
04-20-2012, 03:56 PM
Muhammad Yousuf Khan

Squid as default gateway in proxy mode.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
OK, it worked after one restart. I don't know what the problem was, but it
worked. But it still didn't drop the connections with this command; I can
still SSH and even send and receive email:
iptables -t filter -P FORWARD DROP

as shared, so I can open all the ports one by one.

Thanks


On Fri, Apr 20, 2012 at 8:15 PM, Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
> On Sat, Apr 14, 2012 at 3:40 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>> Hello,
>>
>>> Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
>>>
>>>> Now the problem part is I want to ping an outside host to verify the
>>>> connectivity of the internet; for that, all the time I have to open the SSH
>>>> console and ping. But what I want is, I should also be able to ping it from
>>>> the host computers as well. However, I don't want to NAT all the traffic
>>>> coming from inside and going outside. Rather, what I want is just to
>>>> NAT only ICMP Echo Rep and Req so that I can at least ping an outside
>>>> host without SSH to the Squid console, which is very bothering.
>>
>> As Joe wrote, this is not the right way to do things. See below.
>>
>>>> My network diagram is very simple
>>>>
>>>> <Squid Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP Router>
>>>>        I
>>>>        I
>>>>   eth1(192.168.1.1)
>>>>        I
>>>>        I
>>>>   (local network 192.168.1.0/24)
>>>>
>>>> And why am I using Squid as a gateway? Because I just want to minimize
>>>> unwanted nodes that need to be monitored all the time and have better
>>>> control over traffic with an iptables firewall. I am using this line to
>>>> NAT very specific ports to allow certain facilities like email,
>>>> remote desktop and stuff, and this is working for me.
>>>>
>>>> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
>>
>> This is not the right way to do things. NAT is not intended for
>> filtering. By not masquerading outgoing traffic, you just let packets go
>> out with their original source address instead of dropping them. You
>> just rely on the ISP router not knowing how to handle the original
>> source address. This is wrong.
>>
>> The right way is to only accept specific traffic through your router, and then
>> NAT all traffic that was allowed to go out. Ok, it is a bit more
>> complicated.
>>
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -t filter -P FORWARD DROP
>> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
>>     -j ACCEPT
>> iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
>>     -p tcp --dport 110 -j ACCEPT
>>
> Sorry for the late response, but I was stuck in some other tasks.
> Now it's my time to hit my head against the wall: I tried every single
> configuration on the internet, but I can not reach nor ping the
> destination with the example below. Even fwbuilder is also generating the
> same script, but it's not working.
> However, my outside interface was eth1 and inside eth0, so I replaced my
> settings accordingly, but it doesn't work either.
> Please share.
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> I checked several websites telling me the same thing, but I can not
> ping the outside destination 8.8.4.4, which is Google DNS. I am lost;
> kindly help.
>
>
>
>>>> Now I am stuck on allowing the ping traffic. Please help.
>>
>> iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request \
>>     -j ACCEPT
>>
>> Joe wrote:
>>> only TCP and UDP have 'ports'
>>
>> No. ICMP does not have ports, but other protocols such as SCTP and DCCP
>> have ports too.
>>


Archive: http://lists.debian.org/CAGWVfM=zeBd0QLwPQmcSmvEzm8JDuUu1mswfW1ZDfuuF+7KAQg@mail.gmail.com
 
