Re: Transparent proxy setup with apache on the nat gateway

Hello,

Nicolas Mailhot wrote:
On Monday, 5 June 2006 at 10:40 +0200, Sietse van Zanen wrote:

I think the error is in your first two rules for the PREROUTING chain
in the NAT table:

#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081
#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j DNAT --to 192.168.1.1:8081

All WEB traffic will only hit the first rule and never the second. So
the destination IP address doesn't get changed. A packet for 1.2.3.4 on
port 80 will be redirected to 1.2.3.4 port 8081.

This is not true. REDIRECT replaces the destination address with the address of the input interface. So when the input interface has address 192.168.1.1 both rules would produce the same result.

I think you should try something like this.
Have the apache proxy listen on localhost (127.0.0.1) port 8081:

iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to 127.0.0.1:8081

(with eth0 being the internal NIC)

No, this won't work. The IP stack refuses packets with a loopback destination address received on a non-loopback interface.

If I use REDIRECT, the --to is interpreted like --to-port and I see the LAN
system hammer the gateway's port 127 :(

Looks like iptables command parsing could be improved. ;-)

If I use

-A PREROUTING -i eth1 -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081

the requests are redirected to port 8081 of the LAN interface IP
(192.168.1.1, I can live with that) but the result is abysmal:
apache logs
"GET / HTTP/1.1" requests instead of
"GET http://www.slashdot.org/ HTTP/1.1" requests

so all sites are served as if the browser asked for the local root
(empty) and the browser only receives blank pages

The question is: are you sure that Apache can act as a _transparent_ proxy, like Squid?

*Disclaimer: I don't know Apache much.*
From a quick search it does not seem that mod_proxy can do transparent proxying. There is a mod_tproxy that is designed to do it, but it does not seem to be part of the standard Apache distribution.
HTH.
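Why mod_proxy logs "GET / HTTP/1.1" after the REDIRECT rule: the browser believes it is talking to the origin server, so it sends an origin-form request (path only, plus a Host header), and the kernel has already rewritten the destination to 192.168.1.1:8081 by the time Apache sees it. A transparent proxy therefore has to recover the real destination itself, from the Host header and/or by asking the kernel with SO_ORIGINAL_DST. The following Python is an added example written for this page; it is not code from the thread, from Apache, from mod_tproxy or from Squid. It assumes Linux and IPv4 (the SO_ORIGINAL_DST option number 80 comes from linux/netfilter_ipv4.h and is not exported by Python's socket module), and the host names, the 192.0.2.10 address and the request bytes are constructed for the example.

```python
import socket
import struct
from urllib.parse import urlsplit

# getsockopt number from <linux/netfilter_ipv4.h>; Python's socket module
# does not export it, so it is spelled out here (Linux, IPv4 only). Assumed
# for this example, not taken from the thread.
SO_ORIGINAL_DST = 80


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte struct sockaddr_in the kernel hands back. Used here
    only to construct sample input; a real proxy never needs to encode it."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def parse_original_dst(raw: bytes):
    """Decode struct sockaddr_in: sa_family (host order), sin_port (network
    order), sin_addr, then 8 bytes of zero padding."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("SO_ORIGINAL_DST is IPv4 only, got family %d" % family)
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def original_dst(conn: socket.socket):
    """Ask the kernel where a REDIRECTed or DNATed connection was really going."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def parse_request_head(head: bytes):
    """Split a request head into (method, target, version, headers). Header
    names are lower-cased; a duplicate Host header is rejected as ambiguous."""
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        # Also what a TLS ClientHello on an intercepted 443 ends up as.
        raise ValueError("malformed request line: %r" % lines[0][:32])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        if name == "host" and "host" in headers:
            raise ValueError("duplicate Host header")
        headers.setdefault(name, value.strip())
    return method, target, version, headers


def plan_transparent_forward(head: bytes, orig_dst):
    """Return (upstream, request_line) for an intercepted request: upstream is
    the (ip, port) to connect to, request_line the absolute-form request line
    a forward proxy (mod_proxy, Squid) expects. Raises ValueError when the
    request cannot be forwarded safely."""
    method, target, version, headers = parse_request_head(head)
    orig_ip, orig_port = orig_dst

    if method == "CONNECT":
        raise ValueError("CONNECT only makes sense on an explicitly configured proxy")
    if target.startswith("http://"):
        # Client was configured for a proxy and already sent absolute-form.
        return (orig_ip, orig_port), "%s %s %s" % (method, target, version)
    if not target.startswith("/"):
        raise ValueError("unsupported request-target: %r" % target)

    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            raise ValueError("HTTP/1.1 request without Host header")
        # HTTP/1.0 client: the kernel is the only source of the destination.
        host = orig_ip if orig_port == 80 else "%s:%d" % (orig_ip, orig_port)

    # Host is client-controlled: accept only a bare host[:port] whose port
    # matches the intercepted port, and always connect to where the packet
    # was actually going, so a LAN client cannot steer the proxy to another
    # address just by lying in the Host header.
    p = urlsplit("//" + host)
    if p.netloc != host or p.username is not None or not p.hostname:
        raise ValueError("Host header is not a bare host[:port]: %r" % host)
    if (p.port or 80) != orig_port:
        raise ValueError("Host port %s does not match intercepted port %d"
                         % (p.port or 80, orig_port))
    return (orig_ip, orig_port), "%s http://%s%s %s" % (method, host, target, version)


if __name__ == "__main__":
    # Constructed sample: what the browser sends after REDIRECT, as in the thread.
    head = b"GET / HTTP/1.1\r\nHost: www.slashdot.org\r\nUser-Agent: demo\r\n\r\n"
    dst = parse_original_dst(encode_sockaddr_in("192.0.2.10", 80))
    print(plan_transparent_forward(head, dst))
```

Two practical consequences follow from the code. First, with the REDIRECT rule every intercepted connection arrives looking like it was addressed to 192.168.1.1:8081, so a listener that does not call SO_ORIGINAL_DST has nothing but the client-supplied Host header to go on; using the kernel's answer for the upstream connection and the Host header only for the URL keeps the two from disagreeing. Second, the rule lists https among the intercepted ports, but what arrives on 443 is a TLS ClientHello, not an HTTP request line, so a plaintext proxy port can never serve it; drop https from the --dports list unless the proxy actually terminates TLS.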


