Discussion:
IPFilter and transparent proxy redirection confusion
Urban Boquist
2007-07-11 15:33:18 UTC
Hi all, I would greatly appreciate some help with my ipfilter rules...

I have been running Squid as a transparent proxy on my NetBSD firewall
machine for a really long time with zero problems. I only needed:

rdr fxp1 0/0 port 80 -> 127.0.0.1 port 3128 tcp

Now I'm trying to move Squid to a different machine, but get totally confused:

              | fxp0 = a.b.c.d/32
          ____|_____
         |          |
         |    GW    |--- lo0
         |__________|
              | fxp1 = 192.168.1.1
              |                     ______________
              |--------------------|              |
              |  ex0 = 192.168.1.5 |  Squid:3128  |
              |                    |______________|
              |
         clients: 192.168.1.0/24

First attempt to just redirect on GW like before:

rdr fxp1 0/0 port 80 -> 192.168.1.5 port 3128 tcp

seems to work somewhat initially, I see a SYN being redirected at GW
to 192.168.1.5, and a SYN-ACK sent back to the original client, but
then it responds with a RST. I assume it gets confused because the
reply comes from a different ip?

So do I need to rewrite source address too at the GW?

And then it seems that I need some exception for the Squid machine
itself, to avoid its port 80 requests being redirected to itself?

Any hint would be appreciated, I can find millions of pages with
Google that explain how to do this when Squid is running on
127.0.0.1, but none that explain when it is not... :-(

Best regards,

-- Urban

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Matthias Scheler
2007-07-12 12:29:49 UTC
Urban Boquist wrote:
> rdr fxp1 0/0 port 80 -> 192.168.1.5 port 3128 tcp
> seems to work somewhat initially, I see a SYN being redirected at GW
> to 192.168.1.5, and a SYN-ACK sent back to the original client, but
> then it responds with a RST. I assume it gets confused because the
> reply comes from a different ip?

That's correct. The SYN-ACK is sent to the client directly and
therefore not corrected via NAT by the gateway.
Urban Boquist wrote:
> So do I need to rewrite source address too at the GW?

Yes, but I'm not sure whether IPFilter supports this with your current
network setup.
Urban Boquist wrote:
> And then it seems that I need some exception for the Squid machine
> itself, to avoid its port 80 requests being redirected to itself?

That's another problem.
Urban Boquist wrote:
> Any hint would be appreciated, I can find millions of pages with
> Google that explain how to do this when Squid is running on
> 127.0.0.1, but none that explain when it is not... :-(

The best idea I can think of is to put another network card in the
gateway which is used to talk to the proxy server.

Internet <--fxp0---> gateway <--fxp1--> clients
                        ^
                        |
                      fxp2
                        |
                        v
                      proxy

This would make sure that all packets from the proxy to a client have
to go through NAT on the gateway. And the proxy server wouldn't be
affected by the redirect rule on "fxp1" anymore.

Kind regards
--
Matthias Scheler http://zhadum.org.uk/
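The two failure modes discussed in this thread (the SYN-ACK bypassing the gateway, and the proxy's own port-80 traffic matching the rdr rule), modelled as an added Python example that is not part of the thread. The Gateway class is a deliberately minimal stand-in for IPFilter's stateful rdr; hosts, ports and addresses are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Gateway:
    """Minimal model of 'rdr <iface> 0/0 port 80 -> PROXY port 3128 tcp'."""
    def __init__(self, rdr_iface, proxy, proxy_port=3128, match_port=80):
        self.rdr_iface, self.proxy = rdr_iface, proxy
        self.proxy_port, self.match_port = proxy_port, match_port
        self.state = {}  # (client, sport) -> (server, port) the client asked for

    def forward(self, p, iface):
        # Packet arriving on the rdr interface with dport 80: send it to the proxy.
        if iface == self.rdr_iface and p.dport == self.match_port:
            self.state.setdefault((p.src, p.sport), (p.dst, p.dport))
            return replace(p, dst=self.proxy, dport=self.proxy_port)
        # Reply from the proxy for a tracked flow: restore the original server address.
        orig = self.state.get((p.dst, p.dport))
        if orig and (p.src, p.sport) == (self.proxy, self.proxy_port):
            return replace(p, src=orig[0], sport=orig[1])
        return p

def client_handshake(proxy_on_client_segment):
    """Return 'ESTABLISHED' or 'RST' for the client's SYN / SYN-ACK exchange."""
    gw = Gateway("fxp1", "192.168.1.5")
    syn = Pkt("192.168.1.77", 40001, "203.0.113.10", 80)  # constructed client + server
    at_proxy = gw.forward(syn, "fxp1")          # rdr rewrites dst to proxy:3128
    synack = Pkt(at_proxy.dst, at_proxy.dport, syn.src, syn.sport)
    if proxy_on_client_segment:
        seen = synack                           # same segment: reply never crosses GW
    else:
        seen = gw.forward(synack, "fxp2")       # proxy behind fxp2: GW un-NATs reply
    # The client only accepts a SYN-ACK whose source is the server it actually dialled.
    return "ESTABLISHED" if (seen.src, seen.sport) == (syn.dst, syn.dport) else "RST"

def proxy_own_fetch_redirected(proxy_iface):
    """True if the proxy's own outbound port-80 request is looped back to itself."""
    gw = Gateway("fxp1", "192.168.1.5")
    # Proxy address kept the same in both layouts for simplicity (constructed).
    p = Pkt("192.168.1.5", 50002, "203.0.113.10", 80)
    return gw.forward(p, proxy_iface).dst == "192.168.1.5"
```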
