Re: Transparent proxy single machine question

ken scott wrote:
On Sat, 2004-06-26 at 17:51, Dimitar Katerinski wrote:


Hello ken,

Yes, on a single machine it will work with no problems. You should specify an incoming interface for the above iptables rule though. Do it like this:

iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 8181

where $LAN_IFACE is the interface connected to your internal network.


I only have a single network card/interface on this box (eth0, I guess).
Does that matter in this proxy context?



And the scheme is as follows:
1. A client sends a request for a specific page.
2. The linux box sees it's a request for destination port 80 and redirects it to port 8181 where DG is listening.
3. DG takes the request, does what it does (content filtering, etc.), and sends it to Squid.
4. Squid requests the specific page and gives it back to DG, which again does what it does.
5. DG then, if everything is ok, serves the requested page to the client.



About your question:
> ..when squid finally wants to send out the actual request to the internet, isn't that a port 80 request that the above iptables rule will redirect back to Dansguardian??

No, basically it won't, unless you have the same rule in the OUTPUT chain of the nat table. The PREROUTING chain applies to packets which hit the box coming from somewhere outside, not to packets which originate from the machine itself.

Dimitar,
Your explanation here is great but it throws me a bit since the packet
requests coming from the browsers will all be internal requests (ie on
the same machine) so is a PREROUTING rule the right choice? In other
words I want to apply a routing rule to internal requests (except those
from squid).
I appreciate your detailed response and I have looked for a "life of a
packet" explanation such as you provided but have not found it as yet. In your 5-step explanation, when are the iptables rules applied?
Thanks
Ken



Hello Ken,

Ah, just now I understand that this is a workstation with some users, and squid and DG running on this machine. Okay, I did some tests and came up with a solution ;-)
You can't redirect packets that originate from the machine itself to some other local port (as far as I know). Maybe you can play with the CONFIG_IP_NF_NAT_LOCAL option in the kernel, but as I understand it, it lets you use destination NAT on connections originating from local processes on the nat box itself, but that is not what we are looking for. So
here is what you can do:


1. Leave the proxy setting as is in the browser properties (127.0.0.1:8181)
2. Allow outgoing requests to port 80 only for the UID that squid is running under:
# filter table, OUTPUT chain: drop port-80 connections from every local UID except squid's
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j DROP
This rule can be more flexible, but I leave this to you; I hope you get the idea.
3. And finally test whether you can make requests as a user with and without the proxy set in the browser.



I hope this helps you. Maybe someone will come up with a different idea, but this seems to work for me (tm) ;-)



Regards, Dimitar

--
"The only thing necessary for the triumph of evil is for good men to do nothing."
--Edmund Burke.
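Added example, not part of the thread above: the two rule sets discussed (the gateway case with a separate LAN interface, and the single-host case where browsers, DG and squid all live on one box) wrapped in shell functions so they can be dry-run with IPT=echo before being applied as root. It goes one step beyond the thread with a third variant: on current kernels the nat OUTPUT chain can REDIRECT locally generated connections, which makes the browser proxy setting unnecessary as long as squid's own UID is excluded from the redirect, otherwise squid's outbound fetch loops straight back into DG. LAN_IFACE (eth1), the DG port 8181 and the system user name "squid" are placeholders taken from or assumed for this example; adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the thread): gateway vs single-host rule sets, dry-runnable.
# IPT=echo prints the commands instead of applying them; IPT=iptables (as root) applies them.
# Placeholders/assumptions: LAN_IFACE, DG_PORT=8181 from the thread, a system user "squid".
IPT=${IPT:-iptables}
LAN_IFACE=${LAN_IFACE:-eth1}     # interface facing the client LAN (gateway case only)
DG_PORT=8181                     # DansGuardian listening port from the thread
SQUID_USER=squid                 # UID squid runs under

# Case 1: dedicated gateway with its own LAN interface. Only traffic *entering* the
# box on $LAN_IFACE is redirected. PREROUTING never sees packets that squid itself
# generates (those traverse OUTPUT), so squid's upstream fetch cannot loop into DG.
gateway_rules() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"
}

# Case 2: browsers, DG and squid on one machine (the thread's situation). Browsers
# are pointed at 127.0.0.1:8181 explicitly; this filter-table rule stops every
# process except squid from bypassing the proxy by talking to port 80 directly.
# "-m owner" matches only locally generated packets, i.e. in OUTPUT/POSTROUTING.
single_host_rules() {
    "$IPT" -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner "$SQUID_USER" -j DROP
}

# Case 3 (beyond the thread): current kernels can REDIRECT locally generated
# connections in the nat OUTPUT chain, so no browser setting is needed. Squid's
# own UID must be excluded, or its upstream request would be redirected back to DG.
single_host_transparent_rules() {
    "$IPT" -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner "$SQUID_USER" \
        -j REDIRECT --to-ports "$DG_PORT"
    single_host_rules
}

# Sanity check on a rule listing produced with IPT=echo: any nat OUTPUT REDIRECT
# that does not exclude squid's UID would loop squid's fetches into DG.
# Returns 0 when no such looping rule is present, 1 otherwise.
no_redirect_loop() {
    rules=$1
    if printf '%s\n' "$rules" | grep -- '-t nat -A OUTPUT' | grep -- 'REDIRECT' \
        | grep -qv -- '! --uid-owner'; then
        return 1
    fi
    return 0
}

# Usage: IPT=echo sh thisfile.sh transparent   (dry run; drop IPT=echo to apply as root)
case ${1:-} in
    gateway)     gateway_rules ;;
    single)      single_host_rules ;;
    transparent) single_host_transparent_rules ;;
esac
```

After applying for real, `iptables -t nat -L OUTPUT -n -v` and `iptables -L OUTPUT -n -v` show the packet counters per rule, which is the quickest way to confirm that a browser request is hitting the REDIRECT line while squid's own connections are only hitting the owner-exempted path.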


