This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos doesn't redirect http traffic to my squid proxy transparent

Good morning,

I am beginner with sophos.
I project to redirect (through sophos) HTTP requests of LAN Network  to the proxy server.

Topology=

External address===sophos====proxy server 172.17.1.14
----------------------------------||--------------------------
-----------------------------LAN  Network 172.17.8.0 --------

ip External address=41.x.y.z
Sophos version =9.310-11

Configurations=
Then I did this on sophos web GUI, hoping to redirect all the http requests to the proxy:
1)Network Protection >NAT >NAT
NAT:
Rule Type: DNAT

Matching Condition=
For traffic from :LAN Network
Using service : HTTP
Going to : EXTERNAL ADDRESS

Action=
Change the destination to =proxy-server
And the service to :=Port 3129

Automatic Firewall rule= checked

2)Network Protection >Firewall> Rules
Sources:LAN Network
Services:Any
Destinations=proxy-server

------------------------------------------------------------------------
View rules on sophos CLI
sophos_firewall:/home/login iptables -t nat -L -n -v
Chain USR_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       172.17.8.0/25       41.x.y.z     tcp spts:1:65535 dpt:80 to:172.17.1.14:3129

Chain USR_PRE (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 DNAT       tcp  --  *      *       172.17.8.0/25        41.x.y.z       tcp spts:1:65535 dpt:80 to:172.17.1.14:3129

-----------------------------------------------------------------------------
Checking port 3129 on squid server
root@proxyserver-# netstat -tpln | grep 3129
tcp        0      0 172.17.1.14:3129        0.0.0.0:*               LISTEN

Sadly, no redirection happens. The LAN Network don't seem to be using the proxy..
Any advice is appreciated!
Thank you in advance.

Andronic

This thread was automatically locked due to age.

Parents

0 Jhons over 9 years ago

1-Type iptables -t mangle -L on command line.
I see :
Chain TPROXY_DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x40000
ACCEPT all -- anywhere anywhere

Chain TPROXY_DIVERT_HTTP (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere socket CONNMARK or 0x40000
TPROXY tcp -- anywhere anywhere TPROXY redirect 0.0.0.0:18080 mark 0x40000/0xffffffff

Chain TPROXY_HOOK (2 references)
target prot opt source destination
TPROXY_DIVERT all -- anywhere anywhere ctstate RELATED,ESTABLISHED connmark match 0x40000/0x40000
TPROXY_HOOK_HTTP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:http ADDRTYPE match dst-type !LOCAL
TPROXY_HOOK_HTTP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:https ADDRTYPE match dst-type !LOCAL

Chain TPROXY_HOOK_HTTP (2 references)
target prot opt source destination
TPROXY_DIVERT_HTTP all -- anywhere passthrough.fw-notify.net
RETURN all -- anywhere passthrough.fw-notify.net
RETURN tcp -- anywhere anywhere match-set uwRYL6vRsC/FQg+/mPuERg dst tcp spts:tcpmux:65535 multiport dports http,https ADDRTYPE match dst-type !LOCAL
TPROXY_DIVERT_HTTP tcp -- 172.17.9.60 anywhere tcp spts:tcpmux:65535 dpt:http
TPROXY_DIVERT_HTTP tcp -- anywhere anywhere match-set ItprVXltg1PgTKp4RX0uUw src tcp spts:tcpmux:65535 dpt:http
RETURN tcp -- 172.17.9.60 anywhere tcp spts:tcpmux:65535 dpt:https
RETURN tcp -- anywhere anywhere match-set ItprVXltg1PgTKp4RX0uUw src tcp spts:tcpmux:65535 dpt:https

2-Check Web protection>Web filtering>Global>Default Web Filter Profile>Operation mode

Web Filtering Status>>>>
Operation mode:
Standard Mode
[X]Transparent Mode
Full transparent

TPROXY :::This means "sophos already acts as transparent proxy" for your Allowed networks.

1)Network Protection >NAT >NAT
NAT:
Rule Type: DNAT

Matching Condition=
For traffic from :LAN Network
Using service : HTTP
Going to : EXTERNAL ADDRESS

Action=
Change the destination to =proxy-server
And the service to :=Port 3129

Automatic Firewall rule= checked

2)Network Protection >Firewall> Rules
Sources:LAN Network
Services:Any
Destinations=proxy-server

Your DNAT rules are in conflict with sophos's Web Filtering rules that affect your LAN Network.

