Web-Proxy
Posted: Thu Mar 03, 2005 4:13 pm
I have only a very basic understanding of the complexities of routing/bridging but have managed to codge together a working bridging firewall for our publicly-addressed LAN (connected to the internet via a BT ADSL router). However, I'd also like to use the transparent web-proxy but have not managed to make it work. As an experiment, I'm trying to start by getting the 'normal' (explicit) web-proxy working, whereby the client enters the proxy server's IP address and port in the MSIE settings, but I can't even get this to work.
Can one of you clever chaps point out where I'm going wrong and also how I move to transparent w-p? Here is my IP config... (please feel free to point out any holes):
# Appears to be a RouterOS 2.x configuration export captured from the console.
# Lines starting with # are review comments; every command line is unchanged.
# Addresses written as x.x.x.N were anonymised by the poster.
/ ip service
# All four management services listen on 0.0.0.0/0 (any source address); who can
# actually reach them is decided only by the input chain further down.
# telnet and ftp carry credentials in cleartext - prefer ssh for management.
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
/ ip socks
# SOCKS proxy enabled on 1080. The single access rule below has no src-address,
# so every source that can reach the port is allowed; restrict it to the LAN /26.
set enabled=yes port=1080 connection-idle-timeout=2m max-connections=200
/ ip socks access
add action=allow disabled=no
/ ip arp
/ ip upnp
# UPnP is on: LAN hosts can request port mappings themselves - confirm this is intended.
set enabled=yes
/ ip dns
# allow-remote-requests=yes makes the router answer DNS queries for others. Together with
# the input-chain rule "Allow UDP connections" (which accepts UDP from any source), port 53
# is reachable from the internet, i.e. the router is an open resolver. Restrict UDP in the
# input chain or set allow-remote-requests=no if only LAN clients need it.
set primary-dns=x.x.x.68 secondary-dns=x.x.x.71 allow-remote-requests=yes cache-size="2048 kB" \
cache-max-ttl=7d
/ ip firewall
# Built-in chain policies are accept; each chain therefore relies on its own final explicit drop rule.
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="synflood" policy=none comment=""
/ ip firewall rule forward
# Traffic passing through the bridge. Rules are evaluated top to bottom; the first
# terminating match (accept/drop) wins, so order is significant.
add action=jump jump-target=synflood comment="Attack Defense" disabled=no
# Windows RPC/SMB blocked in both directions (no src/dst host restriction).
add dst-address=:135-139 protocol=udp action=drop comment="RPC UDP" disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="RPC TCP" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="SMB" disabled=no
add connection-state=invalid action=drop log=yes comment="Invalid" disabled=no
add connection-state=established action=accept comment="Established" disabled=no
add connection-state=related action=accept comment="Related" disabled=no
# Disabled; if enabled it would accept all UDP ahead of the port-specific rules below.
add protocol=udp action=accept log=yes comment="UDP" disabled=yes
add protocol=icmp action=accept comment="ICMP" disabled=no
# "Out" rules match on the LAN source ranges (/26, /29); "In" rules on destination ranges (/27, /29).
add src-address=x.x.x.64/26 dst-address=:53 protocol=udp action=accept log=yes comment="DNS Out" disabled=no
add dst-address=x.x.x.64/27:53 protocol=udp action=accept log=yes comment="DNS In \(.65 - .94\)" disabled=no
add src-address=x.x.x.64/29 dst-address=:25 protocol=tcp action=accept log=yes comment="SMTP Out \(.65 - \
.70\)" disabled=no
add dst-address=x.x.x.64/29:25 protocol=tcp action=accept log=yes comment="SMTP In \(.65 - .70\)" \
disabled=no
add src-address=x.x.x.64/26 dst-address=:80 protocol=tcp action=accept log=yes comment="HTTP Out" \
disabled=no
add dst-address=x.x.x.64/27:80 protocol=tcp action=accept log=yes comment="HTTP In \(.65 - .94\)" \
disabled=no
add src-address=x.x.x.64/26 dst-address=:443 protocol=tcp action=accept log=yes comment="HTTPS Out" \
disabled=no
add dst-address=x.x.x.64/27:443 protocol=tcp action=accept log=yes comment="HTTPS In" disabled=no
