Hello and welcome to CertForums.co.uk, here we host free active certification forums with links to the best free resources for Microsoft's MCSA MCSE MCDBA Cisco's CCNA CCDA and CCNP, and CompTIA's A+ Network+ i-NET+ and Security+ certifications in the UK. If you wish to post or use other advanced features you will need to register first. Registration is absolutely free and takes only a few minutes to complete so sign up today!
This is working fine, but I want to redirect all traffic into the proxy, not just port 80. I need some exceptions for that, because obviously you can't transparently redirect encrypted traffic, so I tried this rule:
The rule works when there's just 443 in the ! --dports bit, but when I add 443 & 22 I get an error. I've also tried separating the ports by a space, but that doesn't work because it's not supposed to be set out like that. So any ideas how I could have multiple ports that don't go through the proxy using iptables?
Jack
Just make two rules, one for https and the other for ssh. The only way more than 1 port is used is to use a range of ports, and that's not what you're looking to do. Here's a link to some documentation.
Yeps - Freddie's right. If you wanted to, for instance, bypass 21, 22 and 23 you could go about doing it that way, but you'll need separate lines for non-consecutive ports. Also, it'll be excellent preparation work for you when you step into the 'real world' (though I know that's quite a way away for you Jack - seeing as you've got at least another five years of lazing around (sorry) 'studying' before you have to go out and earn your keep) - all firewall rulesets are easier to understand when there is a specific entry/ACL/rule defined for particular traffic.
@zebulebu
Yes, my lazing (if that's a word) is very important.
LOL - don't I know it! I only wish my nephews had the common sense you seem to have at 13 - I can't get them to understand the absolute basics of computers cos they're too busy playing wrestling games on them!
Each with a different port that I want to stop going through the proxy.
I've not used IPTables for a long time, so Freddie or one of the other linux bods should be able to confirm this for sure, but as far as I remember it you just add extra lines depending on what you want to proxy. Incidentally, what are you running this on - an IPTables-compatible router or a dedicated FW box?
It's running on Ubuntu Server, which is basically the same as the standard Debian install; both have no GUI or anything, just a standard Linux box I've got running with squid to block ads and to cache web pages!
Yup. That's what you want. If you wanted to do a consecutive range of ports you would do it like this: -A PREROUTING -p tcp -m tcp ! --dport 22:32 -j REDIRECT --to-ports 3128
The above would affect the range of ports from 22 through 32.
Behold, the turtle. He makes progress only when he sticks his neck out.
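Freddie's advice (one rule per exempt port, or a lo:hi range for consecutive ports) as an added shell example; it is not code from the thread. It writes an iptables-restore nat block in the format of /etc/iptables.up.rules: one RETURN rule per exemption placed before the catch-all REDIRECT, so exempt ports leave PREROUTING untouched and everything else on TCP goes to squid. The interface name and squid port are assumed arguments (eth1 and 3128 in the test); nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example: generate, but do not apply, transparent-proxy NAT rules.
# Exemptions may be a single port (22) or a consecutive range (22:32).

# is_port_spec PORT|LO:HI -> 0 if well-formed and within 1..65535
is_port_spec() {
    case "$1" in
        *[!0-9:]*|'') return 1 ;;   # reject spaces, commas, letters, empty
    esac
    case "$1" in
        *:*)
            lo=${1%%:*}; hi=${1#*:}
            [ -n "$lo" ] && [ -n "$hi" ] || return 1
            case "$hi" in *:*) return 1 ;; esac   # only one colon allowed
            [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
            ;;
        *)
            [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
            ;;
    esac
}

# gen_nat_rules IFACE SQUID_PORT EXEMPT... -> iptables-restore text on stdout,
# exit 1 on a malformed port so a bad ruleset is never emitted silently.
gen_nat_rules() {
    iface=$1; squid=$2; shift 2
    is_port_spec "$squid" || return 1
    printf '*nat\n'
    for spec in "$@"; do
        is_port_spec "$spec" || return 1
        # Exempt first: a match stops traversal of PREROUTING here, so the
        # encrypted flows (ssh, https) are never redirected into squid.
        printf -- '-A PREROUTING -i %s -p tcp -m tcp --dport %s -j RETURN\n' \
            "$iface" "$spec"
    done
    # Catch-all: every other TCP connection arriving on IFACE goes to squid.
    printf -- '-A PREROUTING -i %s -p tcp -j REDIRECT --to-ports %s\n' \
        "$iface" "$squid"
    printf 'COMMIT\n'
}
```

Run as `gen_nat_rules eth1 3128 22 443 > rules.txt` and review before feeding to `iptables-restore`; the rule order in the output is the point, since a REDIRECT placed above the RETURN lines would swallow the exemptions.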
Nope, webmin doesn't seem to work, and ssh doesn't work either.
Note that webmin is accessed using ssh at https://servername:10000
Jack
It seems as if things have changed with squid configuration in the last couple of releases, especially with transparent proxying. I'd recommend that you go to the squid site and take a look at their latest documentation for the version you have. They also have some example configs and a user guide that is pretty good.
You could have squid itself misconfigured, as the docs say it's much easier to configure now than it used to be. The example rules they show are very simple too.
Why would that make any difference? Surely you still can't proxy encrypted traffic transparently, or else that would be a man-in-the-middle attack. The squid configuration is working correctly.
If you will take a look at the documentation it would help. I can't see your entire configuration, don't know what version you're using, etc. Read the docs and see if you're configured correctly. I'm basically shooting in the dark at this right now as I know so little about your setup. Going to the documentation from the squid project for the version of squid you have will be the most accurate information you can get.
The squid documentation says they have changed the way they do things in this area, so go look at it. It makes no sense that https will work when only one rule is being used, but won't work when multiple rules are in force. That's why I'm saying go take a look and make sure you're configured the way they say you should be. They know far more about this than I do.
Behold, the turtle. He makes progress only when he sticks his neck out.
I'll give you a little background info for a better idea of my setup.
The machine is running Ubuntu Server 7.10 and the squid version is 2.6. Everything on my squid setup should be working fine: if I set the proxy manually in the clients then everything is fine, even https works as it should, but obviously I don't want to set up the clients manually, I'd just like it to be transparent.
Here's the nat iptable from my /etc/iptables.up.rules:
How many changes have you made to your squid.conf file? Highlight the changes you've made for me in it. I'm not going to read all 91 pages of the example conf file you are using because I just don't have the time. If you want my help you'll have to highlight all the things you have changed.
Behold, the turtle. He makes progress only when he sticks his neck out.