
Squid as a transparent proxy without a manual proxy setting in the browser



Dear list,

I have set up a Squid and it works wonderfully. But only if I set it
manually as the proxy in the browser. Now I would like every HTTP access
to go through Squid (which listens on port 8080).

To do that - as far as I have googled - you simply redirect port 80 to
port 8080. But that doesn't work for me the way it should. I suspect this
is related to the fact that I use endoshield as my firewall script, and
when I then enter an additional iptables command it gets appended at the
end and therefore has no effect.

Can anyone tell me which command I have to enter so that all HTTP
requests are redirected to Squid's port 8080? eth0 is the local network,
eth1 is on the Internet.

I would be very grateful for a tip!

Regards, Tobias

Below is the endoshield script:
---
#
#**ENDOSHIELD 1.2**
#Written by Endo (Dave Cheeseman) cheeseman@users.sourceforge.net
#EndoShield Site - http://www.sourceforge.net/projects/endoshield

#******************************************************************************************************************************
#Configuration Part of the script - If you are unsure of any of these points, leave them as the default setting,
#changing these options can seriously affect the security of your firewall.

#Do you want to run a ipchains firewall or iptables?
#If you are unsure about this, you need to find out what kernel you are running.
#See the readme file for more information.
TYPE="iptables"

# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections.  Most cable modem users
# will probably want eth0 or possibly eth1.  When in doubt look at the command
# 'ifconfig'.
INETDEV="eth1"
 
# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients
LAN="192.168.1.0/24"
 
# Change LANDEV to the network device connected to your LAN
LANDEV="eth0"
 
# There should be no need to change this
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \  -f 1`

#Do you want other machines on the internet to be able to PING your machine?
#(If unsure, leave as no)
PING="no"

#If you selected no as the previous option, do you want the machine to log
#the dropped pings?
LOGPINGS="no"

#If you trust all data coming from your local network, put yes.
TRUST="yes"

#If you want to share this machines internet connection, put yes
#(This will provide Masquerading services for your LAN)
#Otherwise, put no
SHARE="yes"

#Is this machine connected to a Samba Network?
#If yes, over a LAN?
SAMBALAN="no"
#Or over a WAN?
SAMBAWAN="no"
#Or over both?
SAMBA="no"

#If you are running any servers on your machine, you need to specify them below,
#you also need to specify whether these servers/ports should be open to just your local
#network, or the whole world. If you answer yes to PORTNAMEPUBLIC, then the specified port
#will be open to the whole internet, if this is left to the default, which is no, but you
#have specified that you are running a server on the port, the port will only be available to
#your local lan.

#Do you run a FTP server?
FTP="no"
FTPPUBLIC="no"

#Do you run a SSH server?
SSH="yes"
SSHPUBLIC="yes"

#Do you run a telnet server?
TELNET="no"
TELNETPUBLIC="no"

#Do you run a Web server?
WEB="no"
WEBPUBLIC="no"

#Do you run a mail server?
MAIL="no"
MAILPUBLIC="no"

#Do you run identd?
IDENT="no"
IDENTPUBLIC="no"

#If you want to add any trusted hosts, that is, machines on the internet or on your local network
#which you want to fully trust (Allow all data from these machines pass through the firewall), then
#list these machines below.
TRUSTEDHOST1="131.211.28.48"
TRUSTEDHOST2="195.92.249.253"
TRUSTEDHOST3="194.159.164.195"
TRUSTEDHOST4="129.27.3.9"
TRUSTEDHOST5="1.1.1.1"

#If you want to block any hosts from accessing your machine, please list them below, these machines
#will not be able to access your machine at all, even your public access servers.
DENYHOST1="1.1.1.1"
DENYHOST2="1.1.1.1"
DENYHOST3="1.1.1.1"
DENYHOST4="1.1.1.1"
DENYHOST5="1.1.1.1"

#End of Configuration.
#************************************************************************************************************

echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""

#Set default chain policy
echo -n "Setting default chain policies..."
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo " Done!"

#Flush all chains
echo -n "Flushing chains..."
iptables  -F
iptables  -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
echo " Done!"

#Add custom chains
echo -n "Adding custom chains..."
iptables -N inet-in
iptables -N inet-out
echo " Done!"

#Set INPUT rules
echo -n "Setting rules for INPUT chain..."
iptables -A INPUT -i lo -j ACCEPT
if [ "$TRUST" = "yes" -o "$TRUST" = "YES" ]; then
	iptables -A INPUT -i $LANDEV -j ACCEPT
else
	iptables -A INPUT -i $LANDEV -j inet-in
fi
iptables -A INPUT -i $INETDEV -j inet-in
echo " Done!"

#Set FORWARD rules
echo -n "Setting rules for FORWARD chain..."
if [ "$SHARE" = "yes" -o "$SHARE" = "YES" ]; then
	modprobe iptable_nat
	iptables -A FORWARD -s $LAN -j ACCEPT
	iptables -A FORWARD -d $LAN -j ACCEPT
	echo 1 > /proc/sys/net/ipv4/ip_forward
		#Activate masquerade
		echo -n "Activating masquerade..."
		iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE
		echo " Done!"	
fi
echo " Done!"

#Set OUTPUT rules
echo -n "Setting rules for OUTPUT chain..."
iptables -A OUTPUT -j inet-out
echo " Done!"

#Set inet-in rules
echo -n "Setting rules for internet device incoming chain: "
	echo -n "Setting open ports for specified servers / Network Services .... "
	#inet-in is only reached from INPUT, where a packet has no output interface,
	#so "-o $LANDEV" / "-o $INETDEV" on these rules could never match (iptables
	#accepts the option silently in a user-defined chain). Those matches have
	#been dropped so that the LAN-only service rules actually take effect.
	if [ "$SAMBALAN" = "YES" -o "$SAMBALAN" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 138:139 -j ACCEPT
	fi
	if [ "$SAMBAWAN" = "YES" -o "$SAMBAWAN" = "yes" ]; then
		iptables -A inet-in -p tcp -i $INETDEV --dport 138:139 -j ACCEPT
	fi
	if [ "$SAMBA" = "YES" -o "$SAMBA" = "yes" ]; then
		iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT
	fi
	if [ "$FTP" = "YES" -o "$FTP" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 21 -j ACCEPT
		if [ "$FTPPUBLIC" = "YES" -o "$FTPPUBLIC" = "yes" ]; then
			iptables -A inet-in -p tcp --dport 21 -j ACCEPT
		fi
	fi
	if [ "$TELNET" = "YES" -o "$TELNET" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 23 -j ACCEPT
		if [ "$TELNETPUBLIC" = "YES" -o "$TELNETPUBLIC" = "yes" ]; then
			iptables -A inet-in -p tcp --dport 23 -j ACCEPT
		fi
	fi
	if [ "$SSH" = "YES" -o "$SSH" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 22 -j ACCEPT
		if [ "$SSHPUBLIC" = "YES" -o "$SSHPUBLIC" = "yes" ]; then
			iptables -A inet-in -p tcp --dport 22 -j ACCEPT
		fi
	fi
	if [ "$WEB" = "YES" -o "$WEB" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 80 -j ACCEPT
		if [ "$WEBPUBLIC" = "YES" -o "$WEBPUBLIC" = "yes" ]; then
			iptables -A inet-in -p tcp --dport 80 -j ACCEPT
		fi
	fi
	if [ "$MAIL" = "YES" -o "$MAIL" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 110 -j ACCEPT
		if [ "$MAILPUBLIC" = "YES" -o "$MAILPUBLIC" = "yes" ]; then
			iptables -A inet-in -p tcp --dport 110 -j ACCEPT
		fi
	fi
	if [ "$IDENT" = "YES" -o "$IDENT" = "yes" ]; then
		iptables -A inet-in -p tcp -i $LANDEV --dport 113 -j ACCEPT
		if [ "$IDENTPUBLIC" = "YES" -o "$IDENTPUBLIC" = "yes" ]; then
			iptables -A inet-in -p tcp --dport 113 -j ACCEPT
		fi
	fi
	echo "Done!"

	echo -n "Adding trusted hosts.... "
	iptables -A inet-in -s $TRUSTEDHOST1 -j ACCEPT
	iptables -A inet-in -s $TRUSTEDHOST2 -j ACCEPT
	iptables -A inet-in -s $TRUSTEDHOST3 -j ACCEPT
	iptables -A inet-in -s $TRUSTEDHOST4 -j ACCEPT
	iptables -A inet-in -s $TRUSTEDHOST5 -j ACCEPT
	echo "Done!"

	echo -n "Denying all specified hosts.... "
	iptables -A inet-in -s $DENYHOST1 -j DROP
	iptables -A inet-in -s $DENYHOST2 -j DROP
	iptables -A inet-in -s $DENYHOST3 -j DROP
	iptables -A inet-in -s $DENYHOST4 -j DROP
	iptables -A inet-in -s $DENYHOST5 -j DROP
	echo "Done!"

echo -n "  Setup ping option on/off..."
if [ "$PING" = "YES" -o "$PING" = "yes" ]; then
	iptables -A inet-in -p ICMP -j ACCEPT
fi
if [ "$LOGPINGS" = "YES" -o "$LOGPINGS" = "yes" ]; then
	iptables -A inet-in -p ICMP -j LOG
fi
echo "Done!"

echo -n "  Setup port blocking on vulnerable ports..."
#Block NFS
iptables -A inet-in -p tcp --dport 2049 -j LOG
iptables -A inet-in -p udp --dport 2049 -j LOG
iptables -A inet-in -p tcp --dport 2049 -j DROP
iptables -A inet-in -p udp --dport 2049 -j DROP
#Block postgres
iptables -A inet-in -p tcp --dport postgres -j LOG
iptables -A inet-in -p udp --dport postgres -j LOG
iptables -A inet-in -p tcp --dport postgres -j DROP
iptables -A inet-in -p udp --dport postgres -j DROP
#Block X
iptables -A inet-in -p tcp --dport 5999:6003 -j LOG
iptables -A inet-in -p udp --dport 5999:6003 -j LOG 
iptables -A inet-in -p tcp --dport 5999:6003 -j DROP
iptables -A inet-in -p udp --dport 5999:6003 -j DROP
#Block XFS
iptables -A inet-in -p tcp --dport 7100 -j LOG
iptables -A inet-in -p udp --dport 7100 -j LOG
iptables -A inet-in -p tcp --dport 7100 -j DROP
iptables -A inet-in -p udp --dport 7100 -j DROP
#Block Back Orifice
iptables -A inet-in -p tcp --dport 31337 -j LOG
iptables -A inet-in -p udp --dport 31337 -j LOG 
iptables -A inet-in -p tcp --dport 31337 -j DROP
iptables -A inet-in -p udp --dport 31337 -j DROP
#Block netbus
iptables -A inet-in -p tcp --dport 12345:12346 -j LOG
iptables -A inet-in -p udp --dport 12345:12346 -j LOG
iptables -A inet-in -p tcp --dport 12345:12346 -j DROP
iptables -A inet-in -p udp --dport 12345:12346 -j DROP
echo " Done!"
echo -n "  Setting connection tracking..."
iptables -A INPUT -i $INETDEV  -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Done!"

if [ "$TYPE" = "ipchains" -o "$TYPE" = "IPCHAINS" ]; then
	echo "MAJOR APOLOGIES - The ipchains version didnt make it into the first version, but it is the highest priority on my TODO list"
	echo "Check http://www.endoshield.sourceforge.net for the next release"
fi
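The redirect the question asks about, as an added example that is not part of the original mail or of EndoShield. Two points from the thread shape it: the firewall script above runs `iptables -t nat -F PREROUTING`, so a redirect rule entered before the script runs is wiped and the rules must be added afterwards; and inserting with `-I` at position 1 instead of appending with `-A` removes the "appended at the end and therefore no effect" worry. The interface and network values (`eth0`, `192.168.1.0/24`), the Squid port `8080`, the function names and the two `iptables-save` excerpts used to exercise the check are all assumptions constructed for this example; `IPTABLES="echo iptables"` turns the rule-adding function into a dry run.

```shell
#!/bin/sh
# Added example (not from the original mail or EndoShield): send LAN HTTP
# traffic (tcp/80) to a local Squid and verify the rule is really in place.
# Assumptions: Squid listens on 8080 on this host, eth0 is the LAN side,
# 192.168.1.0/24 is the LAN, and this runs AFTER the firewall script, which
# flushes nat PREROUTING and would otherwise wipe the redirect.

LANDEV="${LANDEV:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-8080}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run

# Insert (-I, not -A) at position 1 of nat PREROUTING so nothing earlier in
# that chain can match first. Restricting to the LAN interface and LAN
# source keeps the rule away from anything arriving on the Internet side.
add_squid_redirect() {
    $IPTABLES -t nat -I PREROUTING 1 -i "$LANDEV" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Redirected packets are delivered locally and hit INPUT on $SQUID_PORT.
    # With TRUST="yes" EndoShield already accepts everything from $LANDEV;
    # this explicit rule keeps the setup working when TRUST is "no".
    $IPTABLES -I INPUT 1 -i "$LANDEV" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Read iptables-save output on stdin; return 0 only if the redirect is
# present in the nat table's PREROUTING chain, 1 otherwise. Run it after
# every firewall restart to catch the "rule got flushed" failure mode.
has_squid_redirect() {
    awk -v port="$SQUID_PORT" '
        /^\*/ { table = $1 }          # remember which table the lines belong to
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" &&
            $0 ~ /-p tcp/ && $0 ~ /--dport 80( |$)/ && $0 ~ /-j REDIRECT/ &&
            $0 ~ ("--to-ports " port "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed iptables-save excerpt: the redirect is in place.
SAVE_WITH_REDIRECT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed excerpt of the same box after the firewall script ran: nat
# PREROUTING was flushed, MASQUERADE came back, the REDIRECT did not.
SAVE_AFTER_FLUSH='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

report() {   # $1 = label, $2 = iptables-save text
    if printf '%s\n' "$2" | has_squid_redirect; then
        echo "$1: Squid redirect present"
    else
        echo "$1: Squid redirect MISSING - run add_squid_redirect after the firewall script"
    fi
}

report "before firewall script" "$SAVE_WITH_REDIRECT"
report "after firewall script"  "$SAVE_AFTER_FLUSH"
# On the real box: iptables-save | has_squid_redirect && echo ok
```

The order of operations is the whole point: run the firewall script first, then `add_squid_redirect`, then confirm with `iptables-save | has_squid_redirect`. Squid itself also has to be told that port 8080 receives intercepted connections (the `http_port` option is called `transparent` in Squid 2.6 and `intercept` from 3.1 on); without that it answers redirected requests with an error, which looks like the redirect "not working".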


