#1 - Just Joined!, Sydney, Australia (joined Jan 2010, 68 posts)

    IPTables, Squid in a restricted network


    G'day everyone,
    I've been having some troubles when it comes to setting up IPTables and I humbly request your assistance because I just don't get it.

    Basically I'm attempting to set up a network with very limited internet access. All addresses resolve internally except for a few that resolve externally. I have Squid3 set up in transparent mode on port 3128, and it is working great. However, due to the limitations of transparent proxies on HTTPS, I am not able to achieve everything through Squid.

    This limitation I'm hoping to get around through the use of IPTables, as I only need access to a very limited number of websites.

    Below was my attempt to get this all working... however, the HTTPS part needs a complete redo. I was attempting to get just 443 to masquerade through the server; however, when I turn the proxy off I can also FTP to IP addresses, which I believe demonstrates I am NAT'ing more than just port 443.

    Please help, in short I'd like to setup the following rules:
    - allow all from lo (I think the below is correct)
    - NAT transparent proxy port 80 to 172.16.0.5:3128 (think it is correct)
    - Masquerade all outgoing TCP/UDP 443 to a limited number of IP address ranges

    These are my current IPTables rules. Thank you in advance,
    Griffo

    # loopback allow all - working
    iptables -I INPUT -i lo -j ACCEPT

    # Transparent proxy with NAT - working
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.5:3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

    # This is supposed to NAT only TCP 443. other ports getting through too, but I'd like to convert this to add acceptable IP ranges.
    iptables -A FORWARD -o eth1 -i eth0 -s 172.16.0.0/22 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    EDIT***Sorry, I really should add the following:
    Server network config
    eth0: 172.16.0.5/22 - LAN network
    eth1: 192.168.0.1/24 gateway: 192.168.0.254 - WAN network - hoping this will be a public IP when it is deployed...but if it is possible to just use the interface (without the need for the IP) that would be awesome
    Last edited by r31griffo; 01-27-2013 at 03:20 AM.

#2 - Lazydog, Linux Guru, The Keystone State (joined Jun 2004, 2,677 posts)
    You might want to start looking at your firewall another way. I either allow or block traffic on the inbound interface. Because I am already allowing it there, there is no reason to allow it again on exit. For example, your rule:
    Code:
    iptables -A FORWARD -o eth1 -i eth0 -s 172.16.0.0/22 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    could be written like this:
    Code:
    iptables -A FORWARD -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    Notice there is no need for IP addresses or the outbound interface. This rule allows all traffic heading to 443 from any machine on your network. Should you need to block certain IP addresses, you can add IP address information to the rule.

    You only really need to add outbound interfaces to the rules when there is more than one outbound interface and you want to ensure that traffic goes out the proper one.

    Regards
    Robert

    -- Linux: The adventure of a lifetime. Linux User #296285

#3 - Just Joined!, Sydney, Australia (joined Jan 2010, 68 posts)
    Excellent, thanks for the reply. I'll try it out when I get home.

    Regarding the outbound IP ranges, would you have any suggestions regarding that?

    Cheers,

    Brad

#4 - Lazydog, Linux Guru, The Keystone State (joined Jun 2004, 2,677 posts)
    What are you looking to do?

    Regards
    Robert


#5 - Just Joined!, Sydney, Australia (joined Jan 2010, 68 posts)
    Sorry Robert, I didn't explain what I was after. I must have been trying to do too many things at once.

    I'm hoping to create a whitelist of IP ranges for port 443 packets leaving the output interface.
    For the TCP 443 packets that go out the outbound interface, I want to create a whitelist of IP ranges and deny all other outbound 443 packets (or would this be better achieved on the incoming interface?). Squid is doing an excellent job of looking after HTTP.

    Some P2P applications use port 443 due to the lack of control proxies have over SSL; I'm hoping to avoid the whole issue, as I only need to access a limited number of IP addresses over 443.

    For example, I'm attempting to get a website to work correctly that accesses googleapis.com (using HTTPS to access an AJAX .js file). Using dig, I find several A records in the following range: 173.194.69.99-173.194.69.147... this is the only one I know of so far, but I'm sure there will be more in the future.

    Cheers,

    Brad

#6 - Lazydog, Linux Guru, The Keystone State (joined Jun 2004, 2,677 posts)
    Have a look at this IP Range Match.
    Replace INPUT with FORWARD and ensure that you are filtering on the LAN interface.
    Take a look at the whole Tutorial which you may find very helpful.

    Regards
    Robert

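Putting the thread's advice together, here is an added worked example (not posted by either participant) of a complete ruleset for the gateway described in post #1, expressed as an iptables-restore file generated by a small POSIX sh script. Two points it makes concrete: the reason FTP got through with the original rules is that the FORWARD chain never dropped anything, so with the chain's default ACCEPT policy the POSTROUTING MASQUERADE rule happily NATed every protocol; setting the FORWARD policy to DROP and whitelisting only NEW TCP/443 connections to specific destination ranges with the iprange match (post #6) on the LAN interface is what actually restricts the traffic. MASQUERADE also answers the "use the interface without the IP" wish: it picks up whatever address eth1 has when the packet leaves. Interface names, the LAN prefix, the Squid port and the googleapis.com range are taken from the thread; the second whitelist range (198.51.100.x, a documentation prefix) is a constructed placeholder to show that the list is data-driven, and Squid is assumed to run on the gateway itself (eth0 is 172.16.0.5), so a plain REDIRECT replaces the DNAT.

```shell
#!/bin/sh
# Added example, not the thread's own rules. Generates an iptables-restore
# ruleset for the Squid gateway described in post #1. Apply as root with:
#   sh gateway-rules.sh | iptables-restore
# Run without a pipe to review the generated rules first.

LAN_IF="eth0"             # 172.16.0.5/22, LAN side (post #1)
LAN_NET="172.16.0.0/22"
WAN_IF="eth1"             # 192.168.0.1/24 today, public address later
SQUID_PORT="3128"         # Squid3 in transparent mode on this host

# Destination whitelist for HTTPS: one "first-last" range per line,
# "#" starts a comment. Add new ranges here as they are discovered.
HTTPS_WHITELIST='
# googleapis.com A records seen with dig (post #5)
173.194.69.99-173.194.69.147
# constructed placeholder range (documentation prefix), not a real target
198.51.100.10-198.51.100.20
'

# Emit one FORWARD rule per whitelist entry. Matching on the LAN interface
# with --ctstate NEW means only the first packet of each HTTPS connection is
# checked against the list; the replies ride on the ESTABLISHED rule.
https_whitelist_rules() {
    printf '%s\n' "$HTTPS_WHITELIST" | while IFS= read -r range; do
        case "$range" in ''|\#*) continue ;; esac
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -m conntrack --ctstate NEW -m iprange --dst-range $range -j ACCEPT"
    done
}

# Whole ruleset in iptables-restore format (comment lines are ignored by it).
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: Squid listens on this gateway, so REDIRECT is enough.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# MASQUERADE uses whatever address $WAN_IF has at the time. It only rewrites
# packets the filter table has already allowed to be forwarded.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections we allowed, in both directions.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
EOF
    https_whitelist_rules
    cat <<EOF
# Anything else from the LAN is logged (rate limited) and then dropped by the
# FORWARD policy. Watch this log for the next range that needs whitelisting.
-A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Root-free sanity checks on the generated text.
count_whitelist_rules() {
    ruleset | grep -c -- '--dport 443 .* -j ACCEPT'
}

forward_policy() {
    ruleset | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

ruleset
```

Before applying this on a real box, note that the FORWARD policy of DROP also stops LAN-to-WAN DNS, NTP and anything else not listed, which matches the goal of the thread (everything resolves internally) but must be deliberate; and the INPUT chain is left at ACCEPT here, as in the original post, so remote administration of the gateway is unaffected.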
