* On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: John G. Norman @ 2005-05-02 18:42 UTC (permalink / raw)
To: netfilter
Hi. I've been reading through the FAQ and some of the recent list
history, and haven't found much guidance on the problem below.
I am trying to do a transparent proxy from port 80 to port 8080. I've
had no problem doing this on a recent release of SuSE (iptables
1.2.9), but something's not working on Fedora 3.
The version of iptables on this release of Fedora is 1.2.11.
/proc/sys/net/ipv4/ip_forward shows: 1
(any other settings in /proc/sys/net/ipv4 that could affect this?)
I've tried it two ways, which I think should be equivalent (the
system's IP is 192.168.10.101):
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
Port 8080 is definitely open, and I can browse to that port with no
problems. For 80, I get connection refused.
My filter table is wide open; nothing in mangle, and I show below
what's in nat to show that the setting is at least there. Also below I
show the nat table when I use -j REDIRECT.
Any ideas? I'm completely stumped.
John
[root@preview preview]# /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 944 packets, 351K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 653 packets, 143K bytes)
pkts bytes target prot opt in out source destination
[root@preview preview]#
[root@preview preview]# /sbin/iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@preview preview]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.10.101:8080
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
====================================================
And here's the nat table when I use -j REDIRECT (looks good . . .):
[root@preview preview]# !352
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
[root@preview preview]# /sbin/iptables -t nat -LUT
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@preview preview]#
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: Jason Opperisano @ 2005-05-02 18:51 UTC (permalink / raw)
To: netfilter
On Mon, May 02, 2005 at 02:42:55PM -0400, John G. Norman wrote:
> Hi. I've been reading through the FAQ and some of the recent list
> history, and haven't found much guidance on the problem below.
>
> I am trying to do a transparent proxy from port 80 to port 8080. I've
> had no problem doing this on a recent release of SuSE (iptables
> 1.2.9), but something's not working on Fedora 3.
>
> The version of iptables on this release of Fedora is 1.2.11
>
> /proc/sys/net/ipv4/ip_forward shows: 1
>
> (any other settings in /proc/sys/net/ipv4 that could affect this?)
>
> I've tried it two ways, which I think should be equivalent (the
> system's IP is 192.168.10.101):
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
>
> Port 8080 is definitely open, and I can browse to that port with no
> problems. For 80, I get connection refused.
>
> My filter table is wide open; nothing in mangle, and I show below
> what's in nat to show that the setting is at least there. Also below I
> show the nat table when I use -j REDIRECT.
>
> Any ideas? I'm completely stumped.
>
> John
what's the output of: netstat -lnt
-j
--
"Brian: You got anything on that remote lower than Mute?"
--Family Guy
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: John G. Norman @ 2005-05-02 19:04 UTC (permalink / raw)
To: Jason Opperisano, netfilter
Thanks, Jason. Here's netstat.
[root@preview mysql-standard-4.1.11-pc-linux-gnu-i686]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 ::ffff:127.0.0.1:8005   :::*                    LISTEN
tcp        0      0 :::8080                 :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
On 5/2/05, Jason Opperisano <opie@817west.com> wrote:
> On Mon, May 02, 2005 at 02:42:55PM -0400, John G. Norman wrote:
> > Hi. I've been reading through the FAQ and some of the recent list
> > history, and haven't found much guidance on the problem below.
> >
> > I am trying to do a transparent proxy from port 80 to port 8080. I've
> > had no problem doing this on a recent release of SuSE (iptables
> > 1.2.9), but something's not working on Fedora 3.
> >
> > The version of iptables on this release of Fedora is 1.2.11
> >
> > /proc/sys/net/ipv4/ip_forward shows: 1
> >
> > (any other settings in /proc/sys/net/ipv4 that could affect this?)
> >
> > I've tried it two ways, which I think should be equivalent (the
> > system's IP is 192.168.10.101):
> >
> > /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> >
> > /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
> >
> > Port 8080 is definitely open, and I can browse to that port with no
> > problems. For 80, I get connection refused.
> >
> > My filter table is wide open; nothing in mangle, and I show below
> > what's in nat to show that the setting is at least there. Also below I
> > show the nat table when I use -j REDIRECT.
> >
> > Any ideas? I'm completely stumped.
> >
> > John
>
> what's the output of: netstat -lnt
>
> -j
>
> --
> "Brian: You got anything on that remote lower than Mute?"
> --Family Guy
>
>
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: Taylor, Grant @ 2005-05-02 19:42 UTC (permalink / raw)
To: netfilter
> /proc/sys/net/ipv4/ip_forward shows: 1
...
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
I'm not trying to doubt you but either you took the info from iptables before any traffic has passed through the forward chain or there is a problem that is preventing traffic from traversing the forward chain. You did say that you set ip_forward to 1 which should allow traffic to be forwarded. Do an iptables -L -n -v to see if any traffic is passing through your forward chain.
Grant. . . .
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: John G. Norman @ 2005-05-02 20:55 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter
Thanks again for the feedback.
You're right; here's some more detail. To make this even easier, I
have turned off what was on port 8080, and have started Apache on port
80, and now I'll attempt to redirect from port 8080 to port 80
(reverse of what I was trying earlier). First I'll flush the tables,
then I'll add my rule, then I'll do a request (I'll use wget, but it's
the same with a browser, etc.) on port 80, and then on port 8080; and
then I'll show the traffic through the chains.
0 packets through the rule on the "nat" table. I just don't get it.
Here's a transcript:
[root@preview ~]# /sbin/iptables -t filter -F
[root@preview ~]# /sbin/iptables -t mangle -F
[root@preview ~]# /sbin/iptables -t nat -F
[root@preview ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@preview ~]# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 80
[root@preview ~]# wget http://localhost >/dev/null
--16:56:06-- http://localhost/
=> `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35 [text/html]
100%[====================================>] 35 --.--K/s
16:56:06 (341.80 KB/s) - `index.html' saved [35/35]
[root@preview ~]# wget http://localhost:8080 >/dev/null
--16:56:10-- http://localhost:8080/
=> `index.html.1'
Resolving localhost... 127.0.0.1
Connecting to localhost[127.0.0.1]:8080... failed: Connection refused.
[root@preview ~]# /sbin/iptables -L -n -v
Chain INPUT (policy ACCEPT 48367 packets, 43M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 28546 packets, 2657K bytes)
pkts bytes target prot opt in out source destination
[root@preview ~]# /sbin/iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 35 packets, 3732 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 80
Chain POSTROUTING (policy ACCEPT 367 packets, 16375 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 367 packets, 16375 bytes)
pkts bytes target prot opt in out source destination
[root@preview ~]#
On 5/2/05, Taylor, Grant <gtaylor@riverviewtech.net> wrote:
> > /proc/sys/net/ipv4/ip_forward shows: 1
>
> ...
>
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
>
> I'm not trying to doubt you but either you took the info from iptables before any traffic has passed through the forward chain or there is a problem that is preventing traffic from traversing the forward chain. You did say that you set ip_forward to 1 which should allow traffic to be forwarded. Do an iptables -L -n -v to see if any traffic is passing through your forward chain.
>
>
> Grant. . . .
>
>
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: Jason Opperisano @ 2005-05-02 20:57 UTC (permalink / raw)
To: netfilter
On Mon, May 02, 2005 at 03:04:20PM -0400, John G. Norman wrote:
> tcp 0 0 :::8080 :::* LIST
k--so the cheap -n- easy stab was that nothing was listening on TCP port
8080.
here's how i would go about checking this...first--use the REDIRECT
method, as it's the "normal" way to do transparent proxying. next:
even though your firewall is wide-open, create a rule like:
iptables -A INPUT -i $INSIDE_IF -p tcp --dport 8080 -j ACCEPT
with the REDIRECT rule and the ACCEPT rule in place, generate some HTTP
traffic from a client behind the firewall.
using "iptables -t nat -vnxL" is the REDIRECT rule getting hits?
if not--HTTP traffic is never making it to this gateway.
using "iptables -vnxL" is the ACCEPT rule getting hits?
if not--there's something wrong with your REDIRECT rule (most likely the
inbound interface). if it is--packets should be making it to the squid
proxy--is squid set up for transparent proxying?
HTH...
-j
--
"Brian: Whose leg do I have to hump to get a dry martini around here?"
--Family Guy
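Jason's counter-based procedure, written out as an added example (this is not code from the thread or from the netfilter project): a Python script that takes `iptables -t nat -vnxL` and `iptables -vnxL` listings captured before and after a client behind the gateway generates HTTP traffic, parses the per-rule packet counters, and applies the same decision tree. The listings are constructed here in the column layout the thread shows; the eth0 inside interface and the 8080 proxy port follow the thread, while the counter values and the listing helpers are made up for the example.

```python
import re

def nat_listing(pkts, nbytes):
    """Constructed `iptables -t nat -vnxL` output: one REDIRECT rule with the given counters."""
    return (
        "Chain PREROUTING (policy ACCEPT 35 packets, 3732 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
        f"{pkts:>8} {nbytes:>10} REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080\n"
        "\n"
        "Chain POSTROUTING (policy ACCEPT 367 packets, 16375 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
        "\n"
        "Chain OUTPUT (policy ACCEPT 367 packets, 16375 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
    )

def filter_listing(pkts, nbytes):
    """Constructed `iptables -vnxL` output: the INPUT ACCEPT rule for the proxy port."""
    return (
        "Chain INPUT (policy ACCEPT 48367 packets, 45088768 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
        f"{pkts:>8} {nbytes:>10} ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080\n"
        "\n"
        "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
        "\n"
        "Chain OUTPUT (policy ACCEPT 28546 packets, 2720768 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
    )

# Snapshots taken "before" and "after" a client behind the gateway fetched a web page (made-up counters).
NAT_BEFORE, NAT_AFTER = nat_listing(0, 0), nat_listing(12, 720)
FILTER_BEFORE, FILTER_AFTER = filter_listing(0, 0), filter_listing(12, 720)

RULE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

def parse_counters(listing):
    """Map (chain, rule text after the counters) -> (pkts, bytes) for every rule line."""
    rules, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]      # "Chain PREROUTING (policy ...)" -> PREROUTING
            continue
        m = RULE_LINE.match(line)
        if chain is None or m is None:   # column header, blank line, or text before any chain
            continue
        pkts, nbytes, target, rest = m.groups()
        rules[(chain, target + " " + " ".join(rest.split()))] = (int(pkts), int(nbytes))
    return rules

def rule_hits(before, after, chain, target, match_re):
    """Packets that hit the first rule in `chain` with this target whose text matches
    match_re, between the two snapshots; None when no such rule exists."""
    for (c, text), (pkts_after, _) in after.items():
        if c == chain and text.startswith(target + " ") and re.search(match_re, text):
            return pkts_after - before.get((c, text), (0, 0))[0]
    return None

def diagnose(nat_before, nat_after, filter_before, filter_after):
    """Jason's decision tree: did the REDIRECT rule fire, and did the packets then
    land on the proxy port in INPUT?"""
    redirected = rule_hits(parse_counters(nat_before), parse_counters(nat_after),
                           "PREROUTING", "REDIRECT", r"dpt:80(?!\d)")
    accepted = rule_hits(parse_counters(filter_before), parse_counters(filter_after),
                         "INPUT", "ACCEPT", r"dpt:8080(?!\d)")
    if redirected is None:
        return "NO_REDIRECT_RULE"
    if redirected == 0:
        return "NO_CLIENT_TRAFFIC"    # HTTP never reached this gateway's PREROUTING hook
    if accepted is None:
        return "NO_ACCEPT_RULE"
    if accepted == 0:
        return "REDIRECT_MISMATCH"    # REDIRECT fired but nothing arrived on 8080 via the inside interface
    return "CHECK_PROXY_CONFIG"       # packets reach the proxy port: look at its transparent mode

if __name__ == "__main__":
    print(diagnose(NAT_BEFORE, NAT_AFTER, FILTER_BEFORE, FILTER_AFTER))
```

Counters are keyed by chain plus the normalised rule text, so the same rule is found in both snapshots even when the columns shift width between runs; the negative lookahead in the port patterns keeps `dpt:80` from matching `dpt:8080`.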
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: Jason Opperisano @ 2005-05-02 21:01 UTC (permalink / raw)
To: netfilter
On Mon, May 02, 2005 at 04:55:00PM -0400, John G. Norman wrote:
> Here's a transcript:
>
> [root@preview ~]# /sbin/iptables -t filter -F
> [root@preview ~]# /sbin/iptables -t mangle -F
> [root@preview ~]# /sbin/iptables -t nat -F
> [root@preview ~]# cat /proc/sys/net/ipv4/ip_forward
> 1
> [root@preview ~]# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 80
> [root@preview ~]# wget http://localhost >/dev/null
your problem is your testing methodology. do not try and test
transparent proxying from the proxy machine itself--it's not a valid
test of what you really want; which is transparent proxying of client
requests made from machines behind the proxy.
start testing from behind the firewall/proxy and see if you still have
problems.
-j
--
"Stewie: It rubs the lotion on its skin or else it gets the hose again."
--Family Guy
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: Ramoni @ 2005-05-02 21:12 UTC (permalink / raw)
To: Jason Opperisano, netfilter
And the prerouting chain at the nat table is not valid for locally generated
packets.
The output chain is for that.
But in all cases, I think Jason is right.
On Monday 02 May 2005 18:01, Jason Opperisano wrote:
> On Mon, May 02, 2005 at 04:55:00PM -0400, John G. Norman wrote:
> > Here's a transcript:
> >
> > [root@preview ~]# /sbin/iptables -t filter -F
> > [root@preview ~]# /sbin/iptables -t mangle -F
> > [root@preview ~]# /sbin/iptables -t nat -F
> > [root@preview ~]# cat /proc/sys/net/ipv4/ip_forward
> > 1
> > [root@preview ~]# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 80
> > [root@preview ~]# wget http://localhost >/dev/null
>
> your problem is your testing methodology. do not try and test
> transparent proxying from the proxy machine itself--it's not a valid
> test of what you really want; which is transparent proxying of client
> requests made from machines behind the proxy.
>
> start testing from behind the firewall/proxy and see if you still have
> problems.
>
> -j
>
> --
> "Stewie: It rubs the lotion on its skin or else it gets the hose again."
> --Family Guy
--
André "Ramoni" (Cabelo)
Networks / Linux
No Windows
Databras Informatica
Tel: (21) 2518-2363
Fax: (21) 2263-6830
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: John G. Norman @ 2005-05-02 21:15 UTC (permalink / raw)
To: Jason Opperisano, netfilter
Jason,
THAT'S IT. Thank you. I was making my requests from the box itself.
I will reply in a sec to Ramoni's msg.
John
On 5/2/05, Jason Opperisano <opie@817west.com> wrote:
> On Mon, May 02, 2005 at 04:55:00PM -0400, John G. Norman wrote:
> > Here's a transcript:
> >
> > [root@preview ~]# /sbin/iptables -t filter -F
> > [root@preview ~]# /sbin/iptables -t mangle -F
> > [root@preview ~]# /sbin/iptables -t nat -F
> > [root@preview ~]# cat /proc/sys/net/ipv4/ip_forward
> > 1
> > [root@preview ~]# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 80
> > [root@preview ~]# wget http://localhost >/dev/null
>
> your problem is your testing methodology. do not try and test
> transparent proxying from the proxy machine itself--it's not a valid
> test of what you really want; which is transparent proxying of client
> requests made from machines behind the proxy.
>
> start testing from behind the firewall/proxy and see if you still have
> problems.
>
> -j
>
> --
> "Stewie: It rubs the lotion on its skin or else it gets the hose again."
> --Family Guy
>
>
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: John G. Norman @ 2005-05-02 21:18 UTC (permalink / raw)
To: Ramoni; +Cc: netfilter
Ramoni,
Thank you (and Jason) very, very much. I didn't know that the
prerouting chain for the nat table is not valid for locally generated
packets.
Just to get this into the thread: Why is the output chain the right
place for locally generated packets?
I.e., if I did want a request to port 80 from the local machine to get
redirected to port 8080, what would I do?
John
On 5/2/05, Ramoni <ramoni@databras.com.br> wrote:
> And the prerouting chain at the nat table is not valid for locally generated
> packets.
> The output chain is for that.
>
> But in all cases, I think Jason is right.
>
> On Monday 02 May 2005 18:01, Jason Opperisano wrote:
> > On Mon, May 02, 2005 at 04:55:00PM -0400, John G. Norman wrote:
> > > Here's a transcript:
> > >
> > > [root@preview ~]# /sbin/iptables -t filter -F
> > > [root@preview ~]# /sbin/iptables -t mangle -F
> > > [root@preview ~]# /sbin/iptables -t nat -F
> > > [root@preview ~]# cat /proc/sys/net/ipv4/ip_forward
> > > 1
> > > [root@preview ~]# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 80
> > > [root@preview ~]# wget http://localhost >/dev/null
> >
> > your problem is your testing methodology. do not try and test
> > transparent proxying from the proxy machine itself--it's not a valid
> > test of what you really want; which is transparent proxying of client
> > requests made from machines behind the proxy.
> >
> > start testing from behind the firewall/proxy and see if you still have
> > problems.
> >
> > -j
> >
> > --
> > "Stewie: It rubs the lotion on its skin or else it gets the hose again."
> > --Family Guy
>
> --
> André "Ramoni" (Cabelo)
> Networks / Linux
> No Windows
> Databras Informatica
> Tel: (21) 2518-2363
> Fax: (21) 2263-6830
>
>
* Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)
From: Taylor, Grant @ 2005-05-02 21:55 UTC (permalink / raw)
To: netfilter
Thank you Ramoni, you beat me to the punch. The PREROUTING chain is for packets inbound and forwarding through the host (I believe), not packets that are generated on the box and will be going out to the world. For packets generated on the box and going out to the world the OUTPUT chain is what you want to add your rules to.
IMHO there is nothing wrong with testing from the box that is doing the (trans)proxying itself, you just have to be aware that it will follow different rules than the rest of the network. The same applies for IPSec VPNs via (Free|Open)SWAN. I personally always start testing from the firewall itself via pings, but I include the "-I" parameter to tell ping what IP to use thus emulating traffic that will be coming in from the LAN vs just going out via the WAN. IMHO this is better in the long run to know how to do as you can do some preliminary testing via SSH connections without having to have any access to a client system. Thus you should know how to do the testing from the firewall itself.
Grant. . . .
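The point Ramoni and Grant make (locally generated packets traverse the nat OUTPUT chain, never PREROUTING) and John's follow-up question, as an added example that is not code from the thread or from netfilter: a small Python model of first-match REDIRECT evaluation on the nat chains a packet actually passes through. The proxy address 192.168.10.101 on eth0 comes from the thread; the client and remote addresses, the second interface, and the `-o lo` restriction on the OUTPUT rule (the iptables rule John asked for would be `iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080`) are assumptions chosen for the example. REDIRECT's rewrite of the destination to the receiving interface's address, or to 127.0.0.1 for locally generated packets, follows the iptables man page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address plan for the model: 192.168.10.101 on eth0 is the proxy host from the thread;
# the loopback address and every other address below are assumptions for this example.
HOST_ADDRS = {"eth0": "192.168.10.101", "lo": "127.0.0.1"}

@dataclass(frozen=True)
class Rule:
    """One `-t nat -A <chain> [-i/-o iface] -p tcp --dport <dport> -j REDIRECT --to-port <to_port>` rule."""
    chain: str                       # "PREROUTING" or "OUTPUT"
    dport: int
    to_port: int
    in_iface: Optional[str] = None   # -i match (meaningful only in PREROUTING)
    out_iface: Optional[str] = None  # -o match (meaningful only in OUTPUT)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]          # None: generated by this host
    out_iface: str                   # interface chosen by the routing decision

def nat_chains(pkt: Packet) -> List[str]:
    """nat chains the first packet of a connection traverses before the routing decision:
    locally generated packets hit OUTPUT; packets arriving on an interface hit PREROUTING.
    POSTROUTING is omitted because REDIRECT is not valid there."""
    return ["OUTPUT"] if pkt.in_iface is None else ["PREROUTING"]

def apply_redirect(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], str, int]:
    """First-match evaluation of REDIRECT rules on the chains the packet traverses.
    Returns (matching chain or None, resulting destination address, resulting port)."""
    for chain in nat_chains(pkt):
        for r in rules:
            if r.chain != chain or r.dport != pkt.dport:
                continue
            if r.in_iface is not None and r.in_iface != pkt.in_iface:
                continue
            if r.out_iface is not None and r.out_iface != pkt.out_iface:
                continue
            # REDIRECT: destination becomes the receiving interface's primary address,
            # or 127.0.0.1 for a locally generated packet.
            new_dst = HOST_ADDRS[pkt.in_iface] if pkt.in_iface else "127.0.0.1"
            return chain, new_dst, r.to_port
    return None, pkt.dst, pkt.dport

# The thread's rule set: REDIRECT only in PREROUTING on eth0.
PREROUTING_ONLY = [Rule("PREROUTING", 80, 8080, in_iface="eth0")]
# Adding an OUTPUT rule restricted to lo catches the host's own requests to itself
# without looping the proxy's upstream fetches (which leave via eth0) back into the proxy.
WITH_OUTPUT_RULE = PREROUTING_ONLY + [Rule("OUTPUT", 80, 8080, out_iface="lo")]

# Constructed packets: John's wget on the box, a LAN client, and the proxy's own fetch.
LOCAL_WGET = Packet("127.0.0.1", "127.0.0.1", 80, in_iface=None, out_iface="lo")
CLIENT_REQUEST = Packet("192.168.10.50", "203.0.113.10", 80, in_iface="eth0", out_iface="eth1")
PROXY_UPSTREAM = Packet("192.168.10.101", "203.0.113.10", 80, in_iface=None, out_iface="eth0")

if __name__ == "__main__":
    cases = [("wget on the proxy host", LOCAL_WGET),
             ("client behind the proxy", CLIENT_REQUEST),
             ("proxy's own upstream fetch", PROXY_UPSTREAM)]
    for name, pkt in cases:
        for label, rules in [("PREROUTING only", PREROUTING_ONLY), ("plus OUTPUT -o lo", WITH_OUTPUT_RULE)]:
            print(f"{name:28} {label:18} -> {apply_redirect(rules, pkt)}")
```

With the thread's rule set the local wget never reaches the PREROUTING rule, which is exactly the zero counter John saw; the LAN client's request is rewritten to 192.168.10.101:8080 as intended. The `-o lo` qualifier is what keeps the OUTPUT rule from also catching the proxy's own outbound connections.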
* iptables ip forwarding...
From: elg3ne @ 2005-05-03 2:27 UTC (permalink / raw)
To: netfilter
Hi guys, I have 2 ISPs and an existing firewall which forwards 1 IP block to
another internet gateway... for example those IPs 192.168.4.* will be
forwarded to the 2nd ISP & the rest of the block will be on the 1st ISP... I was able
to forward 1 IP block but my problem is that I want to forward another block,
ex. 192.168.4.* and 192.168.1.5.* and 192.168.6.*.. how can I do that... I
will paste my existing firewall here & please feel free to edit ..thanks
Note: I highlighted the ISP forwarding with "#" sign.
#!/bin/bash
LOCALLINK="eth0"
GLOBALLINK="eth1"
ROUTER="yes"
NAT="X.X.X.X"
INTERFACES="lo eth0 eth1"
SERVICES="22 53 80"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${GLOBALLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #enable public access to certain services
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    iptables -A INPUT -p tcp -i ${GLOBALLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${GLOBALLINK} -j REJECT --reject-with icmp-port-unreachable
    #explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    #disable spoofing on all interfaces
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done
    iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -p tcp --dport 53 -j ACCEPT
    iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -p udp --dport 53 -j ACCEPT
    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
            iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j MASQUERADE
            iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT
            echo "Enabling SNAT (static ip)..."
            iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
            iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j SNAT --to-source ${NAT}
            iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
            ############################################################
            # forwarding to other ISP begins here
            # dual ISP use with 2 proxy/gateway server
            # if you want to use only 1 ISP comment all lines upto the "forwarding end here"
            #IP_OF_CLIENT=192.168.6.0/24
            IP_OF_CLIENT=192.168.9.12
            IP_ISP2=192.168.1.13
            IP_ISP1=192.168.1.1
            ## Rewriting destination address for PUBLIC IP hosted at our server
            # (nat PREROUTING is first-match: these DNAT-to-self rules keep the
            # catch-all DNAT below from rewriting traffic to the hosted public IPs)
            iptables -t nat -A PREROUTING -s $IP_OF_CLIENT -p tcp -d 203.87.141.12 -j DNAT --to 203.87.141.12
            iptables -t nat -A PREROUTING -s $IP_OF_CLIENT -p tcp -d 203.87.141.2 -j DNAT --to 203.87.141.2
            iptables -t nat -A PREROUTING -s $IP_OF_CLIENT -p tcp -d 203.87.141.3 -j DNAT --to 203.87.141.3
            ## Rewriting destination address
            iptables -t nat -A PREROUTING -s $IP_OF_CLIENT -j DNAT --to $IP_ISP2
            ## Allow forwarding of connections
            iptables -A FORWARD -s $IP_OF_CLIENT -d $IP_ISP2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
            iptables -A FORWARD -d $IP_OF_CLIENT -s $IP_ISP2 -m state --state ESTABLISHED,RELATED -j ACCEPT
            ## Maybe you need SNATing. If so:
            iptables -t nat -A POSTROUTING -s $IP_OF_CLIENT -d $IP_ISP2 -j SNAT --to-source $IP_ISP1
            # forwarding of connection end here
            ############################################################
            # for transparent proxy..
            iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8088
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -F FORWARD
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
    #also drop the DNAT and transparent-proxy rules, which live in nat PREROUTING
    #and would otherwise survive a "stop"
    iptables -t nat -F PREROUTING
fi