# The following accept rules carry neither a src-address nor a dst-address host, so they admit
# the service from the whole internet to every host behind the bridge. POP3, RDP, RAdmin (4899)
# and FTP are credential-bearing / remote-access services - consider limiting each to the hosts
# that actually run it (dst-address) or to known sources, as the SMTP/HTTP rules above do.
add dst-address=:110 protocol=tcp action=accept log=yes comment="POP3" disabled=no
add protocol=rdp action=accept log=yes comment="RDP" disabled=no
add dst-address=:3389 protocol=tcp action=accept log=yes comment="RDP TCP" disabled=no
add dst-address=:4899 protocol=tcp action=accept log=yes comment="RAdmin" disabled=no
add dst-address=:20-21 protocol=tcp action=accept log=yes comment="FTP TCP" disabled=no
# FTP does not use UDP and NTP does not use TCP; "FTP UDP" and "NTP TCP" match nothing useful.
add dst-address=:20-21 protocol=udp action=accept log=yes comment="FTP UDP" disabled=no
add dst-address=:37 protocol=tcp action=accept log=yes comment="Time TCP" disabled=no
add dst-address=:37 protocol=udp action=accept log=yes comment="Time UDP" disabled=no
add dst-address=:123 protocol=tcp action=accept log=yes comment="NTP TCP" disabled=no
add dst-address=:123 protocol=udp action=accept log=yes comment="NTP UDP" disabled=no
# 80.176.196.80/28 is accepted in both directions on every protocol and port.
add dst-address=80.176.196.80/28 action=accept log=yes comment="Trusted Out" disabled=no
add src-address=80.176.196.80/28 action=accept log=yes comment="Trusted In" disabled=no
# eMule ports accepted from any source (not logged).
add dst-address=:4646 protocol=tcp action=accept comment="eMule" disabled=no
add dst-address=:4661-4662 protocol=tcp action=accept comment="eMule" disabled=no
add dst-address=:4665 protocol=udp action=accept comment="eMule" disabled=no
add dst-address=:4672 protocol=udp action=accept comment="eMule" disabled=no
add dst-address=:4711 protocol=tcp action=accept comment="eMule Web Server" disabled=no
# x.x.x.105 may initiate anything; everything else reaching this point is dropped and logged.
add src-address=x.x.x.105/32 action=accept comment="Daemon" disabled=no
add action=drop log=yes comment="Drop" disabled=no
/ ip firewall rule input
# Traffic addressed to the router itself (management services, DNS, SOCKS, web-proxy).
add connection-state=invalid action=drop log=yes comment="Drop invalid connection packets" disabled=no
add connection-state=established action=accept comment="Allow established connections" disabled=no
add connection-state=related action=accept comment="Allow related connections" disabled=no
# Accepts every UDP datagram from any source before the trusted-network checks, so those
# checks effectively apply to TCP and other protocols only; this is what exposes DNS (53).
add protocol=udp action=accept log=yes comment="Allow UDP connections" disabled=no
add protocol=icmp action=accept comment="Allow ICMP messages" disabled=no
# TCP to the management, SOCKS and proxy ports is limited to these two ranges.
add src-address=x.x.x.64/26 action=accept log=yes comment="Allow access from 'trusted' networks" disabled=no
add src-address=80.176.196.80/28 action=accept log=yes comment="Allow access from 'trusted' networks" disabled=no
add action=drop log=yes comment="Drop" disabled=no
/ ip firewall rule output
# Router-originated traffic is unrestricted.
add action=accept comment="" disabled=no
/ ip firewall rule synflood
# Called from the forward chain. SYN-only TCP within the limit (25 per 1s, burst 5) returns
# to the caller; SYNs beyond it are dropped. The ICMP and UDP variants are disabled.
add protocol=tcp tcp-options=syn-only limit-count=25 limit-burst=5 limit-time=1s action=return comment="" \
