* How to redirect browsers with static proxy settings in iptables?
From: Todd Landfried @ 2004-07-22 21:48 UTC (permalink / raw)
To: netfilter
I'm new to this firewall stuff, so any assistance would be greatly
appreciated. I've RTFM as much as I can, but nothing seems to fit this
situation exactly. Maybe I'm not asking the questions correctly in Google.
I have a Linux 7.3 (2.4.20-28) server with two NICs. One is eth0 and
connects to the router. The other is eth1 and connects to the switch that
connects the computers in the house. We have a couple of laptops that have to
have static proxy settings in the browser for work, but it's a royal pain to
have to go and unclick the "use proxy" settings all the time. I'm being
pressured to find a solution--if you know what I mean.
Let's say the proxy settings are:
IP: 68.152.65.65
Port: 80
Let's say the internal network is 10.1.0.x. I've also installed squid
(2.4.stable6) and I think I have that correct, but it's not working. I may
be missing some component, but I'm not sure.
How do I create a rule that will route the browser traffic through the Linux
box without having to uncheck the silly checkbox every time she comes home?
Any solution or guidance would be appreciated.
Thanks
Todd
* Re: How to redirect browsers with static proxy settings in iptables?
From: Mark Anacker @ 2004-07-22 23:05 UTC (permalink / raw)
To: Todd Landfried; +Cc: netfilter
How about:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 68.152.65.65 --dport 80 \
    -j REDIRECT --to-port 80
You might need to change the "--to-port 80" to "--to-port 8080" if you
have Squid on that port.
Todd Landfried wrote:
> I'm new to this firewall stuff, so any assistance would be greatly
> appreciated. I've RTFM as much as I can, but nothing seems to fit this
> situation exactly. Maybe I'm not asking the questions correctly in Google.
>
> I have a Linux 7.3 (2.4.20-28) server with two NICs. One is eth0 and
> connects to the router. The other is eth1 and connects to the switch
> that connects the computers in the house. We have a couple of laptops
> that have to have static proxy settings in the browser for work, but
> it's a royal pain to have to go and unclick the "use proxy" settings all
> the time. I'm being pressured to find a solution--if you know what I mean.
>
> Let's say the proxy settings are:
>
> IP: 68.152.65.65
> Port: 80
>
> Let's say the internal network is 10.1.0.x. I've also installed squid
> (2.4.stable6) and I think I have that correct, but it's not working. I
> may be missing some component, but I'm not sure.
>
> How do I create a rule that will route the browser traffic through the
> Linux box without having to uncheck the silly checkbox every time she
> comes home?
>
> Any solution or guidance would be appreciated.
>
> Thanks
>
> Todd
>
--
Mark Anacker
Chameleon Technology, Inc.
* Re: How to redirect browsers with static proxy settings in iptables?
From: Todd Landfried @ 2004-07-25 13:00 UTC (permalink / raw)
To: netfilter
How does one know if a given packet is destined for a proxy server or not?
Is there something in the packet that I can look for that tells me this? I
know there's the port, but HTTP traffic also uses port 80. The reason I ask
is because the proxy address sometimes changes.
Thanks
Todd
>From: Askar Ali Khan <askarali@gmail.com>
>To: Todd Landfried <tlandfried@hotmail.com>
>Subject: Re: How to redirect browsers with static proxy settings in iptables?
>Date: Fri, 23 Jul 2004 14:58:47 +0500
>
>Hi Todd
>
>you only need these rules for transparent proxy
>
>## Enable forwarding
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>## Enable MASQUERADE for router
>iptables --table nat --append POSTROUTING -s 192.168.0.0/24 \
>    --out-interface eth0 -j MASQUERADE
>
>## Enable Transparent proxy using squid port
>iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT \
>    --to-port 3128
>
>change port 3128 if you are running squid on some other ports such as 8080
>
>Regards
>Askar
>On Thu, 22 Jul 2004 14:48:52 -0700, Todd Landfried
><tlandfried@hotmail.com> wrote:
> > I'm new to this firewall stuff, so any assistance would be greatly
> > appreciated. I've RTFM as much as I can, but nothing seems to fit this
> > situation exactly. Maybe I'm not asking the questions correctly in Google.
> >
> > I have a Linux 7.3 (2.4.20-28) server with two NICs. One is eth0 and
> > connects to the router. The other is eth1 and connects to the switch that
> > connects the computers in the house. We have a couple of laptops that have to
> > have static proxy settings in the browser for work, but it's a royal pain to
> > have to go and unclick the "use proxy" settings all the time. I'm being
> > pressured to find a solution--if you know what I mean.
> >
> > Let's say the proxy settings are:
> >
> > IP: 68.152.65.65
> > Port: 80
> >
> > Let's say the internal network is 10.1.0.x. I've also installed squid
> > (2.4.stable6) and I think I have that correct, but it's not working. I may
> > be missing some component, but I'm not sure.
> >
> > How do I create a rule that will route the browser traffic through the Linux
> > box without having to uncheck the silly checkbox every time she comes home?
> >
> > Any solution or guidance would be appreciated.
> >
> > Thanks
> >
> > Todd
* Re: How to redirect browsers with static proxy settings in iptables?
From: Antony Stone @ 2004-07-25 13:24 UTC (permalink / raw)
To: netfilter
On Sunday 25 July 2004 2:00 pm, Todd Landfried wrote:
> How does one know if a given packet is destined for a proxy server or not?
One doesn't. That's why transparent proxying can work - proxies accept
normal HTTP requests in exactly the same format as those sent direct to
servers.
> Is there something in the packet that I can look for that tells me this?
No. You can sometimes (but not always) tell from the reply that it came
through a proxy, but you can't tell from the request.
> I know there's the port, but HTTP traffic also uses port 80.
Proxies commonly use port 8080 or 3128.
> The reason I ask is because the proxy address sometimes changes.
I don't understand (I think). Are you trying to intercept HTTP requests from
browsers (in which case you just intercept *all* TCP port 80/8080/3128
traffic, no matter where it's addressed to), or are you saying that you can't
keep track of where to redirect it to, because the proxy address moves around
(in which case you're as stuck as someone running a browser would be, trying
to direct requests to a moving proxy).
What exactly is the problem?
Regards,
Antony.
--
"I estimate there's a world market for about five computers."
- Thomas J Watson, Chairman of IBM
Please reply to the list;
please don't CC me.
* Re: How to redirect browsers with static proxy settings in iptables?
From: Todd Landfried @ 2004-07-25 17:35 UTC (permalink / raw)
To: netfilter
Thank you for the response.
The problem is the proxy setting may change as she moves from office to
office. Therefore, I'd like to set it up so regardless of what HER
settings are, they'll work here.
Todd
On Jul 25, 2004, at 6:24 AM, Antony Stone wrote:
> I don't understand (I think). Are you trying to intercept HTTP requests
> from browsers (in which case you just intercept *all* TCP port
> 80/8080/3128 traffic, no matter where it's addressed to), or are you
> saying that you can't keep track of where to redirect it to, because the
> proxy address moves around (in which case you're as stuck as someone
> running a browser would be, trying to direct requests to a moving proxy).
>
> What exactly is the problem?
>
> Regards,
>
> Antony.
* Re: How to redirect browsers with static proxy settings in iptables?
From: Antony Stone @ 2004-07-25 17:47 UTC (permalink / raw)
To: netfilter
On Sunday 25 July 2004 6:35 pm, Todd Landfried wrote:
> Thank you for the response.
>
> The problem is the proxy setting may change as she moves from office to
> office. Therefore, I'd like to set it up so regardless of what HER
> settings are, they'll work here.
Then simply intercept all packets addressed to whichever port/s the proxies
listen on, no matter what the destination address is, eg:
iptables -A PREROUTING -t nat -p tcp --dport 3128 -j DNAT --to a.b.c.d
iptables -A PREROUTING -t nat -p tcp --dport 8080 -j DNAT --to a.b.c.d
etc., where a.b.c.d is the proxy you want to redirect the user to.
Alternatively intercept the packets from the particular machine (I assume this
mobile user either has a standard static address each time she's on your
network, or else you use DHCP and can tie her MAC address to a known IP
address).
Regards,
Antony.
> On Jul 25, 2004, at 6:24 AM, Antony Stone wrote:
> > I don't understand (I think). Are you trying to intercept HTTP requests
> > from browsers (in which case you just intercept *all* TCP port
> > 80/8080/3128 traffic, no matter where it's addressed to), or are you
> > saying that you can't keep track of where to redirect it to, because the
> > proxy address moves around (in which case you're as stuck as someone
> > running a browser would be, trying to direct requests to a moving proxy).
> >
> > What exactly is the problem?
> >
> > Regards,
> >
> > Antony.
--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
Please reply to the list;
please don't CC me.
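
Added example, not part of any message in this thread: a POSIX shell script for the port-based interception suggested above, using REDIRECT to a local Squid (as in the earlier replies) instead of DNAT, and scoped to the LAN interface and subnet so that only internal clients are intercepted. The interface eth1 and the 10.1.0.x network come from the original post; the Squid port 3128 and all variable and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: LAN side is eth1 and
# 10.1.0.0/24 (from the original post), Squid listens locally on 3128.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.1.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Ports a laptop's configured proxy might use (the ones named in the replies).
PROXY_PORTS="${PROXY_PORTS:-80 8080 3128}"

# Print one PREROUTING rule spec per valid port. There is no -d match, so the
# rule fires whatever proxy address the browser is set to; -i and -s limit it
# to traffic that really arrives from the LAN.
proxy_rule_specs() {
    for port in $PROXY_PORTS; do
        case "$port" in
            ''|*[!0-9]*) echo "skipping invalid port: $port" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skipping out-of-range port: $port" >&2
            continue
        fi
        echo "-i $LAN_IF -s $LAN_NET -p tcp --dport $port -j REDIRECT --to-ports $SQUID_PORT"
    done
}

# Install the rules; -C checks for an identical rule first so that running
# the script again does not stack duplicates.
apply_rules() {
    proxy_rule_specs | while read -r spec; do
        # $spec is deliberately unquoted so it splits into separate arguments
        iptables -t nat -C PREROUTING $spec 2>/dev/null ||
            iptables -t nat -A PREROUTING $spec
    done
}

# Dry run by default: print the commands. Run as root with APPLY=1 to install.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    proxy_rule_specs | sed 's/^/iptables -t nat -A PREROUTING /'
fi
```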