Official Lammle User Forum

  1. #1
    Join Date
    Nov 2008
    Location
    Birmingham, UK
    Posts
    1,447

    Default Securing transparent proxy

    I'm not sure where to pop this as it's not Cisco, but it is about security! Is there anyone who can help with a little Linux/proxy server query?

    I have a proxy server set up running Squid and Dansguardian for content filtering. I'm having trouble figuring out the iptables rules to secure the server as much as possible.

    I have the redirection working, and with 'an open system' everything works fine. Once I start locking down with iptables, the whole thing breaks. I've narrowed it down to a particular rule, and I believe it's due to having DG on the proxy, as before, when I used these rules on just a Squid box, there was no problem. I've looked into using Shorewall, but this complicated things further (at least for me with limited Unix skills).

    If anyone is knowledgeable on this subject, please reply and I'll provide the rules I'm currently using.

    Thanks
    CCNP R&S, CCNA DC
    Currently studying: CCIE R&S, CCNP Data Centre
    Follow my CCIE progress with study notes on my blog: http://beyondccna.blogspot.co.uk/

  2. #2
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    Post up as much as you can, Fuzz, or PM me. I know someone whom I can ask.
    Maddox Thomas-Clark 14/10/2008
    Bean Thomas-Clark 18/09/2007
    Big Evils Cisco World
    Linkedin

  3. #3
    Join Date
    Nov 2008
    Location
    Birmingham, UK
    Posts
    1,447

    Default

    Current setup:

    single linux server, single nic (eth0)
    dansguardian listening on port 8080 and forwarding to 3128
    squid listening on port 3128

    iptables

    *nat
    -A PREROUTING -p tcp -m tcp -s <local net> --dport 80 -j REDIRECT --to-ports 8080
    *filter
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state -s <local net> -i eth0 --state NEW -j ACCEPT
    -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth0 -j ACCEPT

    Defaults to DROP for all filter chains

    This config works, but isn't as locked down as I'd like. I don't know if I can restrict the OUTPUT chain any further. If I remove the 'local net NEW' line and instead use:
    -A INPUT -s <local net> -i eth0 -p tcp --dport 80 -j ACCEPT
    it breaks :S

    I guess it must be down to dansguardian, as it worked when it was just a simple transparent proxy (no dans). I had it much more locked down.

    Thanks for any assistance.
    CCNP R&S, CCNA DC
    Currently studying: CCIE R&S, CCNP Data Centre
    Follow my CCIE progress with study notes on my blog: http://beyondccna.blogspot.co.uk/

  4. #4
    Join Date
    Dec 2010
    Posts
    49

    Default

    I don't have a lot of experience here, so feel free to ignore me if this makes no sense.


    In the prerouting section, destination ports that are incoming as 80 are re-written to be 8080.

    In the input chain, the line that you say does not work is trying to match 80. I don't believe anything will ever match.

    Perhaps it's a typo in your post, or...

    Perhaps that was previously a 3128, pre-Dansguardian. When you modified the line for DG, you inadvertently put in an 80 instead of 8080?

    Or perhaps I know even less than I think about all this.

  5. #5
    Join Date
    Dec 2010
    Posts
    49

    Default

    It would be a stretch to say that I am knowledgeable on the subject, but I do see one thing that seems odd to me.

    In the prerouting section, destination ports that are incoming as port 80 are re-written to be port 8080.

    In the input chain, the line that you say does not work is trying to match port 80. Shouldn't that be 8080? I don't believe anything will ever match, as all port 80s have been rewritten prior to this point.

    Perhaps it's a typo in your post???

    Also, I would think that the two -m state lines work as a pair; if you take the first one out, the second would not be useful (though I suppose it would be harmless). If you never accept new connections, then there would never be any established connections.
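The ruleset below is an added example, not the poster's rules or anything from the Squid or Dansguardian projects. It puts the setup from post #3 and the point made in post #5 into one reviewable iptables-restore file: clients' port-80 connections are rewritten to Dansguardian's port in the nat table before the filter table ever sees them, so the INPUT chain must accept the redirected port (8080), not 80. The OUTPUT chain is narrowed to what the proxy itself needs (DNS plus new HTTP/HTTPS connections), default policies are DROP, and dropped packets are logged so a broken rule shows up in the kernel log instead of failing silently. The network prefix, interface name, ports and the use of `-m conntrack --ctstate` (the modern spelling of the poster's `-m state --state`) are assumptions; the script only prints the ruleset, so it can be checked and diffed before being fed to `iptables-restore` on a live box.

```shell
#!/bin/sh
# Added example (not the poster's own rules): generate an iptables-restore
# ruleset for a single-NIC transparent proxy where Dansguardian listens on
# 8080 and hands requests to Squid on 3128. The values below are assumptions.
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"   # constructed example prefix
IFACE="${IFACE:-eth0}"
DG_PORT="${DG_PORT:-8080}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the ruleset to stdout. Review it, then apply with:
#   gen_rules | iptables-restore
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Client port-80 traffic is rewritten to Dansguardian's port here, before the
# filter table sees it. Locally generated traffic (Squid going out) never
# traverses PREROUTING, so the proxy's own port-80 requests are not looped.
-A PREROUTING -i ${IFACE} -s ${LOCAL_NET} -p tcp --dport 80 -j REDIRECT --to-ports ${DG_PORT}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Redirected client connections arrive with dport ${DG_PORT}, never 80.
-A INPUT -i ${IFACE} -s ${LOCAL_NET} -p tcp --dport ${DG_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Dansguardian talks to Squid on ${SQUID_PORT} over loopback (accepted above);
# the default DROP policy keeps ${SQUID_PORT} closed on ${IFACE}.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only what Squid needs to reach the Internet: DNS lookups and new
# HTTP/HTTPS connections. Anything else the box tries to send is dropped.
-A OUTPUT -o ${IFACE} -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${IFACE} -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${IFACE} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log (rate limited) what the DROP policies discard so misfires are visible
# in the kernel log rather than silent.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
COMMIT
EOF
}

# Sanity check for a ruleset on stdin: fail (return 1) if any INPUT rule on a
# real interface still tries to match --dport 80, which can never match once
# the nat REDIRECT has rewritten the port. Returns 0 when no such rule exists.
check_no_port80_input() {
    ! grep -E -- '^-A INPUT .*-i [^ ]+ .*--dport 80( |$)' >/dev/null
}

gen_rules
```

Running the script prints the ruleset; piping it through `check_no_port80_input` is a quick regression check to run whenever the rules are edited, since the port-80-after-REDIRECT mistake is easy to reintroduce.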

  6. #6
    Join Date
    Nov 2008
    Location
    Birmingham, UK
    Posts
    1,447

    Default

    I've just been looking over my old configuration - where it was a simple squid proxy - and it appears the 'accept dest port 80' was only for input from another proxy server. I should really pay more attention to what I'm reading! You know what it's like when you've spent 2 days trying to build a clustered, load-balanced, high-availability proxy solution. We've all done it at some point.....

    The output packets are still a concern though. I'll have another go at locking it down and see how far I get.

    Thanks for the input.
    CCNP R&S, CCNA DC
    Currently studying: CCIE R&S, CCNP Data Centre
    Follow my CCIE progress with study notes on my blog: http://beyondccna.blogspot.co.uk/

  7. #7
    Join Date
    Nov 2008
    Location
    Birmingham, UK
    Posts
    1,447

    Default

    OK, I think I've cracked the OUTPUT chain too. However, I have a new problem with this damn thing!

    When directing my browser to this proxy and attempting to log on to this site, it accepts my login details but then returns me to the index page logged out. For some reason it's not remembering the session. I've been through the whole squid.conf but I can't find anything that relates to cookies, sessions, php or anything that may affect it. Google was also very unhelpful (maybe I'm just not searching the exact problem).

    Any suggestions?
    CCNP R&S, CCNA DC
    Currently studying: CCIE R&S, CCNP Data Centre
    Follow my CCIE progress with study notes on my blog: http://beyondccna.blogspot.co.uk/

  8. #8
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    Can you set the cookie to persistent, Fuzz?
    Maddox Thomas-Clark 14/10/2008
    Bean Thomas-Clark 18/09/2007
    Big Evils Cisco World
    Linkedin

  9. #9
    Join Date
    Nov 2008
    Location
    Birmingham, UK
    Posts
    1,447

    Default

    I had a search for that, but I could only find results relating to 'header_access Cookie allow all', which has been deprecated as of version 3. I've tried the config in its place (request_header_access) but this still didn't work.

    I might revert to an older version of squid and see if I can get it to work that way.
    CCNP R&S, CCNA DC
    Currently studying: CCIE R&S, CCNP Data Centre
    Follow my CCIE progress with study notes on my blog: http://beyondccna.blogspot.co.uk/

  10. #10
    Join Date
    Dec 2010
    Posts
    49

    Default

    Quote Originally Posted by Fuzz:
        it appears the 'accept dest port 80' was only for input from another proxy server. I should really pay more attention to what I'm reading!

    I wondered as I was typing my previous post whether this might be one of those situations. We all have those slap-yourself-in-the-forehead kind of moments.


    Can you post your new output rules?

    I would think that if it works with the output chain passing everything, then there should be a way to make it work while locking down the output chain (as opposed to changing a configuration in squid, which I understand you are looking at).

    I would try opening up the output chain and running tcpdump while logging in to the forum to see if there is any traffic on ports you were not expecting.

    Also, can you not temporarily set iptables to log what it denies?
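Following the suggestion above to have iptables log what it denies, here is an added example (not from the thread) of turning those log lines into something readable: a small awk filter that counts dropped (protocol, destination port) pairs per log prefix, so a session that dies behind a locked-down OUTPUT chain shows up as "the proxy tried to reach port X and was dropped". The kernel log lines are constructed to resemble what a `-j LOG --log-prefix "IPT-OUT-DROP: "` rule writes; the prefixes, addresses and ports are assumptions. On a real box the input would come from /var/log/kern.log or `journalctl -k` instead of the embedded sample.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a DROP policy is
# discarding, based on LOG rules such as
#   iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
# The log lines below are constructed; field layout follows the kernel's
# netfilter LOG format (PROTO=, SPT=, DPT=, ...). Addresses and ports are made up.
SAMPLE_LOG='Jan  5 10:01:02 proxy kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:01:02 proxy kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:01:03 proxy kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=50000 DPT=53 LEN=53
Jan  5 10:01:04 proxy kernel: IPT-IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.55 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=53000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:01:05 proxy kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Read kernel log lines on stdin. For every line carrying the given log
# prefix, count (protocol, destination port) pairs and print them as
# "count proto dport", most frequent first. Other lines are ignored.
summarize_drops() {
    prefix="$1"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)     proto = tolower(substr($i, 7))
                else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
            }
            if (proto != "" && dpt != "") count[proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage: what did the OUTPUT chain drop? Pipe a real log in place of the sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "IPT-OUT-DROP:"
```

In the sample the outbound summary shows two dropped connections to tcp/443 and one DNS query to udp/53, exactly the kind of evidence that tells you which OUTPUT rule is missing without having to open the chain back up and run tcpdump.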
