Author Topic: Security In Transparent proxy (Read 12215 times)

ilias · « **on:** August 30, 2005, 06:45:59 AM »

Hi all <-> Ricky

As I have successfully configured Squid Transparent proxy using the tutorial using this forum. This happnd 3 month back.

Now I am facing some problems. My squid server Ip has been in Included in the black list stating some one is using my Ip for spaming. So my clients are not able to send mails and browse certain servers.

Now what i have to do, what security tunning has b done. I am putting the transparent proxy script which i have written in rc.nat.

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables --append FORWARD --in-interface eth1 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo 1 > /proc/sys/net/ipv4/ip_forward

and i have open ssh port 22 for remote access. Do i need to blcok that.
if s how can i enable to a particular IP say 61.9.89.2

I need help desperately

Ricky · « **Reply #1 on:** August 31, 2005, 07:15:48 AM »

You can only have a good firewall and you should so some monitoring and check out that what sorta application are running on your network and you have to analyse then you will be alble to decide the solution.

BTW.. for a firewall ... you can use firestarter ! or create firewall manually. YOu have asked something similar and I have answered it ---> Opening SSH port

ilias · « **Reply #2 on:** September 01, 2005, 03:25:05 AM »

HI all

By using this forum lot of newbies like me are learning and installing transparent proxy and reaping the benefits, without knowing the risk of outside attack. To aviod this we all must do some thing. HOpe !!!!!!

As i have given my transparent proxy script, pls ricky give some manual firewall script to protect my network and my ISP has given 2 days time to secure or he vil block my IP

ilias · « **Reply #3 on:** September 01, 2005, 05:43:04 AM »

MY ISP is saying my proxy is open proxy server. How to aviod this my iptable commands

Ricky · « **Reply #4 on:** September 01, 2005, 05:17:49 PM »

Ilias.
first of all I want to tell you that your proxy is not an open proxy at all (if you have followed my tutorial). This is because in squid.conf we are only allowing our lan to access and use it. So any request from internet will not work. ..

Anyways. I can give you one line which can be enough for your current situation, add this to rc.nat .
Taking eth0 as your internet connection..

Code: [Select]

iptables -A INPUT -i eth0 -p tcp --syn -j DROP
Above rule will accept only those connection from internet those are initiated by your computer. Which means if someone wants to access your proxy server then he will not be able to do so as he has to first ask your computer (send request) but your computer will ignore as this connection is not initiated by itself.
Hope you understand..
Say you want to open a single port like port 22 ! then u can do

Code: [Select]

iptables -A INPUT -i eth0 -p tcp --syn --destination-port ! 22 -j DROP By above anyone can ask for service available on port 22.

I want to tell you another rule by which you can disable any port to for internet yet available to your LAN. Say we want to drop all incoming request from internet on port 3128 then we can do following (considering eth0 as ur internet)

Code: [Select]

iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP

Hope now you got even more idea !

ilias · « **Reply #5 on:** September 02, 2005, 07:37:11 AM »

Tks a ton ricky once again

using a link http:// http://www.richard.zonnet.nl/cgi-bin/nph-proxycheck, i have screened my box. pls go through it. And as per the output what is the term 'filtered' means

Open proxy check

Checking your computer (x.x.x.x) for common open proxies... Please wait until the page is loaded

To check: hosts=1, proto:ports=63, host:proto:ports=63
x.x.x.x:ho:80: HTTP request refused or failed (403)
x.x.x.x:hu:80: HTTP request refused or failed (403)
x.x.x.x:hc:80: HTTP request refused or failed (403)
NumOpen=0(0) NRead=3992 Time=10

If 'NumOpen' is larger than 0 you have an open proxy. Please close it down as soon as possible.
If 'NumOpen' is 0 no proxy could be detected, we only test a few of the many possible ports.

