[Firehol-support] Transparent Proxy help

Costa Tsaousis costa at tsaousis.gr
Wed Dec 3 21:16:26 GMT 2003


I guess that when you say that the transparent proxy is not working, you
mean that it allows web browsing from the unroutable IPs.

If this is the problem, then change the transparent_squid statement to this:

transparent_squid 8080 "squid root" inface eth0 src "${accepted_ips}"

This is because a proxy is not ROUTING the packets; it replays them on
the other side of your firewall.

If your transparent squid does not work at all, please check the squid
logs and verify that it gets the requests from the clients. If it gets the
requests, then check your squid configuration.

If it does get the requests but it complains that it cannot connect to
remote hosts, first check this:

transparent_squid 8080 "" inface eth0 src "${accepted_ips}"

this will disable proxied browsing from the firewall itself (with a
browser on the linux host). If that works, check the user under which
squid is running and make sure it is included in the first command line
above.

Costa

PS: Your eth0 interface does not state any clients. This means that you
will not even be able to ping the other hosts from the linux firewall. Is
that what you want?


> Hi,
>
> What I am trying to accomplish is to deny access to the internet for
> certain users and enable it for others, but the transparent proxy doesn't
> seem to be working.
>
> My firehol.conf is as follows:
>
> --------------------------------------------
> #
> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
> #
> # This configuration file will allow all requests originating from the
> # local machine to be send through all network interfaces.
> #
> # No requests are allowed to come from the network. The host will be
> # completely stealthed! It will not respond to anything, and it will
> # not be pingable, although it will be able to originate anything
> # (even pings to other hosts).
> #
>
> # Require release 5 of FireHOL configuration directives
> version 5
>
> # Internal Network IP Address
> lan_ips="192.168.69.0/24"
> accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"
>
> # Transparent Proxy
> transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}"
>
> # My LAN. Everything is allowed here.
> interface eth0 lan src "${lan_ips}"
>         server  dns     accept
>         server  squid   accept
>         server  ssh     accept
>         server  http    accept
>         server  ftp     accept
>         server  smtp    accept
>         server  dhcp    accept
>         policy  reject
>
> interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}"
>         protection      strong  10/sec 10
>         server  ssh     accept
>         server  http    accept
>         server  ident   reject with tcp-reset
>         client  all     accept
>
> router internet2lan inface eth1 outface eth0
>         masquerade      reverse
>         client  all     accept src "${accepted_ips}"
>         server  ident   reject with tcp-reset
> -----------------------------------
>
> ips.txt is as follows
>
> 192.168.69.1
> 192.168.69.5
> 192.168.69.69
> 192.168.69.205
>
> But I need the other machines in the network to receive their DHCP from
> the box; their IPs just won't be allowed by the router rule.
>
> At the moment that seems to be working, except that the transparent proxy
> doesn't seem to be working correctly. If I do the rules manually with a
> plain iptables set of rules it works with no problems, so I seem to have
> something wrong in the firehol configuration.
>
> Any help would be very much appreciated.
>
> J
>

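The mechanism Costa describes above, as an added example that is neither part of the original thread nor FireHOL's own code: plain iptables rules with the effect of the corrected `transparent_squid 8080 "squid root" inface eth0 src "${accepted_ips}"` statement and of the `internet2lan` router, rendered as text so the reader can see why the `src` list on the proxy statement has to be the same list the router rule accepts (the proxy originates new connections from the firewall, so FORWARD never sees them), and why squid's own user belongs in the user list (otherwise its upstream connections are redirected back into itself). The chain layout, the `DRY_RUN` switch and the constructed ips.txt are assumptions of this example, not the rules FireHOL actually generates.

```shell
#!/bin/sh
# Added example, not FireHOL code and not the original poster's config.
# Renders plain iptables rules equivalent in effect to the FireHOL statements
# discussed in the thread.  The exact chains/matches FireHOL emits differ;
# this layout is an assumption made for illustration.
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 executes them.

: "${DRY_RUN:=1}"
: "${IPT:=iptables}"

# Print or execute one iptables rule.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Load the accepted client list from a file, skipping comments and blank lines
# (what the poster's `cat ips.txt | grep -v '^#'` does).
read_accepted_ips() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | tr '\n' ' '
}

# Transparent proxy.  $1 proxy port, $2 users whose own outgoing HTTP must
# NOT be redirected (squid itself, or it loops back into itself and "cannot
# connect to remote hosts"; "" disables proxying of locally generated traffic
# entirely), $3 LAN interface, $4 client addresses allowed to browse.
# Only the accepted clients are redirected: a REDIRECT for the whole LAN
# would let unlisted hosts browse through squid, bypassing the FORWARD
# restriction, because squid's connections originate on the firewall.
transparent_proxy_rules() {
    port=$1; users=$2; iface=$3; clients=$4
    for ip in $clients; do
        ipt -t nat -A PREROUTING -i "$iface" -s "$ip" -p tcp --dport 80 \
            -j REDIRECT --to-ports "$port"
    done
    if [ -n "$users" ]; then
        for u in $users; do
            ipt -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$u" -j RETURN
        done
        ipt -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$port"
    fi
}

# Router: masquerade LAN->Internet, but forward only the accepted clients.
# Unlisted hosts still reach DHCP/DNS on the firewall itself (INPUT, not
# FORWARD), which is what the poster asked for.
router_rules() {
    inside=$1; outside=$2; clients=$3
    ipt -t nat -A POSTROUTING -o "$outside" -j MASQUERADE
    ipt -A FORWARD -i "$outside" -o "$inside" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for ip in $clients; do
        ipt -A FORWARD -i "$inside" -o "$outside" -s "$ip" -j ACCEPT
    done
    ipt -A FORWARD -i "$inside" -o "$outside" -j DROP
}

# Render the whole policy for a given ips.txt.
render_policy() {
    accepted=$(read_accepted_ips "$1")
    transparent_proxy_rules 8080 "squid root" eth0 "$accepted"
    router_rules eth0 eth1 "$accepted"
}

# Constructed sample ips.txt mirroring the one in the thread.
sample_ips_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# accepted clients
192.168.69.1
192.168.69.5
192.168.69.69
192.168.69.205
EOF
    echo "$f"
}

# Usage: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_ips_file)
    render_policy "$f"
    rm -f "$f"
fi
```

Run with `--demo` to print the rule set; a host such as 192.168.69.7 that is not in ips.txt gets neither a REDIRECT nor a FORWARD ACCEPT, so it can obtain a DHCP lease from the box but cannot browse, directly or through squid.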