IPNAT / Transparent proxy loops...
Post 30309 by indo1144 on Sunday 20th of October 2002 11:43:02 AM

Hi!

My situation:

I have an OpenBSD firewall/proxy (192.168.0.1), running IPF/IPNAT w/ Squid as transparent proxy. This machine is configured to be gateway to the network.

This works great, all the clients WWW-requests on the internal network are rerouted to the proxyport by this IPNAT-rule:

rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128

However, I would like to use another machine as a transparent proxy and have run into some problems... The new machine runs Solaris 8 i386 (192.168.0.2) and I have successfully compiled and configured Squid. I use the same config I used with the "firewall-squid-version".
After changing the IPNAT-rule to:

rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.2 port 3128

It won't work... I can see a message: Website found, waiting for reply, but figure this is only because DNS-lookup of the website was successful. DNS-lookups are punched through the firewall and happen independently from the squid-proxy.

What I figure happened is this:

- A client wants to connect to the internet.
- Request travels to 192.168.0.1 port 80
- Request is redirected to squid on 192.168.0.2 port 3128
- Squid on 192.168.0.2 wants to connect to the internet.
- Squid on 192.168.0.2 connects to 192.168.0.1 port 80
- Squid-request is redirected to squid on 192.168.0.2 port 3128 instead of to internet (because of IPNAT-rule stated above)
- And it continues to loop...

How can I change my IPNAT-rules so that all clients are redirected to 192.168.0.2 port 3128 _AND_ 192.168.0.2 itself is allowed direct access to the internet?
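The loop described above, modelled as an added illustration (not ipnat code and not part of the original post): rdr rules are evaluated first-match, so a rule that exempts traffic from 192.168.0.2 must sit before the catch-all redirect. The client address 192.168.0.50 and the "internet" sentinel are constructed for the demo; the real exemption still has to be written in the ipnat dialect of the firewall's IPFilter version.

```python
"""Toy first-match model of the IPNAT rdr chain from the post.

It reproduces the proxy loop (squid's own outbound port-80 connection
is redirected back to squid) and shows that an exemption rule for the
proxy host, placed before the catch-all rdr, lets squid reach the
internet directly.  Added example, not ipnat syntax; all values below
are constructed from the addresses given in the post.
"""
from ipaddress import ip_address, ip_network

FIREWALL = "192.168.0.1"   # OpenBSD gateway running ipf/ipnat
PROXY = "192.168.0.2"      # Solaris 8 box running squid on 3128
CLIENT = "192.168.0.50"    # constructed sample LAN client
MAX_HOPS = 5               # safety bound for the trace


def rdr_rules(exempt_proxy: bool):
    """Build the first-match rdr list. A 'to' of None means 'leave as-is'."""
    rules = []
    if exempt_proxy:
        # Exemption for the proxy host, must precede the catch-all.
        rules.append({"src": ip_network(PROXY + "/32"), "dport": 80, "to": None})
    # Equivalent of: rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.2 port 3128
    rules.append({"src": ip_network("0.0.0.0/0"), "dport": 80, "to": (PROXY, 3128)})
    return rules


def apply_rdr(rules, src, dport):
    """Return the (host, port) a port-80 flow from src is delivered to."""
    for r in rules:
        if ip_address(src) in r["src"] and dport == r["dport"]:
            return ("internet", dport) if r["to"] is None else r["to"]
    return ("internet", dport)


def trace(rules, src):
    """Follow one web request hop by hop until it leaves the LAN or loops."""
    path = []
    cur_src, dport = src, 80
    for _ in range(MAX_HOPS):
        dest = apply_rdr(rules, cur_src, dport)
        if dest in path:
            return path, "loop"       # squid redirected back to itself
        path.append(dest)
        if dest[0] == "internet":
            return path, "ok"
        # squid accepted on 3128 and now opens its own port-80 connection
        cur_src, dport = dest[0], 80
    return path, "loop"
```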
 
