# Squid + poker rooms

## canabix67

Hi all,

Quick question, I've got my squid with authentication up and running.

But now I realize I wish to be able to play on my poker rooms behind my proxy...

How would you do that???

----------

## cach0rr0

walk to the table, buy your chips, ante up, and never bank on the river card. 


(but seriously, we need more information - how are we going to know how your poker rooms function without more information?)

----------

## d2_racing

Also, are you using a firewall with iptables or something else too?

----------

## canabix67

Yup, you're right...

That was a bit quick...

I've got iptables configured as follows:

```
# Generated by iptables-save v1.4.3.2 on Sat Dec 12 21:48:27 2009
*nat
:PREROUTING ACCEPT [33441:6672290]
:POSTROUTING ACCEPT [7981:511645]
:OUTPUT ACCEPT [63393:4105802]
-A PREROUTING -i lan -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.0:443
-A PREROUTING -i lan -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
-A POSTROUTING -o wan -j MASQUERADE
COMMIT
# Completed on Sat Dec 12 21:48:28 2009
# Generated by iptables-save v1.4.3.2 on Sat Dec 12 21:48:28 2009
*mangle
:PREROUTING ACCEPT [1369607:1535200221]
:INPUT ACCEPT [1338610:1523055115]
:FORWARD ACCEPT [10843:6878270]
:OUTPUT ACCEPT [1065389:295099642]
:POSTROUTING ACCEPT [1075659:301947517]
COMMIT
# Completed on Sat Dec 12 21:48:28 2009
# Generated by iptables-save v1.4.3.2 on Sat Dec 12 21:48:28 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [395:25389]
:OUTPUT ACCEPT [85692:7151245]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i lan -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lan -j ACCEPT
COMMIT
# Completed on Sat Dec 12 21:48:28 2009
```

And I've got squid working with authentication as follows:

```
redirect_program /usr/bin/squidGuard
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/users
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 1863
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/24
acl Users proxy_auth REQUIRED
acl myacl dstdomain *.pogo.com
always_direct allow myacl
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow !Safe_ports   # as posted; the stock rule is "deny !Safe_ports", "allow" admits every port
http_access deny CONNECT !SSL_ports
http_access allow localnet Users
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
forwarded_for off
coredump_dir /var/cache/squid
visible_hostname rehmann-router
redirect_program /usr/bin/squidGuard
```

I've read here and there that Full Tilt Poker (the software I'm trying to use) uses port 443; however, I believe it's open...

I know I'm a noob, so sorry if that was a real stupid question...

----------

## d2_racing

What is that line:

```
-A PREROUTING -i lan -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
```

What service is running on port 3128?

----------

## canabix67

*d2_racing wrote:*

> What is that line:
>
> ```
> -A PREROUTING -i lan -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
> ...
> ```

Squid is running on 3128...

But I guess I can get this line out...

----------

## d2_racing

Maybe it's me, but do you have a file that contains your actual iptables rules?

I would like to see all the input, output and forward rules that you created.

----------

## cach0rr0

usually when these things say they "need 443", that means nothing more than, you need to be able to browse to HTTPS sites

if browsing to other HTTPS sites works, so should this

so test with any ol' https site; if it works, poker should work. if you're lazy, `openssl s_client -connect mail.google.com:443`

EDIT: 

To be clear, all you'd need is on your output, a `--dport 443 -j ACCEPT`

----------

## Hu

*d2_racing wrote:*

> Maybe it's me, but do you have a file that contains your actual iptables rules?

Perhaps `/var/lib/iptables/rules-save`, which should contain exactly the output he posted above? Assuming that output is from a run of iptables-save after he finished working, then aside from rule match counters, we already have all the iptables information from that system.

DNATing https traffic to 192.168.0.0 looks unwise.  Do you actually have a system with that address?

----------

## canabix67

Well guys,

I guess I'll have to start it all over again...

I can't access SMTP or POP behind my wall...

So it's pretty Useless.

Well If you guys want to help me here is my conf:

```
WAN - modem router (192.168.1.1) - eth0 (aka wan) (192.168.1.10) - Gentoo box - eth1 (aka lan) (192.168.0.100) - Windows computers
```

I've put 192.168.1.10 on the DMZ of the "modem router" so that I can use the Gentoo box as a firewall.

DNS / DHCP working fine on the lan side.

On the gentoo box is: firewall with iptables, squid, squidguard.

I wish to use the box as a full home server Samba + Clamav + freeNX and all sorts of things.

But first things first, I guess I'll have to start with a properly configured iptables + squid.

Well, for now Squid is working on my LAN when I configure browsers to use the proxy (192.168.0.100:3128), which is fine, I want authentication.

But then, I want to make sure my firewall is efficient...

I can't seem to find an "easy" how to... Guess I'm stupid... :/

I found that script thing that went pretty good, but I realise my wall is pretty much a hole... :/

Can you guys help me out?

----------

## boerKrelis

```
-A PREROUTING -i lan -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.0:443
```

Are you trying to transparently proxy HTTPS traffic? That's not going to work. SSL is designed to prevent a man-in-the-middle attack, which is what you are doing when you transparently proxy HTTPS. It won't work (unless you own the certs of all the proxied webservers).

Try without transparent proxying first. Just define your proxy in your environment or your browser.

And maybe you should try some firewall builder tools. Those tools can provide some guidance and insight if you're new(ish) to networking. Try shorewall, their docs are excellent.
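An added check, not code from anyone in this thread: a small POSIX shell lint over constructed excerpts of the iptables-save dump and squid.conf posted above. It flags the two things the replies point at in the NAT table (a DNAT of port 443, which cannot transparently proxy TLS, and a target of 192.168.0.0, a network address rather than a host) and goes one step further by also flagging `http_access allow !Safe_ports`, which nobody in the thread mentions but admits every port the Safe_ports acl does not list.

```shell
#!/bin/sh
# Added example: lint excerpts of the configs posted in this thread.
# Both inputs are constructed copies of the posted lines, not a live system.

IPT_RULES='*nat
-A PREROUTING -i lan -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.0:443
-A PREROUTING -i lan -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
-A POSTROUTING -o wan -j MASQUERADE
COMMIT'

SQUID_CONF='acl SSL_ports port 443
acl Safe_ports port 80
http_access allow !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all'

# lint_iptables RULES: one finding per line. Any DNAT of port 443 is flagged,
# because TLS clients reject the certificate of a substituted endpoint, and a
# --to-destination host whose last octet is 0 is flagged as a network address.
lint_iptables() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"--dport 443 "*"-j DNAT"*)
                dest=${line##*"--to-destination "}
                dest=${dest%%:*}
                echo "nat: DNAT of HTTPS cannot transparently proxy TLS: $line"
                case "$dest" in
                    *.0) echo "nat: target $dest is a network address, not a host" ;;
                esac ;;
        esac
    done
}

# lint_squid CONF: flag any allow rule naming !Safe_ports; the stock squid
# rule is "http_access deny !Safe_ports".
lint_squid() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            http_access*allow*!Safe_ports*)
                echo "squid: '$line' admits all non-safe ports; use deny !Safe_ports" ;;
        esac
    done
}

# count_findings RULES CONF: number of findings across both linters.
count_findings() {
    { lint_iptables "$1"; lint_squid "$2"; } | wc -l | tr -d ' '
}
```

Run `lint_iptables "$IPT_RULES"; lint_squid "$SQUID_CONF"` to see the three findings; feed it the output of `iptables-save` and your real squid.conf instead of the constants to check a live box.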

----------

