Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby mgdevel » Tue Jul 29, 2008 10:15 am

Hi there,

I installed the SafeSquid free version on my Linux box running Ubuntu 8.04. I have 3 other computers in my home network, which run Windows XP Professional. I followed the instructions given on the site and the help provided by online live support (that was very helpful).

It took about 15-20 minutes and my transparent proxy server was ready to use :)

I configured my Windows clients to use the Ubuntu box's IP, which is 192.168.1.101, as the primary gateway and name server address. All systems are using static IPs, so I made the changes on all 3 Windows systems.

After that I launched the browser and opened the site http://www.google.com, and it worked. However, when I tried to open https://www.paypal.com or https://mail.google.com it didn't work. So I think HTTPS requests were not being forwarded by iptables to SafeSquid.

I launched a terminal and entered the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j REDIRECT --to-port 8080


and saved the iptables rules using the iptables-save command.

Even after that the results are the same. I can see the browser status bar showing the message "connecting to https://www.paypal.com" for 1-2 minutes, which leads to a timeout error.

When I set up my browser to use the proxy server (by entering the proxy server IP (192.168.1.101) and port 8080), it worked perfectly. But in transparent proxy mode it doesn't.

Please guide me on what I am missing. The same applies to email (I use Thunderbird to access my mail from a POP3 server and send using an SMTP server), and I can't access that either with the transparent proxy.
mgdevel
 
Posts: 4
Joined: Mon Jul 28, 2008 3:11 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby sachin » Tue Jul 29, 2008 1:39 pm

Hi,

You cannot access an HTTPS site through any transparent proxy. It will also not support authenticated access.

Any specific reasons for setting up transparent proxy for 3-4 systems? Maybe we could give you other suggestions if we could know more about what you want to achieve.

Regards.
sachin
 

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby mgdevel » Wed Jul 30, 2008 9:39 am

Hi,

Thanks for your reply. What I need is extensive logging, caching and ACLs. That's all. I need to log the sites and FTP accessed by my network computers. If I can also get ACLs working along with these, that would be great.

So, can you suggest the best way I can make this work, without configuring individual applications on each system?

Thanks.
mgdevel
 
Posts: 4
Joined: Mon Jul 28, 2008 3:11 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby sachin » Wed Jul 30, 2008 10:47 am

Hi,

All the requests going through SafeSquid are logged in 3 logs.
See SafeSquid Logs for details.

You can create multiple cache volumes, and memory cache.
See Content Caching for creating cache and configuring cache volumes.

In SafeSquid, you control access by creating rules under Access Restrictions and creating Profiles.

You can check out the Training Videos on the Documentation page, and also on HowtoForge.

Transparent proxying has its limitations, as described in my earlier post.
It is better to either manually set the proxy if you have a small setup, or use other methods like proxy.pac or wpad.dat.

Regards.
sachin
 

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby satish7619 » Wed Jul 30, 2008 12:12 pm

Hello,

If you are using the Linux box as the gateway for your clients, then IP forwarding should be enabled on the Linux box, and you should open ports 25 and 110 on the Ubuntu box.

Give these commands on the Ubuntu box and send us the output.

1) ifconfig -a

2) iptables -L -n -v

3) iptables -L -n -v -t nat

4) cat /proc/sys/net/ipv4/ip_forward

Also give these commands to open ports 25 and 110:

iptables -I FORWARD 1 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp --dport 110 -j ACCEPT

To save the iptables rules, give this command:

iptables-save

satish7619
 
Posts: 1138
Joined: Thu Apr 15, 2004 3:55 pm
Location: India

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby mgdevel » Thu Jul 31, 2008 10:07 am

Hello,

I have followed these steps on Ubuntu and the following is the output for each command, as asked:


satish7619 wrote:
Hello,

If you are using the Linux box as the gateway for your clients, then IP forwarding should be enabled on the Linux box, and you should open ports 25 and 110 on the Ubuntu box.

Give these commands on the Ubuntu box and send us the output.

1) ifconfig -a


eth0      Link encap:Ethernet  HWaddr 00:50:bf:6a:42:7f 
          inet addr:192.168.1.51  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:bfff:fe6a:427f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32195 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14885 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41768586 (39.8 MB)  TX bytes:1278927 (1.2 MB)
          Interrupt:16 Base address:0xac00

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:896 (896.0 B)  TX bytes:896 (896.0 B)



satish7619 wrote:
2) iptables -L -n -v



Chain INPUT (policy ACCEPT 30955 packets, 41M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13918 packets, 890K bytes)
 pkts bytes target     prot opt in     out     source               destination         


satish7619 wrote:
3) iptables -L -n -v -t nat


Chain PREROUTING (policy ACCEPT 14 packets, 1550 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 2 packets, 294 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 294 bytes)
 pkts bytes target     prot opt in     out     source               destination         


satish7619 wrote:
4) cat /proc/sys/net/ipv4/ip_forward


0


satish7619 wrote:
Also give these commands to open ports 25 and 110:

iptables -I FORWARD 1 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp --dport 110 -j ACCEPT

To save the iptables rules, give this command:

iptables-save



# Generated by iptables-save v1.3.8 on Thu Jul 31 09:59:31 2008
*nat
:PREROUTING ACCEPT [24:2265]
:POSTROUTING ACCEPT [9:749]
:OUTPUT ACCEPT [9:749]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Thu Jul 31 09:59:31 2008
# Generated by iptables-save v1.3.8 on Thu Jul 31 09:59:31 2008
*filter
:INPUT ACCEPT [31801:41264394]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14597:970908]
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
COMMIT
# Completed on Thu Jul 31 09:59:31 2008


Please let me know about the next steps.

Thanks.
mgdevel
 
Posts: 4
Joined: Mon Jul 28, 2008 3:11 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby satish7619 » Thu Jul 31, 2008 11:59 am

Hello,

Make changes in the /etc/sysctl.conf file to enable forwarding of packets.

From

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

These settings will take effect when you reboot the Linux box.

If you don't want to reboot the Linux box and want to enable IP forwarding now, give the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

After this, check if the Thunderbird client can send and receive mail.
satish7619
 
Posts: 1138
Joined: Thu Apr 15, 2004 3:55 pm
Location: India

Postby mgdevel » Thu Jul 31, 2008 3:10 pm

Hi,

Now I am able to access the HTTPS sites and also able to check emails using POP3 server. So it works now.

Thanks for the support which you provided.
mgdevel
 
Posts: 4
Joined: Mon Jul 28, 2008 3:11 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby MD5Hash » Wed Jan 14, 2009 7:46 pm

I am going to need to have a transparent proxy for my computer lab of 20 computers or so, but I don't want to have to configure them manually all the time (they get reformatted a lot)... I was wondering, is there any way that I can just set things up so that any time a client requests something through HTTPS, it can bypass the proxy entirely so that it's not filtered at all?

(my apologies if this was already mentioned, but it seems like the best thing to go through if transparent proxy blocks all HTTPS)
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby satish7619 » Thu Jan 15, 2009 12:32 pm

Hello,

In a transparent proxy you can redirect only the HTTP requests. You cannot redirect the FTP and CONNECT requests.

For bypassing requests other than HTTP, your client gateway should point to the Linux box IP address.

On the Linux box you have to enable IP forwarding.

If you are planning to use a transparent proxy for your users, then consider using WPAD. You can use some really cool customisations of proxy.pac / wpad.dat with SafeSquid.
satish7619
 
Posts: 1138
Joined: Thu Apr 15, 2004 3:55 pm
Location: India

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby MD5Hash » Thu Jan 15, 2009 3:53 pm

After my most recent comment that you answered, I managed to get my own transparent proxy working. However, our students here use a combination of IMAP, POP, and SMTP for their email, and they need to access secure sites as well.

Using the method described above that worked for this user, would it be possible to just keep forwarding the correct ports? 443 for SSL, 993/143 for IMAP etc.

I tried it with iptables already, using the same format that was mentioned, and Ubuntu replied, "index of insertion too big".

I love SafeSquid already, and I love that I don't have to worry about adding each computer individually now that I have a transparent proxy, but there has to be a way to just not bother filtering/proxying secure content. The main reason I have the transparent proxy is to block bandwidth hogs like YouTube, and porn sites. I don't think that there are any encrypted video sites or porn sites, so I don't need to filter them :)

Any advice that you have at all would be very helpful!
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby satish7619 » Thu Jan 15, 2009 5:37 pm

Hello,

For Client Side Configuration

Check the link below. Then you can decide which option suits you best.

http://www.safesquid.com/html/portal.php?page=13
satish7619
 
Posts: 1138
Joined: Thu Apr 15, 2004 3:55 pm
Location: India

Postby MD5Hash » Thu Jan 15, 2009 8:07 pm

satish7619 wrote:
Hello,

For Client Side Configuration

Check the link below. Then you can decide which option suits you best.

http://www.safesquid.com/html/portal.php?page=13


Wonderfully enough, after restarting the server again, I'm pleased to report that all SSL-based traffic seems to be getting through just fine, thanks to the instructions to the original poster! Amazing; SafeSquid is now pretty much perfect.
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby satish7619 » Fri Jan 16, 2009 11:46 am

Hello,

You can set the rules through the iptables command to allow the traffic for your end users.

# iptables rules for the FORWARD chain
# Template: iptables -A FORWARD -s <source ip or source net> -p tcp --dport <destination port> -j ACCEPT
# The following rules allow forwarding of traffic to these ports
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 143 -j ACCEPT

# The rule below blocks TCP traffic from this network to all other ports.
iptables -A FORWARD -s 192.168.0.0/24 -p tcp -j DROP


For setting up the transparent proxy, give this rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport http -j REDIRECT --to-port 8080

Note: You have to specify your network address in the rules.
satish7619
 
Posts: 1138
Joined: Thu Apr 15, 2004 3:55 pm
Location: India

Re: Transparent Proxy with SafeSquid + Ubuntu 8.04 and HTTPS

Postby MD5Hash » Sun Jan 18, 2009 3:33 pm

Thank you for your help. I understand all of this, and was able to make the forwarding rules. However, is it true that you need to restart the machine, or just restart /etc/init.d/networking on the server, to make it work? Because right now, it's not forwarding.

My problem is that iptables does not seem to be saving.

I'm using ubuntu, and so the command is "sudo iptables-save".

But after I restart the machine, I have to put all the FORWARD and PREROUTING commands in all over again, every time. Is this normal? I thought that saving iptables was supposed to make it so that they were saved beyond restarting.
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm
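As an added example (not code from the thread or from SafeSquid), the gateway setup the thread converges on: plain HTTP redirected to the proxy, only the listed TCP ports forwarded, and a check of the kernel forwarding flag, emitted in iptables-restore format so the rules can be reloaded at boot instead of retyped. It assumes LAN 192.168.1.0/24 on eth0, SafeSquid on port 8080 and, as in the thread, an upstream router on the same LAN, so no MASQUERADE rule is included.

```shell
#!/bin/sh
# Added example (not from the thread or SafeSquid): build the gateway ruleset in
# iptables-restore format and audit a saved ruleset for the gaps the thread hit
# (no FORWARD ACCEPT for a needed port, ip_forward still 0).
# Assumed: LAN 192.168.1.0/24 on eth0, SafeSquid on 8080, upstream router on
# the same LAN as in the thread, so no MASQUERADE rule is needed.

# gateway_rules NET IFACE PROXYPORT "PORT PORT ...": print a ruleset that
# redirects plain HTTP to the proxy and forwards only the listed TCP ports.
gateway_rules() {
    net=$1; iface=$2; proxy=$3; ports=$4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Only plain HTTP (port 80) can be redirected; HTTPS is forwarded, not proxied.
    printf '%s\n' "-A PREROUTING -i $iface -s $net -p tcp --dport 80 -j REDIRECT --to-ports $proxy"
    printf '%s\n' 'COMMIT' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for p in $ports; do
        printf '%s\n' "-A FORWARD -i $iface -s $net -p tcp --dport $p -j ACCEPT"
    done
    # As in the thread, only other TCP traffic from the LAN is dropped;
    # UDP (e.g. DNS to an outside resolver) and ICMP still pass.
    printf '%s\n' "-A FORWARD -i $iface -s $net -p tcp -j DROP" 'COMMIT'
}

# missing_forward_ports RULESET "PORT ...": print every port that has no
# FORWARD ACCEPT rule in RULESET (text in the form iptables-save prints).
missing_forward_ports() {
    rules=$1
    for p in $2; do
        printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*--dport $p -j ACCEPT" \
            || printf '%s\n' "$p"
    done
}

# ip_forward_enabled [FILE]: succeed only if the kernel forwarding flag reads 1.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Typical use on the gateway (as root):
#   gateway_rules 192.168.1.0/24 eth0 8080 "443 993 143 25 110" > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
#   ip_forward_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
```

iptables-save only prints the running rules to standard output, so the saved file above has to be loaded again with iptables-restore on every boot (for example from a pre-up line in /etc/network/interfaces), and net.ipv4.ip_forward = 1 belongs in /etc/sysctl.conf as described earlier in the thread.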
