Firewall Wizards mailing list archives
RE: Transparent Proxy and IPChains
From: "Jason L. Esman" <jesman () edpm com>
Date: Tue, 25 Apr 2000 08:37:32 -0500
I figured out my problems. I had an accept-all from the internal interface set up at the top of my firewall rules. I removed it and only put in the ports I want the internal side to access, and by denying 80 and redirecting to port 3128 it worked.

Thanks,
Jason L. Esman

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Michael Walter
Sent: Friday, April 21, 2000 9:39 AM
To: 'firewall-wizards () nfr net'
Subject: RE: [fw-wiz] Transparent Proxy and IPChains

Sorry, the previous instructions were a bit incomplete; these rules will prevent fragmentation on an interface:

# Don't output fragments
ipchains -A output -i $LOCAL_NIC -f -j DENY
# Don't accept fragments
ipchains -A input -i $LOCAL_NIC -f -j DENY

Thanks,
Michael J. Walter mcse mcp+i rhce a+
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm () gliatech com <mailto:walterm () gliatech com>

-----Original Message-----
From: Michael Walter
Sent: Friday, April 21, 2000 9:02 AM
To: 'Jason L. Esman'
Cc: 'firewall-wizards () nfr net'
Subject: RE: [fw-wiz] Transparent Proxy and IPChains

ipchains -A output -i $LOCAL_NIC -f -j DENY

Replace $LOCAL_NIC with your interface; this will drop all packet fragments after the first, causing the interface to re-submit them and forcing defragmenting at the interface.

Michael J. Walter mcse mcp+i rhce a+
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm () gliatech com <mailto:walterm () gliatech com>

-----Original Message-----
From: Jason L. Esman [SMTP:jesman () edpm com]
Sent: Wednesday, April 19, 2000 3:13 PM
To: 'Ryan Russell'; 'Jason L. Esman'
Cc: firewall-wizards () nfr net
Subject: RE: [fw-wiz] Transparent Proxy and IPChains

IP: always defragment is not an option in the kernel configuration. I am using 2.2.14. I've tried this and it still isn't working.

I am now hunting through all my rules to see if I missed something. I have everything else listed below right except for the IP: always defragment.

Jason L. Esman

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Wednesday, April 19, 2000 1:20 PM
To: Jason L. Esman
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Transparent Proxy and IPChains

Pardon me asking the obvious... Have you checked out:

http://squid.nlanr.net/Squid/FAQ/FAQ-17.html#ss17.7

(Never done it myself.. but I was curious, and went looking. That's what I found.)

This seems relevant, and I don't think you said if you had it on:

"You must include the IP: always defragment, otherwise it prevents you from using the REDIRECT chain."

And perhaps:

"Also, Andrew Shipton notes that with 2.0.x kernels you don't need to enable packet forwarding, but with the 2.1.x and 2.2.x kernels using ipchains you do. Packet forwarding is enabled with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward"

Though I suspect if IPChains is working otherwise, this is already the case.

Ryan
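The fix Jason arrived at (no blanket accept-all at the top of the chain; only the ports the internal side may reach, with port 80 redirected to Squid on 3128) comes down to first-match rule ordering: ipchains stops at the first matching rule, so an early ACCEPT for everything from the internal interface means the REDIRECT rule further down is never reached. The script below is an added example, not code from the thread; it assembles the rule set in the order the thread describes (fragment drop, REDIRECT, explicit ACCEPTs, default DENY) using the 2.2-era ipchains syntax from the Squid FAQ Ryan cites. The interface name, internal network, allowed port list and the IPCHAINS dry-run variable are assumptions; `IPCHAINS=dry_echo` prints the rules instead of loading them so the ordering can be checked before touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains rule ordering for a transparent
# Squid proxy on port 3128. LOCAL_NIC, INTERNAL_NET, the port list and the
# IPCHAINS override are assumed values, not anything posted in the thread.

LOCAL_NIC="${LOCAL_NIC:-eth1}"                   # internal-facing interface (assumed)
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # internal LAN (assumed)
IPCHAINS="${IPCHAINS:-ipchains}"                 # set to dry_echo for a dry run

# dry_echo: stand-in for the ipchains binary that just prints its arguments.
dry_echo() {
    printf '%s\n' "$*"
}

# build_rules: load (or print) the input-chain rules for the internal interface.
# Order matters: ipchains is first-match, so the REDIRECT rule must appear
# before any ACCEPT that would also match TCP port 80 from the internal net.
build_rules() {
    # Start from a clean input chain with a default policy of DENY, so anything
    # not explicitly listed below is dropped instead of silently allowed.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Drop all fragments but the first (the rule Michael Walter posted).
    $IPCHAINS -A input -i "$LOCAL_NIC" -f -j DENY

    # Transparent proxy: send internal web traffic to Squid on 3128. This is the
    # rule that an accept-all placed above it would prevent from ever matching.
    $IPCHAINS -A input -i "$LOCAL_NIC" -p tcp -s "$INTERNAL_NET" -d 0/0 80 -j REDIRECT 3128

    # Explicit allows for what the internal side may reach, instead of accept-all.
    for port in 443 25 110 53; do
        $IPCHAINS -A input -i "$LOCAL_NIC" -p tcp -s "$INTERNAL_NET" -d 0/0 "$port" -j ACCEPT
    done
    $IPCHAINS -A input -i "$LOCAL_NIC" -p udp -s "$INTERNAL_NET" -d 0/0 53 -j ACCEPT

    # The redirected flows land on the firewall's own port 3128, so allow that.
    $IPCHAINS -A input -i "$LOCAL_NIC" -p tcp -s "$INTERNAL_NET" -d 0/0 3128 -j ACCEPT
}

# rule_index: 1-based position of the first dry-run rule matching a pattern,
# used to verify ordering (REDIRECT before any ACCEPT) without loading rules.
rule_index() {
    IPCHAINS=dry_echo build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# accept_count: number of ACCEPT rules in the dry-run listing.
accept_count() {
    IPCHAINS=dry_echo build_rules | grep -c -- '-j ACCEPT'
}

case "$1" in
    --dry-run)
        IPCHAINS=dry_echo build_rules
        ;;
    --load)
        # 2.2.x kernels need forwarding on for ipchains REDIRECT (per the FAQ quoted above).
        echo 1 > /proc/sys/net/ipv4/ip_forward
        build_rules
        ;;
esac
```

Run it as `sh rules.sh --dry-run` to see the ordered rule list; `rule_index "REDIRECT 3128"` must be smaller than `rule_index "-j ACCEPT"`, which is exactly the invariant that Jason's original accept-all rule violated. The default DENY policy replaces the blanket accept, so any port not in the explicit list fails closed rather than bypassing the proxy.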
Current thread:
- Transparent Proxy and IPChains Jason L. Esman (Apr 18)
- Re: Transparent Proxy and IPChains Ryan Russell (Apr 20)
- RE: Transparent Proxy and IPChains Jason L. Esman (Apr 20)
- RE: Transparent Proxy and IPChains Paul D. Robertson (Apr 24)
- RE: Transparent Proxy and IPChains Jason L. Esman (Apr 20)
- <Possible follow-ups>
- RE: Transparent Proxy and IPChains Michael Walter (Apr 24)
- RE: Transparent Proxy and IPChains Jason L. Esman (Apr 26)
- RE: Transparent Proxy and IPChains Michael Walter (Apr 24)
- Re: Transparent Proxy and IPChains Ryan Russell (Apr 20)