* Transparent Proxy
@ 2002-11-25 13:04 Cyril COUPEL
0 siblings, 0 replies; 22+ messages in thread
From: Cyril COUPEL @ 2002-11-25 13:04 UTC (permalink / raw)
To: netfilter
Hi all,
First here is my network architecture:
3 Linux boxes; B acts as router (A and C can each be a group of PCs):
------ ------ ------
| A |----| B |----| C |
------ ------ ------
I need to REDIRECT (DNAT) the traffic from A to B, to a kind of PROXY,
and then forward it to C.
For that, I need to retrieve on B the real server address requested by A,
in order to open a new connection from B to C.
My Question is:
How to retrieve the conntrack information for a connection, without
parsing /proc/net/ipv4/ip_conntrack?
Thanks in advance.
--
Cyril COUPEL <cyril@coupel.homelinux.org>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Transparent Proxy
@ 2003-09-10 21:19 Kilson Arruda
0 siblings, 0 replies; 22+ messages in thread
From: Kilson Arruda @ 2003-09-10 21:19 UTC (permalink / raw)
To: netfilter
I have a Transparent Proxy like this
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 ! -d $DIRECT_IP \
    -m mac --mac-source $MAC -j REDIRECT --to-port 3128
Question: can I use more than one "! -d", or multiple IPs, so that port 80
is not REDIRECTed for more than one IP?
If yes, how can I do this?
--
Kilson Arruda
Linux User # 228238
________________________________________________
www.onwave.com.br - Internet e Conectividade
* transparent proxy
@ 2004-02-27 8:48 Tomasz Macioszek
2004-02-27 9:18 ` Jeroen Vriesman
` (2 more replies)
0 siblings, 3 replies; 22+ messages in thread
From: Tomasz Macioszek @ 2004-02-27 8:48 UTC (permalink / raw)
To: Netfilter
Hello!
I have a Linux server acting as a gateway between the internal network and
the internet. The iptables rule set has been working well for a long time.
I have configured squid on this server. When I set an internal network
client to use the proxy server directly, it worked properly. But when I
set iptables to redirect all http traffic to the squid port (3128), it didn't
work (transparent proxy).
This is my iptables rule:
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
I think that all options in my kernel are set properly.
I don't know why it doesn't work.
I set tcpdump to listen on port 3128, and when a client tried to connect to a web
server, port 3128 showed only the first IP packet of the connection and the
connection failed.
Could you send me a solution for this problem?
Best regards
Tomek
* Re: transparent proxy
2004-02-27 8:48 Tomasz Macioszek
@ 2004-02-27 9:18 ` Jeroen Vriesman
2004-02-27 9:27 ` Antony Stone
2004-02-27 11:50 ` John A. Sullivan III
2004-02-27 17:00 ` Daniel F. Chief Security Engineer -
2 siblings, 1 reply; 22+ messages in thread
From: Jeroen Vriesman @ 2004-02-27 9:18 UTC (permalink / raw)
To: netfilter
Hi,
You cannot send http traffic directly to a proxy port; these are two different protocols (you also configure your client to use either a proxy or a direct connection).
So you either configure a proxy, use NAT for traffic to port 80 (without using the proxy), or configure squid to listen on another port in "http accelerator mode"; the last option is what you seem to want.
Good luck,
Jeroen.
On Fri, 27 Feb 2004 09:48:39 +0100
"Tomasz Macioszek" <tomekm@cea.pl> wrote:
> Hello!
> I have a Linux server acting as a gateway between internal network and
> internet. The iptables rule set have been working good for long time.
> I have configured squid on this server. When I have set internal network
> client to use directly proxy server it has worked properly. But when I have
> set iptable to redirect all http traffic to squid port (3128) it didn't
> work (transparent proxy).
> This is my iptable rule:
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
> I think that all options in my kernel are set properly.
> I don't know why it doesn't work
> I set tcpdump to listen on 3128 port and when client tried to connect to web
> server on port 3128 showed only first IP package of this connection and
> connections failed.
> Could you send me a solution for this problem?
> Best regards
> Tomek
>
>
* Re: transparent proxy
2004-02-27 9:18 ` Jeroen Vriesman
@ 2004-02-27 9:27 ` Antony Stone
2004-02-27 10:25 ` Jeroen Vriesman
0 siblings, 1 reply; 22+ messages in thread
From: Antony Stone @ 2004-02-27 9:27 UTC (permalink / raw)
To: netfilter
On Friday 27 February 2004 9:18 am, Jeroen Vriesman wrote:
> Hi,
>
> you cannot send http traffic directly to a proxy port,
Yes you can.
See the example netfilter rule given in the Squid FAQ at
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4
and http://en.tldp.org/HOWTO/TransparentProxy-5.html
Antony.
--
Ramdisk is not an installation procedure.
Please reply to the list;
please don't CC me.
* Re: transparent proxy
2004-02-27 9:27 ` Antony Stone
@ 2004-02-27 10:25 ` Jeroen Vriesman
0 siblings, 0 replies; 22+ messages in thread
From: Jeroen Vriesman @ 2004-02-27 10:25 UTC (permalink / raw)
To: netfilter
Oh dear,
that means I'm living in the past, sorry.
On Fri, 27 Feb 2004 09:27:19 +0000
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Friday 27 February 2004 9:18 am, Jeroen Vriesman wrote:
>
> > Hi,
> >
> > you cannot send http traffic directly to a proxy port,
>
> Yes you can.
>
> See the example netfilter rule given on the Squid FQ at
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4
> and http://en.tldp.org/HOWTO/TransparentProxy-5.html
>
> Antony.
>
> --
> Ramdisk is not an installation procedure.
>
> Please reply to the list;
> please don't CC me.
>
>
* Re: transparent proxy
2004-02-27 8:48 Tomasz Macioszek
2004-02-27 9:18 ` Jeroen Vriesman
@ 2004-02-27 11:50 ` John A. Sullivan III
2004-02-27 17:00 ` Daniel F. Chief Security Engineer -
2 siblings, 0 replies; 22+ messages in thread
From: John A. Sullivan III @ 2004-02-27 11:50 UTC (permalink / raw)
To: Tomasz Macioszek; +Cc: Netfilter
On Fri, 2004-02-27 at 03:48, Tomasz Macioszek wrote:
> Hello!
> I have a Linux server acting as a gateway between internal network and
> internet. The iptables rule set have been working good for long time.
> I have configured squid on this server. When I have set internal network
> client to use directly proxy server it has worked properly. But when I have
> set iptable to redirect all http traffic to squid port (3128) it didn't
> work (transparent proxy).
> This is my iptable rule:
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
> I think that all options in my kernel are set properly.
> I don't know why it doesn't work
> I set tcpdump to listen on 3128 port and when client tried to connect to web
> server on port 3128 showed only first IP package of this connection and
> connections failed.
> Could you send me a solution for this problem?
> Best regards
> Tomek
It has been a while since I set up Squid but I would suggest looking in
a few areas.
Do you really want to redirect all traffic on port 80 or just the
traffic coming in from the internal interface?
Have you allowed traffic to pass on the loopback interface?
I do not recall if one needs to allow traffic to port 3128 on the INPUT
chain.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: transparent proxy
2004-02-27 8:48 Tomasz Macioszek
2004-02-27 9:18 ` Jeroen Vriesman
2004-02-27 11:50 ` John A. Sullivan III
@ 2004-02-27 17:00 ` Daniel F. Chief Security Engineer -
2 siblings, 0 replies; 22+ messages in thread
From: Daniel F. Chief Security Engineer - @ 2004-02-27 17:00 UTC (permalink / raw)
To: Tomasz Macioszek, Netfilter
That rule should work fine, make sure you compiled squid with:
./configure --enable-linux-netfilter
But for more useful info :)
Here is a nice HOW-TO:
http://en.tldp.org/HOWTO/TransparentProxy.html
On Friday 27 February 2004 02:48, Tomasz Macioszek wrote:
> Hello!
> I have a Linux server acting as a gateway between internal network and
> internet. The iptables rule set have been working good for long time.
> I have configured squid on this server. When I have set internal network
> client to use directly proxy server it has worked properly. But when I have
> set iptable to redirect all http traffic to squid port (3128) it didn't
> work (transparent proxy).
> This is my iptable rule:
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
> I think that all options in my kernel are set properly.
> I don't know why it doesn't work
> I set tcpdump to listen on 3128 port and when client tried to connect to
> web server on port 3128 showed only first IP package of this connection
> and connections failed.
> Could you send me a solution for this problem?
> Best regards
> Tomek
--
_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_
Daniel Fairchild - Chief Security Officer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how
close you get to nothing.
* RE: transparent proxy
@ 2004-02-27 19:19 Guillermo Chui Lau
0 siblings, 0 replies; 22+ messages in thread
From: Guillermo Chui Lau @ 2004-02-27 19:19 UTC (permalink / raw)
To: netfilter; +Cc: tomekm
On Fri, 27 Feb 2004 09:48:39 +0100
"Tomasz Macioszek" <tomekm@cea.pl> wrote:
> Hello!
> I have a Linux server acting as a gateway between internal network and
> internet. The iptables rule set have been working good for long time.
> I have configured squid on this server. When I have set internal network
> client to use directly proxy server it has worked properly. But when I have
> set iptable to redirect all http traffic to squid port (3128) it didn't
> work (transparent proxy).
> This is my iptable rule:
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
> I think that all options in my kernel are set properly.
> I don't know why it doesn't work
> I set tcpdump to listen on 3128 port and when client tried to connect to web
> server on port 3128 showed only first IP package of this connection and
> connections failed.
> Could you send me a solution for this problem?
> Best regards
> Tomek
>
>
YOU NEED TO IMPLEMENT THIS RULE
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 \
-j REDIRECT --to-port 3128
LINUX SERVER HACKS Rob Flickenger
also make squid run in levels 3 ,4 and 5
chkconfig --level 345 squid on
If this doesn't work, see if iptables is doing NAT; you should have a rule
like this one:
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
Also check that you are loading the modules:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
You can check the modules using lsmod.
Guillermo Chui Lau
Support Engineer
* RE: transparent proxy
@ 2004-03-15 9:19 Fredrik Emil Jensen
2004-03-16 1:57 ` Alexander Samad
2004-03-16 8:44 ` Antony Stone
0 siblings, 2 replies; 22+ messages in thread
From: Fredrik Emil Jensen @ 2004-03-15 9:19 UTC (permalink / raw)
To: Netfilter
Hey
I'm currently using squid and squidGuard for redirection. Setting up the
rules:
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 \
    -j REDIRECT --to-ports 3128
But does anyone know what to do if you want to use iptables to bypass
squid for a single IP address?
I know that you can add the rule "iptables -t nat -A POSTROUTING -o eth0
-s 192.168.1.10/32 -d 0/0 -j SNAT --to "source_Wan_address" ". But this
rule will be added at the end of the rule list, and all traffic on port
80 will still be redirected through squid. Even when I use priority
"iptables -t nat -I POSTROUTING 1 etc" and I put higher priority on the
rule for the bypass IP, it is still being redirected through squid. I
have to remove the redirect rule before I can bypass squid.
Does anyone know what I'm doing wrong?
Using Slackware 9.1 with kernel 2.6.2, iptables version 1.2.9 and squid 2.5.
Regards,
Fredrik
-----Original Message-----
From: Daniel F. Chief Security Engineer -
[mailto:danielf@supportteam.net]
Sent: 27 February 2004 18:01
To: Tomasz Macioszek; Netfilter
Subject: Re: transparent proxy
That rule should work fine, make sure you compiled squid with:
./configure --enable-linux-netfilter
But for more useful info :)
Here is a nice HOW-TO:
http://en.tldp.org/HOWTO/TransparentProxy.html
On Friday 27 February 2004 02:48, Tomasz Macioszek wrote:
> Hello!
> I have a Linux server acting as a gateway between internal network and
> internet. The iptables rule set have been working good for long time.
> I have configured squid on this server. When I have set internal network
> client to use directly proxy server it has worked properly. But when I have
> set iptable to redirect all http traffic to squid port (3128) it didn't
> work (transparent proxy).
> This is my iptable rule:
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
> I think that all options in my kernel are set properly.
> I don't know why it doesn't work
> I set tcpdump to listen on 3128 port and when client tried to connect to
> web server on port 3128 showed only first IP package of this connection
> and connections failed.
> Could you send me a solution for this problem?
> Best regards
> Tomek
--
_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_
Daniel Fairchild - Chief Security Officer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how
close you get to nothing.
* Re: transparent proxy
2004-03-15 9:19 Fredrik Emil Jensen
@ 2004-03-16 1:57 ` Alexander Samad
2004-03-16 8:44 ` Antony Stone
1 sibling, 0 replies; 22+ messages in thread
From: Alexander Samad @ 2004-03-16 1:57 UTC (permalink / raw)
To: Netfilter
On Mon, Mar 15, 2004 at 10:19:35AM +0100, Fredrik Emil Jensen wrote:
> Hey
>
> I'm currently using squid and squidGuard for redirection. Setting up the
> rules:
>
> Iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80
> -j REDIRECT --to-ports 3128
>
> But does anyone know what to do if you want to use iptables to bypass
> squid with single IP address?
>
> I know that you can add the rule "iptables -t nat -A POSTROUTING -o eth0
> -s 192.168.1.10/32 -d 0/0 -j SNAT --to "source_Wan_address" ". But this
> rule will be added at the end of the rule list, and all traffic on port
> 80 will still be redirected through squid. Even when I use priority
> "iptables -t nat -I POSTROUTING 1 etc" and I put higher priority on the
> rule for the bypass IP, it is still being redirected through squid. I
> have to remove the redirect rule before I can bypass squid.
-A means to append to the end of the chain.
-I means to insert at the top,
or
-I INPUT 5 means to insert above line 5 of a chain.
Chains are processed from top to bottom.
Hope that helps.
>
> Does anyone know what I'm doing wrong?
>
> Using Slackware 9.1 with Kernel 2.6.2, iptables version 1.2.9 and squid
> 2.5
>
> Regards,
> Fredrik
>
* Re: transparent proxy
2004-03-15 9:19 Fredrik Emil Jensen
2004-03-16 1:57 ` Alexander Samad
@ 2004-03-16 8:44 ` Antony Stone
1 sibling, 0 replies; 22+ messages in thread
From: Antony Stone @ 2004-03-16 8:44 UTC (permalink / raw)
To: Netfilter
On Monday 15 March 2004 9:19 am, Fredrik Emil Jensen wrote:
> Hey
>
> I'm currently using squid and squidGuard for redirection. Setting up the
> rules:
>
> Iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80
> -j REDIRECT --to-ports 3128
>
> But does anyone know what to do if you want to use iptables to bypass
> squid with single IP address?
Yes, put a rule above that one in the PREROUTING chain which matches the
source address you don't want to be REDIRECTed, and jump out of the chain:
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.10 --dport 80 -j ACCEPT
That will match a single address, 192.168.1.10, TCP port 80, and make sure the
following REDIRECT rule is not activated. Note the "-I" to insert the rule
at the top of the list, instead of the more common "-A" which appends to the
end of the list.
Regards,
Antony.
--
The difference between theory and practice is that in theory there is no
difference, whereas in practice there is.
Please reply to the list;
please don't CC me.
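Pulling together the advice in this part of the thread (Kilson's question about excluding more than one destination, John's and Guillermo's point that only traffic arriving on the LAN interface should be redirected, Alexander's note on -A versus -I, and Antony's ACCEPT-above-REDIRECT bypass rule), the script below is an added example and not taken from any of the posts. The interface name, the excluded hosts and the direct-access servers are assumptions. Because iptables accepts only one -d (or -s) per rule, each excluded address gets its own ACCEPT rule, and all of them are placed ahead of the REDIRECT so that ACCEPT, which is terminating in the nat table, stops the redirect for those packets. The script prints the commands by default (IPTABLES defaults to "echo iptables") so the resulting rule order can be reviewed; run it with IPTABLES=iptables as root to apply it.

```shell
#!/bin/sh
# Added example: nat PREROUTING chain for a gateway that REDIRECTs LAN web
# traffic to a local squid, with the exclusions placed BEFORE the REDIRECT.
# Dry-run by default; set IPTABLES=iptables to actually apply the rules.
# Interface, addresses and excluded hosts are assumptions for the example.
IPTABLES=${IPTABLES:-"echo iptables"}

LAN_IFACE=eth1                           # assumed: interface the clients sit behind
SQUID_PORT=3128                          # squid's port, as in the thread
BYPASS_SRC="192.168.1.10"                # clients whose web traffic must not go via squid
DIRECT_DST="203.0.113.5 198.51.100.7"    # servers reached directly (Kilson's "! -d" case)

# Emit the rules in the order iptables evaluates them.  Everything is
# appended (-A) to an assumed-empty chain, so call order equals rule order.
emit_redirect_rules() {
    # One ACCEPT per excluded client: a rule can carry only a single -s match.
    for src in $BYPASS_SRC; do
        $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp -s "$src" --dport 80 -j ACCEPT
    done
    # One ACCEPT per directly reachable server: likewise only a single -d per rule.
    for dst in $DIRECT_DST; do
        $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp -d "$dst" --dport 80 -j ACCEPT
    done
    # Only LAN-originated traffic is redirected; nothing arriving from the
    # Internet side can be steered into the proxy.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # The redirected connection terminates on this host, so INPUT must allow it.
    $IPTABLES -A INPUT -i "$LAN_IFACE" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Adding one more excluded client later, without rebuilding the chain: -I puts
# the rule at position 1, ahead of the REDIRECT.  -A would append it after the
# REDIRECT, where it would never be reached for port-80 traffic.
add_bypass_host() {
    $IPTABLES -t nat -I PREROUTING 1 -i "$LAN_IFACE" -p tcp -s "$1" --dport 80 -j ACCEPT
}

emit_redirect_rules
add_bypass_host 192.168.1.20
```

With the dry run, the printed order is the order the kernel will consult: the exclusions first, the REDIRECT last. If a host still ends up in squid's logs after being added, `iptables -t nat -L PREROUTING -n --line-numbers` shows whether its ACCEPT landed above or below the REDIRECT.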
* RE: transparent proxy
@ 2004-03-17 12:33 Fredrik Emil Jensen
2004-03-17 14:21 ` David Cannings
0 siblings, 1 reply; 22+ messages in thread
From: Fredrik Emil Jensen @ 2004-03-17 12:33 UTC (permalink / raw)
To: Netfilter
Thank you Antony, finally it's working for me. I have another question
for the list; is it possible to use iptables to redirect any request on
port 80 to a specific web address?
I know you can use the rule, iptables -t nat -A PREROUTING -p tcp -s
192.168.1.0/24 -d 0/0 --dport 80 -j DNAT --to ip.address.xx.xx:80
But my problem occurs when you have many different subnets and you want
subnet1 to be redirected to http://test.domain.com/site1, subnet2 to be
redirected to http://test.domain.com/site2 etc.
Does anyone have any suggestions on how to do this with iptables, is it
possible? Or do I still need to use squid and squidGuard!
Regards,
Fredrik
-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: 16 March 2004 09:44
To: Netfilter
Subject: Re: transparent proxy
On Monday 15 March 2004 9:19 am, Fredrik Emil Jensen wrote:
> Hey
>
> I'm currently using squid and squidGuard for redirection. Setting up the
> rules:
>
> Iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80
> -j REDIRECT --to-ports 3128
>
> But does anyone know what to do if you want to use iptables to bypass
> squid with single IP address?
Yes, put a rule above that one in the PREROUTING chain which matches the
source address you don't want to be REDIRECTed, and jump out of the chain:
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.10 --dport 80 -j ACCEPT
That will match a single address, 192.168.1.10, TCP port 80, and make sure the
following REDIRECT rule is not activted. Note the "-I" to insert the rule
at the top of the list, instead of the more common "-A" which appends to the
end of the list.
Regards,
Antony.
* Re: transparent proxy
2004-03-17 12:33 Fredrik Emil Jensen
@ 2004-03-17 14:21 ` David Cannings
0 siblings, 0 replies; 22+ messages in thread
From: David Cannings @ 2004-03-17 14:21 UTC (permalink / raw)
To: netfilter
On Wednesday 17 March 2004 12:33, Fredrik Emil Jensen wrote:
> Thank you Antony, finally it's working for me. I have another question
> for the list; is it possible to use iptables to redirect any request on
> port 80 to a specific web address?
>
> I know you can use the rule, iptables -t nat -A PREROUTING -p tcp -s
> 192.168.1.0/24 -d 0/0 --dport 80 -j DNAT --to ip.address.xx.xx:80
>
> But my problem occurs when you have many different subnets and you want
> subnet1 to be redirected to http://test.domain.com/site1, subnet2 to be
> redirected to http://test.domain.com/site2 etc.
>
> Does anyone have any suggestions on how to do this with iptables, is it
> possible? Or do I still need to use squid and squidGuard!
That's application level, the request is inside the HTTP packet (which is
inside the TCP packet, which is inside the IP packet, etc). iptables
cannot do this, you would have to use a proxy such as Apache or Squid.
David
* transparent proxy
@ 2010-03-09 23:44 Marco Schuth
2010-03-10 0:23 ` Amos Jeffries
0 siblings, 1 reply; 22+ messages in thread
From: Marco Schuth @ 2010-03-09 23:44 UTC (permalink / raw)
To: netfilter
Hello,
I am using iptables on my router, and have a dedicated proxy server with
squid, sarg and squidGuard running.
All the clients send the request for a website to the default gw (router
10.12.0.1); the router redirects (DNAT)
the packet to the proxy server IP 10.12.0.250,
but in the logs I get the IP of the router.
So squidGuard doesn't work and the squid analytics don't work because they
show only the IP of the gw (router) with all requested pages.
How can I change this, so that I get the original IP of the clients in the
logs?
-----------------------
Maybe: SNAT with the original IP, but how? And make a second entry in the
proxy to send all packets back to the proxy?
No idea.
Thanks for your help!!!
* Re: transparent proxy
2010-03-09 23:44 transparent proxy Marco Schuth
@ 2010-03-10 0:23 ` Amos Jeffries
2010-03-13 8:21 ` Mart Frauenlob
0 siblings, 1 reply; 22+ messages in thread
From: Amos Jeffries @ 2010-03-10 0:23 UTC (permalink / raw)
To: Marco Schuth; +Cc: netfilter
On Wed, 10 Mar 2010 00:44:14 +0100, "Marco Schuth" <marco@it-schuth.net>
wrote:
> Hello,
>
> Iam using iptables on my router, and have a dedicated proxy server with
> squid sarg and squidguard running.
>
> all the clients send the request for a website to the default gw (router
> 10.12.0.1) the router redirects (dnat)
> the package to the proxy server ip:10.12.0.250
> but in the logs i get the ip from the router.
NAT destroys the IP addresses before they leave the machine doing NAT.
Please read the Squid FAQ examples of how to configure policy routing ...
Router:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
Squid box:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
Amos
Squid Project
* Re: transparent proxy
2010-03-10 0:23 ` Amos Jeffries
@ 2010-03-13 8:21 ` Mart Frauenlob
2010-03-13 10:05 ` /dev/rob0
0 siblings, 1 reply; 22+ messages in thread
From: Mart Frauenlob @ 2010-03-13 8:21 UTC (permalink / raw)
To: netfilter
On 10.03.2010 01:23, netfilter-owner@vger.kernel.org wrote:
> On Wed, 10 Mar 2010 00:44:14 +0100, "Marco Schuth" <marco@it-schuth.net>
> wrote:
>> Hello,
>>
>> Iam using iptables on my router, and have a dedicated proxy server with
>> squid sarg and squidguard running.
>>
>> all the clients send the request for a website to the default gw (router
>
>> 10.12.0.1) the router redirects (dnat)
>> the package to the proxy server ip:10.12.0.250
>> but in the logs i get the ip from the router.
>
> NAT destroys the IP addresses before they leave the machine doing NAT.
> Please read the Squid FAQ examples of how to configure policy routing ...
>
> Router:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>
> Squid box:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> Amos
> Squid Project
Hello,
I'd like to ask, if in the above examples, the ACCEPT rules need to be
placed in the mangle table?
Is there a specific reason, couldn't it be done in the filter table?
As that would be the intended/preferred use for filtering?
If so, don't the examples teach people 'bad manners'?
Best regards
Mart
* Re: transparent proxy
2010-03-13 8:21 ` Mart Frauenlob
@ 2010-03-13 10:05 ` /dev/rob0
2010-03-13 12:08 ` Mart Frauenlob
0 siblings, 1 reply; 22+ messages in thread
From: /dev/rob0 @ 2010-03-13 10:05 UTC (permalink / raw)
To: netfilter
On Sat, Mar 13, 2010 at 09:21:23AM +0100, Mart Frauenlob wrote:
> Amos Jeffries:
> > Please read the Squid FAQ examples of how to configure policy
> > routing ...
> >
> > Router:
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> >
> > Squid box:
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> I'd like to ask, if in the above examples, the ACCEPT rules need
> to be placed in the mangle table?
> Is there a specific reason, couldn't it be done in the filter
> table?
> As that would be the intended/preferred use for filtering?
> If so, don't the examples teach people 'bad manners'?
I think Mart is misunderstanding the effect of ACCEPT in mangle. It
does not override nor bypass the filter table. It merely means, "we
are done mangling this packet."
The MARK target is one of those sneaky non-terminating targets. A
mark is applied, and the packet continues in that particular chain.
Further -j MARK rules could be applied. The ACCEPT rule prevents
this.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
* Re: transparent proxy
2010-03-13 10:05 ` /dev/rob0
@ 2010-03-13 12:08 ` Mart Frauenlob
2010-03-13 12:11 ` Mart Frauenlob
2010-03-13 16:41 ` /dev/rob0
0 siblings, 2 replies; 22+ messages in thread
From: Mart Frauenlob @ 2010-03-13 12:08 UTC (permalink / raw)
To: netfilter
On 13.03.2010 11:05, netfilter-owner@vger.kernel.org wrote:
> On Sat, Mar 13, 2010 at 09:21:23AM +0100, Mart Frauenlob wrote:
>> Amos Jeffries:
>>> Please read the Squid FAQ examples of how to configure policy
>>> routing ...
>>>
>>> Router:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>
>>> Squid box:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>>
>> I'd like to ask, if in the above examples, the ACCEPT rules need
>> to be placed in the mangle table?
>> Is there a specific reason, couldn't it be done in the filter
>> table?
>> As that would be the intended/preferred use for filtering?
>> If so, don't the examples teach people 'bad manners'?
>
> I think Mart is misunderstanding the effect of ACCEPT in mangle. It
> does not override nor bypass the filter table. It merely means, "we
> are done mangling this packet."
>
ACCEPT in mangle differs from ACCEPT in mangle?
Where is that documented?
So you have to ACCEPT it twice? In mangle and in filter table?
> The MARK target is one of those sneaky non-terminating targets. A
> mark is applied, and the packet continues in that particular chain.
> Further -j MARK rules could be applied. The ACCEPT rule prevents
> this.
Don't we use the RETURN target for that? But yes, that implies a
problem, if you RETURN from a user-defined chain.
Best regards
Mart
* Re: transparent proxy
2010-03-13 12:08 ` Mart Frauenlob
@ 2010-03-13 12:11 ` Mart Frauenlob
2010-03-13 16:41 ` /dev/rob0
1 sibling, 0 replies; 22+ messages in thread
From: Mart Frauenlob @ 2010-03-13 12:11 UTC (permalink / raw)
To: netfilter
On 13.03.2010 13:10, netfilter-owner@vger.kernel.org wrote:
> ACCEPT in mangle differs from ACCEPT in mangle?
should be:
ACCEPT in mangle differs from ACCEPT in filter?
* Re: transparent proxy
2010-03-13 12:08 ` Mart Frauenlob
2010-03-13 12:11 ` Mart Frauenlob
@ 2010-03-13 16:41 ` /dev/rob0
2010-03-13 21:58 ` Mart Frauenlob
1 sibling, 1 reply; 22+ messages in thread
From: /dev/rob0 @ 2010-03-13 16:41 UTC (permalink / raw)
To: netfilter
On Sat, Mar 13, 2010 at 01:08:45PM +0100, Mart Frauenlob wrote:
> On 13.03.2010 11:05, netfilter-owner@vger.kernel.org wrote:
NB, your MUA is changing the attribution to the envelope sender.
Please don't blame the list owner for what I said! :) In a list
reply, the attribution should be the header From: address, not the
SMTP envelope sender address.
> > On Sat, Mar 13, 2010 at 09:21:23AM +0100, Mart Frauenlob wrote:
> >> Amos Jeffries:
> >>> Please read the Squid FAQ examples of how to configure policy
> >>> routing ...
> >>>
> >>> Router:
> >>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> >>>
> >>> Squid box:
> >>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
> >>
> >> I'd like to ask, if in the above examples, the ACCEPT
> >> rules need to be placed in the mangle table?
> >> Is there a specific reason, couldn't it be done in the
> >> filter table?
> >> As that would be the intended/preferred use for filtering?
> >> If so, don't the examples teach people 'bad manners'?
> >
> > I think Mart is misunderstanding the effect of ACCEPT in mangle.
> > It does not override nor bypass the filter table. It merely
> > means, "we are done mangling this packet."
>
> ACCEPT in mangle differs from ACCEPT in filter?
Strictly speaking, no, ACCEPT is ACCEPT. Look at no more rules,
disregard the chain's policy, pass Go, collect $200.
> Where is that documented?
> So you have to ACCEPT it twice? In mangle and in filter table?
And raw, and nat ... the packet hits all relevant chains/tables. Any
of these could change a packet's fate. However, IIUC support for the
DROP target in nat and mangle has been removed.
> > The MARK target is one of those sneaky non-terminating targets.
> > A mark is applied, and the packet continues in that particular
> > chain. Further -j MARK rules could be applied. The ACCEPT rule
> > prevents this.
>
> Don't we use the RETURN target for that? But yes, that implies a
> problem, if you RETURN from a user-defined chain.
RETURN in a built-in means "go to the policy." In a user chain it
means "go to the next rule in the calling chain". As you point out,
there could be issues with that as the example. ACCEPT works. The
only minor nitpick I can think of is that the example used -A,
whereas -I would have covered more cases of crazy mangle rulesets.
But, -I would fall into the "bad manners" category you were asking
about originally. :) If someone has crazy mangle rules, let's hope
they understand those rules, because if they don't, they'll have
other problems beyond getting their squid working. :)
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
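As an added example of the policy-routing setup Amos points to and /dev/rob0 explains (it is not the Squid wiki's text and not from any of the posts), the script below gives the router-side rules that MARK port-80 traffic from the LAN and route it to the separate proxy host without rewriting any address, so squid on 10.12.0.250 logs the real client IP instead of the router's, plus the single nat rule the proxy box itself needs. The interface name, fwmark value and routing-table number are assumptions. Two points from the discussion are visible in the rule order: the ACCEPT for the proxy's own outbound fetches sits above the MARK because MARK does not terminate the chain, and that ACCEPT only ends mangle processing, so the filter table still has to allow the forwarded traffic on its own. Commands are printed by default (IPTABLES and IP default to "echo ..."); set them to the real binaries to apply.

```shell
#!/bin/sh
# Added example: route LAN web traffic to a dedicated proxy by fwmark instead
# of DNAT, so the proxy sees the original client source address.
# Dry-run by default; set IPTABLES=iptables IP=ip to apply as root.
IPTABLES=${IPTABLES:-"echo iptables"}
IP=${IP:-"echo ip"}

LAN_IFACE=eth1            # assumed: router interface facing clients and proxy
PROXY_IP=10.12.0.250      # the dedicated squid box, as in the thread
MARK=3                    # assumed fwmark value
TABLE=2                   # assumed routing-table number
SQUID_PORT=3128           # port squid listens on for intercepted traffic (assumed, as in the thread)

# Router side.  Order matters: rule 1 must precede rule 2.
router_rules() {
    # 1. The proxy's own outbound web fetches also arrive on the LAN interface.
    #    ACCEPT here ends *mangle* processing for them only: the packet still
    #    passes nat and filter, but it never reaches the MARK rule below, so it
    #    is not looped back to the proxy.
    $IPTABLES -t mangle -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 -s "$PROXY_IP" -j ACCEPT
    # 2. MARK is non-terminating: after setting the mark the packet keeps
    #    walking the chain, which is why the exemption has to sit above it.
    $IPTABLES -t mangle -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # 3. ACCEPT in mangle did not decide the packet's fate; the filter table
    #    must still permit forwarding it toward the proxy.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" -p tcp --dport 80 -j ACCEPT
    # 4. Marked packets consult table $TABLE, whose only route points at the proxy.
    $IP rule add fwmark "$MARK" table "$TABLE"
    $IP route add default via "$PROXY_IP" dev "$LAN_IFACE" table "$TABLE"
}

# Proxy side.  Packets arrive with the real client source and the real web
# server destination; only here is the destination rewritten, to squid's
# local port, so squid logs the client and can recover the original server.
proxy_rules() {
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

router_rules
proxy_rules
```

When checking a setup like this, `iptables -t mangle -L PREROUTING -n --line-numbers` on the router should list the proxy's ACCEPT before the MARK; if they are reversed, the proxy's own requests get marked and routed back to itself.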
* Re: transparent proxy
2010-03-13 16:41 ` /dev/rob0
@ 2010-03-13 21:58 ` Mart Frauenlob
0 siblings, 0 replies; 22+ messages in thread
From: Mart Frauenlob @ 2010-03-13 21:58 UTC (permalink / raw)
To: netfilter
On 13.03.2010 17:41, rob0@gmx.co.uk wrote:
> On Sat, Mar 13, 2010 at 01:08:45PM +0100, Mart Frauenlob wrote:
>> On 13.03.2010 11:05, netfilter-owner@vger.kernel.org wrote:
>
> NB, your MUA is changing the attribution to the envelope sender.
> Please don't blame the list owner for what I said! :) In a list
> reply, the attribution should be the header From: address, not the
> SMTP envelope sender address.
>
Hrm, yes, I've been seeing that for a while. I use Mozilla Thunderbird on windowz
(stuck with it here). And it's the only mailing list where I encounter
this problem. And it does not occur for all mails. I have no idea why.
>>> On Sat, Mar 13, 2010 at 09:21:23AM +0100, Mart Frauenlob wrote:
>>>> Amos Jeffries:
>>>>> Please read the Squid FAQ examples of how to configure policy
>>>>> routing ...
>>>>>
>>>>> Router:
>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>>>
>>>>> Squid box:
>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>>>>
>>>> I'd like to ask, if in the above examples, the ACCEPT
>>>> rules need to be placed in the mangle table?
>>>> Is there a specific reason, couldn't it be done in the
>>>> filter table?
>>>> As that would be the intended/preferred use for filtering?
>>>> If so, don't the examples teach people 'bad manners'?
>>>
>>> I think Mart is misunderstanding the effect of ACCEPT in mangle.
>>> It does not override nor bypass the filter table. It merely
>>> means, "we are done mangling this packet."
>>
>> ACCEPT in mangle differs from ACCEPT in filter?
>
> Strictly speaking, no, ACCEPT is ACCEPT. Look at no more rules,
> disregard the chain's policy, pass Go, collect $200.
>
>> Where is that documented?
>> So you have to ACCEPT it twice? In mangle and in filter table?
>
> And raw, and nat ... the packet hits all relevant chains/tables. Any
> of these could change a packet's fate. However, IIUC support for the
> DROP target in nat and mangle has been removed.
>
I see. Well thank you! 'Mart' really had some misunderstanding about the
ACCEPT effect.
Guess I've always thought about it as the 'opposite' of DROP.
The man page isn't very clear there.
'ACCEPT means to let the packet through.'
would need at least a 'the table' at the end of the sentence.
>>> The MARK target is one of those sneaky non-terminating targets.
>>> A mark is applied, and the packet continues in that particular
>>> chain. Further -j MARK rules could be applied. The ACCEPT rule
>>> prevents this.
>>
>> Don't we use the RETURN target for that? But yes, that implies a
>> problem, if you RETURN from a user-defined chain.
>
> RETURN in a built-in means "go to the policy." In a user chain it
> means "go to the next rule in the calling chain". As you point out,
> there could be issues with that as the example. ACCEPT works. The
> only minor nitpick I can think of is that the example used -A,
> whereas -I would have covered more cases of crazy mangle rulesets.
>
> But, -I would fall into the "bad manners" category you were asking
> about originally. :) If someone has crazy mangle rules, let's hope
> they understand those rules, because if they don't, they'll have
> other problems beyond getting their squid working. :)
Best regards
Mart