Re: Squid as default gateway in proxy mode.
On Sat, Apr 14, 2012 at 3:40 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>
> Hello,
>
> > Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
> >
> >> now the problem part is i want to ping outside host to verify the
> >> connectivity of internet for that all the time i have to open the SSH
> >> the console and ping. but what i want is, i should also ping it from
> >> host computers as well. however i don't want to NAT all the traffic
> >> coming from inside and going outside. rather what i want is just to
> >> NAT only ICMP Echo Rep and Req so that i can at least ping outside
> >> host
>
> As Joe wrote, this is not the right way to do things. See below.
>
> > with out SSH the Squid console. which is very bothering.
> >> My network diagram is very simple
> >>
> >> <Squid
> >> Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP
> >> Router>
> >> I
> >> I
> >> eth1(192.168.1.1)
> >> I
> >> I
> >> (local network 192.168.1.0/24)
> >>
> >>
> >> And why i am using Squid as a Gateway because i just want to minimize
> >> unwanted nods that needs to be monitor all the time and batter
> >> control over traffic with IPtables firewall. i am using this line to
> >> NAT very specific ports to allow certain facilities like Email ,
> >> Remote desktop and stuff. and this is working for me.
> >>
> >> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
>
> This is not the right way to do things. NAT is not intended for
> filtering. By not masquerading outgoing traffic, you just let packets go
> out with their original source address instead of dropping them. You
> just rely on the ISP router not knowing how to handle the original
> source address. This is wrong.
>
> The right way is to only accept specific through your router, and then
> NAT all traffic that was allowed to go out. Ok, it is a bit more
> complicated.
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t filter -P FORWARD DROP
> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
> -p tcp --dport 110 -j ACCEPT
>
> >> now i am stuck on allowing the ping traffic. please help
>
> iptables -t filter -A FORWARD -0 eth0 -p icmp --icmp-type echo-request \
> -j ACCEPT
Thanks ill try this line on Monday, since this is a weekend. ill let
you know the results though.
>
> Joe wrote :
> > only TCP and UDP have 'ports'
>
> No. ICMP does not have ports, but other protocols such as SCTP and DCCP
> have ports too.
>
i know ICMP didnt have ports and it is a layer 4 proto. but if it
works on ports then i didn't ask this question here.
secondly the concern that this is not the right approach. i know that
this is not a way of blocking stuff. i should have drop the traffic
one by one after opening all the traffic. i know in other words we
are talking about "Transparent " proxy. but the biggest problem of
transparent proxy for me is that i can not block particular domains on
port 443 (HTTPS) like twitter, facebook and stuff which supports
HTTPS and my management is very strict with the use of social
networking in office hours. so that was the reason i didn't used
Transparent proxy. if there is any solution or suggestion please
share.
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 4F89541A.8080501@plouf.fr.eu.org">http://lists.debian.org/[🔎] 4F89541A.8080501@plouf.fr.eu.org
>
Reply to: