[gentoo-user] squid - allowing only one domain

[gentoo-user] squid - allowing only one domain

[Joseph]

I'm testing squid and want to allow only one domain but it is not working (using iptable + squid)
iptable:
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http owner UID match squid
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3128 owner UID match squid
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128

squid:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl GOOD dstdomain .google.ca
http_access allow GOOD
http_access deny all

Why it doesn't work?

Squid access log entry:
1263964263.464      0 192.168.1.5 NONE/400 1828 GET / - NONE/- text/html

-- 
Joseph

Re: [gentoo-user] squid - allowing only one domain

[Adam]

On 01/20/10 16:53, Joseph wrote:
> I'm testing squid and want to allow only one domain but it is not
> working (using iptable + squid)
> iptable:
> ACCEPT     tcp  --  anywhere             anywhere            tcp
> dpt:http owner UID match squid
> ACCEPT     tcp  --  anywhere             anywhere            tcp
> dpt:3128 owner UID match squid
> REDIRECT   tcp  --  anywhere             anywhere            tcp
> dpt:http redir ports 3128
> 
> squid:
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> 
> acl GOOD dstdomain .google.ca
> http_access allow GOOD
> http_access deny all
> 
> Why it doesn't work?

You havent said how its failing; ie
1. Its not intercepting the traffic
2. It is intercepting but doesnt allow acces to google.ca
3. It is intercepting but allows access to everything

Re: [gentoo-user] squid - allowing only one domain

[Adam]

On 01/20/10 16:53, Joseph wrote:
> I'm testing squid and want to allow only one domain but it is not
> working (using iptable + squid)
> iptable:
> ACCEPT     tcp  --  anywhere             anywhere            tcp
> dpt:http owner UID match squid
> ACCEPT     tcp  --  anywhere             anywhere            tcp
> dpt:3128 owner UID match squid
> REDIRECT   tcp  --  anywhere             anywhere            tcp
> dpt:http redir ports 3128

Using "owner" is incorrect, as the packets are not locally generated so
the OS has no user context for them.

Re: [gentoo-user] squid - allowing only one domain

[Joseph]

On 01/20/10 21:24, Adam wrote:
>On 01/20/10 16:53, Joseph wrote:
>> I'm testing squid and want to allow only one domain but it is not
>> working (using iptable + squid)
>> iptable:
>> ACCEPT     tcp  --  anywhere             anywhere            tcp
>> dpt:http owner UID match squid
>> ACCEPT     tcp  --  anywhere             anywhere            tcp
>> dpt:3128 owner UID match squid
>> REDIRECT   tcp  --  anywhere             anywhere            tcp
>> dpt:http redir ports 3128
>
>Using "owner" is incorrect, as the packets are not locally generated so
>the OS has no user context for them.

In a squid log I get:

1263964263.464      0 192.168.1.5 NONE/400 1828 GET / - NONE/- text/html

All I have access is to localhost:361 anything else local is denied including www
What should I use instead of owner?
I was following this guide:
http://www.linux.com/archive/articles/113733

It worked with dansguardian in between but I was trying to by-pass the dansguardian as I only need to allow access to one or two web-pages.


-- 
Joseph

Re: [gentoo-user] squid - allowing only one domain

[Adam]

On 01/21/10 00:49, Joseph wrote:
> On 01/20/10 21:24, Adam wrote:
>> On 01/20/10 16:53, Joseph wrote:
>>> I'm testing squid and want to allow only one domain but it is not
>>> working (using iptable + squid)
>>> iptable:
>>> ACCEPT     tcp  --  anywhere             anywhere            tcp
>>> dpt:http owner UID match squid
>>> ACCEPT     tcp  --  anywhere             anywhere            tcp
>>> dpt:3128 owner UID match squid
>>> REDIRECT   tcp  --  anywhere             anywhere            tcp
>>> dpt:http redir ports 3128
>>
>> Using "owner" is incorrect, as the packets are not locally generated so
>> the OS has no user context for them.
> 
> In a squid log I get:
> 
> 1263964263.464      0 192.168.1.5 NONE/400 1828 GET / - NONE/- text/html
> 
> All I have access is to localhost:361 anything else local is denied
> including www
> What should I use instead of owner?
> I was following this guide:
> http://www.linux.com/archive/articles/113733

Sorry my mistake, for the OUTPUT chain it makes sense as all those
packets are from squid.

