[NoCat] Squid Transparent Proxy
Scott Tully
tullys at publicip.net
Sun, 21 Mar 2004 16:19:29 -0500
Add this to the bottom of the file
iptables -t nat -A PREROUTING -s ! 127.0.0.1 -p tcp --dport 8080 -j DROP
Scott
*-----Original Message-----
*From: nocat-admin@lists.nocat.net
*[mailto:nocat-admin@lists.nocat.net] On Behalf Of E Roberts
*Sent: Sunday, March 21, 2004 3:55 PM
*To: NoCat@lists.nocat.net
*Subject: [NoCat] Squid Transparent Proxy
*
*
*I found the attached message on the mailing list. After putting in the 4
*rules shown here I have found a bit of a hole now in my nocat server. If
*a user puts the proxy directly into their browser and connects straight to
*port 8080 they are allowed internet access with no login page. Any ideas
*on how to only allow access to the transparent proxy through the firewall
*redirect and not a straight connection to port 8080?
*
*<old message from mailing list>
*
*[NoCat] Squid Transparent Proxy
*Matt Barclay mbarclay at openfbo.com
*Tue, 28 Oct 2003 22:53:39 -0800 (PST)
*
*
*Try this: edit
*/usr/local/nocat/libexec/iptables/initialize.fw and at the
*end of the file add:
*
*iptables -t nat -I PREROUTING -m mark --mark 1 -i $InternalDevice -p tcp -s $LocalNetwork --dport 80 -j REDIRECT --to-port 8080
*iptables -t nat -I PREROUTING -m mark --mark 2 -i $InternalDevice -p tcp -s $LocalNetwork --dport 80 -j REDIRECT --to-port 8080
*iptables -t nat -I PREROUTING -m mark --mark 3 -i $InternalDevice -p tcp -s $LocalNetwork --dport 80 -j REDIRECT --to-port 8080
*iptables -t nat -I PREROUTING -m mark --mark 4 -i $InternalDevice -p tcp -s $LocalNetwork -d $AuthServiceAddr --dport 80 -j REDIRECT --to-port 8080
*
*This assumes you aren't running in Open mode, you want to proxy the
*request to the auth server, and you have only 1 InternalDevice and
*LocalNetwork.
*
*The idea being that clients who've authenticated into the Owner, Co-op,
*and public class should be redirected to squid for proxying onto the
*internet rather than being masqueraded.
*
*If you want a clean(er) solution, you should take a look at the "Handle
*tagged traffic" section of initialize.fw and write in the above rules.
*Something like (Under the "Masquerade permitted connections" comment):
*$redirect -i $iface -p tcp -s $net -m mark --mark $fwmark -j REDIRECT --to-port 8080
*
*And not quite sure where to put the rule dealing with $AuthServiceAddr.
*
*Anyway, Good luck!
*
*Matt
*
*On Tue, 28 Oct 2003, Lists wrote:
*
*> From: Lists <lists@uc9.net>
*> To: nocatnet@lists.nocat.net, nocat@lists.nocat.net
*> Subject: [NoCat] Squid Transparent Proxy
*> Date: Tue, 28 Oct 2003 08:36:21 -0500 (EST)
*>
*> before I used nocat, I would put a line like
*>
*> iptables -t nat -A PREROUTING -i eth1 -p tcp -s $ip --dport 80 -j REDIRECT --to-port 8080
*>
*> into iptables.
*>
*> Where do I have to put that line now? Squid and Nocat are on the same
*> box.
*>
*> Please Help,
*>
*> Michael
*>
*>
*>
*> _______________________________________________
*> NoCat mailing list
*> NoCat@lists.nocat.net
*> http://lists.nocat.net/mailman/listinfo/nocat
*
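The bypass E Roberts describes exists because the four REDIRECT rules only steer port-80 traffic into Squid; nothing stops a client from connecting to the gateway's port 8080 directly and skipping the NoCat login page. The script below is an added example, not code from the NoCat project or from anyone in this thread. It writes the quoted REDIRECT rules as a loop and adds a filter-table guard chain that lets the Squid port accept only connections that arrived through the REDIRECT (the conntrack DNAT state), dropping and logging direct connections; this complements the nat-table drop in the reply above. The interface, network, auth-server address, port and the `IPT` dry-run variable are assumed stand-ins for what NoCat's initialize.fw would supply.

```shell
#!/bin/sh
# Added example for the NoCat/Squid thread; not code from NoCat or the thread.
#   1. the four REDIRECT rules from the quoted message, written as a loop;
#   2. a filter-table guard so the Squid port accepts only connections that
#      arrived through that REDIRECT, closing the direct-to-8080 bypass.
set -u

IPT="${IPT:-echo iptables}"   # dry run by default; run with IPT=iptables to apply

# Assumed values (constructed for the example, not taken from the thread)
InternalDevice="${InternalDevice:-eth1}"
LocalNetwork="${LocalNetwork:-10.0.0.0/24}"
AuthServiceAddr="${AuthServiceAddr:-10.0.0.1}"
SquidPort="${SquidPort:-8080}"

# Redirect authenticated (fwmark 1..3) web traffic to Squid; mark 4 only for
# the auth server, as in the quoted rules. The match is on the original
# --dport 80, i.e. before REDIRECT rewrites the destination port.
squid_redirect_rules() {
    for fwmark in 1 2 3; do
        $IPT -t nat -I PREROUTING -m mark --mark "$fwmark" -i "$InternalDevice" \
            -p tcp -s "$LocalNetwork" --dport 80 -j REDIRECT --to-port "$SquidPort"
    done
    $IPT -t nat -I PREROUTING -m mark --mark 4 -i "$InternalDevice" \
        -p tcp -s "$LocalNetwork" -d "$AuthServiceAddr" --dport 80 \
        -j REDIRECT --to-port "$SquidPort"
}

# Guard the Squid port in the filter table. A redirected connection carries
# the conntrack DNAT state (original destination differs from the local one);
# a client that typed gateway:8080 into its browser does not, so it is logged
# (rate-limited) and dropped before Squid ever sees the request.
squid_guard_rules() {
    $IPT -N squid_guard 2>/dev/null || $IPT -F squid_guard
    $IPT -A squid_guard -m conntrack --ctstate DNAT -j ACCEPT
    $IPT -A squid_guard -m limit --limit 5/min -j LOG --log-prefix "squid-bypass: "
    $IPT -A squid_guard -j DROP
    # Insert at the head of INPUT so an earlier blanket ACCEPT cannot win.
    $IPT -I INPUT 1 -i "$InternalDevice" -p tcp --dport "$SquidPort" -j squid_guard
}

# Self-check on the generated rule text: the guard must accept the DNAT
# state before it reaches the DROP, otherwise redirected clients break too.
guard_order_ok() {
    rules=$( IPT="echo iptables"; squid_guard_rules )
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--ctstate DNAT -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- 'squid_guard -j DROP' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

squid_redirect_rules
squid_guard_rules
```

Run it as-is to print the rules, or with `IPT=iptables` (as root) to apply them. The guard relies on the conntrack match, so the connection-tracking module must be loaded; because it keys on the DNAT state rather than on the fwmark, even an authenticated user who configures the proxy by hand is refused, which is exactly the behaviour asked for in the thread.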