* Different kind transparent proxy
From: Brent Clark @ 2008-10-09 11:01 UTC (permalink / raw)
  To: 'Mail List - Netfilter'

Hi

I have a basic home setup, the router / gate and the proxy server sit on 
different machines (Don't want squid on the FW).

I have a client that I want to access the web, but via squid.

The proxy and the client, both are on the same LAN etc.

Here are my rules.

For PREROUTING nat I have
186 10692 DNAT       tcp  --  eth1   *      !192.168.111.9        0.0.0.0/0           multiport dports 80,443 to:192.168.111.9:3128

In my FORWARD filter I have

362 20472 LANWEB     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128

For my LANWEB chain I have

Chain LANWEB (1 references)
target     prot opt source               destination        
LOG        tcp  --  0.0.0.0/0            192.168.111.9       LOG flags 0 level 4 prefix `ECCOWALL I'
ACCEPT     tcp  --  0.0.0.0/0            192.168.111.9
LOG        tcp  --  0.0.0.0/0            192.168.111.9       LOG flags 0 level 4 prefix `ECCOWALL O'

For some reason I can't get this working.
I have a look at the squid logs and there's nothing.

Using tcpdump on the gateway I am seeing,
tcpdump -n -i eth1 port 3128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:54:55.611493 IP 192.168.111.31.40550 > 192.168.111.9.3128: S 
233035686:233035686(0) win 5840 <mss 1460,sackOK,timestamp 3618633 
0,nop,wscale 6>
12:54:55.611653 IP 192.168.111.9.3128 > 192.168.111.31.40550: S 
1234458253:1234458253(0) ack 233035687 win 5792 <mss 
1460,sackOK,timestamp 737699015 3618633,nop,wscale 2>

And on squid

root@eccowall:~# tcpdump -n port 3128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:56:42.322401 IP 192.168.111.31.42990 > 192.168.111.9.3128: S 
1202540725:1202540725(0) win 5840 <mss 1460,sackOK,timestamp 3645306 
0,nop,wscale 6>
12:56:42.322693 IP 192.168.111.9.3128 > 192.168.111.31.42990: S 
2913335189:2913335189(0) ack 1202540726 win 5792 <mss 
1460,sackOK,timestamp 737725700 3645306,nop,wscale 2>
12:56:42.322435 IP 192.168.111.31.42990 > 192.168.111.9.3128: R 
1202540726:1202540726(0) win 0

But I can't understand, because the browser is not displaying anything.

If anyone could help, it would be appreciated.

TIA

Regards
Brent Clark




* Re: Different kind transparent proxy
From: Brent Clark @ 2008-10-09 11:04 UTC (permalink / raw)
  To: 'Mail List - Netfilter'

Brent Clark wrote:
> Hi
>
> I have a basic home setup, the router / gate and the proxy server sit 
> on different machines (Don't want squid on the FW).
>
> I have a client that I want to access the web, but via squid.
>
Sorry, I forgot to mention: if I set my proxy on the web browser to that 
of the proxy, I can view sites.

So from the proxy's point of view, all's good.

Seems to be the traffic going eth1 and then back out eth1 to squid (and 
or vice versa).

Brent


* Re: Different kind transparent proxy
From: Grant Taylor @ 2008-10-10 18:04 UTC (permalink / raw)
  To: Mail List - Netfilter

On 10/09/08 06:01, Brent Clark wrote:
> I have a basic home setup, the router / gate and the proxy server sit on 
> different machines (Don't want squid on the FW).

*nod*

> I have a client that I want to access the web, but via squid.
> 
> The proxy and the client, both are on the same LAN etc.

The proxy and the client on the same LAN is a clue.

> Here are my rules.
> 
> For PREROUTING nat I have
> 186 10692 DNAT       tcp  --  eth1   *      !192.168.111.9        0.0.0.0/0           multiport dports 80,443 to:192.168.111.9:3128
> 
> In my FORWARD filter I have
> 
> 362 20472 LANWEB     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128

You are missing a critical rule.  (I'll get to it after an explanation 
of what is happening.)

> For my LANWEB chain I have
> 
> Chain LANWEB (1 references)
> target     prot opt source               destination
> LOG        tcp  --  0.0.0.0/0            192.168.111.9       LOG flags 0 level 4 prefix `ECCOWALL I'
> ACCEPT     tcp  --  0.0.0.0/0            192.168.111.9
> LOG        tcp  --  0.0.0.0/0            192.168.111.9       LOG flags 0 level 4 prefix `ECCOWALL O'
> 
> For some reason I can't get this working.
> I have a look at the squid logs and there's nothing.

There won't be.

> Using tcpdump on the gateway I am seeing,
> tcpdump -n -i eth1 port 3128
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:54:55.611493 IP 192.168.111.31.40550 > 192.168.111.9.3128: S 
> 233035686:233035686(0) win 5840 <mss 1460,sackOK,timestamp 3618633 
> 0,nop,wscale 6>
> 12:54:55.611653 IP 192.168.111.9.3128 > 192.168.111.31.40550: S 
> 1234458253:1234458253(0) ack 233035687 win 5792 <mss 
> 1460,sackOK,timestamp 737699015 3618633,nop,wscale 2>

I'm surprised that you are seeing the second packet here.  Are you using 
a hub rather than a switch?  (Not that it really matters.)

> And on squid
> 
> root@eccowall:~# tcpdump -n port 3128
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:56:42.322401 IP 192.168.111.31.42990 > 192.168.111.9.3128: S 
> 1202540725:1202540725(0) win 5840 <mss 1460,sackOK,timestamp 3645306 
> 0,nop,wscale 6>
> 12:56:42.322693 IP 192.168.111.9.3128 > 192.168.111.31.42990: S 
> 2913335189:2913335189(0) ack 1202540726 win 5792 <mss 
> 1460,sackOK,timestamp 737725700 3645306,nop,wscale 2>
> 12:56:42.322435 IP 192.168.111.31.42990 > 192.168.111.9.3128: R 
> 1202540726:1202540726(0) win 0

This is what I would expect.

> But I can't understand, because the browser is not displaying anything.

In short, this is what is happening on your network.

1)  Client sends a request to the web server via the firewall.
        <Client MAC>, <Firewall MAC>, <Client IP>, <Web Server IP>
2)  Firewall redirects the packet to the proxy.
        <Firewall MAC>, <Proxy MAC>, <Client IP>, <Proxy IP>
3)  Proxy fulfills the request and replies.
        <Proxy MAC>, <Client MAC>, <Proxy IP>, <Client IP>
4)  Client gets a reply from the proxy that it did not ask for and says 
"Go Away!", better known as a "RST".
        <Client MAC>, <Proxy MAC>, <Client IP>, <Proxy IP>

What you need to do is SNAT the traffic that is being redirected to the 
proxy server.  That way the proxy server will reply to the firewall 
which will then un-redirect the traffic back to the real client.

You are suffering from what I call the "TCP Triangle".

> If anyone could help, it would be appreciated.

*nod*

Try SNATing traffic from the firewall to the proxy server.  (I might add 
only SNAT traffic that originates from your local LAN.)



Grant. . . .
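The four-step "TCP Triangle" above, modelled as an added example (not code from the thread or from Squid/netfilter): a client, a firewall that DNATs web traffic to the proxy, and the proxy, all on one LAN. It runs the handshake once without SNAT, reproducing the SYN / SYN-ACK / RST seen in the captures, and once with SNAT, where the proxy's reply goes back through the firewall and is un-translated before it reaches the client. The client and proxy addresses and the client port come from the thread; the firewall's LAN address (192.168.111.1) and the web server address (203.0.113.10) are constructed.

```python
"""Model of the 'TCP triangle' Grant describes: a client, a firewall that
DNATs web traffic to a Squid box on the same LAN, and the proxy itself.
Run once without SNAT (the poster's setup) and once with it (the fix).
192.168.111.31 / .9 and port 40550 are from the thread; the firewall's
LAN address and the web server address are constructed for this example."""
from dataclasses import dataclass, replace

CLIENT_IP = "192.168.111.31"
PROXY_IP = "192.168.111.9"
FIREWALL_IP = "192.168.111.1"   # assumed LAN address of the gateway
WEB_IP = "203.0.113.10"         # constructed (TEST-NET-3) web server address
PROXY_PORT = 3128


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # tcpdump notation: "S" SYN, "SA" SYN-ACK, "R" RST


class Client:
    """Accepts a SYN-ACK only from the peer it actually sent a SYN to."""
    def __init__(self):
        self.pending = {}   # local port -> (dst_ip, dst_port) of our SYN
        self.log = []

    def connect(self, dst_ip, dst_port, src_port=40550):
        self.pending[src_port] = (dst_ip, dst_port)
        return Packet(CLIENT_IP, src_port, dst_ip, dst_port, "S")

    def receive(self, pkt):
        if pkt.flags == "SA" and self.pending.get(pkt.dst_port) == (pkt.src_ip, pkt.src_port):
            self.log.append("ESTABLISHED")
            return None
        # Segment from a peer this socket never talked to: the kernel answers RST
        self.log.append(f"RST to {pkt.src_ip}:{pkt.src_port}")
        return Packet(CLIENT_IP, pkt.dst_port, pkt.src_ip, pkt.src_port, "R")


class Firewall:
    """PREROUTING DNAT of ports 80/443 to the proxy, optional POSTROUTING SNAT."""
    def __init__(self, snat):
        self.snat = snat
        self.conntrack = {}  # reverse tuple of a translated flow -> original packet

    def forward(self, pkt):
        reverse = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if reverse in self.conntrack:
            # Reply to a flow we translated: undo both DNAT and SNAT
            orig = self.conntrack[reverse]
            return replace(pkt, src_ip=orig.dst_ip, src_port=orig.dst_port,
                           dst_ip=orig.src_ip, dst_port=orig.src_port)
        if pkt.dst_port in (80, 443) and pkt.src_ip != PROXY_IP:
            new = replace(pkt, dst_ip=PROXY_IP, dst_port=PROXY_PORT)   # DNAT
            if self.snat:
                new = replace(new, src_ip=FIREWALL_IP)                  # SNAT
            self.conntrack[(new.dst_ip, new.dst_port, new.src_ip, new.src_port)] = pkt
            return new
        return pkt


class Proxy:
    """Squid: answer a SYN with a SYN-ACK to whatever source the SYN carried."""
    def receive(self, pkt):
        if pkt.flags == "S":
            return Packet(PROXY_IP, PROXY_PORT, pkt.src_ip, pkt.src_port, "SA")
        return None   # a RST just tears the half-open connection down


def run(snat):
    """Return (client log, packets seen on the wire) for one handshake attempt."""
    client, fw, proxy = Client(), Firewall(snat), Proxy()
    hosts = {CLIENT_IP: client.receive, PROXY_IP: proxy.receive}

    def deliver(pkt):
        # All three hosts share one LAN, so delivery is by destination IP: the
        # proxy's reply reaches the client directly unless it is addressed to
        # the firewall, which is exactly what SNAT arranges.
        if pkt.dst_ip == FIREWALL_IP:
            return fw.forward(pkt)
        handler = hosts.get(pkt.dst_ip)
        return handler(pkt) if handler else None

    pkt = client.connect(WEB_IP, 80)
    trace = [pkt]
    pkt = fw.forward(pkt)        # the firewall is the client's default gateway
    for _ in range(8):           # bounded so a modelling mistake cannot loop forever
        if pkt is None:
            break
        trace.append(pkt)
        pkt = deliver(pkt)
    return client.log, trace


if __name__ == "__main__":
    for snat in (False, True):
        log, trace = run(snat)
        print(f"--- SNAT {'on' if snat else 'off'} ---")
        for p in trace:
            print(f"{p.src_ip}.{p.src_port} > {p.dst_ip}.{p.dst_port}: {p.flags}")
        print("client:", log)
```

In iptables terms the missing rule is a `nat` `POSTROUTING` SNAT (or `MASQUERADE`) for traffic the firewall is sending to the proxy port, restricted to the LAN as Grant suggests, for example `iptables -t nat -A POSTROUTING -s 192.168.111.0/24 -d 192.168.111.9 -p tcp --dport 3128 -j SNAT --to-source <firewall LAN IP>` (the firewall address is a placeholder). The cost is that Squid then logs the firewall's address as the client for every proxied request, so per-client access lists and audit trails in Squid no longer see the real source; the firewall's own LOG rules become the place to keep that information.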

