From: ken scott <kscott9@triad.rr.com>
To: Dimitar Katerinski <train@bofh.bg>
Cc: netfilter@lists.netfilter.org
Subject: Re: Transparent proxy single machine question
Date: Sat, 26 Jun 2004 18:09:55 -0400
Message-ID: <1088287795.4717.12.camel@Kenslinux>
In-Reply-To: <40DDEFEC.5000205@bofh.bg>

On Sat, 2004-06-26 at 17:51, Dimitar Katerinski wrote:

> 
> Hello ken,
> 
> Yes, on a single machine it will work with no problems. You should specify 
> an incoming interface for the above iptables rule, though. Do it like this:
> 
> iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j 
> REDIRECT --to-ports 8181
> 
> where $LAN_IFACE is the interface connected to your internal network.
> 
I only have a single network card/interface on this box (eth0, I guess).
Does that matter in this proxy context?

> And the scheme is as follows:
> 1. A client sends a request for a specific page.
> 2. The Linux box sees it's a request for destination port 80 and 
> redirects it to port 8181, where DG is listening.
> 3. DG takes the request, does what it does (content filtering, etc.), and 
> sends it to Squid.
> 4. Squid requests the specific page and gives it back to DG, which again 
> does what it does.
> 5. DG then, if everything is OK, serves the requested page to the client.
> 
> 
> About your question:
>  > ..when squid finally wants to send
>  > out the actual
>  > request to the internet, isn't that a port 80 request that the above
>  > iptables rule will
>  > redirect back to Dansguardian??
> 
> No, basically it won't, unless you also have the same rule in the OUTPUT 
> chain of the nat table. The PREROUTING chain applies to packets which hit the 
> box coming from somewhere outside, and not to packets which originate from the 
> machine itself.
Dimitar,
Your explanation here is great but it throws me a bit since the packet
requests coming from the browsers will all be internal requests (ie on
the same machine) so is a PREROUTING rule the right choice?  In other
words I want to apply a routing rule to internal requests (except those
from squid).
I appreciate your detailed response and I have looked for a "life of a
packet" explanation such as you provided but have not found it as yet. 
In your 5-step explanation, when are the iptables rules applied?
Thanks
Ken 
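The two chains the thread argues about, written out as an added example that is not part of either participant's message. It assumes DansGuardian listens on port 8181 (as in the thread), that the LAN interface is eth0, and that Squid runs under a system user named "squid" (an assumption; the thread never names the account). The `-m owner --uid-owner` match and the nat OUTPUT chain are standard iptables features, not something the thread supplies. Packets from the LAN enter nat PREROUTING; packets generated by processes on the box itself, including the browsers Ken describes and Squid's own fetches, enter nat OUTPUT instead, so a second REDIRECT there is needed, with Squid exempted so its outbound port-80 requests are not looped back into DG. By default the script only prints the rules (IPT is set to `echo iptables`); set `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prints rules unless IPT=iptables.
IPT="${IPT:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth0}"     # assumption: interface facing LAN clients
DG_PORT="${DG_PORT:-8181}"         # DansGuardian listening port (from the thread)
SQUID_USER="${SQUID_USER:-squid}"  # assumption: account Squid runs as

# Which nat chain a packet enters is decided by where it comes from:
# locally generated packets never traverse PREROUTING.
chain_for() {
  case "$1" in
    local) echo OUTPUT ;;       # generated by a process on this box
    *)     echo PREROUTING ;;   # arrived on an interface from elsewhere
  esac
}

# Rule from the thread: traffic from LAN clients hits nat PREROUTING.
lan_redirect_rule() {
  $IPT -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
       -j REDIRECT --to-ports "$DG_PORT"
}

# Rules for browsers on the same machine: nat OUTPUT handles local packets.
# Loopback traffic (DG -> Squid, the redirected connection itself) is left alone,
# and Squid's own outbound port-80 fetches are exempted by owner uid so they
# are not redirected back into DG in a loop.
local_redirect_rules() {
  $IPT -t nat -A OUTPUT -o lo -j RETURN
  $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$SQUID_USER" -j RETURN
  $IPT -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$DG_PORT"
}

apply_all() {
  lan_redirect_rule
  local_redirect_rules
}

apply_all
```

Order matters inside OUTPUT: the two RETURN exemptions must precede the REDIRECT, because iptables stops at the first matching target. Squid's outbound requests still pass through nat OUTPUT, but they hit the owner RETURN first and leave the box unchanged, which is the loop Ken was worried about.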