The log should have a URL after the GET command, ie;

1264070023.044    103 192.168.1.12 TCP_MISS/200 33140 GET
http://safebrowsing-cache.google.com/safebrowsing/rd/goog-phish-shavar_a_82561-82720.82561-82614.82615-82720:
- DIRECT/150.101.98.208 application/vnd.google.safebrowsing-chunk

Have you tried configuring the proxy in your browser to check that
squid's working? Once you've established that you then know if you have
to fix the squid config or the iptables config

Re: [gentoo-user] squid - allowing only one domain

[Joseph]

On 01/21/10 21:49, Adam wrote:
>> http://www.linux.com/archive/articles/113733
>
>Sorry my mistake, for the OUTPUT chain it makes sense as all those
>packets are from squid.
>
>The log should have a URL after the GET command, ie;
>
>1264070023.044    103 192.168.1.12 TCP_MISS/200 33140 GET
>http://safebrowsing-cache.google.com/safebrowsing/rd/goog-phish-shavar_a_82561-82720.82561-82614.82615-82720:
>- DIRECT/150.101.98.208 application/vnd.google.safebrowsing-chunk
>
>Have you tried configuring the proxy in your browser to check that
>squid's working? Once you've established that you then know if you have
>to fix the squid config or the iptables config

Yes, the squid is working OK.
But I'm not sure if it is possible to accomplish what I want.

iptable + squid are running on a single box: so I want:
INCOMING access from Internet is OPEN - I don't need or want to block anything; as I have an external firewall.
OUTBOUND access to Internet denied (except one or two domains) - so I think squid is perfectly suitable to it and it is working OK.
iptable I only wanted to use to forwarder to squid proxy, so doesn't matter what Browser user will use everything will go via squid except access to localhost 
(127.0.0.1).

And this is the part I'm having problem with, anything localhost (127.0.0.1) does not go through squid
All I have in iptable for now:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

maybe it is not possible with single interface eth0

-- 
Joseph

Re: [gentoo-user] squid - allowing only one domain

[Stroller]

On 21 Jan 2010, at 18:59, Joseph wrote:
> ...
> Yes, the squid is working OK.
> But I'm not sure if it is possible to accomplish what I want.
>
> iptable + squid are running on a single box: so I want:
> INCOMING access from Internet is OPEN - I don't need or want to  
> block anything; as I have an external firewall.
> OUTBOUND access to Internet denied (except one or two domains) - so  
> I think squid is perfectly suitable to it and it is working OK.
> iptable I only wanted to use to forwarder to squid proxy, so doesn't  
> matter what Browser user will use everything will go via squid  
> except access to localhost (127.0.0.1).
>
> ...
> maybe it is not possible with single interface eth0

I believe that running Squid in conjunction with iptables is known as  
running in "interception" mode.

It may well indeed not be possible to do this with only one interface.  
How do you ensure that packets reach this machine? I think usually  
interception mode is run on a machine with two interfaces - you'd  
route or (I guess) bridge through it. iptables can then snatch the  
packets. I don't believe you can route through a machine with only one  
interface (although my memory of routing is hazy, so I may be quite  
mistaken) because packets going out will collide with those coming in.  
So I'm not really sure how the machines on your LAN know to send web  
packets to your Squid machine. Perhaps you can explain?

I manage a site at which Squid sits on a machine with only one  
interface. That machine is not a router, and Squid does not run in  
interception mode. I ended up writing a wpad.dat file and pointing the  
DNS for wpad.domain.local to the local webserver. This is not a  
properly secure method of forcing the users to use the proxy - really,  
the gateway should additionally use iptables to drop any web  
connections coming from any machine except the proxy - but at this  
site all the users are on a Windows domain, and they're unable (and  
too clueless, anyway) to configure their browsers not to use the proxy.

I don't remember why I configured the site exactly this way - there's  
a little more I want to do with Squid, but I haven't got around to it.  
I set up this site a while ago and forgot about it. But I do know that  
Squid can be run in different ways and interception mode isn't  
suitable for all purposes (I had myself, as a beginner, assumed  
everyone did use interception mode).

