Re: Problem with transparent proxying if catching traffic on vlan interface

On Thu, May 12, 2005 at 02:52:38PM +0300, Martin Vassilev wrote:
> Hello, first of all sorry for poor English.
> 
> Have some trouble with transparent proxying
> 
> Configuration is simple:
> 
> ----------                        ----------
> | CLIENT | ---- eth/vlans ---- |   GATE   |
> ----------                        ----------
>                                 transparent proxy
> 
> 
> ------------------test1---------------------
> GATE:/#iptables  -t nat -I PREROUTING -p TCP -s `CLIENT`  \
> --destination-port 80 -i vlan8 -j REDIRECT --to-ports 3128 
> 
> CLIENT:/# telnet www.netfilter.org 80
> Trying 213.95.27.115...
> telnet: connect to address 213.95.27.115: Connection refused 
> (that's the problem ;))
> 
> GATE:/# tcpdump  -n -i vlan8 -f "net `CLIENT`"
> tcpdump: listening on vlan8
> 11:43:28.336226 `CLIENT`.38842 > 213.95.27.115.80: S 1057989664:1057989664(0) win 5840 <mss 1412,sackOK,timestamp 1881955228 0,nop,wscale 2> (DF) [tos 0x10]
> 
> GATE:/# iptables -t nat -n -L -v
> Chain PREROUTING (policy ACCEPT 32M packets, 1991M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     1    60 REDIRECT   tcp  --  vlan8  *       `CLIENT`      0.0.0.0/0          tcp dpt:80 redir ports 3128
> 
> nothing appears in squid's access.log
> 
> 
> ----------------test2------------------------
> After some rerouting to reach the gate through eth0
> 
> GATE:/#iptables  -t nat -I PREROUTING -p TCP -s `CLIENT`  \
> --destination-port 80 -i eth0 -j REDIRECT --to-ports 3128 
> 
> and all works fine.
> ---------------------------------------------
> 
> Is there any difference for netfilter if catching traffic on eth or vlan
> interface?

Does vlan8 have an IP address?  REDIRECT rewrites the packet's dst IP to
be the IP of the interface the packet was received on; I'd imagine it
would get confused if the interface didn't have an IP address.

Alternatively, you may have some funky routing going on--I wouldn't be
surprised if you tcpdumped the other interfaces and saw the SYN/ACK from
the first example going out an interface other than vlan8--does:

  ip route get $CLIENT_IP

show that the packet is routed via dev vlan8?

Just some things to consider.

-j

--
"Joe Swanson: You can't just come over here and annex my pool!
 Peter: Oh yeah? Well, according to paragraph 7, sentence 3, word 8 of
 the Geneva Convention..."the". So, tough luck, Swanson."
        --Family Guy
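The two checks the reply suggests (does the ingress VLAN interface carry an IPv4 address for REDIRECT to rewrite the destination to, and does `ip route get` send the return traffic back out that same interface) can be scripted. The helper below is an added example, not code from either poster; the interface name vlan8, the client address 10.0.8.50 and the command output it parses are constructed samples, and `check_redirect_path` is a hypothetical wrapper that runs the real ip(8) commands on a Linux box.

```sh
#!/bin/sh
# Added diagnostic helper (not from the original thread). It checks the two
# prerequisites the reply raises for REDIRECT on a VLAN interface:
#   1. the ingress interface carries an IPv4 address (REDIRECT rewrites the
#      destination to the address of the interface the packet arrived on);
#   2. the return route to the client leaves via that same interface, so the
#      SYN/ACK from the proxy goes back the way the SYN came in.
# The parsers take command output as text so they can be exercised offline on
# constructed samples; check_redirect_path() runs the real ip(8) commands.

# Constructed sample of `ip -4 addr show dev vlan8` for an interface with an address.
SAMPLE_ADDR_OK='5: vlan8@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 10.0.8.1/24 brd 10.0.8.255 scope global vlan8
       valid_lft forever preferred_lft forever'

# Constructed sample for a VLAN interface that is up but has no IPv4 address.
SAMPLE_ADDR_NOIP='5: vlan8@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Constructed sample of `ip route get 10.0.8.50` run on the gate.
SAMPLE_ROUTE='10.0.8.50 dev vlan8 src 10.0.8.1
    cache'

# Return 0 if the `ip -4 addr show` output contains at least one "inet" line.
iface_has_ipv4() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Print the device from `ip route get` output (the word following "dev").
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the route to the client leaves via the expected interface.
route_matches_iface() {
    [ "$(route_dev "$1")" = "$2" ]
}

# Live check against the running system (hypothetical wrapper; needs Linux + iproute2).
# Usage: check_redirect_path vlan8 10.0.8.50
check_redirect_path() {
    iface=$1
    client=$2
    rc=0
    addr_out=$(ip -4 addr show dev "$iface" 2>/dev/null) || addr_out=''
    route_out=$(ip route get "$client" 2>/dev/null) || route_out=''
    if iface_has_ipv4 "$addr_out"; then
        echo "ok:   $iface has an IPv4 address"
    else
        echo "warn: $iface has no IPv4 address; REDIRECT has no local address to rewrite to"
        rc=1
    fi
    if route_matches_iface "$route_out" "$iface"; then
        echo "ok:   return route to $client goes via $iface"
    else
        echo "warn: return route to $client goes via '$(route_dev "$route_out")', not $iface"
        rc=1
    fi
    return $rc
}

# Offline demonstration on the constructed samples.
if iface_has_ipv4 "$SAMPLE_ADDR_OK"; then echo "sample: vlan8 has an address"; fi
if ! iface_has_ipv4 "$SAMPLE_ADDR_NOIP"; then echo "sample: bare vlan8 has no address"; fi
echo "sample: route to client via $(route_dev "$SAMPLE_ROUTE")"

# On the real gate: check_redirect_path vlan8 <client-ip>
```

Both warnings point at a reason the redirected SYN never reaches the proxy: with no address on vlan8 the rewritten destination is not one the proxy listens on, and with an asymmetric route the SYN/ACK leaves by another interface, which matches the "works on eth0, fails on vlan8" symptom in the original post.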


