* transparent proxy with captive page - ipt_recent?
@ 2007-06-25 15:40 Martin Whinnery
  2007-06-26  7:43 ` Martijn Lievaart
  0 siblings, 1 reply; 3+ messages in thread
From: Martin Whinnery @ 2007-06-25 15:40 UTC (permalink / raw)
  To: netfilter

Hi,

Here's what I'm trying to do:

I've got a gateway box, running squid on port 8080, and apache on port 82.

I've got transparent proxying working fine, using a redirect rule in the 
prerouting table.

What I'd like to do is, the first time a web connection from IP 'n' 
comes in, they get a page from apache, telling users a proxy address 
they may want to set, in which case they'll get https proxying etc.

But if they don't bother, I'd like further web requests redirected to 
the proxy for transparent proxying, until a certain amount of idleness 
has gone by, when we revert to the local page again.


So everyone gets proxy instructions when they start browsing, and the 
lazy ones get transparent proxying.

I thought I could do this with ipt_recent, but it's not happening.

Here are my rules:

# rule 1: source seen within the last 30 s -> transparent proxy (squid)
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --rcheck \
    --seconds 30 -j REDIRECT --to-ports 8080
# rule 2: otherwise record the source and serve the instructions page (apache)
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --set \
    -j REDIRECT --to-ports 82

So I thought the first rule wouldn't match first time around. Then the 
second rule would provide the proxy instructions page, and make the 
/proc/sys/net/ipt_recent/DEFAULT entry. This works fine.

But the first rule should match on the next request. And it doesn't seem 
to. And I don't understand.

Any thoughts?

Mart

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




* Re: transparent proxy with captive page - ipt_recent?
  2007-06-25 15:40 transparent proxy with captive page - ipt_recent? Martin Whinnery
@ 2007-06-26  7:43 ` Martijn Lievaart
  2007-06-26  8:12   ` Martin Whinnery
  0 siblings, 1 reply; 3+ messages in thread
From: Martijn Lievaart @ 2007-06-26  7:43 UTC (permalink / raw)
  To: Martin Whinnery; +Cc: netfilter

Martin Whinnery wrote:
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent 
> --rcheck --seconds 30 -j REDIRECT --to-ports 8080
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --set 
> -j REDIRECT --to-ports 82
>
> So I thought the first rule wouldn't match first time around. Then the 
> second rule would provide the proxy instructions page, and make the 
> /proc/sys/net/ipt_recent/DEFAULT entry. This works fine.
>
> But the first rule should match on the next request. And it doesn't 
> seem to. And I don't understand.
>

I think you need to replace rcheck with update.


HTH,
M4




* Re: transparent proxy with captive page - ipt_recent?
  2007-06-26  7:43 ` Martijn Lievaart
@ 2007-06-26  8:12   ` Martin Whinnery
  0 siblings, 0 replies; 3+ messages in thread
From: Martin Whinnery @ 2007-06-26  8:12 UTC (permalink / raw)
  To: netfilter

Martijn Lievaart wrote:
> Martin Whinnery wrote:
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent 
>> --rcheck --seconds 30 -j REDIRECT --to-ports 8080
>> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --set 
>> -j REDIRECT --to-ports 82
>>
>> So I thought the first rule wouldn't match first time around. Then the 
>> second rule would provide the proxy instructions page, and make the 
>> /proc/sys/net/ipt_recent/DEFAULT entry. This works fine.
>>
>> But the first rule should match on the next request. And it doesn't 
>> seem to. And I don't understand.
>>
> 
> I think you need to replace rcheck with update.
> 
> 
> HTH,
> M4
> 
> 

Thanks Martijn,

I think it's working now. I've found that conntrack keeps the first 
connection in TIME_WAIT for 120 seconds, and that if I try before that, 
rule1 misses. This will do me, so long as I keep my --seconds greater 
than this.

Thanks again

Mart





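The difference between --rcheck and --update that Martijn's suggestion turns on, as an added simulation that is not code from the thread. It models the recent list's --set / --rcheck / --update semantics on a per-source timestamp and walks the two-rule chain for a sequence of new port-80 connections; the client address 10.0.0.5 and the connection times are constructed.

```python
"""Constructed model of the thread's two ipt_recent rules (not the kernel code).

Each call to route() is one NEW connection: the nat PREROUTING chain is only
consulted for the first packet of a connection, so packets of an already
tracked connection never reach these rules.  Times are in seconds.
"""

CAPTIVE_PORT = 82    # apache: proxy instructions page
PROXY_PORT = 8080    # squid: transparent proxy


class RecentList:
    """Per-source last-seen timestamps, like /proc/net/ipt_recent/DEFAULT."""

    def __init__(self):
        self.last_seen = {}

    def set(self, src, now):
        self.last_seen[src] = now          # --set: add the source or refresh it

    def rcheck(self, src, now, seconds):
        # --rcheck --seconds N: match if seen within N seconds; never refreshes
        return src in self.last_seen and now - self.last_seen[src] <= seconds

    def update(self, src, now, seconds):
        # --update --seconds N: like rcheck, but a match refreshes the timestamp
        if self.rcheck(src, now, seconds):
            self.last_seen[src] = now
            return True
        return False


def route(recent, src, now, seconds, mode):
    """Walk the chain for one new :80 connection; return the REDIRECT port."""
    check = recent.update if mode == "update" else recent.rcheck
    if check(src, now, seconds):           # rule 1: known and not idle -> proxy
        return PROXY_PORT
    recent.set(src, now)                   # rule 2: (re)start timer -> captive page
    return CAPTIVE_PORT


def simulate(mode, seconds=30, times=(0, 20, 40, 60, 100)):
    """Ports one client (constructed address) is redirected to at each time."""
    recent = RecentList()
    return [route(recent, "10.0.0.5", t, seconds, mode) for t in times]
```

With --rcheck the timestamp is only written by rule 2, so a client that connects every 20 s is still bounced back to the captive page once the original 30 s expire; with --update every proxied connection refreshes it, and only a real idle gap longer than --seconds returns the client to the page.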