rmillisl@mailhost.isa-geek.net
2002-Dec-11 19:19 UTC
[Shorewall-users] Force Users to use Proxy?
How can I force my users to use my proxy server for web and ftp at the firewall?
--On Wednesday, December 11, 2002 12:19:58 PM -0700 rmillisl@mailhost.isa-geek.net wrote:

> How can I force my users to use my proxy server for web and ftp at the
> firewall?
>

REJECT loc net tcp 80
REJECT loc net tcp 443
REJECT loc net tcp 21

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
--On Wednesday, December 11, 2002 01:47:08 PM -0700 rmillisl@mailhost.isa-geek.net wrote:

>>> How can I force my users to use my proxy server for web and ftp at the
>>> firewall?
>>>
>>
>> REJECT loc net tcp 80
>> REJECT loc net tcp 443
>> REJECT loc net tcp 21
>
> Ok, my question was not precise enough. :-)
>
> Thanks for showing me how to block the traffic, now can you tell me how I
> allow the proxy only to pass these items? The proxy is on the loc
> interface. I assume it will be somewhat the reverse of forwarding a port
> from net to dmz?

Change the above three rules to:

REJECT loc:!<proxy ip> net tcp 80
REJECT loc:!<proxy ip> ...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
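The two rule sets above differ in one detail that is easy to overlook, so here is an added example (my code, not Shorewall's) that evaluates the quoted rules the way Shorewall does: first matching rule wins, otherwise the zone-pair policy applies. It assumes a loc->net ACCEPT policy (the usual setup that leaves these REJECTs as the only restriction) and the proxy at 10.1.1.154, the address Dario uses later in the thread; the client and server addresses are constructed. The third rule set, an allow-list with a REJECT policy, is my own suggestion and not from the thread.

```python
# Added example (not Shorewall code): evaluate the rules quoted in this thread
# against a few constructed packets, first-match then zone policy, like Shorewall.
# Assumptions (hypothetical): loc->net policy is ACCEPT unless stated otherwise,
# and the proxy sits at 10.1.1.154 as in Dario's later message.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


def parse_endpoint(field):
    """'loc', 'loc:10.1.1.154' or 'loc:!10.1.1.154' -> (zone, network|None, negated)."""
    zone, _, addr = field.partition(":")
    negated = addr.startswith("!")
    addr = addr.lstrip("!")
    net = ipaddress.ip_network(addr, strict=False) if addr else None
    return zone, net, negated


def parse_rule(line):
    """ACTION SOURCE DEST PROTO DPORT[,DPORT...]; further columns are ignored here."""
    action, src, dst, proto, ports = line.split()[:5]
    return action, parse_endpoint(src), parse_endpoint(dst), proto.lower(), {int(p) for p in ports.split(",")}


def endpoint_matches(endpoint, zone, ip):
    ezone, net, negated = endpoint
    if ezone not in ("all", zone):
        return False
    if net is None:
        return True
    return (ipaddress.ip_address(ip) in net) != negated


def decide(rules, policy, pkt):
    """First matching rule wins; otherwise the zone-pair policy applies."""
    for action, src, dst, proto, ports in map(parse_rule, rules):
        if (endpoint_matches(src, pkt.src_zone, pkt.src_ip)
                and endpoint_matches(dst, pkt.dst_zone, pkt.dst_ip)
                and proto in ("all", pkt.proto) and pkt.dport in ports):
            return action
    return policy[(pkt.src_zone, pkt.dst_zone)]


POLICY_ACCEPT = {("loc", "net"): "ACCEPT"}   # assumed loc->net policy
POLICY_REJECT = {("loc", "net"): "REJECT"}   # used by the allow-list variant

# Tom's first answer: rejects everything in loc, the proxy included.
FIRST_ANSWER = ["REJECT loc net tcp 80", "REJECT loc net tcp 443", "REJECT loc net tcp 21"]
# Tom's second answer: exempt the proxy from the REJECTs.
SECOND_ANSWER = ["REJECT loc:!10.1.1.154 net tcp 80",
                 "REJECT loc:!10.1.1.154 net tcp 443",
                 "REJECT loc:!10.1.1.154 net tcp 21"]
# Allow-list variant (my suggestion, not from the thread): default-deny loc->net
# and permit only the proxy, so a web server on an odd port cannot bypass it.
ALLOW_LIST = ["ACCEPT loc:10.1.1.154 net tcp 80,443,21"]


def verdicts(rules, policy):
    client_web = Packet("loc", "10.1.1.10", "net", "192.0.2.80", "tcp", 80)
    proxy_web = Packet("loc", "10.1.1.154", "net", "192.0.2.80", "tcp", 80)
    client_alt = Packet("loc", "10.1.1.10", "net", "192.0.2.80", "tcp", 8080)
    return {
        "client:80": decide(rules, policy, client_web),
        "proxy:80": decide(rules, policy, proxy_web),
        "client:8080": decide(rules, policy, client_alt),
    }


if __name__ == "__main__":
    for name, rules, policy in [("first", FIRST_ANSWER, POLICY_ACCEPT),
                                ("second", SECOND_ANSWER, POLICY_ACCEPT),
                                ("allow-list", ALLOW_LIST, POLICY_REJECT)]:
        print(name, verdicts(rules, policy))
```

With the first rule set the proxy's own outbound fetches are rejected too; the second fixes that but, under an ACCEPT policy, still lets a client reach a web server on 8080 directly. If the goal is that nothing leaves except through the proxy, the allow-list with a REJECT (or DROP) loc->net policy is the shape to aim for.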
rmillisl@mailhost.isa-geek.net
2002-Dec-11 20:47 UTC
[Shorewall-users] Force Users to use Proxy?
>> How can I force my users to use my proxy server for web and ftp at the
>> firewall?
>>
>
> REJECT loc net tcp 80
> REJECT loc net tcp 443
> REJECT loc net tcp 21

Ok, my question was not precise enough. :-)

Thanks for showing me how to block the traffic, now can you tell me how I allow the proxy only to pass these items? The proxy is on the loc interface. I assume it will be somewhat the reverse of forwarding a port from net to dmz?

Thank you!
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
Cc: <shorewall-users@shorewall.net>
Sent: Wednesday, December 11, 2002 9:42 PM
Subject: Re: [Shorewall-users] Force Users to use Proxy?

> --On Wednesday, December 11, 2002 01:47:08 PM -0700
> rmillisl@mailhost.isa-geek.net wrote:
>
>>> How can I force my users to use my proxy server for web and ftp at the
>>> firewall?
>>>
>>
>> REJECT loc net tcp 80
>> REJECT loc net tcp 443
>> REJECT loc net tcp 21
>
> > Ok, my question was not precise enough. :-)
> >
> > Thanks for showing me how to block the traffic, now can you tell me how I
> > allow the proxy only to pass these items? The proxy is on the loc
> > interface. I assume it will be somewhat the reverse of forwarding a port
> > from net to dmz?
>
> Change the above three rules to:
>
> REJECT loc:!<proxy ip> net tcp 80
> REJECT loc:!<proxy ip> ...
>

Ok, but what if I wish to use a transparent proxy? Are these rules correct?

REDIRECT loc <proxy ip>:<proxy port> tcp 80 - !<proxy ip>
REDIRECT loc <proxy ip>:<proxy port> tcp 443 - !<proxy ip>

Thanks
Dario Lesca
--On Thursday, December 12, 2002 07:28:24 PM +0100 Dario Lesca <d.lesca@ivrea.osra.it> wrote:

> Ok, but what if I wish to use a transparent proxy? Are these rules correct?
>
> REDIRECT loc <proxy ip>:<proxy port> tcp 80 - !<proxy ip>
> REDIRECT loc <proxy ip>:<proxy port> tcp 443 - !<proxy ip>
>

Hmmm -- why don't you tell us EXACTLY what you are trying to do and then we'll tell you how to do it (assuming that it is possible).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
The configuration here follows:

REDIRECT loc 3128 tcp www - !192.168.10.0

And that's it.

Of course Squid needs to be set up correctly for this to work. If you'd like a copy of my squid.conf let me know.

On Thu, 12 Dec 2002 10:32:21 -0800 Tom Eastep <teastep@shorewall.net> opened up to us and said:

> --On Thursday, December 12, 2002 07:28:24 PM +0100 Dario Lesca
> <d.lesca@ivrea.osra.it> wrote:
>
>> Ok, but what if I wish to use a transparent proxy? Are these rules correct?
>>
>> REDIRECT loc <proxy ip>:<proxy port> tcp 80 - !<proxy ip>
>> REDIRECT loc <proxy ip>:<proxy port> tcp 443 - !<proxy ip>
>>
>
> Hmmm -- why don't you tell us EXACTLY what you are trying to do and
> then we'll tell you how to do it (assuming that it is possible).
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
--On Thursday, December 12, 2002 01:52:47 PM -0500 Paul Slinski <pauls@globaliqx.com> wrote:

> The configuration here follows:
>
> REDIRECT loc 3128 tcp www - !192.168.10.0
>
> And that's it.
>
> Of course Squid needs to be set up correctly for this to work. If you'd
> like a copy of my squid.conf let me know.
>

I think Dario's proxy server is in his local zone! I want to get a complete picture of what he is trying to do before advising him further. So far, this thread has been like pounding down pegs; hammer one down and another pops up :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Dario Lesca" <d.lesca@ivrea.osra.it>; <shorewall-users@shorewall.net>
Sent: Thursday, December 12, 2002 7:32 PM
Subject: Re: [Shorewall-users] Force Users to use Proxy?

> --On Thursday, December 12, 2002 07:28:24 PM +0100 Dario Lesca
> <d.lesca@ivrea.osra.it> wrote:
>
>> Ok, but what if I wish to use a transparent proxy? Are these rules correct?
>>
>> REDIRECT loc <proxy ip>:<proxy port> tcp 80 - !<proxy ip>
>> REDIRECT loc <proxy ip>:<proxy port> tcp 443 - !<proxy ip>
>>
>
> Hmmm -- why don't you tell us EXACTLY what you are trying to do and then
> we'll tell you how to do it (assuming that it is possible).

ok, ok, it is possible ...

eth1 of fw (loc zone) = 10.1.1.254
proxy is in loc zone = 10.1.1.154

REDIRECT loc 10.1.1.154:3128 tcp 80 - !10.1.1.154
REDIRECT loc 10.1.1.154:3128 tcp 443 - !10.1.1.154

Is this correct?

P.S....
Many Thanks for your Great Great work!

-------
Dario Lesca (d.lesca@ivrea.osra.it)
--On Thursday, December 12, 2002 09:20:59 PM +0100 Dario Lesca <d.lesca@ivrea.osra.it> wrote:

> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Dario Lesca" <d.lesca@ivrea.osra.it>; <shorewall-users@shorewall.net>
> Sent: Thursday, December 12, 2002 7:32 PM
> Subject: Re: [Shorewall-users] Force Users to use Proxy?
>
>> Hmmm -- why don't you tell us EXACTLY what you are trying to do and then
>> we'll tell you how to do it (assuming that it is possible).
>
> ok, ok, it is possible ...
>
> eth1 of fw (loc zone) = 10.1.1.254
> proxy is in loc zone = 10.1.1.154
>
> REDIRECT loc 10.1.1.154:3128 tcp 80 - !10.1.1.154
> REDIRECT loc 10.1.1.154:3128 tcp 443 - !10.1.1.154
>
> Is this correct?

No. You want:

DNAT loc:!10.1.1.154 loc:10.1.1.154:3128 tcp 80 - all:10.1.1.254
DNAT loc:!10.1.1.154 loc:10.1.1.154:3128 tcp 443 - all:10.1.1.254

Warning: From the Proxy's viewpoint, this makes ALL requests look like they are coming from 10.1.1.254!!!

To solve that problem, you need to use policy routing. I haven't tried it but there are instructions in the Linux Advanced Routing and Traffic Control Howto (http://www.lartc.org).

>
> P.S....
> Many Thanks for your Great Great work!
>

You're welcome.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
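The `all:10.1.1.254` at the end of Tom's DNAT rules is what produces the warning above, and it is there for a reason the thread does not spell out: client and proxy share a subnet, so without it the proxy's reply would go straight back across the LAN instead of through the firewall. The following is an added example (my code, not Shorewall's or netfilter's) that models that hairpin with and without the SNAT. It uses the addresses from Dario's message (firewall eth1 10.1.1.254, proxy 10.1.1.154:3128); the client 10.1.1.10, its source port and the web server 192.0.2.80 are constructed.

```python
# Added example (not Shorewall/netfilter code): a toy model of the DNAT hairpin
# in Tom's last reply, showing what the proxy sees and why the SNAT to 10.1.1.254
# is needed when client and proxy sit on the same LAN.
# Constructed values: client 10.1.1.10:40000, web server 192.0.2.80.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

FW_LAN_IP = "10.1.1.254"      # eth1 of the firewall (loc zone), per Dario
PROXY_IP = "10.1.1.154"       # proxy in the loc zone, per Dario
PROXY_PORT = 3128
LAN = ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def firewall_forward(pkt, snat_to_firewall):
    """PREROUTING DNAT (loc:!proxy, tcp 80/443 -> proxy:3128), then the
    POSTROUTING SNAT that 'all:10.1.1.254' adds. Returns the packet as the
    proxy receives it plus the conntrack entry (original, translated) or None."""
    if pkt.src == PROXY_IP or pkt.dport not in (80, 443):
        return pkt, None                              # rule does not match
    translated = replace(pkt, dst=PROXY_IP, dport=PROXY_PORT)
    hairpin = ip_address(pkt.src) in LAN and ip_address(PROXY_IP) in LAN
    if snat_to_firewall and hairpin:
        translated = replace(translated, src=FW_LAN_IP)
    return translated, (pkt, translated)


def proxy_reply(received):
    """The proxy answers whatever source address it saw."""
    return Pkt(received.dst, received.dport, received.src, received.sport)


def deliver_reply(reply, conntrack):
    """A reply addressed to the firewall has both translations undone by
    conntrack; a reply addressed to another LAN host never crosses the firewall."""
    if conntrack is None or reply.dst != FW_LAN_IP:
        return reply
    original, _ = conntrack
    return Pkt(original.dst, original.dport, original.src, original.sport)


def client_accepts(sent, reply):
    """A TCP client only accepts segments whose 4-tuple mirrors what it sent."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (sent.dst, sent.dport, sent.src, sent.sport)


def run(snat_to_firewall):
    """One client request through the hairpin; returns what the proxy logs as the
    source and whether the client can match the reply to its connection."""
    sent = Pkt("10.1.1.10", 40000, "192.0.2.80", 80)
    received, conntrack = firewall_forward(sent, snat_to_firewall)
    reply = deliver_reply(proxy_reply(received), conntrack)
    return {"proxy_sees_src": received.src, "client_accepts": client_accepts(sent, reply)}


if __name__ == "__main__":
    print("with SNAT   ", run(True))    # proxy logs 10.1.1.254, connection works
    print("without SNAT", run(False))   # proxy logs the client, but reply is dropped
```

Without the SNAT the proxy would keep the real client address in its logs, but its reply (from 10.1.1.154:3128) reaches the client directly and does not match the connection the client opened to 192.0.2.80:80, so the client drops it. That is the trade-off behind Tom's warning: the SNAT makes the hairpin work at the cost of source visibility. Besides the policy-routing route Tom points at, the two other ways out are Paul's setup (Squid on the firewall itself, so REDIRECT suffices and no hairpin exists) or putting the proxy on its own interface or zone, so replies must cross the firewall anyway. Also note that redirecting port 443 to a plain HTTP proxy port does not give transparent HTTPS: the client sends TLS, not an HTTP request, so Squid cannot interpret it.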