will port forwarding work here?

will port forwarding work here?

[Payal Rathod]

Hi,
I have 2 squid proxy on two different machines 192.168.0.10 and 
192.168.0.11 All my clients are configured to use 192.168.0.10:3128
Now I want a few specific clients to use 192.168.0.11:3128
Is it possible to write some kind of rule on 192.168.0.10 which will 
*properly* redirect traffic from 192.168.0.10:3128 to 
192.168.0.11:3128 for those clients.  A friend on chat suggested (he 
was not sure),

iptables -A PREROUTING -t nat -s 192.168.0.10 --dport 3128 \
 -j DNAT --to-destination 192.168.0.11

Is there anything else missing?

With warm regards,
-Payal

Re: will port forwarding work here?

[Jason Opperisano]

On Fri, Jan 14, 2005 at 10:35:08AM -0500, Payal Rathod wrote:
> Hi,
> I have 2 squid proxy on two different machines 192.168.0.10 and 
> 192.168.0.11 All my clients are configured to use 192.168.0.10:3128
> Now I want a few specific clients to use 192.168.0.11:3128
> Is it possible to write some kind of rule on 192.168.0.10 which will 
> *properly* redirect traffic from 192.168.0.10:3128 to 
> 192.168.0.11:3128 for those clients.  A friend on chat suggested (he 
> was not sure),
> 
> iptables -A PREROUTING -t nat -s 192.168.0.10 --dport 3128 \
>  -j DNAT --to-destination 192.168.0.11
> 
> Is there anything else missing?

yeah--the same thing that everyone misses when they try and DNAT onto
the same local network:

1) client (192.168.0.100) send TCP SYN to 192.168.0.10 port 3128
2) proxyA (192.168.0.10) DNATs the packet to 192.168.0.11
3) proxyB (192.168.0.11) receives SYN from 192.168.0.100 and replies
   directly with SYN/ACK
4) client (192.168.0.100) receives SYN/ACK from 192.168.0.11 and drops
   it, as client never sent a SYN to 192.168.0.11.

sound familiar?  it feels familiar to me as i type it once again.

options:

1) for the machines that need to proxy to 192.168.0.11, just set their
   proxy to be 192.168.0.11.  no--it's not h4x0r l33t, but it's really
   what you're trying to do, and the "right" way to do it.

2) duct tape it.  on 192.168.0.10:

   # DNAT requests from some clients to 192.168.0.11
   iptables -t nat -A PREROUTING -p tcp -s $SOME_CLIENT --dport 3128 \
     -j DNAT --to-destination 192.168.0.11

   # make requests from some client look like they came from me to avoid
   # asymmetric routing of the DNAT-ed connection
   iptables -t nat -A POSTROUTING -p tcp -s $SOME_CLIENT --dport 3128 \
     -d 192.168.0.11 -j SNAT --to-source 192.168.0.10

as always--i hate this solution for all the reasons everyone has brought
up every time time this has come up previously--it's horribly
inefficient, it destroys your audit trail, etc...

-j

--
"No jury in the world is going to convict a baby ... Maybe Texas."
        --The Simpsons

Re: will port forwarding work here?

[Samuel Jean]

On Fri, January 14, 2005 10:35 am, Payal Rathod said:
> Hi,

Hi!

> Is it possible to write some kind of rule on 192.168.0.10 which will
> *properly* redirect traffic from 192.168.0.10:3128 to
> 192.168.0.11:3128 for those clients.  A friend on chat suggested (he
> was not sure),
>
> iptables -A PREROUTING -t nat -s 192.168.0.10 --dport 3128 \
>  -j DNAT --to-destination 192.168.0.11
>
> Is there anything else missing?

Yes, see NATing on the same network from the Rusty's NAT howto.

Also, please note this will broke HTTP 1.0 which really hates NAT.

What I suggest is configuring both squid in HTTP accel mode (transparent)
and unconfigure your client's browser so they attempt to reach the
world wide web by themself.

Then, make your router silently redirecting packets to whatever the squid
you want.

Read http://www.tldp.org/HOWTO/TransparentProxy.html
Chapter 6 is what you need, I guess.

>
> With warm regards,
> -Payal
>

HTH,

Samuel

Re: will port forwarding work here?

