Re: squid + transparent proxying + ssl prots ?

From: David Cunningham (delta_at_radiusweb.com)
Date: 05/10/04

  • Next message: paul_at_thirdaspect.net: "Re: Secure OS's"
    To: <linuxinfo@linuxpro.co.za>, <debian-user@lists.debian.org>
    Date: Mon, 10 May 2004 06:27:05 -0700
    
    

    > >> Hi.
    > >>
    > >> Please can someone advise how to set up squid to transparently proxy
    > >> ssl ports, it's currently proxying http with no problem..
    > >>
    > >> Many thanks
    > >> Gregory Machin
    > >>
    > >
    > > It sounds like what you need is masquerading or possibly port
    > > forwarding. I manage a squid proxy for my company but no other
    > > connections are proxied. Instead we use a machine as an internet
    > > gateway and use masquerading to route SSH connections off the local
    > > private subnet to the internet. Many organizations do this. One way to
    > > do this is with iptables. Let me know if you'd like some examples.
    > >
    > > <|>/\\/|<|>
    > >
    >
    > yip that sounds correct, do you have an example for me? of how to forward
    > from my internal nic to the gateway nic?
    >
    > Thanks a stack

    The best way to do this depends on what you already have set up and your
    company's security policies. I'll give you an example of how I do it and
    perhaps you can figure out the best way to apply these ideas to your own
    setup. Please note, I'm not an "expert" in this area. I can however tell
    you what works for me and what my understanding is of the subject. You're
    likely to get some follow up emails with corrections about my explanation
    here.

    First of all the company I work for has a number of machines on their
    private network. We use "net 10" for our lan. There is one gateway machine
    and all internet access from clients on net 10 gets routed through the
    gateway machine. The gateway machine is connected both to net 10 and to an
    internet router by way of a firewall.

    Here's a crude picture of that setup:

    Clients on net 10.
    10.0.0.1 through 10.0.0.253
                |
    Connect via lan cable and switches to
                |
    Gateway machine (10.0.0.254 lan side / 62.192.14.212 internet side)
                |
    Connects via lan cable to
                |
    Internet firewall
                |
    Connects via cable and router to
                |
    Our ISP which in turn connects us to the internet

    The default gateway of all the lan clients is set to the lan side address of
    the gateway machine (10.0.0.254). This means all internet requests must pass
    through this one machine to reach the internet. The internet IP of our
    gateway is (hypothetically) 62.192.14.212.

    The iptables command can be used to perform a range of functions in Linux
    including forwarding, firewalling with stateful packet inspection and the
    masquerading function so that all your clients may access the internet.
    When properly configured, the gateway will forward packets from any of your
    lan clients to the internet and forward any returning traffic back to the
    correct client on your lan. This is similar to proxying but (put simply)
    there is no caching involved.

    Here's a VERY BASIC script for iptables that demonstrates a way to
    perform masquerading. You run this script on your Linux gateway. Generally
    you will want to add a number of additional firewall rules to help secure
    your gateway. While this script should work for your setup, it is not to be
    considered the final or complete solution for your setup. I expressly
    disclaim any liability for what this script will do once used in your
    organization. It's simply the minimum required to successfully activate ip
    masquerading for your network. For more information on iptables you can go
    check out http://www.netfilter.org/ . You'll find a lot of valuable
    information there.

    Basically what this script does is allow most lan traffic unrestricted
    access to the internet and only allow internet traffic to reach the lan if
    it is in response to a host on the lan. There are many ways to configure
    this to accomplish your own tasks. This is just one way. It really should
    be hardened with additional rules to afford your gateway more protection.
    However this script has been sufficient (security wise) on my personal lan
    at home because my internet router is also a firewall. The script I use at
    my company is more complex and involves firewalling as a layer of redundancy
    to the commercial firewall.

    #!/bin/bash

    IPTABLES=/usr/sbin/iptables
    MODPROBE=/sbin/modprobe
    LOCALNET=10.0.0.0/8 # Address range of the lan (net 10)
    INT=eth0 # Name of the internal lan side network card
    EXT=eth1 # Name of the external internet side network card

    # Load the masquerading target and the FTP connection tracking helpers
    $MODPROBE ipt_MASQUERADE
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp

    # Enable forwarding between the two interfaces
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # This clears existing rules and sets default policies.
    # These policies assume you have a firewall between the gateway and the
    # internet: traffic to and from the gateway itself is accepted, while
    # nothing is forwarded unless a rule below allows it.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    # Masquerading rules
    # Let packets from the internet back in only for connections a lan host
    # started (ESTABLISHED) or that belong to one, e.g. FTP data (RELATED)
    $IPTABLES -A FORWARD -i $EXT -o $INT -d $LOCALNET \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let any lan host out to the internet
    $IPTABLES -A FORWARD -i $INT -o $EXT -s $LOCALNET -j ACCEPT

    # Perform actual masquerading in postrouting: rewrite the source address
    # of outgoing packets to the gateway's internet IP
    $IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

    To customize this script to your network be sure to adjust the first 5 lines
    to match your environment. You will need the ipfilter suite of kernel
    modules as well. These may already be available on your machine. Example:
    ipt_state
    iptable_mangle
    iptable_filter
    ip_nat_ftp
    ip_conntrack_ftp
    ipt_MASQUERADE
    iptable_nat
    ip_tables
    ip_conntrack

    And you will need the iptables package installed on your machine. Try
    iptables --version from the command prompt to see if it's installed. Be
    root to run this script.

    <|>/\\/|<|>

    -- 
    To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
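The reply above stresses that its script is the bare minimum and "really should be hardened with additional rules". The script below is an added example of what that hardening looks like, written for this page and not taken from the post or from the Debian or netfilter projects. It keeps the post's layout (LAN on 10.0.0.0/8 behind eth0, internet on eth1, `-m state` matching, the same module names) and adds what a gateway operator would normally want on top: deny-by-default INPUT, anti-spoofing rules so packets claiming a LAN source are dropped if they arrive on the external interface, SSH and ping to the gateway only from the LAN, and masquerading restricted to LAN sources. The interface names, address range, gateway address and the use of `sysctl -w` instead of the `/proc` echo are assumptions you adjust for your own network. Note that nothing here redirects port 443 anywhere: HTTPS and SSH from the LAN are simply masqueraded out, which is what the reply recommends instead of trying to proxy SSL ports through squid. Run it without arguments to print the iptables commands it would issue (a dry run), and as root with `--apply` to load them.

```shell
#!/bin/sh
# Hardened masquerading gateway ruleset (added example, not from the post).
# Interface names, LOCALNET and GW_LAN_IP are assumed placeholders.
# With no argument the script only prints the commands (dry run);
# "--apply" executes them and requires root.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
LOCALNET=${LOCALNET:-10.0.0.0/8}     # assumed LAN range, as in the post
INT=${INT:-eth0}                     # internal (LAN) interface, assumed
EXT=${EXT:-eth1}                     # external (internet) interface, assumed
GW_LAN_IP=${GW_LAN_IP:-10.0.0.254}   # gateway's LAN address, assumed
DRY_RUN=1

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_ruleset() {
    # Module names as used in the post; newer kernels call the FTP helpers
    # nf_conntrack_ftp and nf_nat_ftp, and load the MASQUERADE target on demand.
    run "$MODPROBE" ipt_MASQUERADE
    run "$MODPROBE" ip_conntrack_ftp
    run "$MODPROBE" ip_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    # Start from a clean table with deny-by-default on INPUT and FORWARD.
    for chain in INPUT FORWARD; do
        run "$IPTABLES" -P "$chain" DROP
    done
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -t mangle -F
    run "$IPTABLES" -X

    # Anti-spoofing: a LAN source address must never arrive on the external side.
    run "$IPTABLES" -A INPUT   -i "$EXT" -s "$LOCALNET" -j DROP
    run "$IPTABLES" -A FORWARD -i "$EXT" -s "$LOCALNET" -j DROP

    # Traffic to the gateway itself: loopback, replies, SSH and ping from the LAN.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$INT" -s "$LOCALNET" -d "$GW_LAN_IP" -p tcp --dport 22 -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$INT" -s "$LOCALNET" -d "$GW_LAN_IP" -p icmp -j ACCEPT

    # Forwarding: LAN -> internet for new and existing connections (HTTPS and
    # SSH take this path untouched, nothing redirects them to squid);
    # internet -> LAN only as replies to connections a LAN host opened.
    run "$IPTABLES" -A FORWARD -i "$INT" -o "$EXT" -s "$LOCALNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXT" -o "$INT" -d "$LOCALNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade only LAN sources, and only on the external interface.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXT" -s "$LOCALNET" -j MASQUERADE
}

main() {
    case "${1:-}" in
        --apply) DRY_RUN=0 ;;
        *)       DRY_RUN=1 ;;   # default: print the commands, change nothing
    esac
    if [ "$DRY_RUN" = 0 ] && [ "$(id -u)" != 0 ]; then
        echo "must be root to apply rules" >&2
        return 1
    fi
    apply_ruleset
}

main "$@"
```

The dry run makes the ruleset reviewable before it touches a production gateway; diff its output against `iptables-save` after applying to confirm nothing else has been loaded alongside it. The `-X` after the flushes removes user-defined chains left by a previous ruleset, and the anti-spoofing rules sit before anything that accepts, so ordering matters if you add rules of your own.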
    