Now scanning your computer for common open ports... Please wait until the page is loaded
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-09-01 08:12 CEST
Interesting ports on x.x.x.x (The 1639 ports scanned but not shown below are in state: closed)

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
103/tcp filtered gppitnp
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
1080/tcp filtered socks
1241/tcp filtered nessus
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
4444/tcp filtered krb524
4899/tcp filtered radmin
5000/tcp filtered UPnP
6000/tcp open X11
6112/tcp filtered dtspc
6588/tcp filtered analogx
8080/tcp filtered http-proxy
10000/tcp open snet-sensor-mgmt
12345/tcp filtered NetBus

Nmap run completed -- 1 IP address (1 host up) scanned in 16.750 seconds
If you see open ports like 135, 137 and 445 your computer is potentially vulnerable.

Ricky · « **Reply #6 on:** September 02, 2005, 10:41:30 AM »

btw that test is showing that you don't have any open proxy server now as NumOpen = 0 .

I think filtered here means blocked or something ie. handled by firewall.

ilias · « **Reply #7 on:** September 02, 2005, 02:16:11 PM »

S ricky i have noticed that, and conveyed to my ISP. And searching for what this "filtered" means. It shows some ports filtered how to close those ports i have written iptable command in rc.nat still it shows filtered.

iptables -A INPUT -p tcp -i eth0 --dport 4899 -j ACCEPT

Ricky · « **Reply #8 on:** September 04, 2005, 07:14:54 AM »

Whatever you want to drop from internet (eth0 in ur case) then you can use following rule per port.

Code: [Select]

iptable -A INPUT -p tcp -i eth0 --dport 6588 -j DROP

Replace 6588 with any port you want.

Ricky · « **Reply #9 on:** September 04, 2005, 07:16:42 AM »

btw.. I think filtered means block because in our rule we are not even replying the request so when there is no reply for their request then their computer knows that ports are being filtered ie. are firewalled.

sothy · « **Reply #10 on:** September 05, 2005, 03:46:32 AM »

Dear Ilias and Ricky

i have readed your explaintation about firewall on proxy but i have some wonder need you to show me clearly than . i want to know how to block port from out side that want to log in our sever and monitor for controll all port that we access one thing i hear my friend in here they talk about firewall that they make by them sefl so can you tell me if i use scripts you show me on forum so i shout install firewall ornt . and if i install can you tell me pakage for install it . Thank you for you help all the time when i need you to help me and about my trainsparent proxy it woking fine but about the port that i ask you befor now i use tow ways i use script
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 : for suffing internet
and i use MASQURADE for suffing port like i ask you befor 8080 or 32000 ........ it working fine
....................Wish you have agood Luck oh if you want to visite Cambodia pleased contact with me i will show you the best view in Cambodia ...............................................

Best Regard
Sothy.Sorn

ilias · « **Reply #11 on:** September 05, 2005, 05:48:02 AM »

HI Ricky

As per my request, the Iptable command which u gave works best for me

iptables -A INPUT -i eth0 -p tcp --syn -j DROP
iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP

Now outside request is not allowed into my network.
But I want to allow one public IP(head office) for certain ports. I have given the command

iptables -A INPUT -s x.x.x.x -j ACCEPT

but it doesnt work. pls help

Ricky · « **Reply #12 on:** September 06, 2005, 05:34:17 AM »

At Ilias !

You have to give that rule before rejecting and dropping rules.
Also you can specify ports to be allowed.

Code: [Select]


iptables -A INPUT -s x.x.x.x -p tcp --dport <port> -j ACCEPT

@Sothy
I will answer you shortly.

ilias · « **Reply #13 on:** September 06, 2005, 08:49:27 AM »

tks ricky,

i vil try and convey u. As i have to visit my Head office.

Ricky · « **Reply #14 on:** September 06, 2005, 11:21:02 AM »

Sothy
Thanks for your invitation

Anyways,
If I am getting it right then you are asking that how about firewall in transparent proxy ?

You can use various methods, you can use a software like "firestarter" or created your own firewall using iptables.
In iptables we basically things that what might be potential way where our security is compramised and we protect that part . So here our proxy is running on port 3128 so to stop people discovering our proxy (say our internet is eth0) then we simply drop request from internet for 3128.

Code: [Select]

iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
This way you can safegaurd many ports, for udp, replay -p tcp with -p udp .
There are many other things which you use. I suggest you to better goto www.netfilter.org and download good tutorial for it.

We then put all those rules in a file which we execute mostly on startup...