Re: transparent proxy
On 06/03/14 16:31, Chris wrote:
> Hi Scott,
>
> On 03/04/2014 10:17 AM, Scott Ferguson wrote:
>> I route suspect boxes through a transparent proxy to see if there are
>> channels in use that shouldn't be.
>
> are you using port mirroring or any special software? iptables logging?
>
> - Chris

virtualbox, ipcop and wireshark

Kind regards

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/531837cf@gmail.com
Re: transparent proxy
A document I wrote might be of use to you... http://www.debianturkiye.org/forum/proxy_server_kurulumu_squid_dansguardian_clamav-t288.0.html;msg1208#msg1208
Re: Transparent proxy - forwarding does not work
On Jan 14, 2008 7:26 PM, Eduardo M KALINOWSKI [EMAIL PROTECTED] wrote:
> I'm trying to setup a transparent caching proxy with Squid. I've installed
> Squid, configured it, in particular using the line
>
> http_port 3128 transparent
>
> The proxy is working fine. If I specify the proxy manually, I can see it
> being used from access.log, and note the results of caching.
>
> However, the automatic forwarding is not working. First, I've enabled
> forwarding with
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Then, following instructions found in the internet, I've run
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> to setup automatic forwarding of http requests. The command runs fine, and
> the rule is added:
>
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> However, the forwarding simply does not happen. Requests do not pass
> through the proxy, everything works as before.
>
> Is there anything that is missing?
>
> Kernel is linux-image-2.6.22-2-amd64, version 2.6.22-4. Now I'm using
> squid3 version 3.0.STABLE1-1, but I've also tried with squid 2.6.17-1, and
> the results are the same.
>
> Thanks in advance,
>
> --
> History repeats itself. That's one thing wrong with history.
>
> Eduardo M KALINOWSKI
> [EMAIL PROTECTED]
> http://move.to/hpkb

I have the almost exact setup with Squid 2.6 and it works fine. One point
though, I have 2 network interfaces, eth0 for internet and eth1 for LAN.
Squid listens only on eth1 and loop back on transparent mode.

http_port my.lan.ip:3128 transparent
http_port 127.0.0.1:3128 transparent

Mihira.

--
Random Quotes From Megas XLR
Coop: You see? The mysteries of the Universe are revealed when you break stuff.
Jamie: When in doubt, blow up a planet.
Kiva: It's an 80 foot robot, if we can't see it, absolutely it's not here.
Glorft Technician: Unnecessary use of force in capturing the Earthers has been approved.
Re: Transparent proxy - forwarding does not work
On Jan 17, 2008 2:37 PM, Mihira Fernando [EMAIL PROTECTED] wrote:
> On Jan 14, 2008 7:26 PM, Eduardo M KALINOWSKI [EMAIL PROTECTED] wrote:
>> I'm trying to setup a transparent caching proxy with Squid. I've
>> installed Squid, configured it, in particular using the line
>>
>> http_port 3128 transparent
>>
>> The proxy is working fine. If I specify the proxy manually, I can see it
>> being used from access.log, and note the results of caching.
>>
>> However, the automatic forwarding is not working. First, I've enabled
>> forwarding with
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> Then, following instructions found in the internet, I've run
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> to setup automatic forwarding of http requests. The command runs fine,
>> and the rule is added:
>>
>> # iptables -t nat -L
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> However, the forwarding simply does not happen. Requests do not pass
>> through the proxy, everything works as before.
>>
>> Is there anything that is missing?
>>
>> Kernel is linux-image-2.6.22-2-amd64, version 2.6.22-4. Now I'm using
>> squid3 version 3.0.STABLE1-1, but I've also tried with squid 2.6.17-1,
>> and the results are the same.
>>
>> Thanks in advance,
>>
>> --
>> History repeats itself. That's one thing wrong with history.
>>
>> Eduardo M KALINOWSKI
>> [EMAIL PROTECTED]
>> http://move.to/hpkb
>
> I have the almost exact setup with Squid 2.6 and it works fine. One point
> though, I have 2 network interfaces, eth0 for internet and eth1 for LAN.
> Squid listens only on eth1 and loop back on transparent mode.
>
> http_port my.lan.ip:3128 transparent
> http_port 127.0.0.1:3128 transparent
>
> Mihira.

Forgot to add: iptables is set for the LAN interface (eth1) for the port
redirection

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

and port redirection on the internet interface (eth0)

Mihira.
Re: [SOLVED] Re: Transparent proxy - forwarding does not work
Alex Samad wrote:
> On Tue, Jan 15, 2008 at 03:08:55PM -0200, Eduardo M KALINOWSKI wrote:
>> Alex Samad wrote:
>>> On Tue, Jan 15, 2008 at 08:11:34AM -0200, Eduardo M KALINOWSKI wrote:
>>>> Alex Samad wrote:
>>>> [snip]
>>
>> Well, this solution is far more complicated than what I wanted, so I took
>> a look at iptables' manpage and discovered that matching can be done based
>> on the UID that is running the process, so the idea is to let requests
>> made by user 'proxy' through, and redirect all others to the proxy. This
>> accounts to the two lines
>>
>> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
>> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> I think there is a caveat it only works on non smp boxes !

Happens to be the case. ;-)

According to the iptables manpage, matching by uid and gid are fine (well, at
least there is no mention that it is not fine), but there are problems for
pid, sid and cmd-name for SMP. (And they require special kernel support, etc,
etc.)

--
if (instr(buf,sys_errlist[errno])) /* you don't see this */
-- Larry Wall in eval.c from the perl source code

Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb
Re: Transparent proxy - forwarding does not work
Alex Samad wrote:
> On Mon, Jan 14, 2008 at 05:26:17PM -0200, Eduardo M KALINOWSKI wrote:
>> I'm trying to setup a transparent caching proxy with Squid. I've
>> installed Squid, configured it, in particular using the line
>>
>> http_port 3128 transparent
>>
>> The proxy is working fine. If I specify the proxy manually, I can see it
>> being used from access.log, and note the results of caching.
>>
>> However, the automatic forwarding is not working. First, I've enabled
>> forwarding with
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> are you only trying to capture http request from this machine ? if so you
> don't need this
>
>> Then, following instructions found in the internet, I've run
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> if you are only trying to capture http request from this machine (the same
> as the proxy) then you need to use the output chain

OK, so I changed the line and ran

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

This does make the requests go through the proxy. However, I can only access
objects which are already in cache. When squid needs to fetch an object from
some server, the browser or wget stay at Waiting connection. Possibly the
proxy's request is being again forwarded to the proxy.

--
There's no sense in being precise when you don't even know what you're
talking about.
-- John von Neumann

Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb
Re: Transparent proxy - forwarding does not work
On Tue, Jan 15, 2008 at 08:11:34AM -0200, Eduardo M KALINOWSKI wrote:
> Alex Samad wrote:
>> On Mon, Jan 14, 2008 at 05:26:17PM -0200, Eduardo M KALINOWSKI wrote:
>>> I'm trying to setup a transparent caching proxy with Squid. I've
>>> installed Squid, configured it, in particular using the line
>>>
>>> http_port 3128 transparent
>>>
>>> The proxy is working fine. If I specify the proxy manually, I can see
>>> it being used from access.log, and note the results of caching.
>>>
>>> However, the automatic forwarding is not working. First, I've enabled
>>> forwarding with
>>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> are you only trying to capture http request from this machine ? if so
>> you don't need this
>>
>>> Then, following instructions found in the internet, I've run
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> if you are only trying to capture http request from this machine (the
>> same as the proxy) then you need to use the output chain
>
> OK, so I changed the line and ran
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> This does make the requests go through the proxy. However, I can only
> access objects which are already in cache. When squid needs to fetch an
> object from some server, the browser or wget stay at Waiting connection.
> Possibly the proxy's request is being again forwarded to the proxy.

sounds like the problem. Set tcp_outgoing_address in squid.conf, assign your
box 2 addresses, 1 for normal use and the other for squid use and then setup
the iptables filter to only pick up from the first

> --
> There's no sense in being precise when you don't even know what you're
> talking about.
> -- John von Neumann
>
> Eduardo M KALINOWSKI
> [EMAIL PROTECTED]
> http://move.to/hpkb

--
My administration has been calling upon all the leaders in the -- in the
Middle East to do everything they can to stop the violence, to tell the
different parties involved that peace will never happen.
- George W. Bush
08/13/2001
Crawford, TX
[SOLVED] Re: Transparent proxy - forwarding does not work
Alex Samad wrote:
> On Tue, Jan 15, 2008 at 08:11:34AM -0200, Eduardo M KALINOWSKI wrote:
>> Alex Samad wrote:
>>> if you are only trying to capture http request from this machine (the
>>> same as the proxy) then you need to use the output chain
>>
>> OK, so I changed the line and ran
>>
>> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> This does make the requests go through the proxy. However, I can only
>> access objects which are already in cache. When squid needs to fetch an
>
> sounds like the problem. Set tcp_outgoing_address in squid.conf, assign
> your box 2 addresses, 1 for normal use and the other for squid use and
> then setup the iptables filter to only pick up from the first

Well, this solution is far more complicated than what I wanted, so I took a
look at iptables' manpage and discovered that matching can be done based on
the UID that is running the process, so the idea is to let requests made by
user 'proxy' through, and redirect all others to the proxy. This accounts to
the two lines

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

--
Well, it's hard for a mere man to believe that woman doesn't have equal rights.
-- Dwight D. Eisenhower

Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb
Re: [SOLVED] Re: Transparent proxy - forwarding does not work
On Tue, Jan 15, 2008 at 03:08:55PM -0200, Eduardo M KALINOWSKI wrote:
> Alex Samad wrote:
>> On Tue, Jan 15, 2008 at 08:11:34AM -0200, Eduardo M KALINOWSKI wrote:
>>> Alex Samad wrote:
>>> [snip]
>
> Well, this solution is far more complicated than what I wanted, so I took a
> look at iptables' manpage and discovered that matching can be done based on
> the UID that is running the process, so the idea is to let requests made by
> user 'proxy' through, and redirect all others to the proxy. This accounts
> to the two lines
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

I think there is a caveat it only works on non smp boxes !

> --
> Well, it's hard for a mere man to believe that woman doesn't have equal
> rights.
> -- Dwight D. Eisenhower
>
> Eduardo M KALINOWSKI
> [EMAIL PROTECTED]
> http://move.to/hpkb

--
One of the most meaningful things that's happened to me since I've been the
governor -- the president -- governor -- president. Oops. Ex-governor. I went
to Bethesda Naval Hospital to give a fellow a Purple Heart, and at the same
moment I watched him--get a Purple Heart for action in Iraq - and at that
same - right after I gave him the Purple Heart, he was sworn in as a citizen
of the United States - a Mexican citizen, now a United States citizen.
- George W. Bush
01/09/2004
Washington, DC
Re: Transparent proxy - forwarding does not work
On Mon, Jan 14, 2008 at 05:26:17PM -0200, Eduardo M KALINOWSKI wrote:
> I'm trying to setup a transparent caching proxy with Squid. I've installed
> Squid, configured it, in particular using the line
>
> http_port 3128 transparent
>
> The proxy is working fine. If I specify the proxy manually, I can see it
> being used from access.log, and note the results of caching.
>
> However, the automatic forwarding is not working. First, I've enabled
> forwarding with
>
> echo 1 > /proc/sys/net/ipv4/ip_forward

are you only trying to capture http request from this machine ? if so you
don't need this

> Then, following instructions found in the internet, I've run
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

if you are only trying to capture http request from this machine (the same
as the proxy) then you need to use the output chain

> to setup automatic forwarding of http requests. The command runs fine, and
> the rule is added:
>
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> However, the forwarding simply does not happen. Requests do not pass
> through the proxy, everything works as before.
>
> Is there anything that is missing?
>
> Kernel is linux-image-2.6.22-2-amd64, version 2.6.22-4. Now I'm using
> squid3 version 3.0.STABLE1-1, but I've also tried with squid 2.6.17-1, and
> the results are the same.
>
> Thanks in advance,
>
> --
> History repeats itself. That's one thing wrong with history.
>
> Eduardo M KALINOWSKI
> [EMAIL PROTECTED]
> http://move.to/hpkb

--
Perhaps one way will be, if we use military force, in the post-Saddam Iraq
the U.N. will definitely need to have a role. And that way it can begin to
get its legs, legs of responsibility back.
- George W. Bush
03/16/2003
the Azores, Portugal
Re: Transparent proxy + masquerading - problem (long)
On Fri, Feb 21, 2003 at 07:35:26PM +0100, Marcin Juszkiewicz wrote:
> It was 2003-02-21 18:27 when czerw czerw wrote:
>
> I just wanted to point out.. All IP addresses are routable - some of them
> are simply private.. I once used a machine on a large 10.x.x.x network -
> there were several subnets :)

Sorry, I'll have to think harder about what I write :)

--
Regards
CZERW

Remember, information is not knowledge, knowledge is not wisdom, wisdom is
not truth, truth is not beauty, beauty is not love, love is not music, music
is the best.
Frank Zappa
Re: Transparent proxy + masquerading - problem (long)
It was 2003-02-21 18:27 when czerw czerw wrote:
> I have a small gateway configured on woody, behind which there are about
> 10 machines, of course with Debian, forming a local network (with
> non-routable addresses).

I just wanted to point out.. All IP addresses are routable - some of them are
simply private.. I once used a machine on a large 10.x.x.x network - there
were several subnets :)

--
WWW: http://users.stone.pl/szczepan/
APT: deb http://users.stone.pl/szczepan/ apt/
You don't have to be crazy to live in this planet, but it helps.
Re: Transparent Proxy
Saturday, April 6, 2002, 9:35:52 AM, Michael Hierweck wrote:
> how do you configure Squid so that it acts as a transparent proxy...

Does http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html help you?

Regards,
Marcus

--
Fickle minds, pretentious attitudes and ugly make-up on ugly faces...
The Goth Goose Of The Week: http://www.gothgoose.net
Re: Transparent Proxy
Hello, Michael!

* Michael Hierweck [EMAIL PROTECTED] [020406 09:35]:
> how do you configure Squid so that it acts as a transparent proxy...

http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html got me there quickly.

> Basically I think I have understood it: you set up a REDIRECT with iptables
> NAT so that outgoing data with destination port 80 is diverted to local
> port 3128. If you have a proxy server with an eth0 and a ppp0 interface,
> the documentation suggests putting the REDIRECT into the PREROUTING of
> eth0...

You have apparently read the documentation too; that is exactly how it runs
for me.

> How do you do it when you have a single workstation, i.e. when you also
> want to direct port 80 requests from the machine on which Squid runs to
> Squid? Is that possible at all, or do you end up in an endless loop?
> Request - Redirect - Squid - Request - Redirect - Squid... Because Squid,
> when it has to query the web, also uses destination port 80...

That is most likely exactly the problem.

1st solution: configure the proxy in the local programs.

2nd solution: use the owner module of iptables, e.g. (in OUTPUT):

iptables -t nat -A OUTPUT -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

(So: every process owned by proxy may make all of its requests to the
outside directly; from all others, requests to port 80 are redirected.)

Of course untested!

HTH,
Alex

--
Alexander Weiß, Germany
[EMAIL PROTECTED]
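Added example, not code from any post above: the loop that both Eduardo's [SOLVED] thread and Alex's owner-module suggestion deal with is a rule-ordering problem in the nat OUTPUT chain, so this script audits a chain dump in `iptables -t nat -S OUTPUT` format for a port-80 REDIRECT that is not preceded by an owner exemption, and prints the rule pairs for the two layouts in the thread (clients on the proxy box itself, and clients behind the box on eth1). It assumes Squid runs as user "proxy" on port 3128 as in the thread; SAMPLE_LOOP and SAMPLE_FIXED are constructed dumps, not captures.

```shell
#!/bin/sh
# Added example, not code from any post in the thread: audits a nat OUTPUT
# chain for the self-redirect loop discussed above and prints the corrected
# rules. Assumes Squid runs as user "proxy" on port 3128 (as in the thread);
# SAMPLE_LOOP and SAMPLE_FIXED below are constructed dumps, not captures.

PROXY_USER=${PROXY_USER:-proxy}
PROXY_PORT=${PROXY_PORT:-3128}

# Reads a chain in `iptables -t nat -S OUTPUT` format on stdin. Returns:
#   0  port-80 REDIRECT preceded by an owner exemption ([SOLVED] layout)
#   1  REDIRECT with no earlier exemption, so Squid's own fetches are sent
#      back into Squid (the "Waiting connection" hang in the thread)
#   2  no REDIRECT to the proxy port at all (nothing is intercepted)
audit_output_chain() {
    exempt_seen=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-m owner --uid-owner "*"-j ACCEPT"*) exempt_seen=1 ;;
            *"--dport 80 "*"-j REDIRECT --to-ports $PROXY_PORT"*)
                [ "$exempt_seen" -eq 1 ] && return 0
                return 1 ;;
        esac
    done
    return 2
}

# Rules for the two cases in the thread. local: clients on the proxy box
# itself -> nat OUTPUT, proxy user let out first. lan: clients behind the
# box -> nat PREROUTING on the LAN-facing interface only, never the uplink.
fixed_rules() {
    case "$1" in
        local)
            printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner %s -j ACCEPT\n' "$PROXY_USER"
            printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$PROXY_PORT" ;;
        lan)
            printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "${2:-eth1}" "$PROXY_PORT" ;;
        *)  echo "usage: fixed_rules local|lan [lan-iface]" >&2; return 1 ;;
    esac
}

# Prints a verdict for the dump on stdin; $1 is a label for the report.
report() {
    rc=0; audit_output_chain || rc=$?
    case "$rc" in
        0) echo "$1: proxy user exempted before REDIRECT (ok)" ;;
        1) echo "$1: REDIRECT without prior owner exemption (loop risk)" ;;
        2) echo "$1: no REDIRECT to port $PROXY_PORT" ;;
    esac
}

# Constructed sample dumps (uid 13 stands in for the proxy user).
SAMPLE_LOOP='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
SAMPLE_FIXED='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

printf '%s\n' "$SAMPLE_LOOP" | report loop     # loop risk
printf '%s\n' "$SAMPLE_FIXED" | report fixed   # ok
```

On a real host run `iptables -t nat -S OUTPUT | report live` as root; `fixed_rules lan eth1` prints the rules for Mihira's two-interface layout.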
Re: transparent proxy with Squid?
On %M 0, Louis-David Mitterrand wrote:
> Has anybody successfully configured Linux and Squid to act as a transparent
> proxy? I have looked at the Squid FAQ and an interesting pointer provided
> by it (http://alderan.gurulink.com/transproxy-linux21-squid2.html) but have
> not succeeded yet. All squid configuration options and ipchains commands
> having been entered the www requests still go right past squid.

It worked for me; I installed tproxyd, booted a kernel with transparent proxy
support, and followed the advice in /usr/doc/tproxyd (from memory).

> I am using the latest Debian-potato snapshot with Squid-2.2 and kernel
> 2.2.7 on our masquerading firewall.
>
> Thanks in advance for any help.
>
> PS: are there well-known disadvantages in using transparent proxying? (vs.
> configuring each browser on our LAN)

The only ones I am aware of are:

- If squid is 'fooled' into treating a dynamic page as static, you may see
  the wrong page, just like with any proxy;
- If a server provides non-HTTP services (e.g., SSL) on port 80 you won't be
  able to access them, as you are going via squid;
- You don't get proxying for HTTP servers on unusual ports (81, 8080);
- If squid stops/exercises a bug you can't just turn off or change your proxy
  from your workstation.

I don't know how serious these are in the real world, but #4 is quite rare.

John P.

--
[EMAIL PROTECTED] [EMAIL PROTECTED]
Oh - I - you know - my job is to fear everything. - Bill Gates in Denmark