Hi, I had installed squid with ntlm authentication and content filtering from this tutorial: http://www.howtoforge.com/dansguardian-with-multi-group-filtering-and-squid-with-ntlm-auth-on-debian-etch. The next-to-last step is firewall configuration by ipmasq, but I have installed shorewall. This is the content of the I89tproxy.rul file:

#!/bin/sh
#
# redirect http requests to non-local hosts to the transparent proxy
# GPL 2.0 or later (C) 2004 Johannes Martin <jmartin@notamusica.com>
#
# $MASQMETHOD, $IPTABLES, $INTERNAL, $EXTERNAL_IN, $IPOFIF/$NMOFIF and the
# ipnm_cache helper are supplied by the ipmasq framework that sources this file.

# 1. do not redirect http requests to localhost
case $MASQMETHOD in
  ipfwadm)   $IPFWADM -I -a accept -P tcp -D localhost 80 ;;
  ipchains)  $IPCHAINS -A input -p tcp -d localhost 80 -j ACCEPT ;;
  netfilter) $IPTABLES -A INPUT -p tcp -d localhost --dport 80 -j ACCEPT ;;
esac

# 2. do not redirect http requests to hosts on the local network
for i in $INTERNAL; do
  ipnm_cache $i
  case $MASQMETHOD in
    ipfwadm)   $IPFWADM -I -a accept -P tcp -D $IPOFIF/$NMOFIF 80 ;;
    ipchains)  $IPCHAINS -A input -p tcp -d $IPOFIF/$NMOFIF 80 -j ACCEPT ;;
    netfilter) $IPTABLES -A INPUT -p tcp -d $IPOFIF/$NMOFIF --dport 80 -j ACCEPT ;;
  esac
done

# 3. redirect non-local http requests to the transparent proxy
for i in $INTERNAL; do
  ipnm_cache $i
  case $MASQMETHOD in
    ipfwadm)   $IPFWADM -I -a accept -P tcp -S $IPOFIF/$NMOFIF -D 0.0.0.0/0 80 -r 8081 ;;
    ipchains)  $IPCHAINS -A input -p tcp -s $IPOFIF/$NMOFIF -d 0.0.0.0/0 80 -j REDIRECT 8081 ;;
    netfilter) $IPTABLES -t nat -A PREROUTING -p tcp -s $IPOFIF/$NMOFIF -d 0.0.0.0/0 --dport 80 -j REDIRECT --to-ports 8081 ;;
  esac
done

# 4. block port 8081 on external interfaces
for i in $EXTERNAL_IN; do
  ipnm_cache $i
  case $MASQMETHOD in
    ipfwadm)   $IPFWADM -I -a deny -P tcp -D $IPOFIF/$NMOFIF 8081 ;;
    ipchains)  $IPCHAINS -A input -j DENY -p tcp -d $IPOFIF/$NMOFIF 8081 ;;
    netfilter) $IPTABLES -A INPUT -j DROP -p tcp -d $IPOFIF/$NMOFIF --dport 8081 ;;
  esac
done

And these are my shorewall rules:

#HTTP
HTTP/ACCEPT net $FW
HTTP/ACCEPT loc $FW
REDIRECT loc:!10.0.0.0/9 8081 tcp 80 -

Are these good rules? Thanks for help!
------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what''s new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
Sebastian wrote:
>
> And these are my shorewall rules:
> #HTTP
> HTTP/ACCEPT net $FW

I assume you want:

HTTP/ACCEPT $FW net

That will allow your proxy to access the internet.

> HTTP/ACCEPT loc $FW
> REDIRECT loc:!10.0.0.0/9 8081 tcp 80 -

I rather doubt that rule is what you want. It will redirect port 80 to local port 8081 EXCEPT IF THEY ARE SENT BY 10.0.0.0/9.

> Are these good rules?

When you show us a few rules out of context, we really cannot tell if they are 'good' or not.

-Tom
--
Tom Eastep                \ When I die, I want to go like my Grandfather who
Shoreline,                 \ died peacefully in his sleep. Not screaming like
Washington, USA            \ all of the passengers in his car
http://shorewall.net       \________________________________________________
Tom Eastep wrote:
> I rather doubt that rule is what you want. It will redirect port 80 to
> local port 8081 EXCEPT IF THEY ARE SENT BY 10.0.0.0/9.
>

I will redirect only the 10.128.0.0/9 network to dansguardian/proxy with ntlm authentication.

> When you show us a few rules out of context, we really cannot tell if
> they are 'good' or not.
>

I enclose my rules:

#SSH
SSH/ACCEPT loc $FW

#PING
Ping/ACCEPT loc $FW
Ping/ACCEPT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp

#SAMBA
SMB/ACCEPT $FW loc
SMB/ACCEPT loc $FW

#DNS
DNS/ACCEPT loc $FW
DNS/ACCEPT $FW loc
DNS/ACCEPT $FW net

#SSH
SSH/ACCEPT net $FW

#SQUID & DANSGUARDIAN
HTTP/ACCEPT $FW net
REDIRECT loc:!10.0.0.0/9 8081 tcp 80 -
DROP net $FW tcp 8081
DROP net $FW tcp 8080

#HTTP
HTTP/ACCEPT net $FW
HTTP/ACCEPT loc $FW

#HTTPS
HTTPS/ACCEPT loc $FW
HTTPS/ACCEPT net $FW

#SMTP
SMTP/ACCEPT net $FW
SMTP/ACCEPT loc $FW

#POP
POP3/ACCEPT net $FW
POP3/ACCEPT loc $FW

#IMAP
IMAP/ACCEPT net $FW
IMAP/ACCEPT loc $FW

#IMAP SSL
IMAPS/ACCEPT net $FW
IMAPS/ACCEPT loc $FW

#POP3S
POP3S/ACCEPT net $FW
POP3S/ACCEPT loc $FW

#TFTP
ACCEPT $FW loc udp 69
ACCEPT loc $FW udp 69

Thanks for help!
Sebastian wrote:
> Tom Eastep wrote:
>> I rather doubt that rule is what you want. It will redirect port 80 to
>> local port 8081 EXCEPT IF THEY ARE SENT BY 10.0.0.0/9.
>>
> I will redirect only the 10.128.0.0/9 network to dansguardian/proxy with
> ntlm authentication.
>> When you show us a few rules out of context, we really cannot tell if
>> they are 'good' or not.
>>
>>
>
> I enclose my rules:
>

My point was, *I don't know what you are trying to do*. You have shown us a script that used variables which were never defined and then you ask us if your rules are okay. We can't answer that. Even seeing the output of 'shorewall dump' (which is what we prefer to look at) won't tell us if your configuration is 'correct' if we don't know what your definition of 'correct' is.

My *guess* about what you want is:

HTTP/ACCEPT $FW net
REDIRECT loc 8081 tcp 80 - !10.0.0.0/9

That will:

a) Allow your proxy to access the net (first rule)
b) Redirect TCP 80 requests to local port 8081 unless they were originally addressed to 10.0.0.0/9

But that's only my guess.

-Tom
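Added example, not part of the thread or of shorewall itself: a small Python model of the rules-file columns used above, showing how the two REDIRECT forms differ. In Sebastian's rule the `!10.0.0.0/9` qualifier sits in the SOURCE column (excluding senders), in Tom's guess it sits in the ORIGINAL DEST column (excluding destinations); the client and server addresses below are constructed for illustration.

```python
import ipaddress

# Column order of a shorewall 'rules' entry as written in the thread:
# ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


def parse_rule(line):
    """Split one rules line into named columns; '-' means 'not specified'."""
    fields = line.split()
    return {col: (fields[i] if i < len(fields) and fields[i] != "-" else None)
            for i, col in enumerate(COLUMNS)}


def split_qualifier(spec):
    """'!10.0.0.0/9' -> (network, negated=True); '10.0.0.0/9' -> (network, False)."""
    negated = spec.startswith("!")
    return ipaddress.ip_network(spec.lstrip("!")), negated


def address_ok(spec, ip):
    """True when ip satisfies an optional, possibly negated, network qualifier."""
    if spec is None:
        return True
    net, negated = split_qualifier(spec)
    return (ip in net) != negated


def redirect_port(rule, src_zone, src_ip, dst_ip, dport, proto="tcp"):
    """Return the local port a REDIRECT rule sends this connection to, or None."""
    if rule["action"] != "REDIRECT":
        return None
    zone, _, src_spec = rule["source"].partition(":")   # 'loc:!10.0.0.0/9'
    if zone != src_zone or not address_ok(src_spec or None, ipaddress.ip_address(src_ip)):
        return None
    if rule["proto"] is not None and rule["proto"] != proto:
        return None
    if rule["dport"] is not None and int(rule["dport"]) != dport:
        return None
    if not address_ok(rule["origdest"], ipaddress.ip_address(dst_ip)):
        return None
    return int(rule["dest"])


# Sebastian's rule (source exclusion) and Tom's guess (original-destination exclusion)
SEB_RULE = parse_rule("REDIRECT loc:!10.0.0.0/9 8081 tcp 80 -")
TOM_RULE = parse_rule("REDIRECT loc 8081 tcp 80 - !10.0.0.0/9")
```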