* Transparent proxy using squid, redirect all ssl/https ... ?
@ 2006-05-22 2:17 Elijah Alcantara
From: Elijah Alcantara @ 2006-05-22 2:17 UTC (permalink / raw)
To: netfilter
Hi,
It seems that implementing a transparent squid proxy will cause https &
ssl to not work well on browsers ... and it would be troublesome to
manually set up proxy settings on all browsers within our network.
So I'd like to be able to redirect all other requests like
https/ssl (port 443) or email clients' ports to directly access the
internet instead of going through our proxy server.
Here's a little diagram of our network:
http://static.flickr.com/49/149174815_48fa51f1a3_o.png
What I did so far is:
1. Block out all connection requests from our router settings except
for our proxy server (adminserver) only; this will force our users to
use the proxy settings for their other applications.
2. Set all clients' PCs to use the new gateway 'adminserver' (our
squid server).
3. Set up transparent proxy for squid, for http requests.
Everything else is working fine so far, except that opening up
ssl-enabled sites (mail.yahoo.com) creates a timeout error and email
clients seem to not work even with proxy settings enabled.
What I need is some sort of iptables rule to grab all port 443
connections and make it connect directly to the internet ... I used
webmin to formulate a rule but that didn't work ... so I thought of
asking for help here, anyone?
Here are my current rules:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.100.3
The first one works, it's for transparent proxy; the other one... I
have no idea why it's not working =(
Regards,
Elijah A.
* Re: Transparent proxy using squid, redirect all ssl/https ... ?
From: Unknown, martijn @ 2006-05-22 11:30 UTC (permalink / raw)
To: Elijah Alcantara; +Cc: netfilter
Quote from "Elijah Alcantara":
> Here are my current rules:
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.100.3
>
> The first one works, it's for transparent proxy; the other one... I
> have no idea why it's not working =(
>
See http://lists.debian.org/debian-user/2004/05/msg01434.html
HTH,
M4
* Re: Transparent proxy using squid, redirect all ssl/https ... ?
From: Elijah Alcantara @ 2006-05-22 11:52 UTC (permalink / raw)
To: netfilter
> See http://lists.debian.org/debian-user/2004/05/msg01434.html
>
> HTH,
> M4
Checked out the link. Actually I'm not really planning to cache secure
connections like ssl, I only wanted to be able to redirect those
requests to go directly to the internet (bypass squid).
I currently have an iptables rule for that but it's currently not
working right...
Elijah A.
* Re: Transparent proxy using squid, redirect all ssl/https ... ?
From: Martijn Lievaart @ 2006-05-22 18:26 UTC (permalink / raw)
To: Elijah Alcantara; +Cc: netfilter
Elijah Alcantara wrote:
>> See http://lists.debian.org/debian-user/2004/05/msg01434.html
>>
>> HTH,
>> M4
>
>
> Checked out the link. Actually I'm not really planning to cache secure
> connections like ssl, I only wanted to be able to redirect those
> requests to go directly to the internet (bypass squid).
>
> I currently have an iptables rule for that but it's currently not
> working right...
Ah, I see. How about
-A POSTROUTING -p tcp --dport 443 -j SNAT --to 192.168.100.2
Don't forget to turn on forwarding as well and create appropriate
forwarding rules.
Personally I would set this firewall between your clients and the
Internet, in that case you don't need SNAT tricks, just basic FORWARDING
rules.
M4
* Re: Transparent proxy using squid, redirect all ssl/https ... ?
From: Elijah Alcantara @ 2006-05-23 2:48 UTC (permalink / raw)
To: netfilter
> Ah, I see. How about
>
> -A POSTROUTING -p tcp --dport 443 -j SNAT --to 192.168.100.2
>
> Don't forget to turn on forwarding as well and create appropriate
> forwarding rules.
>
Yesss! That one worked. I shouldn't have pointed it to 192.168.100.3,
oops. This takes care of the https/ssl requests; I guess all that's
left are the ports used by our email clients.
Thanks!
Elijah A.
* Re: Transparent proxy using squid, redirect all ssl/https ... ?
From: Boryan Yotov @ 2006-05-22 13:57 UTC (permalink / raw)
To: Elijah Alcantara; +Cc: netfilter
Elijah Alcantara wrote:
> Hi,
>
> It seems that implementing a transparent squid proxy will cause https &
> ssl to not work well on browsers ... and it would be troublesome to
> manually set up proxy settings on all browsers within our network.
>
> So I'd like to be able to redirect all other requests like
> https/ssl (port 443) or email clients' ports to directly access the
> internet instead of going through our proxy server.
All other requests will go directly, if "adminserver" is properly
configured to act as a gateway. Only requests which are explicitly
redirected to the local proxy port will be delivered to the proxy
itself. That is the meaning of the rule you mention below:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
It redirects all incoming (or passing through) requests with destination
tcp port 80 to destination tcp port 3128 on the machine this rule is
valid for.
>
> Here's a little diagram of our network:
> http://static.flickr.com/49/149174815_48fa51f1a3_o.png
>
> What I did so far is:
> 1. Block out all connection requests from our router settings except
> for our proxy server (adminserver) only; this will force our users to
> use the proxy settings for their other applications.
> 2. Set all clients' PCs to use the new gateway 'adminserver' (our
> squid server).
> 3. Set up transparent proxy for squid, for http requests.
>
> Everything else is working fine so far, except that opening up
> ssl-enabled sites (mail.yahoo.com) creates a timeout error and email
> clients seem to not work even with proxy settings enabled.
>
> What I need is some sort of iptables rule to grab all port 443
> connections and make it connect directly to the internet ... I used
> webmin to formulate a rule but that didn't work ... so I thought of
> asking for help here, anyone?
>
> Here are my current rules:
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.100.3
>
> The first one works, it's for transparent proxy; the other one... I
> have no idea why it's not working =(
The DNAT rule is overwriting the destination source address of requests
with destination tcp port 443. This means, if a host in this LAN is
sending such a request to destination mail.yahoo.com, this rule replaces
the destination with 192.168.100.3. And this is not what you want to do.
You want to send the packet _to_ mail.yahoo.com _via_ 192.168.100.3, and
not _to_ 192.168.100.3.
If "adminserver"'s gateway functionality is properly configured, then
remove the DNAT rule above, and your LAN hosts' HTTPS requests will
be correctly forwarded.
Hope this helps.
>
>
> Regards,
> Elijah A.
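An added example, not from any message in this thread, showing the gateway ruleset Martijn and Boryan describe (intercept only port 80 with REDIRECT, forward and source-NAT everything else, no DNAT on 443) together with a check that flags the mistaken DNAT rule in a saved ruleset. The interface names, the LAN subnet and the use of MASQUERADE in place of a fixed SNAT address are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own config). Assumed topology: clients on
# LAN_IF, uplink on WAN_IF, LAN_NET is the client subnet behind "adminserver".
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.100.0/24
PROXY_PORT=3128

# Emit the corrected rules in iptables-restore format. Only port 80 from the
# LAN is steered into squid; 443 and the mail ports are simply forwarded and
# source-NATed, so they reach the Internet *via* the gateway instead of being
# aimed *at* a LAN host by DNAT. MASQUERADE stands in for Martijn's
# "SNAT --to <gateway address>" (assumption: the uplink address may change).
gen_rules() {
  cat <<EOF
*nat
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Read an iptables-save dump on stdin and return 1 if it contains the mistake
# from the original post: a PREROUTING DNAT on port 443, which rewrites the
# destination of HTTPS connections instead of routing them onward.
check_dump() {
  if grep -qE '^-A PREROUTING .*--dport 443 .*-j DNAT'; then
    echo "bad: PREROUTING DNAT on 443 sends HTTPS to a LAN host, not via it" >&2
    return 1
  fi
  return 0
}

# Forwarding must be enabled or the FORWARD rules never see any traffic.
apply_rules() {            # run as root: sh gateway.sh apply
  echo 1 > /proc/sys/net/ipv4/ip_forward
  gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Running `sh gateway.sh` with no argument only defines the functions; `iptables-save | sh -c '. ./gateway.sh; check_dump'` audits a live ruleset for the DNAT mistake.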