- I suddenly found an old reply for a thread "Astaro redirect http to squid server"
https://ubb.sophos.com/gateway-products/network-protection-firewall-nat-qos-ips/7719-astaro-redirect-http-squid-server.html

[that won't work with DNAT because you change the destination Any to your SQUID server. What does Squid with an HTTP request directed to itself? There is no way without hacking the firewall - the buzzword is policy based routing....

Couldn't you just enter the ip of your squid server in the proxy settings of internet explorer? I know that if you have a lot of stations this could be a pain, but, it looks like the alternative isn't easy either.
[/I]
Unfortunately,in my view a best solution for it would not exist until now.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Jhons over 9 years ago

1-Type iptables -t mangle -L on command line.
I see :
Chain TPROXY_DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x40000
ACCEPT all -- anywhere anywhere

Chain TPROXY_DIVERT_HTTP (3 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere socket CONNMARK or 0x40000
TPROXY tcp -- anywhere anywhere TPROXY redirect 0.0.0.0:18080 mark 0x40000/0xffffffff

Chain TPROXY_HOOK (2 references)
target prot opt source destination
TPROXY_DIVERT all -- anywhere anywhere ctstate RELATED,ESTABLISHED connmark match 0x40000/0x40000
TPROXY_HOOK_HTTP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:http ADDRTYPE match dst-type !LOCAL
TPROXY_HOOK_HTTP tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpt:https ADDRTYPE match dst-type !LOCAL

Chain TPROXY_HOOK_HTTP (2 references)
target prot opt source destination
TPROXY_DIVERT_HTTP all -- anywhere passthrough.fw-notify.net
RETURN all -- anywhere passthrough.fw-notify.net
RETURN tcp -- anywhere anywhere match-set uwRYL6vRsC/FQg+/mPuERg dst tcp spts:tcpmux:65535 multiport dports http,https ADDRTYPE match dst-type !LOCAL
TPROXY_DIVERT_HTTP tcp -- 172.17.9.60 anywhere tcp spts:tcpmux:65535 dpt:http
TPROXY_DIVERT_HTTP tcp -- anywhere anywhere match-set ItprVXltg1PgTKp4RX0uUw src tcp spts:tcpmux:65535 dpt:http
RETURN tcp -- 172.17.9.60 anywhere tcp spts:tcpmux:65535 dpt:https
RETURN tcp -- anywhere anywhere match-set ItprVXltg1PgTKp4RX0uUw src tcp spts:tcpmux:65535 dpt:https

2-Check Web protection>Web filtering>Global>Default Web Filter Profile>Operation mode

Web Filtering Status>>>>
Operation mode:
Standard Mode
[X]Transparent Mode
Full transparent

TPROXY :::This means "sophos already acts as transparent proxy" for your Allowed networks.

1)Network Protection >NAT >NAT
NAT:
Rule Type: DNAT

Matching Condition=
For traffic from :LAN Network
Using service : HTTP
Going to : EXTERNAL ADDRESS

Action=
Change the destination to =proxy-server
And the service to :=Port 3129

Automatic Firewall rule= checked

2)Network Protection >Firewall> Rules
Sources:LAN Network
Services:Any
Destinations=proxy-server

Your DNAT rules are in conflict with sophos's Web Filtering rules that affect your LAN Network.

- I suddenly found an old reply for a thread "Astaro redirect http to squid server"
https://ubb.sophos.com/gateway-products/network-protection-firewall-nat-qos-ips/7719-astaro-redirect-http-squid-server.html

[that won't work with DNAT because you change the destination Any to your SQUID server. What does Squid with an HTTP request directed to itself? There is no way without hacking the firewall - the buzzword is policy based routing....

Couldn't you just enter the ip of your squid server in the proxy settings of internet explorer? I know that if you have a lot of stations this could be a pain, but, it looks like the alternative isn't easy either.
[/I]
Unfortunately,in my view a best solution for it would not exist until now.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data