This stuff is very well documented at the Squid site - http://wiki.squid-cache.org/SquidFaq 
  is a good start. My experience was excellent support - which really  
answered my question and helped me see where I was going wrong - from  
a Squid developer within 48 hours of posting to the Squid mailing list.

Stroller.

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Joseph]

On 01/21/10 21:51, Stroller wrote:
>>maybe it is not possible with single interface eth0
>
>I believe that running Squid in conjunction with iptables is known as 
>running in "interception" mode.
>
>It may well indeed not be possible to do this with only one 
>interface. How do you ensure that packets reach this machine? I think 
>usually interception mode is run on a machine with two interfaces - 
>you'd route or (I guess) bridge through it. iptables can then snatch 
>the packets. I don't believe you can route through a machine with 
>only one interface (although my memory of routing is hazy, so I may 
>be quite mistaken) because packets going out will collide with those 
>coming in. So I'm not really sure how the machines on your LAN know 
>to send web packets to your Squid machine. Perhaps you can explain?
>
>I manage a site at which Squid sits on a machine with only one 
>interface. That machine is not a router, and Squid does not run in 
>interception mode. I ended up writing a wpad.dat file and pointing 
>the DNS for wpad.domain.local to the local webserver. This is not a 
>properly secure method of forcing the users to use the proxy - 
>really, the gateway should additionally use iptables to drop any web 
>connections coming from any machine except the proxy - but at this 
>site all the users are on a Windows domain, and they're unable (and 
>too clueless, anyway) to configure their browsers not to use the 
>proxy.
>
>I don't remember why I configured the site exactly this way - there's 
>a little more I want to do with Squid, but I haven't got around to 
>it. I set up this site a while ago and forgot about it. But I do know 
>that Squid can be run in different ways and interception mode isn't 
>suitable for all purposes (I had myself, as a beginner, assumed 
>everyone did use interception mode).
>
>This stuff is very well documented at the Squid site - 
>http://wiki.squid-cache.org/SquidFaq is a good start. My experience 
>was excellent support - which really answered my question and helped 
>me see where I was going wrong - from a Squid developer within 48 
>hours of posting to the Squid mailing list.
>
>Stroller.

Yes, it is possible, it took me a day to figure it out as I'm not a pro with iptables, check my post and follow the instructions:
http://forums.gentoo.org/viewtopic-p-6142685.html#6142685

-- 
Joseph

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Stroller]

Thanks for posting Joseph.

I would love to understand this better.


On 21 Jan 2010, at 23:52, Joseph wrote:
> On 01/21/10 21:51, Stroller wrote:
>>> maybe it is not possible with single interface eth0
>>
>> I believe that running Squid in conjunction with iptables is known  
>> as running in "interception" mode.
>>
>> It may well indeed not be possible to do this with only one  
>> interface. How do you ensure that packets reach this machine? I  
>> think usually ... So I'm not really sure how the machines on your  
>> LAN know to send web packets to your Squid machine. Perhaps you can  
>> explain?

^ Could you answer these questions, please?

> Yes, it is possible, it took me a day to figure it out as I'm not a  
> pro with iptables, check my post and follow the instructions:
> http://forums.gentoo.org/viewtopic-p-6142685.html#6142685

I don't see the explanation in this link.

Stroller.

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Joseph]

On 01/22/10 03:49, Stroller wrote:
>Thanks for posting Joseph.
>
>I would love to understand this better.
>
>
>On 21 Jan 2010, at 23:52, Joseph wrote:
>>On 01/21/10 21:51, Stroller wrote:
>>>>maybe it is not possible with single interface eth0
>>>
>>>I believe that running Squid in conjunction with iptables is 
>>>known as running in "interception" mode.
>>>
>>>It may well indeed not be possible to do this with only one 
>>>interface. How do you ensure that packets reach this machine? I 
>>>think usually ... So I'm not really sure how the machines on your 
>>>LAN know to send web packets to your Squid machine. Perhaps you 
>>>can explain?
>
>^ Could you answer these questions, please?

