Subject: attempting to transparently proxy with this script to no avail
From: joe z
Date: 2005-03-07 18:23 UTC
To: netfilter
Hello all,

I'm attempting to run a transparent proxy with the iptables script below... to no avail. This box sits inline between the firewall and the internal switch, and everything works except the transparent proxy part. The box routes traffic properly, and when I point the browser at the proxy on 8080, all good. The proxy goes dansguardian -> squid -> privoxy. Additionally I have snort inline running as well, and that works. The box is FC2 and squid is installed via yum. 11.10 is internal and 11.8 faces the firewall.

So far I have tried multiple combinations: when I comment out all rules except INPUT, OUTPUT and FORWARD ACCEPT, all good; when I comment out the nat table lines and uncomment the mangle table and use the queue and snort, all good; when I comment out the mangle table and queue and uncomment the nat redirect (leaving the -j DROP commented), everything works, just not the proxy... In other words HTTP passes through the box but it doesn't get sent to/through the proxy (I confirmed this with tcpdump) and, most interestingly, when I comment the redirect and uncomment the -j DROP, it doesn't drop HTTP or anything else for that matter (?). Below is the script and the relevant squid.conf entries. Any thoughts? Am I missing something (obvious?) here?
#!/bin/sh
# load the netfilter targets the script uses
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REDIRECT
#/sbin/modprobe ip_queue

# start from empty tables
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X

# route between the two interfaces, accept everything by default
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
#iptables -t mangle -P PREROUTING ACCEPT

# hand TCP port 80 arriving on the inside interface (eth0) to the proxy on 8080
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t mangle -A PREROUTING -j QUEUE

# interfaces: eth0 192.168.11.10 (inside), eth1 192.168.11.8 (firewall side)
ifdown eth1
ifdown eth0
ifup eth0
ifup eth1
ifconfig eth1 192.168.11.8 netmask 255.255.255.0
ifconfig eth0 192.168.11.10 netmask 255.255.255.0
ifconfig eth0 promisc
ifconfig eth1 promisc
ifconfig eth1 arp
ifconfig eth0 arp

# the firewall 192.168.11.2 is the default gateway, reached via eth1
route add 192.168.11.2 dev eth1
route add default gw 192.168.11.2
# and the relevant squid.conf entries:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Subject: Re: attempting to transparently proxy with this script to no avail
From: Jörg Harmuth
Date: 2005-03-08 9:35 UTC
To: netfilter
Hi,

some ideas. Maybe they are wrong.

First, you shouldn't filter in the nat table, and so not in PREROUTING. PREROUTING sees only the very first packet of a connection. The rest is done in the state machine. Subsequent packets of a connection don't traverse PREROUTING. Thus you should stick to the usual approach: filter in the filter table and use the nat table for NAT.

Proxy. It seems that your squid box has two NICs and that the NICs are on the *same* network (xxx.xxx.11.0/24?). Right? If so, you definitely have a routing problem and an unclean network setup. You should solve this first. Give the firewall side e.g. the network xxx.xxx.12.0/24 and point the default gateway to the firewall. Maybe this solves your problem already. If not, it would be great if you could supply the new network layout (maybe a little ASCII art?) and some captured packets to see where the traffic goes.

HTH
Jörg
--
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
Subject: attempting to transparently proxy with this script to no avail
From: joe z
Date: 2005-03-01 22:03 UTC
To: netfilter
This script runs everything fine, just the redirect doesn't. The proxy works fine when the browser is pointed at it.
#!/bin/sh
# load the netfilter targets the script uses
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REDIRECT

# start from empty tables
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X

# route between the two interfaces, accept everything by default
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

# send TCP port 80 from any interface to the proxy on 8080
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

# interfaces: eth0 192.168.11.10 (inside), eth1 192.168.11.8 (firewall side)
ifdown eth1
ifdown eth0
ifup eth0
ifup eth1
ifconfig eth1 192.168.11.8 netmask 255.255.255.0
ifconfig eth0 192.168.11.10 netmask 255.255.255.0
ifconfig eth0 promisc
ifconfig eth1 promisc
ifconfig eth1 arp
ifconfig eth0 arp

# the firewall 192.168.11.2 is the default gateway, reached via eth1
route add 192.168.11.2 dev eth1
route add default gw 192.168.11.2
Subject: Re: attempting to transparently proxy with this script to no avail
From: Jason Opperisano
Date: 2005-03-02 5:33 UTC
To: netfilter
On Tue, 2005-03-01 at 17:03, joe z wrote:
> This script runs everything fine, just the redirect doesn't. The proxy works
> fine when the browser is pointed at it.
>
> /sbin/depmod -a
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REDIRECT
>
> iptables -F
> iptables -t mangle -F
> iptables -t nat -F
> iptables -X
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
first--when you look at the output of:
iptables -t nat -vnxL
do you see the packet count incrementing on that rule--if so, good.
second--the proxy *is* running on port 8080, right? k--moving on...
third--the proxy *is* configured for transparent operation, right? for
example, if the proxy in question is squid:
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s4
as an aside--it would be better form to specify only packets arriving on
the inside interface in your REDIRECT rule; i.e, "-i $INSIDE_IF"
> ifdown eth1
> ifdown eth0
> ifup eth0
> ifup eth1
> ifconfig eth1 192.168.11.8 netmask 255.255.255.0
> ifconfig eth0 192.168.11.10 netmask 255.255.255.0
um... err... never mind... wait--i'll bite...this machine *is*
forcibly in the path between all web browsers and the Internet, right?
<--snip-->
-j
--
"Ooh, they used nylon rope this time. It feels smooth against my skin,
almost sensuous."
--The Simpsons