transprent proxy stop but clients can access internet why?

[aktiwari4u]

hi friends
i have installed suse linux 10 .
my network requirement is that i have to provide full access to some of my clients and for rest of the other i want to use authantication method with ristricted access.
to do so i have tried to configure my server in transperent proxy mode and also applied few acl,s.
at very first instent all seems to go well .
but now i find that even if i shutdown my squid proxy even then clients can access the internet .

this is a big question for me if my proxy is in picture or not .
the configuration changes what i have made are as follws .


1.  enabled ip forwarding on my system through routing module.
2. made all the chages to make squid to work in transperent mode as suggested by ricky.
3. in my firewall i have done network masquerade for all sorce address of port 80 to port 8080 of my proxy server ie.

0.0.0.0/0.0.0.0:80--->192.168.0.1:8080
while 192.168.0.1 is the ip address of etho of my server .

default gatway of my clients is my linux server ie 192.168.0.1
now even if i stop my proxy even then clients can access the net . so i feel that my proxy is not in picture .

pls tell me where i have done wrong ..

[Ricky]

well.. just redirect all other important port like 21, 8000, 110 etc to port 8080.

People are able to access b'cz in transparent proxy you have to do NAT and proxy .
After stopping proxy people are using NAT only.

[aktiwari4u]

thanks ricky
i added port redirection for all importent well known ports .
but still my problem is same
even i stoped my proxy at boot and tried to check it and i got that client internet access is  totally governed by my firewall .
as soon as i start my firewall clients can access the net and as i stops it client can not access the net .this all happen even when the proxy is not running
in firewall i have defined my etho as the internal network.
what to do next

[Ricky]

well.. after redirecting, also block all ports except the port 8080 for users whom you don't want to give full access. And for those you want to give full access just allow all ports for them.

[aktiwari4u]

thanks ricky but really i was totally fadeup with this situation .
so i reinstalled my os .
now pls pls tell me the shortest way for following

how to give accesss to --
1- few users without proxy direct access like gatway method
2- for rest ot the users by proxy, limited access, with authantication,stoped messangering.

ya one thing more i am a gui lamee so will try to configure all with webmin


i have a fresh copy of suse 10 installed and waiting for your reply.
i am in urgent need for this and will experiment letter thats why want your valuable help.
thanks in advane

[Ricky]

well.. basically I do the following with iptables and squid combined.

As I suggested that block every port except port 3128 or whatever you are using for squid. Then for those clients whom you want to give full access, open all ports for them and you are done.

I think you have seen NCSA authentication solution given by me already for your authentication purpose. Lastly about messengers, check forum .. we have already discussed same thoroughly. Just use a little search.

For gui to maintain iptables.. give a try to "firestarter" . If its not solving your problem then I will try to give you solution over here.
I hope you understand the concept I have provided.

[aktiwari4u]

thanks ricky
u know my biggest problem is that i have installed it on suse 10 and most of the suggestion given in the forum are for earlier virsions.
while in suse 10 they have made some major changes and for my bad luck thay have also changed the firewallsetting now they have SuseFirewall2 and its configuration file are not same as of the iptables so so cant make the required  changes to so that i can forward all my requests from internal network to my proxys ip and port .
pls provide the solution which can work on suse10.

[Ricky]

I think gauravbajaj has done it on SuSe 10, you may ask him for further guidance.

[gauravbajaj]

Hi

Ya u can do this by using SUSEFirewall2,its default file  are in /etc/sysconfig/SuSefirewall2

Just search for line

FW_REDIRECT

Change the line into like this

FW_REDIRECT  192.168.8.0/24,0/0,tcp,80,3128

it means all web requests of the network 192.168.8.0/24 will be forwarded to 3128 , that is proxy port


I think this will help you...



Gaurav Bajaj

[aktiwari4u]

Thanks a lot gaurav bhi.
i will just try this also
i have good hands on windows and now want to switchover to linux.
so i still prefer GUI thats why i tried it by yast .
but its not working
i am using masqurading.
and i added the rule that
any request from 192.168.0.0/24 for any network 0/0 for port 80 should be redirected to 192.168.0.1:8080 which is my squid proxy.
all is working fine when i boot the mechine and starts it .
now my problem is if now i stop my proxy user should not be able to access internet.
as technically any request for port 80 is directed on port 8080 which is squid proxy port and is down , so browsing should be stoped .......
but in my case result is not same as above users can still browse even my proxy is not running this is where i am stucked now.
and if i am not masqurading and just ip forwarding in that case users are not able to browse at all.even the squid is  running.
any way i tried  to modify my firewall rules as told by you in file manually.but invain.
basic problem is in suse10 firewall options has new parameters while all the document is avalable with old parameter which are not similer i tried to do it according its new rule parameter but its not working.
will you suggest me to go on suse 9 or older versions to make up ihis compatibility issue.

i am totally stuck in this situation. pls help me

[gauravbajaj]

Hi..
First of all check wheather the Transparent proxy is successfully setup???

It may be possible that ..ur clients are not authenticate by ur squid ..., may be acc to u , u have successfully setted up..but may be  ur configration is not up to line..U know one thing in Linux...

May be it shows that
status of squid is running ok
But u know if there is some pb in squid then also it shows that squid is running ok

So acc to me ..UR CLIENT ARE NOT USING SQUID PROXY

U can  check this also go to
/var/log/squid
and open file access.log ...If it shows logs of squid then its ok ..if not then
 It means u haven't successfully made ur TRANSPARENT PROXY

Just open some website from clients machine like google.com and check log files wheather it shows entry of ur client  with google.com there.
SO acc to me TRANSPARENT PROXY IS NOT SUCCESSFULLY SETUP


I have already said u the sol in above post...

U said that u followed the many sites for making TRANSPARENT PROXY
In many sites that are write like this

FW_TCP_REDIRECT 192.168.8.0/24,0/0,80,3128

but actually the line is like this

FW_REDIRECT 192.168.8.0/24,0/0,tcp,80,3128
 
which i already said u
So try these both..and definitly ur Squid will run

If u will still get a pb then contact me further

Cheers
gaurav bajaj

[aktiwari4u]

thanks gaurav bhi

Here is the problem as u asked "is Transparent proxy is successfully setup??? "

as i told u to setup this we need some modifications on firewall
and there i am not able to made those modifications. if i so pls tell me or if u have then just provide me the exect changings which is to be made in Susefirewall2.
squid configuration part to make it transperent has been done i have defined all that parameters .
but i am still not able to modify my firewall settings or u can say that i am still not able to set my iptables to make the desired changes.

i have already tried your second suggestion for ip_forward but thrugh that i clients are not able to browse .
pls help me or suggest me to degrate to suse9
any way i am hopefull that that will not be needed as we will  overcome this problem
thanks

[gauravbajaj]

hi
ok
Have u done the settings which i told to you  in /etc/sysconfig/Susefirewall2 file ?

Gaurav Bajaj

[aktiwari4u]

yes sir i have done all that .
but client request are not fatched .

[sothy]

Dear sir

    i have some experien about the configure transparent proxy on SUSE 9.1 but about your problem i hade done one time about that when i stop squid client still can surfing internet i use the command for stop SUSEfirewall :
#/etc/init.d/final stop
#/etc/init.d/init stop
#/etc/init.d/setup stop
 
After you type three command client can't surfing internet by it self untill you run squid & transparent proxy again .


Regard

Sothy