Good evening.
After upgrading to ClearOS release 7.7.2 (Final), transparent mode no longer works. Every URL is reachable without filtering. To activate the filtering it is necessary to switch to any of the other, non-transparent modes. The problem occurred on multiple machines after the upgrade, and also on the same machine after reinstalling ClearOS 7.7 directly from scratch. There is no way to make filtering work in transparent mode as before. I have tried reinstalling several times, but to no avail. I never had this problem in several years of use.
Is there a solution?
Thank you
Responses (7)
Accepted Answer
Your resolv.conf file is fine. There is a bug in one (two, really) of the upgrade scripts which hit a lot of people, but it has little effect. I've only seen it cause a problem by interfering with Gateway Management. I'll push a workaround on Tuesday for existing installations, but it won't help anyone upgrading after my fix is pushed.
If the problem is https then you have a choice. You can use non-transparent mode. This means updating every workstation, or you may get away with using Web Proxy Auto Discovery (WPAD). There is a HowTo in the Resources for setting this up in ClearOS, but I don't know how to write the WPAD file itself. This may avoid updating every PC.
Alternatively you can switch to Gateway Management, preferably a paid version. GM has the advantage of being much lighter on resources and provides very powerful filtration.
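Nick says above that he does not know how to write the WPAD file itself. As an added example, not taken from the thread or from ClearOS, here is a minimal proxy auto-config (PAC) script of the kind WPAD hands to clients as wpad.dat. It assumes the ClearOS proxy listens on the gateway's LAN address 172.30.0.1 on port 3128 (an assumption; the posted INPUT chain has a rule for dpt:3128 but the thread never states the non-transparent port), and it takes the LAN ranges 172.30.0.0/23 and 172.60.0.0/24 and the DNS domain fmbr.lan from the posted iptables and resolv.conf output. Adjust all of these to your network. Single-label names, the local domain and LAN addresses go direct; everything else, https included, is sent to the proxy, with no DIRECT fallback so that an unreachable proxy fails closed rather than silently bypassing the filter.

```javascript
// Added example: a minimal WPAD/PAC file for a ClearOS box running in
// non-transparent proxy mode. Not ClearOS's own code. The address, port and
// domain below are assumptions taken from the output posted in the thread;
// change them to match your network.
var PROXY = "PROXY 172.30.0.1:3128";          // assumed proxy address:port
var LOCAL_DOMAIN = ".fmbr.lan";                // from the posted resolv.conf
var LOCAL_NETS = [                             // from the posted SNAT rules
  ["172.30.0.0", "255.255.254.0"],             // 172.30.0.0/23
  ["172.60.0.0", "255.255.255.0"],             // 172.60.0.0/24
  ["127.0.0.0",  "255.0.0.0"]
];

// Browsers provide isPlainHostName/dnsDomainIs/isInNet as PAC built-ins. The
// shims below are defined only when those built-ins are absent (for example
// when running under Node for testing), so they never override a browser's.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet === "undefined") {
  // Shim handles IP literals only; a browser's isInNet would also resolve names.
  globalThis.isInNet = function (host, net, mask) {
    var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
    if (h === null || n === null || m === null) return false;
    return ((h & m) >>> 0) === ((n & m) >>> 0);
  };
}

// Dotted quad -> unsigned 32-bit number, or null if not a valid IPv4 literal.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and the site's own DNS domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // Only test IP literals against the LAN ranges: calling isInNet() on a
  // hostname would make the browser do a DNS lookup for every URL.
  if (IPV4_LITERAL.test(host)) {
    for (var i = 0; i < LOCAL_NETS.length; i++) {
      if (isInNet(host, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return "DIRECT";
    }
  }
  // Everything else, http and https alike, goes through the filtering proxy.
  // No "; DIRECT" fallback: if the proxy is down, browsing fails closed
  // instead of silently bypassing the filter.
  return PROXY;
}
```

Serve the file as wpad.dat with Content-Type application/x-ns-proxy-autoconfig from the host that the WPAD HowTo sets up. Clients trust whatever the name `wpad` resolves to on the LAN, so make sure that name is under your control and cannot be registered by an arbitrary machine.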
Accepted Answer
Thanks Nick.
As you said, I think the problem is related to the fact that all sites are adopting https. http URLs (now there are very few) are blocked correctly. At this point is there no solution? Should I therefore adopt "non transparent - no user authentication" by setting the proxy on each PC?
Thanks for your time.
Here are the files:
resolv.conf
# Please do not edit this file.
# See http://www.clearcenter.com/support/documentation/clearos_guides/dns_and_resolver
domain fmbr.lan
nameserver 127.0.0.1
resolv-peerdns.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 8.8.8.8
nameserver 8.8.4.4
Accepted Answer
OK, I understand those rules now. I think they are effectively proxy bypass rules for the server and are automatic.
What is not being filtered? Is it http sites or https sites?
As an outside shot, what is the first line of /etc/resolv.conf? If it is "; generated by /usr/sbin/dhclient-script", please edit your DNS servers in IP Settings and save them again.
Accepted Answer
In the PREROUTING chain, all the top ACCEPT rules will bypass the proxy. Is that intended?
Yes, it's intended.
About these I don't know:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
Same situation on the other server; those rules are present there too.
I've disabled all firewall rules to show a cleaner iptables output. This is a server installed from scratch with the latest ISO available.
This is the output:
[root@gateway ~]# iptables -nvL
Chain INPUT (policy DROP 4 packets, 561 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
1 76 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128
20 1040 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- enp4s0 * 127.0.0.0/8 0.0.0.0/0
18 1717 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
6 787 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
1 29 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
1 32 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
197 22183 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:10000
38 10341 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:81
7 984 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
0 0 DROP all -- enp3s0 enp2s0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- enp2s0 enp3s0 0.0.0.0/0 0.0.0.0/0
17 920 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
1 106 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
38 2757 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * enp3s0 0.0.0.0/0 0.0.0.0/0
2 61 ACCEPT icmp -- * enp4s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
185 39366 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:10000
37 9020 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:81
8 594 ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
Chain DROP-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 53 packets, 6593 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
3 156 REDIRECT tcp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 31 packets, 2742 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 33 packets, 2125 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11 packets, 743 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
26 1698 MASQUERADE all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
Accepted Answer
In the PREROUTING chain, all the top ACCEPT rules will bypass the proxy. Is that intended?
Do you know where these rules have come from:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
Are they also proxy bypass rules? I am not so sure.
Accepted Answer
Thank you very much for the answer.
...so "transparent proxy won't filter https"; excuse me, but I didn't know this.
The output:
[root@gateway ~]# iptables -nvL
Chain INPUT (policy DROP 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128
14 1464 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
8 2040 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- enp4s0 * 127.0.0.0/8 0.0.0.0/0
232 43103 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
54 6163 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
44 5090 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
1 72 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
4 144 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
1 72 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
41 4024 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:81
34 4063 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
2997 29M ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
0 0 DROP all -- enp3s0 enp2s0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- enp2s0 enp3s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.41 tcp dpt:80
0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.41 tcp dpt:80
0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.40 tcp dpt:80
0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.40 tcp dpt:80
0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.43 tcp dpt:80
0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.43 tcp dpt:80
0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.42 tcp dpt:80
0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.42 tcp dpt:80
219 87750 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
39 2162 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
232 43103 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
50 5733 ACCEPT all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
44 5090 ACCEPT all -- * enp3s0 0.0.0.0/0 0.0.0.0/0
4 144 ACCEPT icmp -- * enp4s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
63 15106 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:10000
0 0 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:81
3054 210K ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
Chain DROP-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 94 packets, 10878 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 172.60.0.241 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.240 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.133 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.121 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.160 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.45 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.219 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.2 0.0.0.0/0
3 190 ACCEPT all -- * * 172.30.0.33 0.0.0.0/0
31 3026 ACCEPT all -- * * 172.30.1.100 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.9 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.1.107 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.108 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.58 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.230 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.151 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.124 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.144 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.1.175 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.126 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.1.124 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.125 0.0.0.0/0
0 0 ACCEPT all -- * * 172.60.0.152 0.0.0.0/0
0 0 ACCEPT all -- * * 172.30.0.71 0.0.0.0/0
0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11002 to:172.30.0.41:80
0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11001 to:172.30.0.40:80
0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11004 to:172.30.0.43:80
0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11003 to:172.30.0.42:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
0 0 REDIRECT tcp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 61 packets, 4717 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 148 packets, 10128 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 41 packets, 3390 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.41 tcp dpt:80 to:172.30.0.1
0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.41 tcp dpt:80 to:172.60.0.1
0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.40 tcp dpt:80 to:172.30.0.1
0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.40 tcp dpt:80 to:172.60.0.1
0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.43 tcp dpt:80 to:172.30.0.1
0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.43 tcp dpt:80 to:172.60.0.1
0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.42 tcp dpt:80 to:172.30.0.1
0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.42 tcp dpt:80 to:172.60.0.1
141 8712 MASQUERADE all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
Accepted Answer
I am not aware of any significant changes here, as none of our marketplace apps were updated as part of the upgrade. I believe iptables was updated, however. With transparent mode enabled, please can you give the output of:
iptables -nvL
iptables -nvL -t nat
Can I also point out that transparent mode is pretty ineffective these days, as many sites have switched to https rather than http and the transparent proxy won't filter https.
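Nick's point above, that the transparent proxy catches only http and lets https straight through, can be read off the posted `iptables -nvL -t nat` output: the PREROUTING chain REDIRECTs tcp dpt:80 to port 8080 and nothing else, so port 443 traffic never touches the proxy and is simply MASQUERADEd out in POSTROUTING. The following Node.js script is an added example, not ClearOS code and not something posted by anyone in the thread: it parses that output, lists per LAN interface which ports are redirected to the proxy and which of 80/443 are not, and lists the ACCEPT rules that sit above the REDIRECT, each of which exempts the traffic it matches from the proxy. The sample embedded in it is constructed from the output posted earlier in this thread.

```javascript
// Added example, not ClearOS code: read the PREROUTING chain of
// `iptables -nvL -t nat` and report which client TCP ports transparent mode
// actually redirects to the proxy. The sample below is constructed from the
// output posted earlier in this thread.
const SAMPLE_NAT = `
Chain PREROUTING (policy ACCEPT 53 packets, 6593 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
 3 156 REDIRECT tcp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
 0 0 REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 31 packets, 2742 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 33 packets, 2125 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11 packets, 743 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
 26 1698 MASQUERADE all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
`;

// Parse one chain of `iptables -nvL -t nat` into rule objects.
// Columns: pkts bytes target prot opt in out source destination [match details]
function parseChain(output, chainName) {
  const rules = [];
  let inChain = false;
  for (const raw of output.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("Chain ")) {
      inChain = line.split(/\s+/)[1] === chainName;
      continue;
    }
    if (!inChain || line === "") continue;
    const f = line.split(/\s+/);
    if (f[0] === "pkts" || f.length < 9) continue;   // column header
    const extra = f.slice(9).join(" ");
    const dpt = /\bdpt:(\d+)\b/.exec(extra);
    const redir = /\bredir ports (\d+)\b/.exec(extra);
    rules.push({
      pkts: Number(f[0]), target: f[2], prot: f[3],
      inIf: f[5], outIf: f[6], src: f[7], dst: f[8],
      dport: dpt ? Number(dpt[1]) : null,          // null = any port
      redirPort: redir ? Number(redir[1]) : null,
    });
  }
  return rules;
}

// Ports REDIRECTed to the local proxy, keyed by inbound interface.
function interceptedPorts(rules) {
  const byIface = {};
  for (const r of rules) {
    if (r.target !== "REDIRECT" || r.redirPort === null) continue;
    (byIface[r.inIf] = byIface[r.inIf] || []).push(r.dport === null ? "any" : r.dport);
  }
  return byIface;
}

// Of the ports we care about (80 and 443 by default), which are never
// redirected on this interface and therefore leave via MASQUERADE unfiltered.
function uninterceptedPorts(rules, iface, wanted = [80, 443]) {
  const ports = interceptedPorts(rules)[iface] || [];
  if (ports.includes("any")) return [];
  return wanted.filter((p) => !ports.includes(p));
}

// ACCEPT rules placed before the first REDIRECT end nat processing for the
// traffic they match, so those flows are never handed to the proxy.
function proxyBypassRules(rules) {
  const bypass = [];
  for (const r of rules) {
    if (r.target === "REDIRECT") break;
    if (r.target === "ACCEPT") {
      bypass.push(r.src + " -> " + r.dst + (r.dport === null ? "" : " dpt:" + r.dport));
    }
  }
  return bypass;
}

// Human-readable summary for one LAN interface.
function summarize(output, iface) {
  const rules = parseChain(output, "PREROUTING");
  const intercepted = interceptedPorts(rules)[iface] || [];
  const missing = uninterceptedPorts(rules, iface);
  return [
    iface + ": redirected to proxy: " + (intercepted.join(", ") || "none"),
    iface + ": NOT intercepted: " + (missing.join(", ") || "none"),
    "proxy bypass rules above the REDIRECT: " + proxyBypassRules(rules).length,
  ].join("\n");
}

console.log(summarize(SAMPLE_NAT, "enp2s0"));
```

Replace SAMPLE_NAT with the real output of `iptables -nvL -t nat` from your own gateway to check any box. Note that simply adding a REDIRECT for port 443 would not restore filtering: the proxy would then receive raw TLS, which it can only act on if it is set up to intercept TLS, something this thread does not cover.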
