Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 19/20 > Security and Privacy
FedoraForum Search

Forgot Password? Join Us!

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 29th December 2006, 09:29 PM
johnrbek Offline
Registered User
 
Join Date: Nov 2006
Posts: 13
iptables / transparent proxy / dansguardian - please look at my iptables script

Can some of you experienced guys take a look at my iptables script below and tell me why my transparent proxy isn't working?? I've got an FC6 firewall/gateway/dansguardian/squid proxy server that I had working fine previoiusly, so I'm confident my squid.conf and dansguardian.conf files are set up correctly... I lost my working iptables script and started over with the one below... When I comment out the "Forward HTTP Connections... " section below, I get access to the web, but no DG/Squid interaction. When I invoke that line, I just get timeouts... Experienced input is greatly appreciated...

#!/bin/sh
#iptables firewall script for sharing a cable or DSL Internet
#connection, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth0"

#load kernel modules
$mod ip_tables
$mod iptable_filter
$mod iptable_nat
$mod ip_conntrack
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod iptable_mangle
$mod ipt_MASQUERADE

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

# Forward HTTP connections to Squid/Dansguardian
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

#AlLow incoming SSH from the LAN only to the gateway box
$ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

#Enable Webmin access from the LAN only
$ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 10000 -m state --state NEW -j ACCEPT

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP echo-request and time-exceeded
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP

echo "The firewall has now started up and is faithfully protecting your system"

Last edited by johnrbek; 29th December 2006 at 09:41 PM.
Reply With Quote
  #2  
Old 30th December 2006, 06:58 AM
marcelkraan Offline
Registered User
 
Join Date: Jul 2006
Location: Netherlands/Velsen (5km from amsterdam)
Posts: 230
this is in a perl script.
you will understand i think


if ($masq == 1){
print "\nLoad MASQUERADE rules\n";
system("echo 1 > /proc/sys/net/ipv4/ip_forward");
chop(my $masqcheck = `$iptables -L -t nat`);
if ($masqcheck =~ /MASQUERADE/ig){
# first delete the old masq rules
system("$iptables -D POSTROUTING -t nat -o $eth -j MASQUERADE");
system("$iptables -A POSTROUTING -t nat -o $eth -j MASQUERADE");
}

}
Reply With Quote
Reply

Tags
dansguardian, iptables, proxy, transparent

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Transparent Proxy av1611 Servers & Networking 9 30th April 2009 12:56 PM
transparent proxy av1611 Servers & Networking 1 10th September 2008 09:26 AM
Problem configuring IPTABLES for SQUID transparent proxy popacio Servers & Networking 12 5th April 2008 02:43 PM
DansGuardian with Proxy masterlodi Using Fedora 2 11th May 2005 11:08 AM
HELP NAT Transparent Proxy savage1 Servers & Networking 4 8th October 2004 08:10 AM


Current GMT-time: 12:30 (Thursday, 17-04-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat