From: Philip Craig <philipc@snapgear.com>
To: ptb@inv.it.uc3m.es
Cc: netfilter@vger.kernel.org
Subject: Re: [help] modern iptables rule for transproxy
Date: Wed, 16 Jan 2008 09:55:41 +1000
Message-ID: <478D47FD.8070402@snapgear.com>
In-Reply-To: <200801151933.m0FJXYGD011494@betty.it.uc3m.es>
Peter T. Breuer wrote:
> "Gonzalo Arana" wrote:
>> On Jan 12, 2008 8:59 AM, Peter T. Breuer <ptb@inv.it.uc3m.es> wrote:
>>>>> ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8081
>
>>>> iptables -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp -s ! $PROXY_BOX \
>>>> --dport 80 -j REDIRECT --to-ports 8081
>>> Yes, thanks. I've been trying variants on that for some time, with no
>>> success.
>
>>> Chain PREROUTING (policy ACCEPT)
>>> target prot opt source destination
>>> REDIRECT tcp -- !<proxyhost> anywhere tcp dpt:www redir ports 8081
>
>
>> Perhaps you are running 'telnet news.bbc.co.uk 80' on the same box as
>> tproxy is running.
>
> Yes, indeed, that's the whole idea, and the objective, and the problem.
> There's no "perhaps" in it! That's the problem description. How to get
> outgoing http requests to distant port 80s to be redirected to a proxy
> daemon sitting on port 8081 of the LOCAL machine instead.

Then you need the rule in the OUTPUT chain. PREROUTING only sees forwarded
packets. The problem with this though is that you need some way to stop
connections from the proxy being redirected too. Maybe you can use the
owner match to specify the uid of the proxy process. From a quick google,
there are some example rules for tor that do this:
http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
(You want local redirection, not middlebox.)
Note that the ipchains rule you gave is only for forwarded traffic too.
I don't recall whether ipchains supported local redirection.

>> If that's the case, telnet's connection may be using
>> <proxyhost> as source IP address.
>
> What would be bad about that? And if it is bad, what would one do about
> it? I'm puzzled ...

Because the '-s ! $PROXY_BOX' means the rule will not match packets
that have proxyhost as the source IP address.

> What I don't do is get through to the tproxy daemon sitting on localhost
> 8081 when I telnet out to a distant host on its port 80. I don't know
> why. How does one debug iptables?!!!

Use 'iptables -t nat -L -n' and look at the packet counters to see which
rules are being matched. (And if the policy counters go up then no
rules were matched.)
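The OUTPUT-chain approach described in the reply above, written out as an added example (not code from the thread or from either poster). It assumes a hypothetical proxy running as user "proxy" on port 8081 and a kernel with the iptables owner match; by default it only prints the rules (DRY_RUN=1) so the rule order can be reviewed before applying.

```shell
#!/bin/sh
# Added example: redirect locally generated port-80 traffic to a local
# proxy without looping the proxy's own connections back into itself.
# Assumptions (hypothetical): proxy runs as PROXY_USER and listens on
# PROXY_PORT. DRY_RUN=1 prints the commands instead of executing them.
PROXY_USER=${PROXY_USER:-proxy}
PROXY_PORT=${PROXY_PORT:-8081}
DRY_RUN=${DRY_RUN:-1}

# Wrapper so the same rule list can be printed or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rule order matters: the proxy's own outbound connections must leave the
# chain (RETURN) before the REDIRECT rule, otherwise every origin fetch the
# proxy makes would be sent back to port 8081 and loop forever.
transproxy_rules() {
    # 1. Packets owned by the proxy process go to the real destination.
    ipt -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner --uid-owner "$PROXY_USER" -j RETURN
    # 2. Traffic already aimed at the local host is left alone too.
    ipt -t nat -A OUTPUT -p tcp --dport 80 -o lo -j RETURN
    # 3. Everything else from local processes to port 80 hits the proxy.
    ipt -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Debugging as suggested in the thread: the per-rule packet counters show
# which rule matched; if only the policy counter moves, nothing matched.
show_counters() {
    ipt -t nat -L OUTPUT -n -v
}

transproxy_rules
```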