
Re: squid + transparent proxying + ssl prots ?



> >> Hi.
> >>
> >> Please can someone advise how to setup squid to transparently proxy ssl
> >> ports, it's currently proxying http with no problem..
> >>
> >> Many thanks
> >> Gregory Machin
> >>
> >
> > It sounds like what you need is masquerading or possibly port forwarding.
> > I manage a squid proxy for my company but no other connections are
> > proxied.  Instead we use a machine as an internet gateway and use
> > masquerading to route SSH connections off the local private subnet to the
> > internet.  Many organizations do this.  One way to do this is with
> > iptables.  Let me know if you'd like some examples.
> >
> > <|>/\\/|<|>
> >
>
> Yip, that sounds correct.  Do you have an example for me of how to forward
> from my internal nic to the gateway nic?
>
> Thanks a stack

The best way to do this depends on what you already have set up and your
company's security policies.  I'll give you an example of how I do it and
perhaps you can figure out the best way to apply these ideas to your own
setup.  Please note, I'm not an "expert" in this area.  I can however tell
you what works for me and what my understanding is of the subject.  You're
likely to get some follow up emails with corrections about my explanation
here.

First of all the company I work for has a number of machines on their
private network.  We use "net 10" for our lan.  There is one gateway machine
and all internet access from clients on net 10 gets routed through the
gateway machine.  The gateway machine is connected both to net 10 and to an
internet router by way of a firewall.

Here's a crude picture of that setup:


Clients on net 10.
10.0.0.1  through  10.0.0.253
            |
Connect via lan cable and switches to
            |
Gateway machine     (10.0.0.254 lan side / 62.192.14.212 internet side)
            |
Connects via lan cable to
            |
Internet firewall
            |
Connects via cable and router to
            |
Our ISP which in turn connects us to the internet

The default gateway of all the lan clients is set to the lan side address of
the gateway machine (10.0.0.254)
This means all internet requests must pass through this one machine to reach
the internet.
The internet IP of our gateway is (hypothetically) 62.192.14.212.

The iptables command can be used to perform a range of functions in Linux
including forwarding, firewalling with stateful packet inspection and the
masquerading function so that all your clients may access the internet.
When properly configured, the gateway will forward packets from any of your
lan clients to the internet and forward any returning traffic back to the
correct client on your lan.  This is similar to proxying but (put simply)
there is no caching involved.

Here's a VERY BASIC script for iptables that demonstrates a way to
perform masquerading.  You run this script on your Linux gateway.  Generally
you will want to add a number of additional firewall rules to help secure
your gateway.  While this script should work for your setup, it is not to be
considered the final or complete solution for your setup.  I expressly
disclaim any liability for what this script will do once used in your
organization.  It's simply the minimum required to successfully activate ip
masquerading for your network.  For more information on iptables you can go
check out http://www.netfilter.org/ .  You'll find a lot of valuable
information there.

Basically what this script does is allow most lan traffic unrestricted
access to the internet and only allow internet traffic to reach the lan if
it is in response to a host on the lan.  There are many ways to configure
this to accomplish your own tasks.  This is just one way.  It really should
be hardened with additional rules to afford your gateway more protection.
However this script has been sufficient (security wise) on my personal lan
at home because my internet router is also a firewall.  The script I use at
my company is more complex and involves firewalling as a layer of redundancy
to the commercial firewall.

#!/bin/bash

IPTABLES=/usr/sbin/iptables
MODPROBE=/sbin/modprobe
LOCALNET=10.0.0.0/8
INT=eth0  # Name of the internal lan side network card
EXT=eth1 # Name of the external internet side network card

$MODPROBE ipt_MASQUERADE
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

# Enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# This clears existing rules and sets default policies
# These policies assume you have a firewall between the gateway and the internet
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Masquerading rules
$IPTABLES -A FORWARD -i $EXT -o $INT -d $LOCALNET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -s $LOCALNET -j ACCEPT

# Perform actual masquerading in postrouting
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

To customize this script to your network be sure to adjust the first 5 lines
to match your environment.  You will need the ipfilter suite of kernel
modules as well.  These may already be available on your machine.  Example:
ipt_state
iptable_mangle
iptable_filter
ip_nat_ftp
ip_conntrack_ftp
ipt_MASQUERADE
iptable_nat
ip_tables
ip_conntrack

And you will need the iptables package installed on your machine.  Try
iptables --version from the command prompt to see if it's installed.  Be
root to run this script.

<|>/\\/|<|>
