Configuring iptables to Support the Squid Transparent Proxy

Assume the firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and performs network address translation for all of the network's traffic to the Internet.
If the Squid server and the firewall are the same machine, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port (3128), and only the firewall itself is then allowed to reach the Internet on port 80:
 
[root@squid ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-port 3128
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
[root@squid ~]# /etc/init.d/iptables save
 
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
 
[root@squid ~]# /etc/init.d/iptables restart
 
This only works for plain HTTP on port 80, not for HTTPS on port 443: redirecting port 443 the same way breaks the TLS handshake, because the client expects the origin server's certificate, not the proxy's. Two more things are needed for the redirect to behave: Squid must be told that the connections it receives are intercepted (http_port 3128 transparent; Squid 3.1 and later spell it "intercept"), and the REDIRECT rule should keep the "-i eth1" match, so that port-80 connections arriving from the Internet side are not handed to Squid as well.
 
Hope this helps all.

How to route traffic from another network range through the box, including all of its HTTP traffic

Installed CentOS on one PC with two network cards, eth0 and eth1:
eth0 = 192.168.0.244
eth1 = 10.0.0.1
The gateway to the Internet is 192.168.0.254.

In order that the 10.x network range could access the Internet I added a route,
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.254
but this didn't work, so I deleted it again.
 
My resolv.conf file looks like this
search linuxbox.com
nameserver 203.199.113.44
nameserver 203.199.113.27
 
So I changed the following in /etc/sysctl.conf:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

and switched forwarding on in the running kernel as well (the /proc file is not something to open in vi; write the value to it, or run sysctl -p to apply the file):

echo 1 > /proc/sys/net/ipv4/ip_forward

Then start iptables and add the following rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Alternatively, run system-config-securitylevel and enable HTTP and HTTPS as trusted services.

Here is my sample iptables configuration file. Two things in it deserve attention. The lines "-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT" and "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT" accept every packet arriving on either interface before the per-port rules and the final REJECT are consulted, so those later rules never apply to real traffic, and the eth0 line in particular leaves the Internet side wide open (the port list below it would also admit cleartext telnet on port 23). Drop the eth0 line on a gateway, and the eth1 line too if the port list is meant to be enforced. Secondly, the mangle MARK rules together with "-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE" masquerade forwarded traffic in both directions; the plain "-A POSTROUTING -o eth0 -j MASQUERADE" given above is enough.

########################################################################

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
############################################################
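The rule sets above contain ordering mistakes that iptables itself never warns about: a blanket per-interface ACCEPT placed before the port rules makes everything after it dead, the port list admits telnet, and a transparent-proxy REDIRECT that is not tied to the LAN interface would hand Internet-side connections to Squid too. The following Python script is an added example and not code from this post: it parses an iptables-save dump (a constructed sample assembled from the rules shown above, eth0 facing the Internet and eth1 the LAN) and reports those three conditions. Which interface counts as the WAN side is a parameter you supply, not something the script discovers.

```python
"""Audit an iptables-save dump for rules that widen exposure more than intended."""
from dataclasses import dataclass

# Constructed sample: the filter table from the post (abbreviated) plus the
# transparent-proxy REDIRECT and MASQUERADE rules; eth0 = Internet, eth1 = LAN.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    tokens: list


def parse_iptables_save(text):
    """Return the -A rules of a dump in order, tagged with their table and chain."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = line.split()
            rules.append(Rule(table, toks[1], toks[2:]))
    return rules


def opt(tokens, flag):
    """Value that follows `flag` in a rule, or None if the flag is absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def is_blanket_iface_accept(rule):
    """'-i IFACE -j ACCEPT' with no protocol, port or state match at all."""
    t = rule.tokens
    return len(t) == 4 and t[0] == "-i" and t[2:] == ["-j", "ACCEPT"]


def audit(dump, wan="eth0"):
    """Return human-readable findings for the dump; `wan` names the Internet-facing interface."""
    findings = []
    blanket = {}  # chain -> interfaces already accepted unconditionally earlier in that chain
    for r in parse_iptables_save(dump):
        dport, target = opt(r.tokens, "--dport"), opt(r.tokens, "-j")
        if r.table == "filter":
            if is_blanket_iface_accept(r):
                iface = r.tokens[1]
                blanket.setdefault(r.chain, []).append(iface)
                if iface == wan:
                    findings.append(f"{r.chain}: blanket ACCEPT for WAN interface {wan}")
            elif dport and "-i" not in r.tokens and r.chain in blanket:
                # a later port rule without its own -i can never see traffic from those interfaces
                shadowed = ",".join(i for i in blanket[r.chain] if i != "lo")
                if shadowed:
                    findings.append(f"{r.chain}: '--dport {dport}' rule never reached "
                                    f"for traffic arriving on {shadowed}")
            if dport == "23" and target == "ACCEPT":
                findings.append(f"{r.chain}: cleartext telnet (tcp/23) accepted")
        elif r.table == "nat" and r.chain == "PREROUTING" and target == "REDIRECT":
            iface = opt(r.tokens, "-i")
            if iface is None or iface == wan:
                findings.append(f"nat/PREROUTING: REDIRECT --to-port {opt(r.tokens, '--to-port')} "
                                f"is not limited to the LAN interface (open-proxy risk)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Run against a live box with "iptables-save | python audit.py" once you replace SAMPLE_DUMP with sys.stdin.read(); on the sample it reports the eth0 blanket accept, the three shadowed port rules and the telnet rule, and stays quiet about the REDIRECT because that rule carries "-i eth1".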

Hope this helps you out

now you should be able to ping google.com :-)

--

Link to the BIND source RPM:

http://people.redhat.com/atkac/bind/

--

Installation instructions for BIND 9.5 DLZ ( continuation... )

My named.conf looks like this. Note that it has "recursion yes;" with no allow-recursion or allow-query statement, so named answers recursive queries for anyone who can reach port 53 on any of its addresses; if the box also faces an upstream network, as the gateway above does, restrict that with something like "allow-recursion { localnets; };" (or an explicit list of your networks) before putting it into service.

##########################################################
//

options {
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursion yes;
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "0.0.127.in-addr.arpa" {
type master;
file "named.localhost";

};
zone "0.168.192.in-addr.arpa" {
notify no;
type master;
file "named.192.168.0.244";
};

dlz "Mysql zone" {
database "mysql
{host=127.0.0.1 dbname=binddlzdb user=binddlzuser pass=binddlzpassword}
{select zone from records where zone = '%zone%'}
{select ttl, type, mx_priority, case when lower(type)='txt' then
concat('\"', data, '\"')
else data end from records where zone = '%zone%' and host = '%record%'
and not (type = 'SOA' or type = 'NS')}
{select ttl, type, mx_priority, data, resp_contact, serial,
refresh, retry, expire, minimum
from records where zone = '%zone%' and (type = 'SOA' or type='NS')}
{select ttl, type, host, mx_priority, data, resp_contact, serial,
refresh, retry, expire,
minimum from records where zone = '%zone%' and not (type =
'SOA' or type = 'NS')}
{select zone from xfr where zone = '%zone%' and client = '%client%'}
{update data_count set count = count + 1 where zone ='%zone%'}";
};

########################################################

[root@testserver ~]# ls /var/named/chroot/var/named/
named.192.168.0.244
named.empty
named.localhost
named.ca
named.loopback

vi named.192.168.0.244

$TTL 1D
@ IN SOA ns1.testserver.com. hostmaster.testserver.com. (
        1999021004 ; Serial, today's date + today's serial
        8H ; Refresh
        2H ; Retry
        1W ; Expire
        1D ) ; Minimum TTL
        NS ns1.testserver.com.

244 PTR testserver.com.

(The trailing dot after hostmaster.testserver.com. matters: without it the name is taken relative to the zone origin. Lines without an owner name, like the NS record, must start with whitespace, otherwise "NS" is parsed as the owner.)


vi named.localhost

$TTL 1D
@ IN SOA localhost. root.localhost. (
        1997022700 ; Serial
        28800 ; Refresh
        14400 ; Retry
        3600000 ; Expire
        86400 ) ; Minimum
        IN NS localhost.

1 IN PTR localhost.

--

Installation instructions for BIND 9.5 DLZ



cd /usr/src
wget http://people.redhat.com/atkac/bind/bind-9.5.0-16.3.a6.fc9.src.rpm
rpm -ivvh bind-9.5.0-16.3.a6.fc9.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -ba bind.spec
cd /usr/src/redhat/RPMS/i386/
rpm -ivvh bind-9.5.0-16.3.a6.fc9.i386.rpm

Instructions for making BIND talk to MySQL

Set the MySQL root password (a password given on the command line ends up in the shell history and is visible in the process list while the command runs):

mysqladmin -u root password agnello

Create the database:

mysqladmin -u root -p create binddlzdb

Switch to the MySQL system database and add the bind-dlz user and password:

USE mysql;
INSERT INTO user (Host, User, Password) VALUES
('localhost','binddlzuser',password('binddlzpassword'));
INSERT INTO db (Host, Db, User, Select_priv) VALUES
('localhost','binddlzdb','binddlzuser','Y');

Set up the rights for the user just created. BIND itself only needs to read the records and xfr tables and to update the counter table, so grant INSERT and DELETE only if you also manage the records through this same account:


FLUSH PRIVILEGES;
GRANT USAGE ON binddlzdb.* TO binddlzuser@localhost;
GRANT SELECT, INSERT, DELETE, UPDATE ON binddlzdb.* TO binddlzuser@localhost;

USE binddlzdb;

Create the records table; it holds all the information about your zones:

CREATE TABLE `records` ( `id` int(10) unsigned NOT NULL
auto_increment, `zone` varchar(255) NOT NULL, `ttl` int(11) NOT NULL
default '86400', `type` varchar(255) NOT NULL, `host` varchar(255) NOT
NULL default '@', `mx_priority` int(11) default NULL, `data` text,
`primary_ns` varchar(255) default NULL, `resp_contact` varchar(255)
default NULL, `serial` bigint(20) default NULL, `refresh` int(11)
default NULL, `retry` int(11) default NULL, `expire` int(11) default
NULL, `minimum` int(11) default NULL, PRIMARY KEY (`id`), KEY `type`
(`type`), KEY `host` (`host`), KEY `zone` (`zone`) );

Then create the xfr table. It is used to allow AXFR/IXFR zone transfers per zone and client address. The last DLZ query in named.conf below also increments a counter in a data_count table (columns zone and count) that is not created anywhere in these instructions, so either create that table too or leave the counter query out:
CREATE TABLE `xfr` ( `zone` varchar(255) NOT NULL, `client`
varchar(255) NOT NULL, KEY `zone` (`zone`), KEY `client` (`client`) );


Edit named.conf. The table and column names in the dlz block must match the schema created above (records, resp_contact and xfr), and because this block carries the database password in clear text, keep /etc/named.conf readable only by root and the named group:

vi /etc/named.conf

dlz "Mysql zone" {
database "mysql
{host=127.0.0.1 dbname=binddlzdb user=binddlzuser pass=binddlzpassword}
{select zone from records where zone = '%zone%'}
{select ttl, type, mx_priority, case when lower(type)='txt' then
concat('\"', data, '\"')
else data end from records where zone = '%zone%' and host
= '%record%'
and not (type = 'SOA' or type = 'NS')}
{select ttl, type, mx_priority, data, resp_contact, serial, refresh,
retry, expire, minimum
from records where zone = '%zone%' and (type = 'SOA' or type='NS')}
{select ttl, type, host, mx_priority, data, resp_contact, serial,
refresh, retry, expire,
minimum from records where zone = '%zone%' and not (type =
'SOA' or type = 'NS')}
{select zone from xfr where zone = '%zone%' and client = '%client%'}
{update data_count set count = count + 1 where zone ='%zone%'}";
};

############################################################
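To see what the six query slots in the dlz block actually do, here is an added example (not part of this post) that loads a constructed zone into an in-memory SQLite copy of the records/xfr schema and runs the same lookups in the order BIND issues them. SQLite has no concat(), so the TXT quoting is written with ||, and bound parameters stand in for the driver's %zone%/%record%/%client% substitution. The zone example.com, its records and the secondary address 192.0.2.53 are invented for the demonstration, and the script also creates the data_count table that the counter query needs.

```python
"""Exercise the BIND-DLZ records/xfr queries against an in-memory SQLite copy of the schema."""
import sqlite3

SCHEMA = """
CREATE TABLE records (
  id INTEGER PRIMARY KEY AUTOINCREMENT, zone TEXT NOT NULL,
  ttl INTEGER NOT NULL DEFAULT 86400, type TEXT NOT NULL, host TEXT NOT NULL DEFAULT '@',
  mx_priority INTEGER, data TEXT, primary_ns TEXT, resp_contact TEXT, serial INTEGER,
  refresh INTEGER, retry INTEGER, expire INTEGER, minimum INTEGER);
CREATE TABLE xfr (zone TEXT NOT NULL, client TEXT NOT NULL);
-- the last query in the post's named.conf updates data_count, but the post never creates it
CREATE TABLE data_count (zone TEXT PRIMARY KEY, count INTEGER NOT NULL DEFAULT 0);
"""

# Constructed sample zone (example.com, RFC 5737 addresses); not data from the post.
SAMPLE_RECORDS = [
    # zone, ttl, type, host, mx_priority, data, resp_contact, serial, refresh, retry, expire, minimum
    ("example.com", 86400, "SOA", "@", None, "ns1.example.com.", "hostmaster.example.com.",
     2024010101, 28800, 7200, 604800, 86400),
    ("example.com", 86400, "NS", "@", None, "ns1.example.com.", None, None, None, None, None, None),
    ("example.com", 3600, "A", "@", None, "192.0.2.10", None, None, None, None, None, None),
    ("example.com", 3600, "A", "www", None, "192.0.2.10", None, None, None, None, None, None),
    ("example.com", 3600, "MX", "@", 10, "mail.example.com.", None, None, None, None, None, None),
    ("example.com", 3600, "TXT", "@", None, "v=spf1 mx -all", None, None, None, None, None, None),
]
SAMPLE_XFR = [("example.com", "192.0.2.53")]  # the only client allowed to AXFR this zone

# The six DLZ queries from named.conf, with bound parameters in place of the driver's
# %zone%/%record%/%client% substitution and MySQL's concat() written as || for SQLite.
Q_FINDZONE = "SELECT zone FROM records WHERE zone = ?"
Q_LOOKUP = """SELECT ttl, type, mx_priority,
    CASE WHEN lower(type) = 'txt' THEN '"' || data || '"' ELSE data END
    FROM records WHERE zone = ? AND host = ? AND NOT (type = 'SOA' OR type = 'NS')"""
Q_AUTHORITY = """SELECT ttl, type, mx_priority, data, resp_contact, serial, refresh, retry,
    expire, minimum FROM records WHERE zone = ? AND (type = 'SOA' OR type = 'NS')"""
Q_ALLNODES = """SELECT ttl, type, host, mx_priority, data, resp_contact, serial, refresh, retry,
    expire, minimum FROM records WHERE zone = ? AND NOT (type = 'SOA' OR type = 'NS')"""
Q_ALLOWXFR = "SELECT zone FROM xfr WHERE zone = ? AND client = ?"
Q_COUNT = "UPDATE data_count SET count = count + 1 WHERE zone = ?"


def make_db():
    """Build the schema and load the constructed sample into a fresh in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO records (zone, ttl, type, host, mx_priority, data, resp_contact, "
                   "serial, refresh, retry, expire, minimum) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                   SAMPLE_RECORDS)
    db.executemany("INSERT INTO xfr VALUES (?, ?)", SAMPLE_XFR)
    db.executemany("INSERT INTO data_count (zone) VALUES (?)",
                   [(z,) for z in sorted({r[0] for r in SAMPLE_RECORDS})])
    return db


def find_zone(db, name):
    """findzone: does this server carry `name` at all?"""
    return db.execute(Q_FINDZONE, (name,)).fetchone() is not None


def lookup(db, zone, host):
    """lookup: the records for one owner name ('@' is the apex); also bumps the per-zone counter."""
    db.execute(Q_COUNT, (zone,))
    return db.execute(Q_LOOKUP, (zone, host)).fetchall()


def authority(db, zone):
    """authority: the SOA and NS rows BIND puts in the authority section."""
    return db.execute(Q_AUTHORITY, (zone,)).fetchall()


def axfr(db, zone, client):
    """allowxfr then allnodes: the full zone for a listed secondary, None (refused) otherwise."""
    if db.execute(Q_ALLOWXFR, (zone, client)).fetchone() is None:
        return None
    return db.execute(Q_ALLNODES, (zone,)).fetchall()


def query_count(db, zone):
    """How many lookups the counter query has recorded for `zone`."""
    return db.execute("SELECT count FROM data_count WHERE zone = ?", (zone,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("www.example.com ->", lookup(db, "example.com", "www"))
    print("AXFR from 192.0.2.53 ->", axfr(db, "example.com", "192.0.2.53"))
    print("AXFR from 203.0.113.9 ->", axfr(db, "example.com", "203.0.113.9"))
```

The axfr() function is the part worth keeping in mind: a client that is not listed in xfr for that zone gets nothing, and that table is the only thing between the Internet and a full dump of every zone you serve, so populate it with secondaries only.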


SELinux needs to be disabled for this to work:

setenforce 0

Note that setenforce 0 only switches to permissive mode until the next reboot (the persistent setting is the SELINUX= line in /etc/selinux/config), and that it lifts confinement for every service on the host, not just named. The narrower fix is to collect the AVC denials from /var/log/audit/audit.log and build a local policy module with audit2allow, leaving enforcing mode on.


Start the services at boot and now:
chkconfig --level 235 named on
chkconfig --level 235 mysqld on
/etc/init.d/mysqld start
/etc/init.d/named start

Log location
tail -f /var/log/messages

--

E-books !!! amazing

ftp://202.96.64.144/pub/

SMTP-AUTH: relay access denied

I have solved the problem with SMTP-AUTH (relay access denied) and thought I would share my configuration with those who are facing similar issues. My system is FC4 and I wanted the basic requirement of system users on my mail server (only one domain). Setting up Postfix in this case is pretty easy, but SMTP-AUTH was a major problem. Here are some of my tips and the configuration files I used to authenticate users through PAM instead of /etc/shadow. (Note: for users to authenticate through /etc/shadow you would need to give Postfix read permission on the /etc/shadow file, which would be a security risk; by default /etc/shadow is mode 400.)

testsaslauthd checks whether a system user can authenticate through saslauthd:

testsaslauthd -u testpostfix -p testpostfix

vi /etc/sysconfig/saslauthd

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH="PAM"

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

[root@server227 ~]# rpm -qa | grep cyrus
cyrus-sasl-2.1.20-6
cyrus-sasl-plain-2.1.20-6
cyrus-sasl-sql-2.1.20-6
cyrus-sasl-md5-2.1.20-6
cyrus-sasl-devel-2.1.20-6
cyrus-sasl-gssapi-2.1.20-6
cyrus-sasl-ntlm-2.1.20-6

vi main.cf

enable_server_options = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_application_name = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
server_enabled = 1
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_relay_domains

The lines that do the work are smtpd_sasl_auth_enable = yes and the order of smtpd_recipient_restrictions, where permit_sasl_authenticated must come before reject_unauth_destination. enable_server_options, smtpd_sasl2_auth_enable and server_enabled are not Postfix parameters and are simply ignored, and check_relay_domains is deprecated in favour of reject_unauth_destination, which is already listed before it.

telnet ipaddress 25

220 mail.foostor.com ESMTP Postfix
ehlo localhost
250-mail.foostor.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

This reply advertises AUTH LOGIN PLAIN but no STARTTLS, so the credentials a client sends on this port cross the network base64-encoded, not encrypted, and anyone on the path can read them. Enable TLS in Postfix and set smtpd_tls_auth_only = yes so that AUTH is only offered once STARTTLS has been negotiated.

You can also check that mynetworks_style = subnet is set, and it should work.
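Both mechanisms offered in the EHLO reply above, PLAIN and LOGIN, carry the password base64-encoded, which is an encoding and not a protection. The Python below is an added example, not part of this post: it parses an EHLO reply (a constructed copy of the transcript above), builds the AUTH PLAIN and AUTH LOGIN client messages, shows what an observer recovers from an AUTH PLAIN line, and refuses to authenticate unless the session is already under TLS. The user name and password testpostfix/testpostfix are the ones used with testsaslauthd above.

```python
"""Parse an EHLO reply and decide whether PLAIN/LOGIN authentication is safe to attempt."""
import base64
import re

# Constructed EHLO reply modelled on the telnet transcript in the post, one line per capability.
EHLO_REPLY = """\
250-mail.foostor.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME"""


def parse_ehlo(reply):
    """Map each advertised keyword to its parameters; the first line is only the server's name."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not re.match(r"250[ -]", line):
            continue
        head, _, rest = line[4:].strip().partition(" ")
        key, _, legacy = head.partition("=")  # "AUTH=LOGIN PLAIN" is the old pre-RFC 2554 form
        params = caps.setdefault(key.upper(), [])
        for p in ([legacy] if legacy else []) + rest.split():
            if p not in params:
                params.append(p)
    return caps


def auth_plain_initial_response(user, password, authzid=""):
    """Client-first AUTH PLAIN message: base64(authzid NUL user NUL password)."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64):
    """What a passive observer recovers from the same line: the password, verbatim."""
    authzid, user, password = base64.b64decode(b64).decode().split("\0")
    return authzid, user, password


def auth_login_responses(user, password):
    """The two base64 replies a client sends to '334 VXNlcm5hbWU6' and '334 UGFzc3dvcmQ6'."""
    return tuple(base64.b64encode(s.encode()).decode("ascii") for s in (user, password))


def plan_auth(caps, tls_active, user, password):
    """Return (mechanism, first command to send) or (None, reason) when it would be unsafe."""
    mechs = caps.get("AUTH", [])
    if not mechs:
        return None, "server does not offer AUTH"
    if not tls_active:
        if "STARTTLS" in caps:
            return None, "issue STARTTLS first; PLAIN and LOGIN would send the password in the clear"
        return None, "no STARTTLS offered: refuse to send cleartext credentials"
    if "PLAIN" in mechs:
        return "PLAIN", "AUTH PLAIN " + auth_plain_initial_response(user, password)
    if "LOGIN" in mechs:
        return "LOGIN", "AUTH LOGIN"
    return None, f"no supported mechanism among {mechs}"


if __name__ == "__main__":
    caps = parse_ehlo(EHLO_REPLY)
    print("capabilities:", caps)
    print("without TLS:", plan_auth(caps, False, "testpostfix", "testpostfix"))
    print("with TLS:   ", plan_auth(caps, True, "testpostfix", "testpostfix"))
```

Against the reply above plan_auth() declines without TLS because STARTTLS is not advertised; once the server offers STARTTLS and the client has negotiated it, the same function emits the AUTH PLAIN line, and decode_auth_plain() shows why that line must never travel unencrypted.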
