
ksudel
Good evening.
After upgrading to ClearOS release 7.7.2 (Final), transparent mode no longer works. Each URL is reachable without filtering. To activate the filtering it is necessary to switch to any other non-transparent mode. The problem occurred on multiple machines after the upgrade, and also on the same machine after reinstalling ClearOS directly from scratch to 7.7. There is no way to make filtration work in transparent mode as before. I have tried several times to reinstall, but nothing helps. I never had this problem previously in several years of use.
Is there a solution?
Thank you
Friday, January 03 2020, 11:49 PM
Responses (7)
  • Saturday, January 04 2020, 08:57 AM - #Permalink
    I am not aware of any significant change here, as none of our marketplace apps were updated as part of the upgrade. I believe iptables was updated, however. With transparent mode enabled, please can you give the output of:
    iptables -nvL
    iptables -nvL -t nat
    Can I also point out that transparent mode is pretty ineffective these days, as many sites have switched to https rather than http, and the transparent proxy won't filter https.
  • ksudel, Saturday, January 04 2020, 09:17 AM - #Permalink
    Thank you very much for the answer.
    ...so "transparent proxy won't filter https"; excuse me, but I didn't know this.

    The output:

    [root@gateway ~]# iptables -nvL
    Chain INPUT (policy DROP 3 packets, 120 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    0 0 DROP tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128
    14 1464 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    8 2040 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- enp4s0 * 127.0.0.0/8 0.0.0.0/0
    232 43103 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    54 6163 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
    44 5090 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    1 72 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    4 144 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    1 72 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    0 0 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    41 4024 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:22
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:10000
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:81
    34 4063 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    2997 29M ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    0 0 DROP all -- enp3s0 enp2s0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- enp2s0 enp3s0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.41 tcp dpt:80
    0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.41 tcp dpt:80
    0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.40 tcp dpt:80
    0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.40 tcp dpt:80
    0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.43 tcp dpt:80
    0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.43 tcp dpt:80
    0 0 ACCEPT tcp -- * enp2s0 0.0.0.0/0 172.30.0.42 tcp dpt:80
    0 0 ACCEPT tcp -- * enp3s0 0.0.0.0/0 172.30.0.42 tcp dpt:80
    219 87750 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    39 2162 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    232 43103 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    50 5733 ACCEPT all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
    44 5090 ACCEPT all -- * enp3s0 0.0.0.0/0 0.0.0.0/0
    4 144 ACCEPT icmp -- * enp4s0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    63 15106 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:22
    0 0 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:10000
    0 0 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:81
    3054 210K ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    [root@gateway ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 94 packets, 10878 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 172.60.0.241 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.240 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.133 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.121 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.160 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.45 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.219 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.2 0.0.0.0/0
    3 190 ACCEPT all -- * * 172.30.0.33 0.0.0.0/0
    31 3026 ACCEPT all -- * * 172.30.1.100 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.9 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.1.107 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.108 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.58 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.230 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.151 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.124 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.144 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.1.175 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.126 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.1.124 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.125 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.60.0.152 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.30.0.71 0.0.0.0/0
    0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11002 to:172.30.0.41:80
    0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11001 to:172.30.0.40:80
    0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11004 to:172.30.0.43:80
    0 0 DNAT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:11003 to:172.30.0.42:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
    0 0 REDIRECT tcp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
    0 0 REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

    Chain INPUT (policy ACCEPT 61 packets, 4717 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 148 packets, 10128 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 41 packets, 3390 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.41 tcp dpt:80 to:172.30.0.1
    0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.41 tcp dpt:80 to:172.60.0.1
    0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.40 tcp dpt:80 to:172.30.0.1
    0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.40 tcp dpt:80 to:172.60.0.1
    0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.43 tcp dpt:80 to:172.30.0.1
    0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.43 tcp dpt:80 to:172.60.0.1
    0 0 SNAT tcp -- * * 172.30.0.0/23 172.30.0.42 tcp dpt:80 to:172.30.0.1
    0 0 SNAT tcp -- * * 172.60.0.0/24 172.30.0.42 tcp dpt:80 to:172.60.0.1
    141 8712 MASQUERADE all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
  • Saturday, January 04 2020, 10:10 AM - #Permalink
    In the PREROUTING chain, all the top ACCEPT rules will bypass the proxy. Is that intended?

    Do you know where these rules have come from:
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
    Are they also proxy bypass rules? I am not so sure.
  • ksudel, Saturday, January 04 2020, 10:51 AM - #Permalink
    In the PREROUTING chain, all the top ACCEPT rules will bypass the proxy. Is that intended?
    Yes, it's intended.

    About this I don't know.
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80

    Same situation on the other server; that table is present too.

    I've disabled all firewall rules to show a cleaner output for iptables. This is a server installed from scratch with the latest ISO available.

    This is the output:

    [root@gateway ~]# iptables -nvL
    Chain INPUT (policy DROP 4 packets, 561 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    1 76 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    0 0 DROP tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128
    20 1040 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- enp4s0 * 127.0.0.0/8 0.0.0.0/0
    18 1717 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    6 787 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
    1 29 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    1 32 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    0 0 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    197 22183 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:22
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:10000
    38 10341 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:81
    7 984 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    0 0 DROP all -- enp3s0 enp2s0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- enp2s0 enp3s0 0.0.0.0/0 0.0.0.0/0
    17 920 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    1 106 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    38 2757 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * enp3s0 0.0.0.0/0 0.0.0.0/0
    2 61 ACCEPT icmp -- * enp4s0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    185 39366 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:22
    0 0 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:10000
    37 9020 ACCEPT tcp -- * enp4s0 138.41.20.20 0.0.0.0/0 tcp spt:81
    8 594 ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


    [root@gateway ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 53 packets, 6593 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.30.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.60.0.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 138.41.20.20 tcp dpt:80
    3 156 REDIRECT tcp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
    0 0 REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

    Chain INPUT (policy ACCEPT 31 packets, 2742 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 33 packets, 2125 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 11 packets, 743 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    26 1698 MASQUERADE all -- * enp4s0 0.0.0.0/0 0.0.0.0/0
  • Saturday, January 04 2020, 12:03 PM - #Permalink
    OK I understand those rules now. I think they are effectively proxy bypass rules for the server and are automatic.

    What is not being filtered? Is it http sites or https sites?

    As an outside shot, what is the first line of /etc/resolv.conf? If it is "; generated by /usr/sbin/dhclient-script", please edit your DNS servers in IP Settings and save them again.
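As an added illustration (not code from this thread or from ClearOS), a small Python script that parses `iptables -nvL -t nat` output of the kind posted above and reports, per LAN interface, whether port 80 is redirected to the proxy and whether port 443 is, which makes the http-versus-https question answerable from the rule set alone. The sample chain is constructed to mirror this thread's PREROUTING output; the interface names and addresses are the thread's own, the counters are illustrative.

```python
import re

# Constructed sample modelled on the nat PREROUTING chain posted in this thread (counters illustrative).
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 53 packets, 6593 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       172.30.0.33          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.30.0.1           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            138.41.20.20         tcp dpt:80
    3   156 REDIRECT   tcp  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
    0     0 REDIRECT   tcp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 11 packets, 743 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  1698 MASQUERADE all  --  *      enp4s0  0.0.0.0/0            0.0.0.0/0
"""

def parse_prerouting(text):
    """Parse `iptables -nvL -t nat` output; return the PREROUTING rules in order."""
    rules, in_chain = [], False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain PREROUTING")
            continue
        f = line.split()
        if not in_chain or len(f) < 9 or f[0] == "pkts":
            continue  # blank line, column header, or a rule from another chain
        dport = re.search(r"dpt:(\d+)", line)
        redir = re.search(r"redir ports (\d+)", line)
        rules.append({"target": f[2], "proto": f[3], "in": f[5], "src": f[7],
                      "dst": f[8], "dport": int(dport.group(1)) if dport else None,
                      "redir": int(redir.group(1)) if redir else None})
    return rules

def audit(rules, lan_ifaces):
    """Per LAN interface, say whether ports 80 and 443 are sent to the proxy;
    also list the (src, dst) pairs that ACCEPT rules exempt from redirection."""
    exempt = [(r["src"], r["dst"]) for r in rules if r["target"] == "ACCEPT"]
    report = {}
    for iface in lan_ifaces:
        hit = {r["dport"]: r["redir"] for r in rules
               if r["target"] == "REDIRECT" and r["in"] in (iface, "*")}
        report[iface] = {"http": 80 in hit, "https": 443 in hit}
    return report, exempt

if __name__ == "__main__":
    rep, exempt = audit(parse_prerouting(SAMPLE_NAT), ["enp2s0", "enp3s0"])
    print(rep)  # expect: http redirected on both LAN interfaces, https on neither
    print("exempt from proxy:", exempt)
```

Run against real output with `iptables -nvL -t nat | python3 script.py`-style piping only after swapping `SAMPLE_NAT` for `sys.stdin.read()`; an `https: False` entry on every LAN interface is the rule-level explanation for unfiltered https sites in transparent mode.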
  • ksudel, Saturday, January 04 2020, 02:05 PM - #Permalink
    Thanks Nick.
    As you said, I think the problem is related to the fact that all the sites are adopting https. The http URLs (now there are very few) are blocked correctly. At this point, is there no solution? Should I therefore adopt "non transparent - no user authentication" by setting the proxy on each PC?
    Thanks for your time.

    Here is the file:

    resolv.conf
    # Please do not edit this file.
    # See http://www.clearcenter.com/support/documentation/clearos_guides/dns_and_resolver
    domain fmbr.lan
    nameserver 127.0.0.1

    resolv-peerdns.conf
    ; generated by /usr/sbin/dhclient-script
    search localdomain
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  • Saturday, January 04 2020, 02:19 PM - #Permalink
    Your resolv.conf file is fine. There is a bug in one (two, really) of the upgrade scripts which hit a lot of people, but it has little effect. I've only seen a problem of it interfering with Gateway Management. I'll push a workaround on Tuesday for existing installations, but it won't help anyone upgrading after my fix is pushed.

    If the problem is https then you have a choice. You can use non-transparent mode. This means updating every workstation, or you may get away with using Web Proxy Auto Discovery (WPAD). There is a HowTo in the Resources for creating the setup in ClearOS, but I don't know how to write the WPAD file itself. This may avoid updating every PC.

    Alternatively you can switch to Gateway Management, and preferably a paid version. GM has the advantage of being much lighter on resources and provides very powerful filtration.