Re: Should "Transparent web-caching" work with ppp0/pptp? (It doesn't...)

Hello,

Aleksey Tsalolikhin wrote:
> Hi.  I am trying to get outbound packets destined for TCP port 80 tunneled
> through a pptp VPN (out the ppp0 interface).
>
> I've tried following the example at
> http://lartc.org/howto/lartc.cookbook.squid.html
> but from the remote web site's viewpoint, the request comes from the
> eth0 address of my server, instead of through the VPN.
>
> Diagram of what I am trying to accomplish:
>
> [my server] ---pptp--> [VPN server] --> website

Where is the squid proxy ?

> Should this work with a ppp0 interface?

Sure. The interface type makes no difference.

> [root@vulture ~]# iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       tcp  --  anywhere             anywhere            tcp dpt:http MARK set 0x2

If your server does not act as a router for other hosts, this has no effect. Outgoing packets generated by the local host are handled in the OUTPUT chain.

> [root@vulture ~]# ip rule ls
> 0:      from all lookup 255
> 32765:  from all fwmark 0x2 lookup www.out
> 32766:  from all lookup main
> 32767:  from all lookup default
> [root@vulture ~]# ip route list table www.out
> default via 192.168.2.125 dev ppp0
> [root@vulture ~]# ip route
> 192.168.2.125 dev ppp0  proto kernel  scope link  src 192.168.2.133
> 69.15.192.18 via 38.98.245.201 dev eth0  src 38.98.245.202
> 38.98.245.200/29 dev eth0  proto kernel  scope link  src 38.98.245.202
> 169.254.0.0/16 dev eth0  scope link
> default via 38.98.245.201 dev eth0
> [root@vulture ~]#

Looks fine.

> I've tried using PREROUTING instead of OUTPUT, for the mark rule, and
> then if I try to connect to port 80 (telnet www.google.com 80), it
> just hangs...

Isn't it the other way around (OUTPUT instead of PREROUTING) ?
Have you checked that source validation aka reverse-path filtering is disabled for ppp0 (/proc/sys/net/ipv4/conf/ppp0/rp_filter=0) or all interfaces (/proc/sys/net/ipv4/conf/all/rp_filter=0) ?
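The reply's advice as a script, added here as an example and not code from the thread: the mark rule goes in the mangle OUTPUT chain (PREROUTING never sees packets the host itself originates), the fwmark rule and the www.out table match the listing above, and rp_filter is cleared for ppp0 and for all. It goes one step beyond the reply: rerouting after the mark keeps the source address that was already picked against the eth0 default route, so the script also masquerades on ppp0. The PROC_ROOT variable and the two check functions are assumptions added so the checks can be exercised against a fake /proc tree.

```shell
#!/bin/sh
# Added example: policy-route locally generated TCP/80 traffic through the
# PPTP tunnel. Values below are taken from the thread; PROC_ROOT is an
# assumption that lets the checks run against a fake /proc tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
VPN_IF="${VPN_IF:-ppp0}"
VPN_GW="${VPN_GW:-192.168.2.125}"
MARK=0x2
TABLE=www.out   # must have an entry in /etc/iproute2/rt_tables

# Print rp_filter for one interface; fail if the sysctl file is absent.
rp_filter_value() {
  f="$PROC_ROOT/sys/net/ipv4/conf/$1/rp_filter"
  [ -r "$f" ] || return 1
  cat "$f"
}

# The kernel uses the larger of conf/all and conf/<if>, so both must be 0
# before asymmetric (eth0 in, ppp0 out) paths stop being dropped.
rp_filter_disabled() {
  [ "$(rp_filter_value "$1")" = 0 ] && [ "$(rp_filter_value all)" = 0 ]
}

# Succeed when an `iptables -t mangle -S` listing (passed as text) marks
# port-80 traffic in OUTPUT; a PREROUTING-only rule does not count.
marks_in_output() {
  printf '%s\n' "$1" |
    grep -q -- "^-A OUTPUT .*--dport 80 .*-j MARK --set-xmark $MARK"
}

apply() {
  iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
  ip rule add fwmark "$MARK" lookup "$TABLE"
  ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
  # The socket already chose the eth0 source address before the reroute;
  # rewrite it to the tunnel address so replies come back through the VPN.
  iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=0" "net.ipv4.conf.all.rp_filter=0"
  rp_filter_disabled "$VPN_IF" || echo "warning: rp_filter still enabled" >&2
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run as `sh script.sh apply` on the host; without an argument it only defines the functions.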

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html