Re: Transparent Remote Proxy Server

On Mon, 2004-09-27 at 15:30, Aleksandar Milivojevic wrote:
> As Jason wrote, REDIRECT will also rewrite destination IP address. 
> Squid is using voodoo magic to find out what was the original 
> destination address before rewriting (that's why you need to also change 
> Squid configuration).  Squid can do that only if it runs on the same box 
> where the address was rewritten.  Even the voodoo magic has limitations ;-)
> 
> Daniel's document is using nat table for both filtering and NATing, 
> which is the approach I don't particularly like.  Plus the rules are very 
> open (made to demonstrate the concept, not to be used on a real firewall).
> 
> Anyhow, what you might try out is a bit of debugging to see what is 
> going on the wire.  Your tcpdump from wum shows that it got SYN packet, 
> and that it sent out SYN ACK.  I don't see third packet with ACK going 
> back to wum, so it might be that it got dropped somewhere.  My next step 
> would be to move to tor.  I'd guess if you run tcpdump on tor's 
> interface to internal network, you'd see only SYN packet, and not SYN 
> ACK.  And if you run it on interface where wum is connected that you 
> would see both SYN and SYN ACK.  If that is the case, then you might 
> have something else on tor that is causing it to drop return packets 
> from wum.  

keep in mind that a side-effect of the REDIRECT "magic" is that the SYN
does not go to, nor does the SYN-ACK come from, wum's IP address (as was
evident from the tcpdump snippet provided).

with the REDIRECT target, wum will pretend to be the destination web
server from the perspective of the client and tor.

all this being said--I couldn't tell from the OP why things weren't
working.

tcpdump anywhere and everywhere and you'll find the culprit.

-j

-- 
Jason Opperisano <opie@xxxxxxxxxxx>
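The "tcpdump everywhere" advice above boils down to checking, per client connection, which of the three handshake packets each capture point saw. Below is an added example (not from this thread or from netfilter/Squid) that runs that check over constructed `tcpdump -n` lines; it assumes the modern `Flags [S.]` output format and keys flows on the client socket only, since under REDIRECT the server side of the tuple is the part that gets rewritten.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n output for three client connections to 198.51.100.7:80
# through a REDIRECT'ing proxy. As the thread notes, the SYN-ACK appears to come
# from the original destination, not from the proxy box's own address.
SAMPLE = """\
15:30:01.000100 IP 10.1.1.20.40001 > 198.51.100.7.80: Flags [S], seq 100, win 5840, length 0
15:30:01.000300 IP 198.51.100.7.80 > 10.1.1.20.40001: Flags [S.], seq 900, ack 101, win 5792, length 0
15:30:01.000500 IP 10.1.1.20.40001 > 198.51.100.7.80: Flags [.], ack 1, win 5840, length 0
15:30:02.000100 IP 10.1.1.21.40002 > 198.51.100.7.80: Flags [S], seq 200, win 5840, length 0
15:30:02.000300 IP 198.51.100.7.80 > 10.1.1.21.40002: Flags [S.], seq 901, ack 201, win 5792, length 0
15:30:05.000100 IP 10.1.1.21.40002 > 198.51.100.7.80: Flags [S], seq 200, win 5840, length 0
15:30:03.000100 IP 10.1.1.22.40003 > 198.51.100.7.80: Flags [S], seq 300, win 5840, length 0
""".splitlines()

# Assumption: modern tcpdump text format ("Flags [S.]"). 2004-era tcpdump
# printed flags differently, so adjust the pattern for old captures.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

STATES = {
    frozenset({"SYN"}): "syn-only",                 # request never answered at this capture point
    frozenset({"SYN", "SYN-ACK"}): "no-final-ack",  # the thread's symptom: reply sent, client never completes
    frozenset({"SYN", "SYN-ACK", "ACK"}): "complete",
}

def classify_handshakes(lines):
    """Map each client socket ('ip:port') to the handshake state seen for it.

    Flows are keyed on the client side only: with REDIRECT the server-side
    address is rewritten in flight, so keying on the full 4-tuple could split
    one connection into two when captures from different interfaces are mixed.
    """
    steps = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                 # not a TCP line we understand
        flags = m["flags"]
        src = f"{m['src']}:{m['sport']}"
        dst = f"{m['dst']}:{m['dport']}"
        if "S" in flags and "." in flags:
            steps[dst].add("SYN-ACK")                # server -> client
        elif "S" in flags:
            steps[src].add("SYN")                    # client -> server (retransmissions collapse)
        elif "." in flags and "R" not in flags and "SYN-ACK" in steps.get(src, ()):
            steps[src].add("ACK")                    # first ACK from the client after the SYN-ACK
    return {client: STATES.get(frozenset(s), "inconsistent") for client, s in steps.items()}

if __name__ == "__main__":
    for client, state in classify_handshakes(SAMPLE).items():
        print(f"{client}: {state}")
```

Run it against captures from each interface in turn; the first capture point where a flow drops from "complete" to "no-final-ack" or "syn-only" is the hop that is losing the packet.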
