* Differentiating direct, and redirected access?
@ 2004-10-18 2:19 J Kim
2004-10-18 15:50 ` Aleksandar Milivojevic
2004-10-18 18:14 ` Jose Maria Lopez
0 siblings, 2 replies; 8+ messages in thread
From: J Kim @ 2004-10-18 2:19 UTC (permalink / raw)
To: netfilter
Hello all,
I'm running a squid at port 3128 as a transparent proxy.
There are requests coming directly to 3128 port and
those coming to 80 port and then redirected to 3128 by
following rule:
-t nat -A PREROUTING -i eth0 -p tcp -m tcp \
--dport 80 -j REDIRECT --to-ports 3128
What I want is to block direct requests to 3128, allowing
redirected access (transparent proxy) only. How do I do it?
If I just set up a rule in filter chain like:
-t filter -A INPUT -i eth0 -p tcp -m tcp \
--dport 3128 -j DROP
Those requests redirected from port 80 to 3128 are also
blocked by this rule. It seems that the redirected packets
come in to this chain once again with the new port number.
How can I differentiate these two different kinds of
request? Any clue will be greatly appreciated.
Jinsuk Kim
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: Differentiating direct, and redirected access?
@ 2004-10-18 14:24 Jason Opperisano
2004-10-18 17:34 ` Ложечник Александр
0 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-10-18 14:24 UTC (permalink / raw)
To: netfilter
> Hello all,
>
> I'm running a squid at port 3128 as a transparent proxy.
>
> There are requests coming directly to 3128 port and
> those coming to 80 port and then redirected to 3128 by
> following rule:
>
> -t nat -A PREROUTING -i eth0 -p tcp -m tcp \
> --dport 80 -j REDIRECT --to-ports 3128
>
> What I want is block direct requests to 3128, allowing
> redirected access (transparent proxy) only. How do I do it?
>
> If I just set up a rule in filter chain like:
>
> -t filter -A INPUT -i eth0 -p tcp -m tcp \
> --dport 3128 -j DROP
>
> Those requests redirected from port 80 to 3128 are also
> blocked by this rule. It seems that the redirected packets
> come in to this chain once again with the new port number.
>
> How can I differentiate these two different kinds of
> request? Any clue will be greatly appreciated.
>
> Jinsuk Kim
mark the packets that will get redirected, and only accept them if they
have the mark:
# mark packets with dst port 80
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
-j MARK --set-mark 1
# redirect port 80 to 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j REDIRECT --to-ports 3128
# accept packets to 3128 that have the mark
iptables -A INPUT -i eth0 -p tcp --dport 3128 -m mark --mark 1 \
-j ACCEPT
-j
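The mark-based ruleset from Jason's reply, completed and made runnable as an added example (this is not code from the thread). It assumes the proxy host's client-facing interface is eth0, squid listens on 3128 and the mark value is 1; with IPT=echo it prints the rules instead of applying them (applying needs root). The verdict function only models the order in which the kernel traverses the chains for a connection's first packet (mangle PREROUTING, then nat PREROUTING, then filter INPUT) to show why the OP's INPUT rule catches both kinds of packet and why the mark separates them; it is an illustration, not kernel code.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: interface, ports and mark
# value below; set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
MARK="${MARK:-1}"

# Jason's rules, plus the DROP that makes unmarked (direct) connections to the
# proxy port fail. mangle PREROUTING is traversed before nat PREROUTING, so the
# mark is set while --dport is still 80; the mark stays on the packet after
# REDIRECT rewrites the port, and filter INPUT can key on it.
install_mark_rules() {
    $IPT -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PROXY_PORT" \
        -m mark --mark "$MARK" -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PROXY_PORT" -j DROP
}

# Illustration only (not kernel code): walk a connection's first packet through
# the chains in the order the kernel applies them and print the INPUT verdict.
# $1 is the port the client actually connected to, $2 is "naive" (the OP's
# single DROP rule in INPUT) or "mark" (the ruleset above).
verdict() {
    dport=$1; policy=$2; mark=0
    # mangle PREROUTING: only port-80 traffic gets the mark
    if [ "$policy" = mark ] && [ "$dport" = 80 ]; then mark=$MARK; fi
    # nat PREROUTING: REDIRECT rewrites the destination port
    if [ "$dport" = 80 ]; then dport=$PROXY_PORT; fi
    # filter INPUT: by now BOTH kinds of packet carry --dport $PROXY_PORT,
    # which is exactly what the OP observed
    if [ "$dport" != "$PROXY_PORT" ]; then echo PASS; return 0; fi  # not our rules
    case $policy in
        naive) echo DROP ;;   # the OP's rule drops redirected and direct alike
        mark)  [ "$mark" = "$MARK" ] && echo ACCEPT || echo DROP ;;
        *)     echo "unknown policy: $policy" >&2; return 1 ;;
    esac
}

# Apply for real (as root) with:  sh this_script.sh apply
if [ "${1:-}" = apply ]; then install_mark_rules; fi
```

The INPUT pair (ACCEPT marked, then DROP everything else to the port) is what turns the reply's "only accept them if they have the mark" into policy; without the trailing DROP the chain's default policy decides what happens to direct hits.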
* RE: Differentiating direct, and redirected access?
@ 2004-10-18 14:40 Jason Opperisano
2004-10-18 18:18 ` Ложечник Александр
0 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-10-18 14:40 UTC (permalink / raw)
To: netfilter
> -t nat -A PREROUTING -i eth0 -d ! $INT_ROUTER_IP -p tcp --dport 80 -j
> REDIRECT --to-ports 3128
> -A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT
>
> TCP SYN have external ip dst_ip.
the TCP SYN to port 80 has the dst IP of the web server on the internet.
the redirected packet to TCP port 3128 has the dst IP of the redirected
interface (eth0 in this case).
your suggested REJECT rule will reject all redirected traffic to port
3128, and is essentially the issue the OP had already run into, and was
asking for a work-around.
-j
* Re: Differentiating direct, and redirected access?
2004-10-18 2:19 J Kim
@ 2004-10-18 15:50 ` Aleksandar Milivojevic
2004-10-18 18:14 ` Jose Maria Lopez
1 sibling, 0 replies; 8+ messages in thread
From: Aleksandar Milivojevic @ 2004-10-18 15:50 UTC (permalink / raw)
To: netfilter
J Kim wrote:
> Hello all,
>
> I'm running a squid at port 3128 as a transparent proxy.
>
> There are requests coming directly to 3128 port and
> those coming to 80 port and then redirected to 3128 by
> following rule:
>
> -t nat -A PREROUTING -i eth0 -p tcp -m tcp \
> --dport 80 -j REDIRECT --to-ports 3128
>
> What I want is block direct requests to 3128, allowing
> redirected access (transparent proxy) only. How do I do it?
>
> If I just set up a rule in filter chain like:
>
> -t filter -A INPUT -i eth0 -p tcp -m tcp \
> --dport 3128 -j DROP
>
> Those requests redirected from port 80 to 3128 are also
> blocked by this rule. It seems that the redirected packets
> come in to this chain once again with the new port number.
This is because the PREROUTING chain is traversed before the INPUT chain, so the dst port
of the packets has already been modified to 3128. You need to drop the packets in the
PREROUTING chain, before the REDIRECT rule:
-t nat -A PREROUTING ..... --dport 3128 -j DROP
-t nat -A PREROUTING ..... --dport 80 -j REDIRECT ....
BTW, a question for those smarter than me: if there are rules in both the nat and
mangle PREROUTING chains, which are traversed first? If mangle is done
before nat, then one solution could also be:
-t mangle -A PREROUTING ..... --dport 3128 -j MARK --set-mark 1
-t nat -A PREROUTING ..... --dport 80 -j REDIRECT .....
-t filter -A INPUT .... -m mark --mark 1 -j DROP
Suboptimal (more work), but it should work if for whatever reason somebody
wants to keep all filtering in the filter table (if the mangle table is done
before the nat table, of course).
It would be ideal (and most optimal) if the match were possible in the filter
table based on the original value of the dst port. I vaguely remember
reading about such an extension, but I might be wrong (it might not exist).
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Differentiating direct, and redirected access?
2004-10-18 14:24 Jason Opperisano
@ 2004-10-18 17:34 ` Ложечник Александр
0 siblings, 0 replies; 8+ messages in thread
From: Ложечник Александр @ 2004-10-18 17:34 UTC (permalink / raw)
To: netfilter
>>Hello all,
>>
>>I'm running a squid at port 3128 as a transparent proxy.
>>
>>There are requests coming directly to 3128 port and
>>those coming to 80 port and then redirected to 3128 by
>>following rule:
>>
>>-t nat -A PREROUTING -i eth0 -p tcp -m tcp \
>> --dport 80 -j REDIRECT --to-ports 3128
>>
>>What I want is block direct requests to 3128, allowing
>>redirected access (transparent proxy) only. How do I do it?
>>
>>If I just set up a rule in filter chain like:
>>
>>-t filter -A INPUT -i eth0 -p tcp -m tcp \
>> --dport 3128 -j DROP
>>
>>Those requests redirected from port 80 to 3128 are also
>>blocked by this rule. It seems that the redirected packets
>>come in to this chain once again with the new port number.
>>
>>How can I differentiate these two different kinds of
>>request? Any clue will be greatly appreciated.
>>
>>Jinsuk Kim
>>
>>
-t nat -A PREROUTING -i eth0 -d ! $INT_ROUTER_IP -p tcp --dport 80 -j
REDIRECT --to-ports 3128
-A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT
The TCP SYN has an external IP as dst_ip.
--
wbr, Logechnik Alexandr
In God we trust, but something
else must have X.509 certificate
* Re: Differentiating direct, and redirected access?
2004-10-18 2:19 J Kim
2004-10-18 15:50 ` Aleksandar Milivojevic
@ 2004-10-18 18:14 ` Jose Maria Lopez
1 sibling, 0 replies; 8+ messages in thread
From: Jose Maria Lopez @ 2004-10-18 18:14 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Mon, 18 Oct 2004 at 04:19, J Kim wrote:
> Hello all,
>
> I'm running a squid at port 3128 as a transparent proxy.
>
> There are requests coming directly to 3128 port and
> those coming to 80 port and then redirected to 3128 by
> following rule:
>
> -t nat -A PREROUTING -i eth0 -p tcp -m tcp \
> --dport 80 -j REDIRECT --to-ports 3128
>
> What I want is block direct requests to 3128, allowing
> redirected access (transparent proxy) only. How do I do it?
>
> If I just set up a rule in filter chain like:
>
> -t filter -A INPUT -i eth0 -p tcp -m tcp \
> --dport 3128 -j DROP
>
> Those requests redirected from port 80 to 3128 are also
> blocked by this rule. It seems that the redirected packets
> come in to this chain once again with the new port number.
>
> How can I differentiate these two different kinds of
> request? Any clue will be greatly appreciated.
>
> Jinsuk Kim
Insert your DROP rule in the nat table, in the
PREROUTING chain before the rule that does the
redirect.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
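The nat-table DROP that both Aleksandar Milivojevic and Jose Maria Lopez recommend, as an added example that is not code from the thread, together with the filter-table alternative Aleksandar was looking for: the xt_conntrack match's --ctorigdstport option tests the connection's original (pre-REDIRECT) destination port, so filter INPUT can tell a redirected connection (original port 80) from a direct one (original port 3128) even though both arrive with --dport 3128. The port options of the conntrack match are newer than this 2004 thread. To answer his other question, mangle PREROUTING is traversed before nat PREROUTING (hook priority -150 versus -100), so his mark variant works too. Assumptions: interface eth0, squid on 3128, IPT=echo for a dry run; the iptables-save text at the bottom is constructed for the audit function, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 and squid on 3128; set
# IPT=echo to print rules instead of applying them (applying needs root).
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"

# The approach the OP chose: refuse direct hits in nat PREROUTING before
# REDIRECT creates new ones. Only a connection's first packet traverses the
# nat table, and a dropped SYN never creates a conntrack entry, so every
# retried SYN is evaluated again and the block holds. Order is the whole
# point: the DROP must precede the REDIRECT.
install_nat_drop_rules() {
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$PROXY_PORT" -j DROP
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Filter-table variant keyed on the connection's ORIGINAL destination port
# (xt_conntrack --ctorigdstport, newer than the thread): redirected
# connections have original port 80, direct ones have original port 3128.
install_ctorig_rules() {
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PROXY_PORT" \
        -m conntrack --ctorigdstport 80 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PROXY_PORT" -j DROP
}

# Audit: read `iptables-save -t nat` output on stdin and succeed only if nat
# PREROUTING lists a DROP for the proxy port before the REDIRECT into it.
# A REDIRECT that comes first silently re-opens direct access.
drop_precedes_redirect() {
    awk -v port="$PROXY_PORT" '
        /^-A PREROUTING / && $0 ~ ("--dport " port " -j DROP") && !redirect { drop = 1 }
        /^-A PREROUTING / && $0 ~ ("-j REDIRECT --to-ports " port) { redirect = 1 }
        END { if (drop && redirect) exit 0; exit 1 }'
}

# Constructed iptables-save output (not captured from a real host): one
# ruleset in the recommended order, one with the rules swapped.
GOOD_NAT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
BAD_NAT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3128 -j DROP
COMMIT'

# Apply for real (as root) with:  sh this_script.sh apply
# Check a live box with:          iptables-save -t nat | sh this_script.sh audit
case "${1:-}" in
    apply) install_nat_drop_rules ;;
    audit) drop_precedes_redirect && echo "ok: DROP precedes REDIRECT" ;;
esac
```

Dropping in the nat table works, and is the simplest fix, but it mixes policy into a table that was meant for address rewriting; the conntrack variant keeps all filtering in the filter table, which is the cleaner layout if the match is available on the box.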
* Re: Differentiating direct, and redirected access?
2004-10-18 14:40 Differentiating direct, and redirected access? Jason Opperisano
@ 2004-10-18 18:18 ` Ложечник Александр
0 siblings, 0 replies; 8+ messages in thread
From: Ложечник Александр @ 2004-10-18 18:18 UTC (permalink / raw)
To: netfilter
Jason Opperisano wrote:
>>-t nat -A PREROUTING -i eth0 -d ! $INT_ROUTER_IP -p tcp --dport 80 -j
>>REDIRECT --to-ports 3128
>>-A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT
>>
>>TCP SYN have external ip dst_ip.
>>
>>
>
>the TCP SYN to port 80 has the dst IP of the web server on the internet.
>
>the redirected packet to TCP port 3128 has the dst IP of the redirected
>interface (eth0 in this case).
>
>your suggested REJECT rule will reject all redirected traffic to port
>3128, and is essentially the issue the OP had already run into, and was
>asking for a work-around.
>
>-j
>
Hmm. You're right. So fwmark is a great idea.
wbr, Logechnik Alexandr
In God we trust, but something
else must have X.509 certificate
* Re: Differentiating direct, and redirected access?
@ 2004-10-19 2:15 J Kim
0 siblings, 0 replies; 8+ messages in thread
From: J Kim @ 2004-10-19 2:15 UTC (permalink / raw)
To: netfilter
Thank you very much Jason, Jose, Aleksandar, and
Ложечник for all the replies. I
chose the simplest suggestion (putting the drop rule before the redirect in the nat
PREROUTING chain), and now it works perfectly. You guys are great.
Jinsuk Kim