disabled=no
add protocol=tcp tcp-options=syn-only action=drop comment="" disabled=no
# tcp-options=syn-only on an icmp rule looks contradictory (it is a TCP matcher); disabled anyway.
add protocol=icmp tcp-options=syn-only connection-state=new limit-count=25 limit-burst=5 limit-time=1s \
action=return comment="" disabled=yes
add protocol=icmp action=drop comment="" disabled=yes
add protocol=udp connection-state=new limit-count=25 limit-burst=5 limit-time=1s action=return comment="" \
disabled=yes
add protocol=udp action=drop comment="" disabled=yes
/ ip firewall service-port
# Connection-tracking helpers for protocols that open secondary connections.
set ftp ports=21 disabled=no
set pptp disabled=no
set gre disabled=no
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall dst-nat
# These are the transparent-proxy redirect rules, all currently disabled. Note the first
# redirects to port 3128 while the web-proxy below listens on 8080; the last two exclude
# .79 and .78 (the router's own bridge address) from redirection. Keep them disabled until
# the proxy works in explicit mode - a redirect cannot help while the router has no route out.
add in-interface=int dst-address=:80 protocol=tcp action=redirect to-dst-port=3128 comment="" disabled=yes
add dst-address=:53 protocol=udp action=redirect comment="" disabled=yes
add in-interface=int dst-address=!x.x.x.79/32:80 protocol=tcp action=redirect to-dst-port=8080 comment="" \
disabled=yes
add in-interface=int dst-address=!x.x.x.78/32:80 protocol=tcp action=redirect to-dst-port=8080 comment="" \
disabled=yes
/ ip firewall connection tracking
# Required for the connection-state matchers above; timeouts are set explicitly.
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=1h \
tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m \
tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip address
# The router's only address, on the bridge interface (inside the LAN /26).
add address=x.x.x.78/26 network=x.x.x.64 broadcast=x.x.x.127 interface=bridge comment="" \
disabled=no
/ ip accounting
set enabled=yes threshold=1024
/ ip accounting web-access
# Accounting table readable over HTTP by the LAN /26 only.
set accessible-via-web=yes address=x.x.x.64/26
/ ip policy-routing
/ ip policy-routing rule
# Single catch-all rule sending every lookup to table main.
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 flow="" interface=all action=lookup table=main comment="" \
disabled=no
/ ip policy-routing table main
/ ip neighbor discovery
# Neighbor discovery is enabled on every interface, including ext (presumably the
# ADSL-facing one); consider disabling it there so the router does not announce itself outward.
set int discover=yes
set ext discover=yes
set mng discover=yes
set bridge discover=yes
/ ip route
# EMPTY - no static routes, hence no default gateway. Bridged LAN traffic does not need one,
# but the web-proxy (and SOCKS, DNS) originate their own connections from the router and do
# need a route to the internet. This matches the "(101) Network is unreachable" error quoted
# below. A default route (0.0.0.0/0) via the ADSL router's address (not shown on this page)
# is the likely fix for the explicit proxy; the transparent redirect can be enabled after that.
/ ip dhcp-client
# DHCP client disabled, so the default route has to be added statically.
set enabled=no host-name="" client-id="" add-default-route=yes use-peer-dns=yes
/ ip ipsec proposal
# Default proposal only (3des/sha1/modp1024 - weak by current standards); no peers or
# policies appear in this export, so it may well be unused.
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 \
disabled=no
/ ip web-proxy
# Proxy bound to all router addresses (src-address=0.0.0.0) on 8080; explicit-mode clients
# point at x.x.x.78:8080. transparent-proxy=yes presumably does nothing on its own while the
# dst-nat redirect rules stay disabled. The cache-administrator address is shown on proxy error pages.
set enabled=yes src-address=0.0.0.0 port=8080 hostname="" transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster@appliedcool.co.uk" max-object-size="4096 kB" cache-drive=system \
max-cache-size=1000
/ ip web-proxy access
# Only the LAN /26 is matched in each list. What happens to a source matching no rule is not
# visible here - verify the default is deny, since the proxy listens on every router address.
add src-address=x.x.x.64/26 action=allow comment="" disabled=no
/ ip web-proxy cache
add src-address=x.x.x.64/26 action=allow comment="" disabled=no
/ ip web-proxy direct
# "direct" sources are fetched without a parent proxy (parent-proxy is unset above anyway).
add src-address=x.x.x.64/26 action=allow comment="" disabled=no
[admin@firewall] ip>
The error message in IE reads...:
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://www.mikrotik.com/
The following error was encountered:
Connection Failed
The system returned:
(101) Network is unreachable
The remote host or network may be down. Please try the request again.
