Firewall Problem

General discussion about PLUC and Linux in Pakistan.

Postby zAm » Wed Nov 30, 2005 12:09 pm

Hello guys,
I am having a problem with our internet cable network. We're using Linux Redhat Fedora Core 3 as a gateway with Squid Proxy Server & IPtables firewall & 2 other servers: one is an ISA Server for browsing & the other one is for socks. The problem is that Linux is forwarding all the SSL sites to our socks server, which we don't want. We set up the socks server to listen only for instant messengers. Can somebody tell me how I could resolve this issue?
Regards,
zAm (Lyarianz Internet Cable Network - Network Administrator)
Proud To Be Lyarianz !
zAm
Havaldaar
 
Posts: 148
Joined: Wed Oct 19, 2005 9:28 am
Website: http://www.zubair.moghal.ukonline.co.uk
WLM: z_moghal@hotmail.com
Yahoo Messenger: z_moghal@yahoo.com
Location: Pakistan, Karachi

Re:

Postby LinuxFreaK » Thu Dec 01, 2005 1:38 pm

Dear zAm,
Salam,

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=3772

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Re: What Should I Need To Do ?

Postby zAm » Fri Dec 02, 2005 10:31 am

LinuxFreaK wrote:
Dear zAm,
Salam,

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=3772

Best Regards.


Hello,
Farrukh, I read all the posts. I think the better one for me is to re-compile squid with --enable-ssl, because our Linux administrator just copy-pasted the entire squid directory, or maybe he used the rpm package. I think that the --enable-ssl option is not integrated with the squid rpm package. We're using "squid-2.5.STABLE11-1.FC3". So should I re-compile with --enable-ssl & then back up my current existing squid.conf in /etc/squid/? I hope that won't create any problems. I'm hesitating to do this because we're running a large network & I don't want to disturb them, but I really need to fix my problem. When I use a manual proxy in IE, SSL works from the same browsing server, but when using it without a proxy it tries to access from the socks server. So what would you recommend? Re-compiling squid with --enable-ssl? Sorry for bugging you a lot. Thanks for being so helpful.
Regards,
zAm (Lyarianz Internet Cable Network)

Re:

Postby LinuxFreaK » Fri Dec 02, 2005 12:27 pm

Dear zAm,
Salam,

Then install Linux on another machine and test it with a few clients :)

Best Regards.
Farrukh Ahmed

Postby zAm » Fri Dec 02, 2005 12:44 pm

Hello,
Farrukh, hehe, nice idea! But that would take a lot of time...
If there isn't any problem with re-compiling squid, should I go for it?
Regards,
zAm (Lyarianz Internet Cable Network)

Re:

Postby LinuxFreaK » Fri Dec 02, 2005 3:31 pm

Dear zAm,
Salam,

Your Wish :)

Best Regards.
Farrukh Ahmed

the Problem still exists

Postby zAm » Mon Dec 05, 2005 7:23 am

Hello,
Farrukh, my problem has turned another way. I thought that it could be a problem of re-compiling squid with --enable-ssl, but I think that wouldn't help me out, because I can access https webpages while using the proxy in IE. But why shouldn't it work without the proxy? All the websites (80) work fine without the proxy, so why don't these https, SSL sites? I removed port 443 from the safe_port ACL in my squid.conf but it hasn't helped me yet. What else do I need to change? If you don't mind, may I send you my iptables file & squid configuration file to your inbox, to have a look over & check what's happening? Help me out, I'm really pissed off due to this bad sticky problem...
Regards,
zAm (Lyarianz Internet Cable Network)

Re: the Problem still exists

Postby LinuxFreaK » Mon Dec 05, 2005 9:04 am

Dear zAm,
Salam,

Not a proper way but might help you.

# iptables -t nat -A PREROUTING -s LANIP -p tcp --dport 443 -j REDIRECT --to-port SQUIDPORT

Best Regards.
Farrukh Ahmed

Please look at my squid & iptables configuration files

Postby zAm » Mon Dec 05, 2005 6:05 pm

Hello,
LinuxFreak, now you must be looking for me to kill me after knowing that my problem still exists :p hehe. I am really pissed off now with this sticky problem...
Here are my squid & iptables configuration files.
Please check these out & suggest what to do, something which really works.
Thanks
Regards,
zAm (Lyarianz Internet Cable Network)
Last edited by zAm on Fri Dec 09, 2005 8:26 am, edited 1 time in total.

Re:

Postby LinuxFreaK » Wed Dec 07, 2005 1:11 am

Dear zAm,
Salam,

Edit your squid.conf and change following line.

http_access allow CONNECT !SSL_ports


TO

http_access allow CONNECT SSL_ports


Best Regards.
Farrukh Ahmed

the problem still exists

Postby zAm » Wed Dec 07, 2005 4:43 am

Hello,
LinuxFreak, well, whatever you told me to change in squid.conf doesn't make sense, because I could access HTTPS webpages while using the proxy in IE. As far as I can see, it's all about transparent proxying, which is done with port 80 --to-port 8080 (squid box port). It's working fine, but it's not working with another port like 443, which you told me to do before.
Anyway, I edited the following line
"http_access allow CONNECT !SSL_ports"
TO
"http_access allow CONNECT SSL_ports"
but the problem still exists. Have you tried transparent proxying with port 443? Does it work for you? Anyway, thanks a lot for helping me out. I must find a good Linux administrator for our network, hope I get one soon. Thanks once again for your kind replies. Take care buddy. Allah Hafiz
Regards,
zAm (Lyarianz Internet Cable Network)