Redirect to same LAN and preserve source IP

Redirect to same LAN and preserve source IP

[Gavin Hamill]

Hi :)

This is a topic that's come up a couple of times recently and I wondered if 
there was some super-high-powered incantation I could use...

Presently, I'm running squid on the same machine that the LAN uses for 
Internet access, so I'm doing a simple 

$IPT -A PREROUTING -s 10.0.0.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 
-j REDIRECT --to-ports 3128

and this preserves the IP address of the LAN machine which made the request, 
which is what we want for the log files.

However, I need to change the 10.0.0.254 'defaut gateway' machine to a 
standalone router, and the squid installation will be then on a seperate 
machine. Is there any way I can 'grab' the outgoing requests on port 80, and 
shove them into port 3128 on another machine and preserve the correct source 
IP, rather than everything being marked with the IP of the gateway 
10.0.0.254 ?

Cheers,
Gavin.

Re: Redirect to same LAN and preserve source IP

[Antony Stone]

On Monday 12 July 2004 2:19 pm, Gavin Hamill wrote:

> Presently, I'm running squid on the same machine that the LAN uses for
> Internet access, so I'm doing a simple
>
> $IPT -A PREROUTING -s 10.0.0.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport
> 80 -j REDIRECT --to-ports 3128
>
> and this preserves the IP address of the LAN machine which made the
> request, which is what we want for the log files.
>
> However, I need to change the 10.0.0.254 'defaut gateway' machine to a
> standalone router, and the squid installation will be then on a seperate
> machine. Is there any way I can 'grab' the outgoing requests on port 80,
> and shove them into port 3128 on another machine and preserve the correct
> source IP, rather than everything being marked with the IP of the gateway
> 10.0.0.254 ?

Yes.   Just use DNAT, and make sure the Squid box is not on the same subnet as 
the clients (so that it has to send the replies back through the firewall).

It's the classic arrangement - put your clients on your internal LAN, put the 
Squid box on the perimeter network (DMZ), and have the firewall restricting 
traffic between internal / DMZ / external networks.

Regards,

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Redirect to same LAN and preserve source IP

[Gavin Hamill]

On Monday 12 July 2004 14:38, Antony Stone wrote:

> Yes.   Just use DNAT, and make sure the Squid box is not on the same subnet
> as the clients (so that it has to send the replies back through the
> firewall).

Ah OK, I was hoping to avoid that since the machine that runs Squid is also an 
NFS server and various other things... 

Thanks :)

Gavin.

Re: Redirect to same LAN and preserve source IP

[Antony Stone]

On Monday 12 July 2004 4:12 pm, Gavin Hamill wrote:

> On Monday 12 July 2004 14:38, Antony Stone wrote:
> > Yes.   Just use DNAT, and make sure the Squid box is not on the same
> > subnet as the clients (so that it has to send the replies back through
> > the firewall).
>
> Ah OK, I was hoping to avoid that since the machine that runs Squid is also
> an NFS server and various other things...

How about *configuring* the clients so they use the proxy "properly" instead 
of doing transparent redirection?   Then you can keep the Squid box on the 
same subnet as the clients, and still block people trying to do TCP port 80 
straight through the firewall (only one source IP is allowed - the Squid 
box).   You also get the benefit that they can do FTP over HTTP proxying too, 
which you can't do transparently...

Regards,

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Redirect to same LAN and preserve source IP

[Gavin Hamill]

On Monday 12 July 2004 16:31, Antony Stone wrote:

> How about *configuring* the clients so they use the proxy "properly"
> instead of doing transparent redirection?   Then you can keep the Squid box
> on the same subnet as the clients, and still block people trying to do TCP
> port 80 straight through the firewall (only one source IP is allowed - the
> Squid box).   

The reason has been the desire to not have to ferry around dozens of machines 
configuring proxy settings, really. I'll certainly give the seperate-subnet 
idea some thought :)

Cheers,
Gavin.

Re: Redirect to same LAN and preserve source IP

[Antony Stone]

On Tuesday 13 July 2004 9:50 am, Gavin Hamill wrote:

> On Monday 12 July 2004 16:31, Antony Stone wrote:
> > How about *configuring* the clients so they use the proxy "properly"
> > instead of doing transparent redirection?   Then you can keep the Squid
> > box on the same subnet as the clients, and still block people trying to
> > do TCP port 80 straight through the firewall (only one source IP is
> > allowed - the Squid box).
>
> The reason has been the desire to not have to ferry around dozens of
> machines configuring proxy settings, really. I'll certainly give the
> seperate-subnet idea some thought :)

Have you investigated proxy auto-configuration?   Take a look at the Squid 
documentation and you will learn how most browsers can be pointed at a .pac 
file (possibly by being redirected by your firewall to a trivial webserver 
running somewhere if they try to go direct - doesn't have to be the proxy 
itself), and this will configure the proxy settings without a techie having 
to go near the keyboard....

Regards,

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

                                                     Please reply to the list;
                                                           please don't CC me.

QUEUE both ipv4 and ipv6?

[Scott MacKay]

Curious, not having it set up yet, but does
ipv6tables's QUEUE and iptable's QUEUE both send
packets to a single userspace QUEUE program?  It looks
like ipv6 uses ipv4's ip_queue.h header, so I would
think so...

-Scott


		
__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo 

Re: Redirect to same LAN and preserve source IP

[Saad Faruque]

http://en.tldp.org/HOWTO/TransparentProxy-6.html
did u go through it ? if not should help i think.

On Tue, 13 Jul 2004 10:00:46 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
> 
> 
> On Tuesday 13 July 2004 9:50 am, Gavin Hamill wrote:
> 
> > On Monday 12 July 2004 16:31, Antony Stone wrote:
> > > How about *configuring* the clients so they use the proxy "properly"
> > > instead of doing transparent redirection?   Then you can keep the Squid
> > > box on the same subnet as the clients, and still block people trying to
> > > do TCP port 80 straight through the firewall (only one source IP is
> > > allowed - the Squid box).
> >
> > The reason has been the desire to not have to ferry around dozens of
> > machines configuring proxy settings, really. I'll certainly give the
> > seperate-subnet idea some thought :)
> 
> Have you investigated proxy auto-configuration?   Take a look at the Squid
> documentation and you will learn how most browsers can be pointed at a .pac
> file (possibly by being redirected by your firewall to a trivial webserver
> running somewhere if they try to go direct - doesn't have to be the proxy
> itself), and this will configure the proxy settings without a techie having
> to go near the keyboard....
> 
> Regards,
> 
> Antony.
> 
> --
> The idea that Bill Gates appeared like a knight in shining armour to lead all
> customers out of a mire of technological chaos neatly ignores the fact that
> it was he who, by peddling second-rate technology, led them into it in the
> first place.
> 
>  - Douglas Adams in The Guardian, 25th August 1995
> 
> 
> 
>                                                      Please reply to the list;
>                                                            please don't CC me.
> 
>