[Payal Rathod]

On Fri, Jan 14, 2005 at 10:55:49AM -0500, Jason Opperisano wrote:
> yeah--the same thing that everyone misses when they try and DNAT 
> onto
> the same local network:
> 
> 1) client (192.168.0.100) send TCP SYN to 192.168.0.10 port 3128
> 2) proxyA (192.168.0.10) DNATs the packet to 192.168.0.11
> 3) proxyB (192.168.0.11) receives SYN from 192.168.0.100 and replies
>    directly with SYN/ACK
> 4) client (192.168.0.100) receives SYN/ACK from 192.168.0.11 and drops
>    it, as client never sent a SYN to 192.168.0.11.
> 
> sound familiar?  it feels familiar to me as i type it once again.

Will it help, if I move the second squid proxy to the DMZ in 
10.10.10.3 ?
With warm regards,
-Payal

Re: will port forwarding work here?

[Jason Opperisano]

On Fri, Jan 14, 2005 at 12:10:08PM -0500, Payal Rathod wrote:
> On Fri, Jan 14, 2005 at 10:55:49AM -0500, Jason Opperisano wrote:
> > yeah--the same thing that everyone misses when they try and DNAT 
> > onto
> > the same local network:
> > 
> > 1) client (192.168.0.100) send TCP SYN to 192.168.0.10 port 3128
> > 2) proxyA (192.168.0.10) DNATs the packet to 192.168.0.11
> > 3) proxyB (192.168.0.11) receives SYN from 192.168.0.100 and replies
> >    directly with SYN/ACK
> > 4) client (192.168.0.100) receives SYN/ACK from 192.168.0.11 and drops
> >    it, as client never sent a SYN to 192.168.0.11.
> > 
> > sound familiar?  it feels familiar to me as i type it once again.
> 
> Will it help, if I move the second squid proxy to the DMZ in 
> 10.10.10.3 ?

yes, because then the traffic routed through the firewall.  just out of
curiosity, is 192.168.0.10 your firewall?

-j

--
"I saw weird stuff in that place last night. Weird, strange, sick,
 twisted, eerie, godless, evil stuff. And I want in."
        --The Simpsons

Re: will port forwarding work here?

[Payal Rathod]

On Fri, Jan 14, 2005 at 12:18:00PM -0500, Jason Opperisano wrote:
> > Will it help, if I move the second squid proxy to the DMZ in 
> > 10.10.10.3 ?
> 
> yes, because then the traffic routed through the firewall.  just out of
> curiosity, is 192.168.0.10 your firewall?

Yes. Will that be a problem then?

With warm regards,
-Payal

Re: will port forwarding work here?

[Jason Opperisano]

On Fri, Jan 14, 2005 at 12:34:57PM -0500, Payal Rathod wrote:
> On Fri, Jan 14, 2005 at 12:18:00PM -0500, Jason Opperisano wrote:
> > > Will it help, if I move the second squid proxy to the DMZ in 
> > > 10.10.10.3 ?
> > 
> > yes, because then the traffic routed through the firewall.  just out of
> > curiosity, is 192.168.0.10 your firewall?
> 
> Yes. Will that be a problem then?

no--that makes it nice and clean.

-j

--
"I've figured out an alternative to giving up my beer. Basically,
 we become a family of traveling acrobats!"
        --The Simpsons

Re: will port forwarding work here?

[Jose Maria Lopez]

El vie, 14 de 01 de 2005 a las 16:35, Payal Rathod escribió:
> Hi,
> I have 2 squid proxy on two different machines 192.168.0.10 and 
> 192.168.0.11 All my clients are configured to use 192.168.0.10:3128
> Now I want a few specific clients to use 192.168.0.11:3128
> Is it possible to write some kind of rule on 192.168.0.10 which will 
> *properly* redirect traffic from 192.168.0.10:3128 to 
> 192.168.0.11:3128 for those clients.  A friend on chat suggested (he 
> was not sure),
> 
> iptables -A PREROUTING -t nat -s 192.168.0.10 --dport 3128 \
>  -j DNAT --to-destination 192.168.0.11
> 
> Is there anything else missing?
> 
> With warm regards,
> -Payal

The easiest way to do this without problems it's just using source
routing, with the iproute2 feature of the kernel. Just use some
"ip" commands to route the traffic to one or the other machine.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"