Thank you in advance.
Ged.
Can one of you clever chaps point out where I'm going wrong and also how I move to transparent w-p? Here is my IP config... (please feel free to point out any holes):
# Appears to be a RouterOS 2.x configuration export captured from the console.
# Lines starting with # are review comments; every command line is unchanged.
# Addresses written as x.x.x.N were anonymised by the poster.
/ ip service
# All four management services listen on 0.0.0.0/0 (any source address); who can
# actually reach them is decided only by the input chain further down.
# telnet and ftp carry credentials in cleartext - prefer ssh for management.
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
/ ip socks
# SOCKS proxy enabled on 1080. The single access rule below has no src-address,
# so every source that can reach the port is allowed; restrict it to the LAN /26.
set enabled=yes port=1080 connection-idle-timeout=2m max-connections=200
/ ip socks access
add action=allow disabled=no
/ ip arp
/ ip upnp
# UPnP is on: LAN hosts can request port mappings themselves - confirm this is intended.
set enabled=yes
/ ip dns
# allow-remote-requests=yes makes the router answer DNS queries for others. Together with
# the input-chain rule "Allow UDP connections" (which accepts UDP from any source), port 53
# is reachable from the internet, i.e. the router is an open resolver. Restrict UDP in the
# input chain or set allow-remote-requests=no if only LAN clients need it.
set primary-dns=x.x.x.68 secondary-dns=x.x.x.71 allow-remote-requests=yes cache-size="2048 kB" \
cache-max-ttl=7d
/ ip firewall
# Built-in chain policies are accept; each chain therefore relies on its own final explicit drop rule.
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="synflood" policy=none comment=""
/ ip firewall rule forward
# Traffic passing through the bridge. Rules are evaluated top to bottom; the first
# terminating match (accept/drop) wins, so order is significant.
add action=jump jump-target=synflood comment="Attack Defense" disabled=no
# Windows RPC/SMB blocked in both directions (no src/dst host restriction).
add dst-address=:135-139 protocol=udp action=drop comment="RPC UDP" disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="RPC TCP" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="SMB" disabled=no
add connection-state=invalid action=drop log=yes comment="Invalid" disabled=no
add connection-state=established action=accept comment="Established" disabled=no
add connection-state=related action=accept comment="Related" disabled=no
# Disabled; if enabled it would accept all UDP ahead of the port-specific rules below.
add protocol=udp action=accept log=yes comment="UDP" disabled=yes
add protocol=icmp action=accept comment="ICMP" disabled=no
# "Out" rules match on the LAN source ranges (/26, /29); "In" rules on destination ranges (/27, /29).
add src-address=x.x.x.64/26 dst-address=:53 protocol=udp action=accept log=yes comment="DNS Out" disabled=no
add dst-address=x.x.x.64/27:53 protocol=udp action=accept log=yes comment="DNS In \(.65 - .94\)" disabled=no
add src-address=x.x.x.64/29 dst-address=:25 protocol=tcp action=accept log=yes comment="SMTP Out \(.65 - \
.70\)" disabled=no
add dst-address=x.x.x.64/29:25 protocol=tcp action=accept log=yes comment="SMTP In \(.65 - .70\)" \
disabled=no
add src-address=x.x.x.64/26 dst-address=:80 protocol=tcp action=accept log=yes comment="HTTP Out" \
disabled=no
add dst-address=x.x.x.64/27:80 protocol=tcp action=accept log=yes comment="HTTP In \(.65 - .94\)" \
disabled=no
add src-address=x.x.x.64/26 dst-address=:443 protocol=tcp action=accept log=yes comment="HTTPS Out" \
disabled=no
add dst-address=x.x.x.64/27:443 protocol=tcp action=accept log=yes comment="HTTPS In" disabled=no
