FAQ 3.13, but on the same box

FAQ 3.13, but on the same box

[Joshua N Pritikin]

[-- Attachment #1: Type: text/plain, Size: 322 bytes --]

I understand how to set up a transparent proxy.  However, it is
possible to run a transparent proxy and web browser on the same box?

What if I put the proxy on a loopback interface and REDIRECT port 80
to port 3128 the loopback?  Would that work?

-- 
A new cognitive theory of emotion, http://openheartlogic.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: FAQ 3.13, but on the same box

[Antony Stone]

On Sunday 18 July 2004 6:32 pm, Joshua N Pritikin wrote:

> I understand how to set up a transparent proxy.  However, it is
> possible to run a transparent proxy and web browser on the same box?

Yes.

> What if I put the proxy on a loopback interface and REDIRECT port 80
> to port 3128 the loopback?  Would that work?

Sounds good to me.

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4

Regards,

Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the 
time.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: FAQ 3.13, but on the same box

[Joshua N Pritikin]

[-- Attachment #1: Type: text/plain, Size: 957 bytes --]

On Sun, Jul 18, 2004 at 06:44:22PM +0100, Antony Stone wrote:
> On Sunday 18 July 2004 6:32 pm, Joshua N Pritikin wrote:
> > I understand how to set up a transparent proxy.  However, it is
> > possible to run a transparent proxy and web browser on the same box?
> 
> Yes.
> 
> > What if I put the proxy on a loopback interface and REDIRECT port 80
> > to port 3128 the loopback?  Would that work?
> 
> Sounds good to me.
> 
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4

This FAQ doesn't address my question.  I also looked at "Transparent
Proxy with Linux and Squid mini-HOWTO" by Daniel Kiracofe.

So far, all docs assume that the squid-box and the browser box are
different machines.

Hrm, I think I need to add an OUTPUT rule that matches on the owner.
If --uid-owner=proxy then the packet should not REDIRECT back to port
3128.  Something like that?

-- 
A new cognitive theory of emotion, http://openheartlogic.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: FAQ 3.13, but on the same box

[Antony Stone]

On Monday 19 July 2004 3:00 am, Joshua N Pritikin wrote:

> On Sun, Jul 18, 2004 at 06:44:22PM +0100, Antony Stone wrote:
> >
> > http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4
>
> This FAQ doesn't address my question.  I also looked at "Transparent
> Proxy with Linux and Squid mini-HOWTO" by Daniel Kiracofe.
>
> So far, all docs assume that the squid-box and the browser box are
> different machines.

No, the link I posted is specifically for Squid + Netfilter on the same 
machine - you can tell this by the fact it uses REDIRECT, not DNAT.

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: FAQ 3.13, but on the same box

[Joshua N Pritikin]

[-- Attachment #1: Type: text/plain, Size: 905 bytes --]

On Mon, Jul 19, 2004 at 09:51:37AM +0100, Antony Stone wrote:
> On Monday 19 July 2004 3:00 am, Joshua N Pritikin wrote:
> > On Sun, Jul 18, 2004 at 06:44:22PM +0100, Antony Stone wrote:
> > > http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4
> >
> > This FAQ doesn't address my question.  I also looked at "Transparent
> > Proxy with Linux and Squid mini-HOWTO" by Daniel Kiracofe.
> >
> > So far, all docs assume that the squid-box and the browser box are
> > different machines.
> 
> No, the link I posted is specifically for Squid + Netfilter on the same 
> machine - you can tell this by the fact it uses REDIRECT, not DNAT.

I tried that rule already.  It only works for other machines on my
network which are using the proxy as a gateway.

I am trying to do Squid + Netfilter + BROWSER on the same machine.

-- 
A new cognitive theory of emotion, http://openheartlogic.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: FAQ 3.13, but on the same box

[Antony Stone]

On Monday 19 July 2004 10:44 am, Joshua N Pritikin wrote:

> On Mon, Jul 19, 2004 at 09:51:37AM +0100, Antony Stone wrote:
> > On Monday 19 July 2004 3:00 am, Joshua N Pritikin wrote:
> > > On Sun, Jul 18, 2004 at 06:44:22PM +0100, Antony Stone wrote:
> > > > http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4
> > >
> > > This FAQ doesn't address my question.  I also looked at "Transparent
> > > Proxy with Linux and Squid mini-HOWTO" by Daniel Kiracofe.
> > >
> > > So far, all docs assume that the squid-box and the browser box are
> > > different machines.
> >
> > No, the link I posted is specifically for Squid + Netfilter on the same
> > machine - you can tell this by the fact it uses REDIRECT, not DNAT.
>
> I tried that rule already.  It only works for other machines on my
> network which are using the proxy as a gateway.
>
> I am trying to do Squid + Netfilter + BROWSER on the same machine.

Oh, right - I hadn't appreciated that part before.   I thought you just meant 
transparent proxying to a proxy on the gateway instead of to a proxy 
somewhere else.

In that case you either need to DNAT your OUTPUT packets, as per your previous 
posting, or else just tell the local browser to use the local proxy (which I 
suspect is much the simplest solution in terms of understanding when 
something odd happens in the future).

Regards,

Antony.

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III

                                                     Please reply to the list;
                                                           please don't CC me.

Re: FAQ 3.13, but on the same box

[Joshua N Pritikin]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

On Mon, Jul 19, 2004 at 10:56:54AM +0100, Antony Stone wrote:
> On Monday 19 July 2004 10:44 am, Joshua N Pritikin wrote:
> > I am trying to do Squid + Netfilter + BROWSER on the same machine.
> 
> Oh, right - I hadn't appreciated that part before.   I thought you just meant 
> transparent proxying to a proxy on the gateway instead of to a proxy 
> somewhere else.
> 
> In that case you either need to DNAT your OUTPUT packets, as per your previous 
> posting,

This solution seems to work (below).  I wonder if this should be added
to the various FAQs?  ;-)

#!/bin/sh

iptables -t nat -F  # clear table

# normal transparent proxy
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 8080

# handle connections on the same box (192.168.0.2 is a loopback instance)
gid=`id -g proxy`
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080

-- 
A new cognitive theory of emotion, http://openheartlogic.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: FAQ 3.13, but on the same box

[Antony Stone]

On Tuesday 20 July 2004 2:42 pm, Joshua N Pritikin wrote:

> This solution seems to work (below).  I wonder if this should be added
> to the various FAQs?  ;-)

That's a good idea.   The reason it's not in the FAQs already is probably 
because there was no owner match in netfilter when the FAQs were written...

Regards,

Antony.

-- 
Your work is both good and original.  Unfortunately the parts that are good 
aren't original, and the parts that are original aren't good.

 - Samuel Johnson

                                                     Please reply to the list;
                                                           please don't CC me.