What I'm trying to do is get the Diladele Web Safety filter working in a "you cannot bypass it" fashion. To that end, I need to license it and I need to do transparent proxying. This is for home use.
Looking at what Mike Connor suggested, it's not the big picture that I need to make transparent proxying work, sadly. I also realize that my temporary license for Web Safety by Diladele has expired, and that's probably why I can't even use the proxy manually. Fundamentally, something is missing... I shouldn't need MASQUERADING, REDIRECT, SNAT, or DNAT because I don't need NAT in a transparent proxy situation... The access to the Internet, whether ftp, http, or https, is local for the squid process sitting on the gateway as long as the routing happens correctly. Note that there is no NAT being done in this firewall and that forwarding http, https, and ftp is probably inadvisable.

Here is /etc/iptables/rules-tproxy.v4:

# Generated by xtables-save v1.8.2 on Fri Apr 24 10:00:23 2020
*mangle
:PREROUTING ACCEPT [190:18470]
:INPUT ACCEPT [688:190446]
:FORWARD ACCEPT [4:304]
:OUTPUT ACCEPT [659:170422]
:POSTROUTING ACCEPT [661:170606]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp -m multiport --dports 21,80,443 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0x1
-A DIVERT -j ACCEPT
COMMIT
# Completed on Fri Apr 24 10:00:23 2020
# Generated by xtables-save v1.8.2 on Fri Apr 24 10:00:23 2020
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:FORWARD_LOCAL - [0:0]
:FORWARD_http - [0:0]
:FORWARD_icmp - [0:0]
:FORWARD_ntp - [0:0]
:FORWARD_smtp - [0:0]
:FORWARD_ssh - [0:0]
:FORWARD_whois - [0:0]
:input_icmp - [0:0]
:input_accept - [0:0]
:input_drop - [0:0]
:output_accept - [0:0]
:output_drop - [0:0]
:output_icmp - [0:0]
:FORWARD_gopher - [0:0]
:FORWARD_ftp - [0:0]
:FORWARD_Zoom - [0:0]
:FORWARD_dhcp - [0:0]
:input_unifi - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -j input_unifi
-A INPUT -j input_accept
-A INPUT -j input_drop
-A FORWARD -j FORWARD_dhcp
-A FORWARD -j FORWARD_LOCAL
-A FORWARD -j FORWARD_ftp
-A FORWARD -j FORWARD_smtp
-A FORWARD -j FORWARD_icmp
-A FORWARD -j FORWARD_whois
-A FORWARD -j FORWARD_http
-A FORWARD -j FORWARD_ssh
-A FORWARD -j FORWARD_gopher
-A FORWARD -j FORWARD_ntp
-A FORWARD -i eth1 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A FORWARD -s 192.168.254.0/24 -d 192.168.254.1/32 -i eth0 -o eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -j FORWARD_Zoom
-A FORWARD -j LOG --log-prefix "FORWARD will drop:"
-A OUTPUT -j output_accept
-A OUTPUT -j output_drop
-A FORWARD_LOCAL -i eth0 -o eth0 -j ACCEPT
-A FORWARD_http -i eth1 -o eth0 -p tcp -m tcp --sport 80 --dport 1024:65535 -j ACCEPT
-A FORWARD_http -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD_http -i eth1 -o eth0 -p tcp -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
-A FORWARD_http -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A FORWARD_http -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 443 -j ACCEPT
-A FORWARD_http -i eth1 -o eth0 -p udp -m udp --sport 443 --dport 1024:65535 -j ACCEPT
-A FORWARD_http -i eth1 -o eth1 -p udp -m udp --sport 443 -j ACCEPT
-A FORWARD_http -i eth1 -o eth1 -p tcp -m tcp --sport 443 -j ACCEPT
-A FORWARD_icmp -i eth1 -o eth1 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A FORWARD_icmp -i eth1 -o eth0 -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A FORWARD_icmp -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD_icmp -i eth0 -o eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD_icmp -i eth0 -o eth1 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD_icmp -i eth0 -o eth1 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A FORWARD_icmp -i eth1 -o eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD_icmp -i eth1 -o eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD_icmp -i eth1 -o eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A FORWARD_icmp -p icmp -j LOG --log-prefix "FORWARD_icmp:"
-A FORWARD_ntp -i eth1 -o eth0 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A FORWARD_ntp -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 123 -j ACCEPT
-A FORWARD_ntp -i eth1 -o eth0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A FORWARD_ntp -i eth0 -o eth1 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A FORWARD_smtp -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -j ACCEPT
-A FORWARD_smtp -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j ACCEPT
-A FORWARD_ssh -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A FORWARD_ssh -i eth1 -o eth0 -p tcp -m tcp --sport 22 --dport 1024:65535 -j ACCEPT
-A FORWARD_whois -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 43 -j ACCEPT
-A FORWARD_whois -i eth1 -o eth0 -p tcp -m tcp --sport 43 --dport 1024:65535 -j ACCEPT
-A input_icmp -i eth0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A input_icmp -i eth0 -p icmp -m icmp --icmp-type 3/13 -j ACCEPT
-A input_icmp -i eth0 -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A input_icmp -i eth1 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
-A input_icmp -i eth1 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT

Here is the output of ip rule show:

michael@filter:~$ sudo ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
michael@filter:~$

Here is the ip route list table 100 output:

michael@filter:~$ ip route list table 100
local default dev lo scope host
michael@filter:~$

For thoroughness, here is the ifconfig:

michael@filter:~$ /sbin/ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.254.1  netmask 255.255.255.0  broadcast 192.168.254.255
        ether 1c:87:2c:63:9f:8c  txqueuelen 1000  (Ethernet)
        RX packets 339771  bytes 41293573 (39.3 MiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 545194  bytes 720465480 (687.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 71.90.99.190  netmask 255.255.254.0  broadcast 71.90.99.255
        ether 00:e0:4c:69:13:21  txqueuelen 1000  (Ethernet)
        RX packets 559893  bytes 732481811 (698.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 333244  bytes 37643904 (35.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:any1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 8.8.8.8  netmask 255.255.255.255  broadcast 8.8.8.8
        ether 1c:87:2c:63:9f:8c  txqueuelen 1000  (Ethernet)

eth0:any2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 8.8.8.4  netmask 255.255.255.255  broadcast 8.8.8.4
        ether 1c:87:2c:63:9f:8c  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 45450  bytes 16091975 (15.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 45450  bytes 16091975 (15.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
michael@filter:~$

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
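One check that follows from the dump in the message above, added here as an example and not part of the post or of Squid's or Diladele's own tooling: a small parser for iptables-save output that verifies the TPROXY prerequisites the rules rely on, namely that the socket-match rule comes before the TPROXY rule in mangle PREROUTING, and that the filter INPUT path accepts the --on-port, since TPROXY delivers the diverted packet to the local socket rather than through FORWARD (where the post's 3128 ACCEPT rule lives). The sample dump is a constructed subset of the rules above, and `parse_dump`, `rules_reachable` and `check_tproxy` are hypothetical helper names.

```python
import re
SAMPLE_DUMP = """\
*mangle
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp -m multiport --dports 21,80,443 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0x1
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -j input_accept
COMMIT
"""  # constructed sample: the TPROXY-relevant lines of the post's rules-tproxy.v4

def parse_dump(dump):
    """Map iptables-save text to {table: {chain: [policy, [rule lines]]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith(":") and table is not None:
            name, policy = line[1:].split()[:2]
            table[name] = [policy, []]
        elif line.startswith("-A ") and table is not None:
            table.setdefault(line.split()[1], ["-", []])[1].append(line)
    return tables

def rules_reachable(table, chain):
    """Rules of a chain plus those of the user chains it jumps to (one level deep)."""
    own = table.get(chain, ["-", []])[1]
    jumps = [re.search(r" -j (\S+)", r).group(1) for r in own if " -j " in r]
    return own + [r for j in jumps if j in table for r in table[j][1]]

def check_tproxy(dump):
    """Return a list of findings; an empty list means the prerequisites are present."""
    tables, findings = parse_dump(dump), []
    mangle, flt = tables.get("mangle", {}), tables.get("filter", {})
    pre = mangle.get("PREROUTING", ["-", []])[1]
    tp = [r for r in pre if " -j TPROXY " in r]
    if not tp:
        return ["mangle PREROUTING has no TPROXY rule"]
    port = re.search(r"--on-port (\d+)", tp[0]).group(1)
    sock = [r for r in pre if "-m socket" in r]  # re-marks packets of established flows
    if not sock or pre.index(sock[0]) > pre.index(tp[0]):
        findings.append("socket match rule missing or placed after the TPROXY rule")
    # TPROXY delivers the diverted packet locally, so filter INPUT must let it reach the proxy.
    inp = rules_reachable(flt, "INPUT")
    if flt.get("INPUT", ["ACCEPT"])[0] == "DROP" and not any(
            f"--dport {port}" in r and "-j ACCEPT" in r for r in inp):
        findings.append(f"filter INPUT policy DROP with no ACCEPT for tcp dport {port}")
    return findings
```

Feed it the real file with `check_tproxy(open("/etc/iptables/rules-tproxy.v4").read())`; the sample reproduces the post's layout, where the only INPUT path is a jump into input_accept whose contents are not shown.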