# The following accept rules carry neither a src-address nor a dst-address host, so they admit
# the service from the whole internet to every host behind the bridge. POP3, RDP, RAdmin (4899)
# and FTP are credential-bearing / remote-access services - consider limiting each to the hosts
# that actually run it (dst-address) or to known sources, as the SMTP/HTTP rules above do.
add dst-address=:110 protocol=tcp action=accept log=yes comment="POP3" disabled=no
add protocol=rdp action=accept log=yes comment="RDP" disabled=no
add dst-address=:3389 protocol=tcp action=accept log=yes comment="RDP TCP" disabled=no
add dst-address=:4899 protocol=tcp action=accept log=yes comment="RAdmin" disabled=no
add dst-address=:20-21 protocol=tcp action=accept log=yes comment="FTP TCP" disabled=no
# FTP does not use UDP and NTP does not use TCP; "FTP UDP" and "NTP TCP" match nothing useful.
add dst-address=:20-21 protocol=udp action=accept log=yes comment="FTP UDP" disabled=no
add dst-address=:37 protocol=tcp action=accept log=yes comment="Time TCP" disabled=no
add dst-address=:37 protocol=udp action=accept log=yes comment="Time UDP" disabled=no
add dst-address=:123 protocol=tcp action=accept log=yes comment="NTP TCP" disabled=no
add dst-address=:123 protocol=udp action=accept log=yes comment="NTP UDP" disabled=no
# 80.176.196.80/28 is accepted in both directions on every protocol and port.
add dst-address=80.176.196.80/28 action=accept log=yes comment="Trusted Out" disabled=no
add src-address=80.176.196.80/28 action=accept log=yes comment="Trusted In" disabled=no
# eMule ports accepted from any source (not logged).
add dst-address=:4646 protocol=tcp action=accept comment="eMule" disabled=no
add dst-address=:4661-4662 protocol=tcp action=accept comment="eMule" disabled=no
add dst-address=:4665 protocol=udp action=accept comment="eMule" disabled=no
add dst-address=:4672 protocol=udp action=accept comment="eMule" disabled=no
add dst-address=:4711 protocol=tcp action=accept comment="eMule Web Server" disabled=no
# x.x.x.105 may initiate anything; everything else reaching this point is dropped and logged.
add src-address=x.x.x.105/32 action=accept comment="Daemon" disabled=no
add action=drop log=yes comment="Drop" disabled=no
/ ip firewall rule input
# Traffic addressed to the router itself (management services, DNS, SOCKS, web-proxy).
add connection-state=invalid action=drop log=yes comment="Drop invalid connection packets" disabled=no
add connection-state=established action=accept comment="Allow established connections" disabled=no
add connection-state=related action=accept comment="Allow related connections" disabled=no
# Accepts every UDP datagram from any source before the trusted-network checks, so those
# checks effectively apply to TCP and other protocols only; this is what exposes DNS (53).
add protocol=udp action=accept log=yes comment="Allow UDP connections" disabled=no
add protocol=icmp action=accept comment="Allow ICMP messages" disabled=no
# TCP to the management, SOCKS and proxy ports is limited to these two ranges.
add src-address=x.x.x.64/26 action=accept log=yes comment="Allow access from 'trusted' networks" disabled=no
add src-address=80.176.196.80/28 action=accept log=yes comment="Allow access from 'trusted' networks" disabled=no
add action=drop log=yes comment="Drop" disabled=no
/ ip firewall rule output
# Router-originated traffic is unrestricted.
add action=accept comment="" disabled=no
/ ip firewall rule synflood
# Called from the forward chain. SYN-only TCP within the limit (25 per 1s, burst 5) returns
# to the caller; SYNs beyond it are dropped. The ICMP and UDP variants are disabled.
add protocol=tcp tcp-options=syn-only limit-count=25 limit-burst=5 limit-time=1s action=return comment="" \
disabled=no
add protocol=tcp tcp-options=syn-only action=drop comment="" disabled=no
# tcp-options=syn-only on an icmp rule looks contradictory (it is a TCP matcher); disabled anyway.
add protocol=icmp tcp-options=syn-only connection-state=new limit-count=25 limit-burst=5 limit-time=1s \
action=return comment="" disabled=yes
add protocol=icmp action=drop comment="" disabled=yes
add protocol=udp connection-state=new limit-count=25 limit-burst=5 limit-time=1s action=return comment="" \
