Re: [squid-users] Squid as only a transparent cache

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 01 Apr 2011 13:50:59 +1300

On 01/04/11 06:27, Saurabh Agarwal wrote:
> That link
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat was
> helpful Amos. Though instead of a mangle INPUT chain rule(as
> mentioned in the link) in iptables I had to add a mangle PREROUTING
> Chain rule in iptables as follows
>
> iptables -t mangle -A PREROUTING -p tcp -i ! lo --dport 3128 -j DROP
>
> This rule is allowing cachemgr access to port 3128 while denying
> access to port 3128 from other machines. The link
> http://www.faqs.org/docs/iptables/traversingoftables.html says that
> the mangle table's PREROUTING chain is traversed before the nat
> table's PREROUTING chain.
>
> DO we need to modify the text in there?

Thanks. I've re-tested and you are right about using PREROUTING. Wiki
changed.

Do not add a cachemgr exception to the DROP rule. The point of that rule
is that absolutely *zero* forward-proxy requests are permitted to the
intercept port. The NAT handling screws with the request and TCP details
in ways which open the proxy to some nasty little security
vulnerabilities (CVE-2009-0801 describes the combined result).

The recommended practice is to use some randomly chosen port for the NAT
intercept receiving, with that strict rule in the wiki protecting it,
leaving the well-known 3128 as a second forward-proxy port available for
management and other desired accesses.

Your lo restriction rule you could leave unchanged as an extra limit on
the way to contact the management access port. Or move it to the filter
table INPUT chain and use REJECT.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Fri Apr 01 2011 - 00:51:05 MDT
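The layout Amos recommends above, written out as an added example script (not the wiki's rules and not part of either message in this thread). It assumes Squid has a separate `http_port <port> intercept` listener on a randomly chosen port and a plain `http_port 3128` forward-proxy listener; the intercept port 41337, the LAN interface eth0 and the client network 192.168.1.0/24 are constructed placeholders, to be replaced with the real values. Run with `DRY_RUN=1 sh squid-intercept-rules.sh apply` to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: firewall rules for a Squid box that runs NAT interception on a
# private port and keeps 3128 as a management/forward-proxy port.
# All values below are constructed assumptions, not taken from the thread.
INTERCEPT_PORT="${INTERCEPT_PORT:-41337}"   # assumed random intercept port
PROXY_PORT="${PROXY_PORT:-3128}"            # well-known forward-proxy port
LAN_IF="${LAN_IF:-eth0}"                    # assumed client-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed client network

# Wrapper so the rules can be printed (DRY_RUN=1) or applied (default).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# The intercept port must never be the forward-proxy port: the whole point of the
# strict DROP rule is that no forward-proxy request can reach the intercept listener.
# Returns 0 when the ports differ, 1 when they collide.
check_ports() {
    if [ "$1" -eq "$2" ]; then
        return 1
    fi
    return 0
}

squid_rules() {
    # 1. mangle PREROUTING is traversed before nat PREROUTING, so this sees the
    #    original destination port. Anything addressed directly to the intercept
    #    port, from any interface including lo, is dropped. Redirected client
    #    traffic still carries dport 80 at this point and is not matched.
    ipt -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" -j DROP
    # 2. nat PREROUTING: redirect LAN web traffic to the intercept listener.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # 3. filter INPUT: the management/forward-proxy port is reachable only from
    #    the host itself (cachemgr); other hosts get a TCP reset rather than a
    #    silent drop, as Amos suggests for the lo restriction.
    ipt -A INPUT -i lo -p tcp --dport "$PROXY_PORT" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$PROXY_PORT" -j REJECT --reject-with tcp-reset
}

# Only act when invoked as "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = apply ]; then
    check_ports "$INTERCEPT_PORT" "$PROXY_PORT" || {
        echo "intercept port must differ from forward-proxy port $PROXY_PORT" >&2
        exit 1
    }
    squid_rules
fi
```

Rule 1 deliberately has no `! -i lo` exception: loopback clients that need Squid (cachemgr, local tools) use 3128, which rule 3 limits to lo. If the box also needs to reach its own intercept listener for some reason, that is a sign the ports are being conflated and should be separated instead.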
