Emiliano Vazquez
2012-Jul-27 00:32 UTC
How to send DNS request to another server (VM server on the same Box)
I have a dilemma with https from some users and I need to resolve this.

My problem: I have users with full access and restricted access. Squid solves this problem at this moment, but I can't block https (secure http) on port 443.

What I did:

#######################################################################

I'm reading about this problem and I found a solution using the latest squid 3.2.x. The problem is that this type of filter makes some changes on the SSL and sometimes the web browser makes noise (https://www.gmail.com is one of these). This solution is in this link http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/ but this solution doesn't work for me.

#######################################################################

Another solution is using shorewall and blocking the different hosts per IP with a rule like this:

REJECT loc net:69.171.224.0/19,66.220.144.0/20 tcp 443

This solution is explained here http://comments.gmane.org/gmane.comp.security.shorewall/27475 but this is too complicated to get working for every IP of each page to block.

#######################################################################

At the end of reading I think: "is it possible to block like OpenDNS does?" http://www.opendns.com/parental-controls/

I tried something like this http://www.deer-run.com/~hal/sysadmin/dns-advert.html and got it fully working and functional! But I forgot to remember that I need to have users with full access. My configuration blocks all IPs on the LAN from getting access to this.

What did I do? I created a Virtual Machine with bind9 and made the same configuration on bind9. I'm trying to send requests from IPs with restricted access to this VM but I don't know how to do it in the right way!

I tried (all in /etc/shorewall/rules):

DNAT loc:192.168.2.12 virt:192.168.122.10:53 udp 53

where
loc:192.168.2.12 is the IP which will have restricted access
virt:192.168.122.10 is the IP of the VM which has internet and resolves OK (can ping ok)

I'm stuck again.

If you need more information please let me know. Any help will be appreciated.

Best regards.

--
Emiliano Vazquez | PcCentro Informatica & CCTV
Office: +54 (11) 4951-0203 Interno 4
Movil: 011-15-6253-7165
Mail: emilianovazquez@gmail.com
Web: http://www.pccentro.com.ar

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Benny Pedersen
2012-Jul-27 04:54 UTC
Re: How to send DNS request to another server (VM server on the same Box)
Den 2012-07-27 02:32, Emiliano Vazquez skrev:

> What did I do?

nothing, since there is no problem imho :)

but if one likes to try, does your squid server have your own ssl cert that is not self-signed? if so, good :)

but since users try other ssl certs on different homepages, then it breaks, so one really needs a single cert that is not self-signed covering all users' homepages so ssl will stay valid for any dest, very simple :)

giving up on ssl?, hehe, drop it
Emiliano Vazquez
2012-Jul-27 12:34 UTC
Re: How to send DNS request to another server (VM server on the same Box)
>> What did I do?
>
> nothing, since there is no problem imho :)

hehehehe.

> but if one likes to try, does your squid server have your own ssl cert
> that is not self-signed?
>
> if so, good :)
>
> but since users try other ssl certs on different homepages, then it breaks,
> so one really needs a single cert that is not self-signed covering all users'
> homepages so ssl will stay valid for any dest, very simple :)
>
> giving up on ssl?, hehe, drop it

I gave it a try but the web browsers know there's a man in the middle.

I only ask to make a port redirect to another PC like "Squid (transparent) Running in the DMZ" http://www.shorewall.net/Shorewall_Squid_Usage.html

Thanks for your reply.

Emiliano Vazquez | PcCentro Informatica & CCTV
Office: +54 (11) 4951-0203 Interno 4
Movil: 011-15-6253-7165
Mail: emilianovazquez@gmail.com
Web: http://www.pccentro.com.ar

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2012-Jul-27 13:33 UTC
Re: How to send DNS request to another server (VM server on the same Box)
On 07/26/2012 05:32 PM, Emiliano Vazquez wrote:

> What did I do?
>
> I created a Virtual Machine with bind9 and made the same configuration on
> bind9. I'm trying to send requests from IPs with restricted access to
> this VM but I don't know how to do it in the right way!
>
> I tried (all in /etc/shorewall/rules):
>
> DNAT loc:192.168.2.12 virt:192.168.122.10:53 udp 53
>
> where
> loc:192.168.2.12 is the IP which will have restricted access
> virt:192.168.122.10 is the IP of the VM which has internet and resolves OK
> (can ping ok)

I guess this didn't work somehow? If so, what problem did you see?

That's the right approach -- did you try the DNAT troubleshooting steps in Shorewall FAQs 1a through 1c?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
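A small check to go with the DNAT approach confirmed above (an added example, not from the thread or the Shorewall project): it parses /etc/shorewall/rules-style lines and reports, per restricted host, which DNS protocols are redirected to the resolver VM. The rule in the thread covers only udp 53; DNS also runs over tcp 53, so a host whose tcp DNS is not redirected can still reach another resolver for truncated or large answers. The sample rules text is constructed; the zone names and the VM address 192.168.122.10 are taken from the thread.

```python
"""Lint Shorewall DNAT rules that redirect DNS to a filtering resolver VM."""
import re

RESOLVER_VM = "192.168.122.10"  # the bind9 VM from the thread

# Constructed rules file: the thread's udp-only rule for .12, and a second
# host (.13) with both protocols covered, plus an unrelated ACCEPT line.
SAMPLE_RULES = """\
# ACTION   SOURCE              DEST                       PROTO  DPORT
DNAT       loc:192.168.2.12    virt:192.168.122.10:53     udp    53
DNAT       loc:192.168.2.13    virt:192.168.122.10:53     udp    53
DNAT       loc:192.168.2.13    virt:192.168.122.10:53     tcp    53
ACCEPT     loc                 net                        tcp    80
"""


def dns_redirects(rules_text, resolver=RESOLVER_VM):
    """Return {source_host: set(protocols)} for DNAT rules sending port 53 to resolver."""
    found = {}
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DNAT":
            continue
        _action, source, dest, proto, dport = fields[:5]
        m = re.match(r"^[^:]+:(\S+):53$", dest)  # DEST is zone:ip:port
        if not m or m.group(1) != resolver or dport != "53":
            continue
        host = source.split(":", 1)[1] if ":" in source else source
        found.setdefault(host, set()).add(proto.lower())
    return found


def hosts_missing_protocol(rules_text, wanted=("udp", "tcp")):
    """Hosts whose DNS redirect does not cover every protocol in `wanted`."""
    want = set(wanted)
    return {host: sorted(want - protos)
            for host, protos in dns_redirects(rules_text).items()
            if want - protos}


if __name__ == "__main__":
    for host, missing in hosts_missing_protocol(SAMPLE_RULES).items():
        print(f"{host}: DNS redirect missing {', '.join(missing)}")
```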
Benny Pedersen
2012-Jul-28 08:22 UTC
Re: How to send DNS request to another server (VM server on the same Box)
Den 2012-07-27 14:34, Emiliano Vazquez skrev:

> I only ask to make a port redirect to another PC like "Squid
> (transparent) Running in the DMZ"
> http://www.shorewall.net/Shorewall_Squid_Usage.html

try the tproxy with port 443?

or squid with direct https?

if tproxy and port 443 works, add this to the wiki :)
Emiliano Vazquez
2012-Jul-30 12:00 UTC
Re: How to send DNS request to another server (VM server on the same Box)
> try the tproxy with port 443?
>
> or squid with direct https?
>
> if tproxy and port 443 works, add this to the wiki :)

Hi, I tried squid with direct https but it did not work ok. It seems the browsers don't trust my certificate :(

I'm working on a solution to block and I will post the result here soon.

Best regards.

--
Emiliano Vazquez | PcCentro Informatica & CCTV
Office: +54 (11) 4951-0203 Interno 4
Movil: 011-15-6253-7165
Mail: emilianovazquez@gmail.com
Web: http://www.pccentro.com.ar