disabled=yes
add protocol=udp action=drop comment="" disabled=yes
/ ip firewall service-port
# Connection-tracking helpers for protocols that open secondary connections.
set ftp ports=21 disabled=no
set pptp disabled=no
set gre disabled=no
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall dst-nat
# These are the transparent-proxy redirect rules, all currently disabled. Note the first
# redirects to port 3128 while the web-proxy below listens on 8080; the last two exclude
# .79 and .78 (the router's own bridge address) from redirection. Keep them disabled until
# the proxy works in explicit mode - a redirect cannot help while the router has no route out.
add in-interface=int dst-address=:80 protocol=tcp action=redirect to-dst-port=3128 comment="" disabled=yes
add dst-address=:53 protocol=udp action=redirect comment="" disabled=yes
add in-interface=int dst-address=!x.x.x.79/32:80 protocol=tcp action=redirect to-dst-port=8080 comment="" \
disabled=yes
add in-interface=int dst-address=!x.x.x.78/32:80 protocol=tcp action=redirect to-dst-port=8080 comment="" \
disabled=yes
/ ip firewall connection tracking
# Required for the connection-state matchers above; timeouts are set explicitly.
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=1h \
tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m \
tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip address
# The router's only address, on the bridge interface (inside the LAN /26).
add address=x.x.x.78/26 network=x.x.x.64 broadcast=x.x.x.127 interface=bridge comment="" \
disabled=no
/ ip accounting
set enabled=yes threshold=1024
/ ip accounting web-access
# Accounting table readable over HTTP by the LAN /26 only.
set accessible-via-web=yes address=x.x.x.64/26
/ ip policy-routing
/ ip policy-routing rule
# Single catch-all rule sending every lookup to table main.
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 flow="" interface=all action=lookup table=main comment="" \
disabled=no
/ ip policy-routing table main
/ ip neighbor discovery
# Neighbor discovery is enabled on every interface, including ext (presumably the
# ADSL-facing one); consider disabling it there so the router does not announce itself outward.
set int discover=yes
set ext discover=yes
set mng discover=yes
set bridge discover=yes
/ ip route
# EMPTY - no static routes, hence no default gateway. Bridged LAN traffic does not need one,
# but the web-proxy (and SOCKS, DNS) originate their own connections from the router and do
# need a route to the internet. This matches the "(101) Network is unreachable" error quoted
# below. A default route (0.0.0.0/0) via the ADSL router's address (not shown on this page)
# is the likely fix for the explicit proxy; the transparent redirect can be enabled after that.
/ ip dhcp-client
# DHCP client disabled, so the default route has to be added statically.
set enabled=no host-name="" client-id="" add-default-route=yes use-peer-dns=yes
/ ip ipsec proposal
# Default proposal only (3des/sha1/modp1024 - weak by current standards); no peers or
# policies appear in this export, so it may well be unused.
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 \
disabled=no
/ ip web-proxy
# Proxy bound to all router addresses (src-address=0.0.0.0) on 8080; explicit-mode clients
# point at x.x.x.78:8080. transparent-proxy=yes presumably does nothing on its own while the
# dst-nat redirect rules stay disabled. The cache-administrator address is shown on proxy error pages.
set enabled=yes src-address=0.0.0.0 port=8080 hostname="" transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster@appliedcool.co.uk" max-object-size="4096 kB" cache-drive=system \
max-cache-size=1000
/ ip web-proxy access
# Only the LAN /26 is matched in each list. What happens to a source matching no rule is not
# visible here - verify the default is deny, since the proxy listens on every router address.
add src-address=x.x.x.64/26 action=allow comment="" disabled=no
/ ip web-proxy cache
add src-address=x.x.x.64/26 action=allow comment="" disabled=no
/ ip web-proxy direct
# "direct" sources are fetched without a parent proxy (parent-proxy is unset above anyway).
add src-address=x.x.x.64/26 action=allow comment="" disabled=no
[admin@firewall] ip>
The error message in IE reads...:
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://www.mikrotik.com/
The following error was encountered:
Connection Failed
The system returned:
(101) Network is unreachable
The remote host or network may be down. Please try the request again.
Thank you in advance.
Ged.