[NoCat] Squid Transparent Proxy

E Roberts eroberts-nocat at omninet-solutions.com
Sun, 21 Mar 2004 15:55:27 -0500


I found the attached message on the mailing list.  After putting in the 4
rules shown here I have found a bit of a hole now in my nocat server.  If
a user puts the proxy directly into their browser and connects straight to
port 8080 they are allowed internet access with no login page.  Any ideas
on how to only allow access to the transparent proxy through the firewall
redirect and not a straight connection to port 8080?

<old message from mailing list>

[NoCat] Squid Transparent Proxy
Matt Barclay mbarclay at openfbo.com
Tue, 28 Oct 2003 22:53:39 -0800 (PST)


Try this:  edit /usr/local/nocat/libexec/iptables/initialize.fw and at the
end of the file add:

iptables -t nat -I PREROUTING -m mark --mark 1 -i $InternalDevice -p tcp -s $LocalNetwork --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -m mark --mark 2 -i $InternalDevice -p tcp -s $LocalNetwork --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -m mark --mark 3 -i $InternalDevice -p tcp -s $LocalNetwork --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -m mark --mark 4 -i $InternalDevice -p tcp -s $LocalNetwork -d $AuthServiceAddr --dport 80 -j REDIRECT --to-port 8080

This assumes you aren't running in Open mode, you want to proxy the
request to the auth server, and you have only 1 InternalDevice and
LocalNetwork.

The idea being that clients who've authenticated into the Owner, Co-op,
and public class should be redirected to squid for proxying onto the
internet rather than being masqueraded.

If you want a clean(er) solution, you should take a look at the "Handle
tagged traffic" section of initialize.fw and write in the above rules.
Something like (Under the "Masquerade permitted connections" comment):
$redirect -i $iface -p tcp -s $net -m mark --mark $fwmark -j REDIRECT --to-port 8080

And not quite sure where to put the rule dealing with $AuthServiceAddr.

Anyway, Good luck!

Matt

On Tue, 28 Oct 2003, Lists wrote:

> From: Lists <lists@uc9.net>
> To: nocatnet@lists.nocat.net, nocat@lists.nocat.net
> Subject: [NoCat] Squid Transparent Proxy
> Date: Tue, 28 Oct 2003 08:36:21 -0500 (EST)
>
> before I used nocat, I would put a line like
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp -s $ip --dport 80 -j REDIRECT --to-port 8080
>
> into iptables.
>
> Where do I have to put that line now?  Squid and Nocat are on the same
> box.
>
> Please Help,
>
> Michael
>
>
>
> _______________________________________________
> NoCat mailing list
> NoCat@lists.nocat.net
> http://lists.nocat.net/mailman/listinfo/nocat
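An added example, not from the list thread and not NoCat's own code, showing one way to close the hole E Roberts describes: the Squid port is reachable only for connections that the nat REDIRECT rule actually rewrote, and a browser that points straight at port 8080 is dropped in the filter table. It assumes an iptables build with the conntrack match (-m conntrack --ctstate DNAT), Squid listening on TCP 8080 on the gateway, and the $InternalDevice / $LocalNetwork variables that initialize.fw already defines; the function and variable names in the script are the example's own.

```shell
#!/bin/sh
# Added example (not part of NoCat): only let REDIRECTed connections reach
# Squid on the gateway; drop direct client connections to the proxy port.
#
# Assumptions: iptables with the conntrack match (-m conntrack --ctstate),
# Squid bound to TCP 8080, and the same $InternalDevice / $LocalNetwork
# variables used by initialize.fw.

IPT=${IPT:-iptables}   # iptables binary; override for testing
DRYRUN=${DRYRUN:-}     # non-empty: print the rules instead of applying them

run() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# install_squid_guard IFACE NET PORT
# Two filter-table rules, both inserted at the head of INPUT so they take
# precedence over anything NoCat appends later:
#   ACCEPT tcp/PORT from NET on IFACE only when conntrack carries the DNAT
#          state, i.e. the connection was rewritten by a nat REDIRECT rule
#          (a packet that originally went to port 80);
#   DROP   every other tcp/PORT packet arriving on IFACE, which is exactly
#          what a browser configured with the proxy address would send.
# The DROP is inserted first so that the ACCEPT inserted afterwards at
# position 1 ends up above it.
install_squid_guard() {
    iface=$1; net=$2; port=$3
    run "$IPT" -I INPUT 1 -i "$iface" -p tcp --dport "$port" -j DROP
    run "$IPT" -I INPUT 1 -i "$iface" -p tcp -s "$net" --dport "$port" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Print the rule set without touching the kernel (review before applying).
preview_squid_guard() {
    ( DRYRUN=1; install_squid_guard "$@" )
}

# Stand-alone use on the gateway, e.g. from the end of initialize.fw:
#   SQUID_GUARD_APPLY=1 sh squid-guard.sh
# Defaults below are placeholders for a box where the NoCat variables are
# not exported.
if [ "${SQUID_GUARD_APPLY:-0}" = 1 ]; then
    install_squid_guard "${InternalDevice:-eth1}" \
                        "${LocalNetwork:-192.168.1.0/24}" 8080
fi
```

Because REDIRECT is a form of DNAT, the REDIRECTed packets arrive at INPUT with destination port 8080 and the DNAT conntrack state; a direct connection to 8080 arrives with the same port but without that state, so only the second rule matches it. Locally generated traffic to Squid is unaffected because both rules are restricted to the internal interface. Put the call after NoCat's own rules have been loaded (for instance at the end of initialize.fw, where Matt suggests adding the REDIRECT lines), since a firewall reset would otherwise flush it.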