HTTP Proxy Transparent Proxy with Web Antivirus setup


This topic contains 15 replies, has 0 voices, and was last updated by  esvabas 8 years, 3 months ago.

Viewing 15 posts - 1 through 15 (of 17 total)
    #42189

    esvabas
    Member

    Hi,

    Installed Zeroshell 1.0 beta12.
    Have 3 network cards.
    1 network card just for management.
    2 network cards to work as transparent in-path proxy.
    Under Network setup, I have set up a new bridge and bridged those 2 network cards together.
    Put my laptop on inside and the other network card goes to outside switch.

    Works fine, passes traffic fine, but once I turn on HTTP Capturing Rules it stops working. Unable to browse outside, but I can ping outside and can browse via other ports; HTTPS, RDP, telnet etc. work fine.

    Any suggestions or detailed documentation how to set it up?

    #49572

    Marcelo
    Member

    Have you ever changed the default policy of your OUTPUT chain to something different from ACCEPT and/or have restrictive rules there?

    This is an important thing to check as, without the proxy, your requests go through the ZS box, thus will be filtered by the FORWARD chain firewall rules. On the other hand, when you have the transparent proxy on, the requests will be received by the proxy at Zeroshell and then will be re-issued from there (as if the requests originated on the ZS box). The bottom line is that these new re-issued requests will be subject to the rules in the OUTPUT chain, not the FORWARD chain.

    Hope it helps

    #49573

    esvabas
    Member

    Hi,

    I have not configured anything under Firewall rules, left default.

    Basically all the setup I did was:

    1. Bridged 2 network cards together.
    2. Went into HTTP Proxy and Added HTTP Capturing Rule for BRIDGED interface.

    Everything is working fine if I don't add the HTTP Capturing rule.

    The rule is very simple:
    Chain Proxy (1 references)
    pkts bytes target   prot opt in       out source    destination
    5    260   REDIRECT tcp  --  BRIDGE00 *   0.0.0.0/0 0.0.0.0/0   redir ports 8080

    #49574

    Marcelo
    Member

    Are you able to ping any of the URLs that you are trying to access from the Zeroshell shell prompt?

    Could you post here some screenshots:
    – Proxy capturing rules
    – Firewall INPUT and OUTPUT chains (even knowing you didn’t change anything)

    #49575

    esvabas
    Member

    #49576

    esvabas
    Member

    @marcelo wrote:

    Are you able to ping any of the URLs that you are trying to access from the Zeroshell shell prompt?

    Could you post here some screenshots:
    – Proxy capturing rules
    – Firewall INPUT and OUTPUT chains (even knowing you didn’t change anything)

    Yes, I am able to ping etc.; I can even RDP to other machines, HTTPS works, FTP works, but HTTP does not.

    #49577

    Marcelo
    Member

    Hmmmm. Interesting, this is indeed very weird.

    I see though that you have items in your blacklist. Could you please try clearing it (leave it with zero items), just for a start, and confirm whether the problem persists?
    Since you’re currently in the troubleshooting phase of your proxy configuration, I’d recommend that you only add items to the blacklist once you confirm you have a working configuration, just to make sure nothing else is interfering with your investigation.

    I understand the router is forwarding the packets correctly (like accessing https, etc.); pinging from the ZS box (not one of the machines it serves) was just to confirm you had no problems with the OUTPUT chain, not the FORWARD one.

    Let me know how it does after cleaning the blacklist.

    #49578

    esvabas
    Member

    Removed and disabled whitelisting and blacklisting.

    Very weird, it seems to be an easy config.

    Maybe it is an issue with the version that I am running?

    Thanks

    #49579

    Marcelo
    Member

    I don’t think this is related to the version you’re using, I use the transparent proxy on beta12 (same version as you) with no problems.

    What do you have in the proxy logs?

    Try enabling logging of every transaction (not just URLs with virus) and after one or two requests, post the logs here (remember to edit sensitive information like IPs and the like, if you care, before posting).

    #49580

    ppalias
    Member

    esvabas, try this: add also the source IP range in the proxy configuration, not just the interface BRIDGE00.
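
Two checks come up in this thread: Marcelo's point (#49572) that the proxy's re-issued requests leave through the OUTPUT chain rather than FORWARD, and ppalias's advice above to narrow the capture rule to a source network. The script below is an added example written for this page, not ZeroShell's own code: it audits an `iptables-save` dump for a non-ACCEPT OUTPUT policy and for REDIRECT capture rules that are not restricted by `-s` and `--dport`. The dump embedded in `sample_dump` is constructed to resemble the posted rule (chain `Proxy`, interface `BRIDGE00`, port 8080); it is not taken from the poster's box.

```shell
#!/bin/sh
# Added example (not ZeroShell's own code): audit an iptables-save dump for the two
# things the thread points at: a non-ACCEPT OUTPUT policy (the proxy's re-issued
# requests leave via OUTPUT, not FORWARD) and a REDIRECT capture rule that is not
# narrowed to a source network and a destination port.
# Input is the iptables-save text format. The dump below is constructed for this
# example and is not the poster's real rule set.

sample_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:Proxy - [0:0]
-A PREROUTING -j Proxy
-A Proxy -i BRIDGE00 -p tcp -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o ETH00 -j ACCEPT
COMMIT
EOF
}

# output_policy <dump-file>: prints the default policy of the filter OUTPUT chain
output_policy() {
  awk '/^\*/{table=substr($0,2)} table=="filter" && $1==":OUTPUT"{print $2; exit}' "$1"
}

# redirect_rule_findings <dump-file>: one line per REDIRECT rule in the nat table
# that lacks a --dport or a -s match; prints nothing when every rule is narrowed
redirect_rule_findings() {
  awk '/^\*/{table=substr($0,2)}
       table=="nat" && /-j REDIRECT/ {
         missing=""
         if ($0 !~ /--dport/) missing=missing " no-dport"
         if ($0 !~ /(^| )-s /) missing=missing " no-source-net"
         if (missing != "") print "capture rule not narrowed:" missing " :: " $0
       }' "$1"
}

# audit_dump <dump-file>: exit 0 when clean, 1 when something needs attention
audit_dump() {
  rc=0
  pol=$(output_policy "$1")
  if [ "$pol" != "ACCEPT" ]; then
    echo "OUTPUT policy is $pol: the proxy's own outbound requests need an explicit ACCEPT (e.g. tcp dport 80 from the box)"
    rc=1
  fi
  findings=$(redirect_rule_findings "$1")
  if [ -n "$findings" ]; then
    echo "$findings"
    rc=1
  fi
  return $rc
}

# On a real box: iptables-save > /tmp/rules.txt && audit_dump /tmp/rules.txt
# --demo runs the audit over the constructed dump above.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); sample_dump > "$tmp"
  audit_dump "$tmp"; echo "exit=$?"
  rm -f "$tmp"
fi
```

The constructed dump fails both checks (OUTPUT policy DROP, and a REDIRECT rule with neither `--dport 80` nor a `-s` network), which is the combination the two replies warn about; a rule such as `-A Proxy -i BRIDGE00 -s 192.168.60.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080` with an ACCEPT OUTPUT policy passes clean.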

    #49581

    esvabas
    Member

    What is funny is that, when I enable HTTP Proxy on the bridge, no HTTP traffic passes from my laptop, but the PROXY log shows at least the connections from me trying to access google.com or yahoo.com or Windows Update; here is the log:

    19:34:08 192.168.60.108 HEAD 200 http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab? 292+0 OK
    19:34:30 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:35:01 192.168.60.108 HEAD 200 http://download.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 384+0 OK
    19:35:22 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:35:53 192.168.60.108 HEAD 200 http://download.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 384+0 OK
    19:37:53 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:38:23 192.168.60.108 HEAD 200 http://download.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 384+0 OK
    19:38:44 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:39:15 192.168.60.108 HEAD 200 http://download.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 384+0 OK
    19:39:36 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:40:07 192.168.60.108 HEAD 200 http://www.update.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 278+0 OK
    19:40:28 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:40:58 192.168.60.108 HEAD 200 http://www.update.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 278+0 OK
    19:41:18 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:41:47 192.168.60.108 HEAD 200 http://www.update.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 278+0 OK
    19:42:09 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:42:39 192.168.60.108 HEAD 200 http://www.update.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab? 278+0 OK
    19:43:06 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    19:43:37 192.168.60.108 GET 404 http://watson.microsoft.com/StageOne/Generic/WindowsUpdateFailure/7_3_7600_16385/80072ee2/D67661EB-2423-451D-BF5D-13199E37DF28/Scan/101/Unmanaged.htm? 237+1635 OK
    21:11:05 192.168.60.108 GET 200 http://images.google.com/imghp? 246+5142 OK
    21:11:32 192.168.60.108 GET 301 http://google.com/ 302+219 OK
    21:12:24 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    21:12:29 192.168.60.108 GET 302 http://go.microsoft.com/fwlink/? 310+135 OK
    21:12:37 192.168.60.108 GET 200 http://www.google.com/ 246+5721 OK
    21:12:38 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
    21:22:08 192.168.60.108 GET 301 http://yahoo.com/ 185+141 OK

    #49582

    ppalias
    Member

    Most likely the request is captured correctly, but the reply is also captured because the BRIDGE interface is bidirectional.

    #49583

    esvabas
    Member

    I seem to be stuck; I have tried various ways and am unable to make it work.

    Once I turn on Capture traffic for the interface or for source network traffic, I am unable to open any websites, but the logs show traffic OK:

    11:01:48 192.168.60.117 GET 200 http://www.google.com/prdhp? 299+3447 OK
    11:02:00 192.168.60.117 GET 200 http://mobile.yahoo.com/mail 899+14225 OK
    11:02:06 192.168.60.117 GET 200 http://www.eicar.org/download/eicar.com 336+68 VIRUS ClamAV: Eicar-Test-Signature
    11:02:44 192.168.60.117 GET 304 http://www.eicar.org/anti_virus_test_file.htm 240+0 OK
    11:02:52 192.168.60.117 GET 200 http://overview.mail.yahoo.com/apps 394+7104 OK
    11:03:05 192.168.60.117 GET 304 http://www.eicar.org/anti_virus_test_file.htm 240+0 OK
    11:03:48 192.168.60.117 GET 200 http://www.lrytas.lt/ 349+124814 OK

    Log shows that I am accessing those sites.
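
The two log excerpts in this thread (#49581 and the one just above) share one line format, and reading them systematically answers the question the poster is circling: the proxy is fetching pages (non-zero response bytes, a 200 for www.google.com, a ClamAV verdict on the EICAR file) even though the client renders nothing, which points at the proxy-to-client return path rather than the outbound fetch. The scanner below is an added example written for this page, not part of the thread or of ZeroShell. It assumes the per-line layout `TIME CLIENT METHOD STATUS URL REQ+RESP RESULT [detail]`, inferred from the posted lines, and takes `REQ+RESP` to be request and response byte counts; the sample lines are constructed for the example and mirror the posted entries.

```shell
#!/bin/sh
# Added example, not part of the thread or of ZeroShell: a small scanner for the
# HTTP proxy log format shown in the posts. Assumed layout per line (inferred
# from the posted lines, not from ZeroShell documentation):
#   TIME CLIENT METHOD STATUS URL REQ+RESP RESULT [detail...]
# REQ+RESP is taken to be request and response bytes; RESULT is OK or VIRUS
# followed by the scanner's verdict. The sample lines are constructed for this
# example (they mirror the posted entries, same client addresses).

sample_log() {
  cat <<'EOF'
19:34:30 192.168.60.108 GET 404 http://10.1.0.81/wpad.dat 179+282 OK
21:12:37 192.168.60.108 GET 200 http://www.google.com/ 246+5721 OK
11:01:48 192.168.60.117 GET 200 http://www.google.com/prdhp? 299+3447 OK
11:02:06 192.168.60.117 GET 200 http://www.eicar.org/download/eicar.com 336+68 VIRUS ClamAV: Eicar-Test-Signature
11:02:44 192.168.60.117 GET 304 http://www.eicar.org/anti_virus_test_file.htm 240+0 OK
11:03:48 192.168.60.117 GET 200 http://www.lrytas.lt/ 349+124814 OK
EOF
}

# virus_hits <log>: one line per object the antivirus flagged: client, URL, verdict
virus_hits() {
  awk '$7=="VIRUS" { verdict=""; for (i=8;i<=NF;i++) verdict=verdict (i>8?" ":"") $i;
                     print $2, $5, verdict }' "$1"
}

# response_bytes_per_client <log>: total bytes the proxy received from origin
# servers, per client. Large totals for a client that still sees blank pages
# mean the outbound fetch works and the proxy-to-client leg is what fails.
response_bytes_per_client() {
  awk '{ split($6, b, "+"); sum[$2]+=b[2] } END { for (c in sum) print c, sum[c] }' "$1" | sort
}

# wpad_probes <log>: proxy auto-discovery (wpad.dat) requests that got a 404,
# i.e. clients looking for a PAC file that no host on the network serves
wpad_probes() {
  awk '$4=="404" && $5 ~ /\/wpad\.dat$/ { print $2, $5 }' "$1" | sort -u
}

# status_histogram <log>: request count per HTTP status code
status_histogram() {
  awk '{ n[$4]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

# On a real box: save the proxy log to a file and pass its path to the functions.
# --demo runs all four reports over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); sample_log > "$f"
  echo "== virus hits";   virus_hits "$f"
  echo "== resp bytes";   response_bytes_per_client "$f"
  echo "== wpad probes";  wpad_probes "$f"
  echo "== statuses";     status_histogram "$f"
  rm -f "$f"
fi
```

Over the sample, `response_bytes_per_client` reports 6003 bytes for 192.168.60.108 and 128329 for 192.168.60.117, `virus_hits` reports the single EICAR download with its ClamAV verdict, and `wpad_probes` lists the unanswered wpad.dat request to 10.1.0.81; the repeated wpad.dat 404s in the posted log are a client looking for proxy auto-configuration, and whether anything on that network should be answering them is worth settling separately from the capture problem.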

    #49584

    pando
    Member

    Same problem for me, but pinging the names of sites doesn’t work, while pinging IPs works.

    #49585

    ppalias
    Member

    Sounds like a DNS problem. Make sure you have it configured and that it is working. If in doubt, use OpenDNS or Google DNS.
