transparent proxying using nat !?

Post by ste » Fri, 16 Feb 2001 20:24:28



hi ....

I try to set up a transparent proxy on my gate with 3 NICs...
I wrote a rule like rdr "externealinterface" 192.168.50.0 port 80 ->
localhost port 3128
but nothing seems to happen...

anybody an idea ?!
Is there something wrong... or is there no way to redirect to the same host on
another port?!

thanks in advance ..

da.stE


Post by emil » Sat, 17 Feb 2001 05:23:24



> i try to setup a transparent proxy . on my gate with 3 nics...

I did this once with linux on a bridge, it required kernel patching and
seemed a bit experimental to me, but nevertheless it worked. I used this
link:

http://perso.wanadoo.fr/magpie/EtherDivert.html

I'm also curious if this can be done under openbsd.

Kind regards,

Emile


Post by Christopher Biggs » Sat, 17 Feb 2001 11:03:31




> > i try to setup a transparent proxy . on my gate with 3 nics...

> I did this once with linux on a bridge, it required kernel patching and
[snip]
> I'm also curious if this can be done under openbsd.

Yes.  

I had to hack the kernel a bit.

--
| Christopher J. Biggs -|- R & D Software Engineer --  Stallion Technologies |

\---------veni vidi nuclei deceiri --- I came, I saw, I dumped core----------/


Post by ste » Sat, 17 Feb 2001 18:11:55

> > > i try to setup a transparent proxy . on my gate with 3 nics...

> > I did this once with linux on a bridge, it required kernel patching and
> [snip]
> > I'm also curious if this can be done under openbsd.

> Yes.

> I had to hack the kernel a bit.

Maybe you got some more information for me ?!

Post by Rob MacGregor » Sat, 17 Feb 2001 18:42:55



> hi ....

> i try to setup a transparent proxy . on my gate with 3 nics...
> i wrote i rule like rdr "externealinterface" 192.168.50.0 port 80 ->
> localhost port 3128
> but nothing seams to happen...

> anybody a idea ?!
> is there somtinig wrong... or is ther no way to redirect to the same host to
> another port?!

> thanks in advance ..

There is an example of how to do this on the IP Filter home page.

--
  Rob MacGregor (MCSE) [PGP key ID 0x1F5239DD]
      The light at the end of the tunnel is an oncoming dragon.


Post by mips » Sat, 17 Feb 2001 19:17:18


On Fri, 16 Feb 2001 09:42:55 GMT


> > hi ....

> > i try to setup a transparent proxy . on my gate with 3 nics...
> > i wrote i rule like rdr "externealinterface" 192.168.50.0 port 80 ->
> > localhost port 3128
> > but nothing seams to happen...

> > anybody a idea ?!
> > is there somtinig wrong... or is ther no way to redirect to the same
> host to
> > another port?!

> > thanks in advance ..

> There is an example of how to do this on the IP Filter home page.

There is an excellent howto for ipfilter:
http://www.obfuscation.org/ipf/

mips


Post by Rob MacGregor » Sat, 17 Feb 2001 22:39:55



> On Fri, 16 Feb 2001 09:42:55 GMT

> > There is an example of how to do this on the IP Filter home page.

> There is an excelent howto for ipfilter :
> http://www.obfuscation.org/ipf/

Yeah, but the one line example from the IP Filter home page is easier to
find :-)

--
  Rob MacGregor (MCSE) [PGP key ID 0x1F5239DD]
      The light at the end of the tunnel is an oncoming dragon.


Post by Christopher Biggs » Sun, 18 Feb 2001 21:38:52





> > > > i try to setup a transparent proxy . on my gate with 3 nics...

> maybe you got some moreinformations for me ?!

I assume from your mention of port 3128 you are using squid as a proxy
server, and that you want to intercept all outgoing web traffic
and redirect it to the proxy server.

You need to keep in mind that:

    1. Redirect rules happen during INPUT processing.  You need
       to put the redirect rule on your INTERNAL interface, not
       the EXTERNAL one.

    2. The server program to which connections are redirected must be
       NAT-aware, as it needs to use special NAT ioctl operations to
       retrieve the actual pre-redirect destination.  I have a vague
       memory that squid can do this, but I do not have a detailed
       knowledge of squid, so check this.

    3. It's late, and my eyes are so sore I can hardly focus.  I
       reserve the right to be wrong.

On each internal interface, you need a rule like

        rdr en0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128

My kernel modifications consisted of improving the specificity of
rules of the general form used above, allowing redirect rules to match
on both incoming and outgoing interface.  They are not necessary in
your simple case.

To all those people who suggested the FAQ or tutorials, last time I
looked (nearly a year ago), all the various sources of ipfilter doco
give exactly one example each of using NAT redirects and it's always
the *same* example.  If you want to use NAT redirects to do anything
else you're reduced to UTSL.

--cjb

--
------------------------------------------------------------------------

The IEEE has monitored this electronic mail message, and asserts that no
energy was created or destroyed during its construction or transmission.
------------------------------------------------------------------------
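An added check, not code from the thread or from IP Filter, that applies cjb's advice to an ipnat.conf: it parses the rdr rules, flags a proxy-interception rule attached to the external interface or matching only one destination network (in ipnat syntax the address after the interface name is the packet's destination, so the original 192.168.50.0 form only diverts traffic going to that network), and reports internal interfaces left without a rule. The sample ipnat.conf and the interface names (xl0 external, xl1 and xl2 internal) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample ipnat.conf for a gateway with three NICs; the interface
# names (xl0 external, xl1 and xl2 internal) are assumptions, not from the thread.
SAMPLE_IPNAT_CONF = """\
map xl0 192.168.50.0/24 -> 0/32 portmap tcp/udp 10000:20000
map xl0 192.168.51.0/24 -> 0/32 portmap tcp/udp 10000:20000
# the original poster's form: on the external NIC, matching one destination net
rdr xl0 192.168.50.0/24 port 80 -> 127.0.0.1 port 3128
# the form recommended in the thread: on an internal NIC, any destination
rdr xl1 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
"""

RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)")
ANY_DST = ("0.0.0.0/0", "0/0", "any")

def parse_rdr_rules(conf):
    """Yield (iface, dst_match, dst_port, target_ip, target_port) per rdr rule.
    In ipnat syntax the address after the interface is the packet's destination."""
    for raw in conf.splitlines():
        m = RDR_RE.match(raw.split("#", 1)[0].strip())
        if m:
            iface, dst, port, tip, tport = m.groups()
            yield iface, dst, int(port), tip, int(tport)

def audit_proxy_rdr(conf, external, internal, proxy_port=3128):
    """Check the rdr rules meant to divert client web traffic to a local proxy.
    Returns [(iface, problem), ...]; an empty list means the layout matches
    the advice in the thread."""
    findings, covered = [], set()
    for iface, dst, port, tip, tport in parse_rdr_rules(conf):
        if port != 80 or tport != proxy_port or not ipaddress.ip_address(tip).is_loopback:
            continue  # some other redirect, not the proxy interception rule
        if iface in external:
            findings.append((iface, "rdr is evaluated on input; the rule belongs on the internal interface"))
        elif dst not in ANY_DST:
            findings.append((iface, "destination match %s only diverts traffic to that network; use 0.0.0.0/0" % dst))
        else:
            covered.add(iface)
    for iface in internal:  # cjb: one rule per internal interface
        if iface not in covered:
            findings.append((iface, "no rdr rule on this internal interface; its clients bypass the proxy"))
    return findings
```

Whether squid actually recovers the pre-redirect destination (cjb's point 2) is not something a config check can tell you; that still has to be verified against the proxy build itself.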


NAT / Transparent Proxying question

(hopes this is the right group)

I've got a mildly interesting problem:

[network diagram :)]

 /^^^^^^^^\
{ internet }--[firewall]----[network, 192.168.1/24, with various boxes]
 \vvvvvvvv/

The firewall has two interfaces, one external and one internal
[192.168.1.1]; it does NAT (among other things).  ALL connections to
the outside world go through it.

What I would like to do is have a process running on it that

* accepts connections on port 80
* reads enough HTTP headers to get the Host: part
* uses that to decide which internal box to connect to, and forward the
connection

The difficult bit I would like to do is forward the connection in such
a way that the webserver on the internal network thinks that an
external host (namely, that which initiated the HTTP connection in the
first place) originated it.  As I see it, this would require me to open
a connection to the webserver with a source IP which is not one of the
interfaces on the firewall box, and be able to pick up reply packets
(anything that goes through the firewall with a source IP inside
192.168.1/24 and a source port of 80 should be it).

How would I do this?

TIA

-don

--
Donald Gordon | wellington, new zealand | All opinions above are those of my

use ICQ? chat to samiam, UIN 87005630. hours of fun for the whole family.
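An added sketch of the Host-based dispatch step in the question above, not code from the post: it looks at the bytes received so far on the port-80 listener, waits until the request head is complete, and maps the Host header to one internal box, refusing requests with no usable Host or a name it does not know so nothing is forwarded on the strength of an unrecognised name. It covers only the lookup, not the forwarding or the source-address trick; the backend names and addresses are constructed.

```python
# Constructed map from the Host names served behind the firewall to the
# internal boxes on 192.168.1/24; the names and addresses are assumptions.
BACKENDS = {
    "www.example.test": ("192.168.1.10", 80),
    "wiki.example.test": ("192.168.1.11", 80),
}
MAX_HEAD = 8192  # refuse to buffer an unbounded head while waiting for Host

def pick_backend(buf, backends):
    """Decide where a connection accepted on port 80 should be forwarded.

    buf is everything received so far. Returns None while the request head is
    still incomplete (the caller reads more), otherwise the (ip, port) chosen
    from the Host header. Raises ValueError when the request cannot be routed
    safely: no Host, duplicate Host, or a name that is not in the map."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        if len(buf) > MAX_HEAD:
            raise ValueError("request head exceeds %d bytes" % MAX_HEAD)
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:  # HTTP/1.0 without Host, or an ambiguous duplicate
        raise ValueError("missing or duplicate Host header")
    host = hosts[0].lower()
    # drop an explicit port: "www.example.test:80" and "[::1]:80" forms
    host = host[: host.index("]") + 1] if host.startswith("[") else host.split(":", 1)[0]
    if host not in backends:
        raise ValueError("no internal server configured for Host %r" % host)
    return backends[host]
```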
