by ste » Fri, 16 Feb 2001 20:24:28
i try to setup a transparent proxy . on my gate with 3 nics...
i wrote i rule like rdr "externealinterface" 192.168.50.0 port 80 ->
localhost port 3128
but nothing seams to happen...
anybody a idea ?!
is there somtinig wrong... or is ther no way to redirect to the same host to
another port?!
thanks in advance ..
da.stE
--
by emil » Sat, 17 Feb 2001 05:23:24
I did this once with linux on a bridge, it required kernel patching andQuote:> i try to setup a transparent proxy . on my gate with 3 nics...
http://perso.wanadoo.fr/magpie/EtherDivert.html
I'm also curious if this can be done under openbsd.
Kind regards,
Emile
by Christopher Bigg » Sat, 17 Feb 2001 11:03:31
> I did this once with linux on a bridge, it required kernel patching and
[snip]
> I'm also curious if this can be done under openbsd.
I had to hack the kernel a bit.
--
| Christopher J. Biggs -|- R & D Software Engineer -- Stallion Technologies |
\---------veni vidi nuclei deceiri --- I came, I saw, I dumped core----------/
by ste » Sat, 17 Feb 2001 18:11:55
maybe you got some moreinformations for me ?!Quote:> > > i try to setup a transparent proxy . on my gate with 3 nics...
> > I did this once with linux on a bridge, it required kernel patching and
> [snip]
> > I'm also curious if this can be done under openbsd.
> Yes.
> I had to hack the kernel a bit.
by Rob MacGrego » Sat, 17 Feb 2001 18:42:55
> i try to setup a transparent proxy . on my gate with 3 nics...
> i wrote i rule like rdr "externealinterface" 192.168.50.0 port 80 ->
> localhost port 3128
> but nothing seams to happen...
> anybody a idea ?!
> is there somtinig wrong... or is ther no way to redirect to the same host to
> another port?!
> thanks in advance ..
--
Rob MacGregor (MCSE) [PGP key ID 0x1F5239DD]
The light at the end of the tunnel is an oncoming dragon.
by mips » Sat, 17 Feb 2001 19:17:18
> > hi ....
> > i try to setup a transparent proxy . on my gate with 3 nics...
> > i wrote i rule like rdr "externealinterface" 192.168.50.0 port 80 ->
> > localhost port 3128
> > but nothing seams to happen...
> > anybody a idea ?!
> > is there somtinig wrong... or is ther no way to redirect to the same
> host to
> > another port?!
> > thanks in advance ..
> There is an example of how to do this on the IP Filter home page.
mips
by Rob MacGrego » Sat, 17 Feb 2001 22:39:55
> There is an excelent howto for ipfilter :
> http://www.obfuscation.org/ipf/
--
Rob MacGregor (MCSE) [PGP key ID 0x1F5239DD]
The light at the end of the tunnel is an oncoming dragon.
by Christopher Bigg » Sun, 18 Feb 2001 21:38:52
> maybe you got some moreinformations for me ?!
You need to keep in mind that:
1. Redirect rules happen during INPUT processing. You need
to put the redirect rule on your INTERNAL interface, not
the EXTERNAL one.
2. The server program to which connections are redirected must be
NAT-aware, as it needs to use special NAT ioctl operations to
retrieve the actual pre-redirect destination. I have a vague
memory that squid can do this, but I do not have a detailed
knowledge of squid, so check this.
3. It's late, and my eyes are so sore I can hardly focus. I
reserve the right to be wrong.
On each internal interface, you need a rule like
rdr en0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
My kernel modifications consisted of improving the specificity of
rules of the general form used above, allowing redirect rules to match
on both incoming and outgoing interface. They are not necessary in
your simple case.
To all those people who suggested the FAQ or tutorials, last time I
looked (nearly a year ago), all the various sources of ipfilter doco
give exactly one example each of using NAT redirects and its always
the *same* example. If you want to use NAT redirects to do anything
else you're reduced to UTSL.
--cjb
--
------------------------------------------------------------------------
The IEEE has monitored this electronic mail message, and asserts that no
energy was created or destroyed during its construction or transmission.
------------------------------------------------------------------------
1. NAT / Transparent Proxying question
(hopes this is the right group)
I've got a mildly interesting problem:
[network diagram :)]
/^^^^^^^^\
{ internet }--[firewall]----[network, 192.168.1/24, with various boxes]
\vvvvvvvv/
The firewall has two interfaces, one external and one internal
[192.168.1.1]; it does NAT (among other things). ALL connections to
the outside world go through it.
What I would like to do is have a process running on it that
* accepts connections on port 80
* reads enough HTTP headers to get the Host: part
* uses that to decide which internal box to connect to, and forward the
connection
The difficult bit I would like to do is forward the connection in such
a way that the webserver on the internal network thinks that an
external host (namely, that which initiated the HTTP connection in the
first place) originated it. As I see it, this would require me to open
a connection to the webserver with a source IP which is not one of the
interfaces on the firewall box, and be able to pick up reply packets
(anything that goes through the firewall with a source IP inside
192.168.1/24 and a source port of 80 should be it).
How would I do this?
TIA
-don
--
Donald Gordon | wellington, new zealand | All opinions above are those of my
use ICQ? chat to samiam, UIN 87005630. hours of fun for the whole family.
3. IPCHAINS, NAT and transparent proxy? - special application.
5. HELP: Transparent HTTP proxy through NAT
6. Big Hard Disk, silly Problem, any ideas?
7. technical diff between transparent/non-transparent proxy servers
9. Transparent proxy not really transparent??
10. Transparent Firewall+NAT on Linux/iptables
12. transparent proxy on freebsd?
13. Transparent Proxying Squid-Cisco