Simple, it is done by iptable in the kernel.
You are sending the packets to port 80 (http) to go out via eth0 that is the only way out, iptabls (your firewall) intercept the traffic and does whatever 
you instruct it to do in my case below:

Intercept everything to 127.0.0.1 (localhost) and let it go no need to forward it to squid, harmless traffic :-)
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT

exempting squid, joseph, root from forwarding it to squid and allowing Internet access without filtering; simple and self explanatory
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT

everything else passes through squid, which permits or allow the traffic; in my case I only allow access to two domain, everything thing else is denied (squid 
is redirecting the traffic to port 80 eth0 if permitted)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

It is very simple.

>
>>Yes, it is possible, it took me a day to figure it out as I'm not a 
>>pro with iptables, check my post and follow the instructions:
>>http://forums.gentoo.org/viewtopic-p-6142685.html#6142685
>
>I don't see the explanation in this link.
>
>Stroller.

I don't understand what kind of explanation you expect, just emerge squid iptable (make sure kernel has the correct entries compiled IN) and type those 
commends in at the command line; read the post above some other users clearly suggested what to type at the command line :-)

It just works! I stated my objectives and I accomplished them.

-- 
Joseph

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Stroller]

On 22 Jan 2010, at 04:30, Joseph wrote:
>> On 21 Jan 2010, at 23:52, Joseph wrote:
>>> On 01/21/10 21:51, Stroller wrote:
>>>>> maybe it is not possible with single interface eth0
>>>>
>>>> I believe that running Squid in conjunction with iptables is  
>>>> known as running in "interception" mode.
>>>>
>>>> It may well indeed not be possible to do this with only one  
>>>> interface. How do you ensure that packets reach this machine? I  
>>>> think usually ... So I'm not really sure how the machines on your  
>>>> LAN know to send web packets to your Squid machine. Perhaps you  
>>>> can explain?
>>
>> ^ Could you answer these questions, please?
>
> Simple, it is done by iptable in the kernel.
> You are sending the packets to port 80 (http) to go out via eth0  
> that is the only way out, iptabls (your firewall) intercept the  
> traffic and does whatever you instruct it to do in my case below:
>
> Intercept everything to 127.0.0.1 (localhost) and let it go no need  
> to forward it to squid, harmless traffic :-)
> iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT
>
> exempting squid, joseph, root from forwarding it to squid and  
> allowing Internet access without filtering; simple and self  
> explanatory
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner  
> squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner  
> squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner  
> root -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner  
> joseph -j ACCEPT
>
> everything else passes through squid, which permits or allow the  
> traffic; in my case I only allow access to two domain, everything  
> thing else is denied (squid is redirecting the traffic to port 80  
> eth0 if permitted)
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports  
> 3128
>
> It is very simple.

So squid is run on the same PC that you're browsing from?

>>> Yes, it is possible, it took me a day to figure it out as I'm not  
>>> a pro with iptables, check my post and follow the instructions:
>>> http://forums.gentoo.org/viewtopic-p-6142685.html#6142685
>>
>> I don't see the explanation in this link.
>>
>> Stroller.
>
> I don't understand what kind of explanation you expect, just emerge  
> squid iptable (make sure kernel has the correct entries compiled IN)  
> and type those commends in at the command line; read the post above  
> some other users clearly suggested what to type at the command  
> line :-)
>
> It just works! I stated my objectives and I accomplished them.

Maybe I'm being very dumb. I assumed a situation of router A, with  
Squid running on server B. The office staff are using browsers on  
client machines X, Y & Z. When a user on machine X browses to a  
website, his PC sends the packet to router A. The packet never reaches  
server B in order to be intercepted by B. We can configure B as the  
proxy in the browser settings of X, Y & Z, but then that no longer  
needs iptables configuration or interception mode.

I'm not trying to argue with you, BTW. I'm just trying to learn from  
you.

Stroller.

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Joseph]

On 01/22/10 10:43, Stroller wrote:
>>
>>I don't understand what kind of explanation you expect, just emerge 
>>squid iptable (make sure kernel has the correct entries compiled 
>>IN) and type those commends in at the command line; read the post 
>>above some other users clearly suggested what to type at the 
>>command line :-)
>>
>>It just works! I stated my objectives and I accomplished them.
>
>Maybe I'm being very dumb. I assumed a situation of router A, with 
>Squid running on server B. The office staff are using browsers on 
>client machines X, Y & Z. When a user on machine X browses to a 
>website, his PC sends the packet to router A. The packet never 
>reaches server B in order to be intercepted by B. We can configure B 
>as the proxy in the browser settings of X, Y & Z, but then that no 
>longer needs iptables configuration or interception mode.
>
>I'm not trying to argue with you, BTW. I'm just trying to learn from 
>you.
>
>Stroller.

I'm not an expert with iptables but since you have multiple machine on your network your best option is to configure single machine to run squid on it and 
forward the traffic to it. 
You have to tell us your setup, what kind of equipment you have, it it a small firewall/router from store you build it etc.
How the traffic flow, I might suggest something. 

I think in your situation best option would be if router A runs squid if possible; if not router A intercept all packets from X,Y,X and sends them to squid B 
machine, B process the traffic and send it back to router A (rotter A forward all traffic from squid B to Internet).

-- 
Joseph

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Stroller]

On 22 Jan 2010, at 14:41, Joseph wrote:

> On 01/22/10 10:43, Stroller wrote:
>>> 
>>> I don't understand what kind of explanation you expect, just emerge squid iptable (make sure kernel has the correct entries compiled IN) and type those commends in at the command line; read the post above some other users clearly suggested what to type at the command line :-)
>>> 
>>> It just works! I stated my objectives and I accomplished them.
>> 
>> Maybe I'm being very dumb. I assumed a situation of router A, with Squid running on server B. The office staff are using browsers on client machines X, Y & Z. When a user on machine X browses to a website, his PC sends the packet to router A. The packet never reaches server B in order to be intercepted by B. We can configure B as the proxy in the browser settings of X, Y & Z, but then that no longer needs iptables configuration or interception mode.
>> 
>> I'm not trying to argue with you, BTW. I'm just trying to learn from you.
>> 
>> Stroller.
> 
> I'm not an expert with iptables but since you have multiple machine on your network your best option is to configure single machine to run squid on it and forward the traffic to it. You have to tell us your setup, what kind of equipment you have, it it a small firewall/router from store you build it etc.
> How the traffic flow, I might suggest something. 
> I think in your situation best option would be if router A runs squid if possible; if not router A intercept all packets from X,Y,X and sends them to squid B machine, B process the traffic and send it back to router A (rotter A forward all traffic from squid B to Internet).

I'm not asking for help with my configuration, because it works just fine as it is.

You asserted, I think, that Squid works in interception mode on a server with a single NIC. 

Is that server a router?

Does it filter for the benefit of other computers?

How do the other computers know to send packets to the server?

Stroller.

Re: [gentoo-user] [SOLVED] squid - allowing only one domain

[Joseph]

On 01/22/10 16:40, Stroller wrote:
>
>> I'm not an expert with iptables but since you have multiple machine on your network your best option is to configure single machine to run squid on it and forward the traffic to it. You have to tell us your setup, what kind of equipment you have, it it a small firewall/router from store you build it etc.
>> How the traffic flow, I might suggest something.
>> I think in your situation best option would be if router A runs squid if possible; if not router A intercept all packets from X,Y,X and sends them to squid B machine, B process the traffic and send it back to router A (rotter A forward all traffic from squid B to Internet).
>
>I'm not asking for help with my configuration, because it works just fine as it is.
>
>You asserted, I think, that Squid works in interception mode on a server with a single NIC.

Yes, that is correct!

>
>Is that server a router?

No, it is not a router it is just a single workstation running Windows XP in VirtualBox; since this machine is a critical workstation I don't want to expose 
it to Internet environment, I only need to allow access to one or two domains over https most likely.

>
>Does it filter for the benefit of other computers?
>
>How do the other computers know to send packets to the server?

No, it doesn't but it could and it could be done very easily.  All is needed is to redirect the Internet traffic on your firewall back to box "B" (running 
squid + iptables).  I assume all your boxes on the LAN get their IP addresses from DHCPD server running on the firewall, isn't it?  So all you need to do is 
to direct all know IP address X,Y,Z to box "B".  It might not be that simple, it depends on firewall type and flexibility.
In box B just write a simple one liner in iptables to instruct iptables that all incoming traffic goes to port 3128 (squid is listing on this port by default).

-- 
Joseph