10-20-2002
IPNAT / Transparent proxy loops...
Hi!
My situation:
I have an OpenBSD firewall/proxy (192.168.0.1), running IPF/IPNAT w/ Squid as transparent proxy. This machine is configured to be gateway to the network.
This works great, all the clients WWW-requests on the internal network are rerouted to the proxyport by this IPNAT-rule:
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128
However, I would like to use another machine as a transparent proxy and have run into some problems... The new machine runs Solaris 8 i386 (192.168.0.2) and I have succesfully compiled and configured Squid. I use the same config I used with the "firewall-squid-version".
After changing the IPNAT-rule to:
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.0.2 port 3128
It won't work... I can see a message: Website found, waiting for reply, but figure this is only because DNS-lookup of the website was succesfull. DNS-lookups are punched through the firewall and happen independently from the squid-proxy.
What I figure happened is this:
- A client wants to connect to the internet.
- Request travels to 192.168.0.1 port 80
- Request is redirected to squid on 192.168.0.2 port 3128
- Squid on 192.168.0.2 wants to connect to the internet.
- Squid on 192.168.0.2 connects to 192.168.0.1 port 80
- Squid-request is redirected to squid on 192.168.0.2 port 3128 instead of to internet (because of IPNAT-rule stated above)
- And it continues to loop...
How can I change my IPNAT-rules so that all clients are redirected to 192.168.0.2 port 3128 _AND_ 192.168.0.2 itself is allowed direct access to the internet?
9 More Discussions You Might Find Interesting
1. IP Networking
Hello People,
Please can someone help me with destination IP address NAT and Port transalation using ipnat in Solaris 8.
Scenario: Box A(192.168.100.1/24) and Box B (192.168.100.50/24) are connected phyically and logically(vlan) on the same network switch.
Box A hosts an... (0 Replies)
Discussion started by: mandarawachat
0 Replies
2. IP Networking
hi guys!
We are setting up Squid Server. we want the server to be transparent. But I don't know how will i be able to set the network up. is it possible to set the squid server in the same LAN with the Squid Client and still functions as a transparent server? if so, can anybody help me do it?
... (1 Reply)
Discussion started by: init6_
1 Replies
3. IP Networking
Hi,
I am involved in a project on Debian. One of my requirement is to route an IP packet in my application to a proxy server and receive the reply from the proxy server as an IP packet. My application handles data at the IP frame level. My application creates an IP packet(with all the necessary... (0 Replies)
Discussion started by: Rajesh_BK
0 Replies
4. Shell Programming and Scripting
I want to config Transparent Proxy using Shell Script.
I have more questions<exercise of me :D>:
+ Check that the squid is installed or not install and version is installed
+Allows users to choose to run a transparent proxy or not
+Perform configuration and turn on service in accordance... (0 Replies)
Discussion started by: kaka287
0 Replies
5. Linux
I need to figure out how to exclude RDP from mapping, i am mapping as follows
map le0 10.1.0.0/24 -> 10.1.0.10/32
however i need to exclude rdp so i can still rdp to machines on the 10.1.0.0/24 network..
Can somebody please advise how i could do this ? (0 Replies)
Discussion started by: boxalld
0 Replies
6. UNIX for Advanced & Expert Users
I've been going crazy trying to get this working. Here's the situation: we have a Solaris 10 box that connects an internal network to an external network. We're using ipf/ipnat on it. We've added a couple of new boxes to the internal network (192.168.1.100, .101) and want to be able to get to port... (1 Reply)
Discussion started by: spakov
1 Replies
7. IP Networking
All traffic on the LAN is routed through a single machine and filtered using iptables. I'd like to redirect this traffic to a transparent proxy running on the same machine that will rewrite the URL if it matches a specified regex, in which case the user will be redirected to a local server. In... (0 Replies)
Discussion started by: crottyan
0 Replies
8. IP Networking
I need to configure a proxy on my local machine to use an upstream proxy (installed on another machine). The upstream proxy requires Digest/NTLM authorization. I want the local proxy to deal with the upstream proxy's authorization details and provides authorization free access to users that connect... (0 Replies)
Discussion started by: Russel
0 Replies
9. UNIX for Advanced & Expert Users
Hello,
We are migrating our gateways from CentOS 6 to CentOS 7 and for setting up a transparent proxy using squid and Firewalld i am using below configuration.
#Firewalld configurations
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=LAN_IP... (4 Replies)
Discussion started by: sunnysthakur
4 Replies
LEARN ABOUT DEBIAN
lire::firewall::ipfilterdlfconverter
IpfilterDlfConverter(3pm) LogReport's Lire Documentation IpfilterDlfConverter(3pm)
NAME
Lire::Firewall::IpfilterDlfConverter - convert ipf (ipmon) logs to firewall DLF
DESCRIPTION
Lire::Firewall::IpfilterDlfConverter converts Ipfilter logs into firewall DLF format. Input for this converter is the standard ipf syslog
log file as produced by ipmon. IP Filter is shipped with FreeBSD, OpenBSD (up to 2.9) and some other OS's.
EXAMPLE
A ipfilter logfile which looks like
Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962 ie0 @0:9
b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:40:24 rolle ipmon[16747]: 07:40:23.631307 ep1 @0:6
b 192.168.26.5,113 -> 192.168.26.1,3717 PR tcp len 20 40 -AR OUT
Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962 ie0 @0:9
b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:44:11 rolle ipmon[16747]: 07:44:10.605416 2x ep1 @0:15
b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257 IN
Oct 30 07:44:34 rolle ipmon[16747]: 07:44:33.891869 ie0 @0:10
b 192.168.48.1,23406 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:49:13 rolle ipmon[16747]: 07:49:12.554420 ep1 @0:15
b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for
192.168.26.5,61915 - 210.132.100.117,53 PR udp len 20 23040 IN
Oct 30 07:50:23 rolle ipmon[16747]: 07:50:22.908107 ep1 @0:15
b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for
192.168.26.5,4480 - 210.132.100.117,53 PR udp len 20 19712 IN
Oct 30 07:56:11 rolle ipmon[16747]: 07:56:11.113029 2x ep1 @0:15
b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257 IN
(that's: .... 'PR' protocol 'len' length_of_ip_headers_saved packetlength direction) will get converted to something like
994398737 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL
224.0.0.2 - 56
994398861 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL
224.0.0.1 - 56
994398862 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL
224.0.0.2 - 56
994406849 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL
192.168.26.255 137 116
994406850 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL
192.168.26.255 137 116
994406866 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL
192.168.26.255 137 98
SEE ALSO
ipl(4) for description of log structure.
The ipmon.c source (e.g. on
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/
src/usr.sbin/ipmon/Attic/ipmon.c?rev=1.27&
content-type=text/plain&hideattic=0
) for the specification of the log syntax.
The IP Filter webpage on http://coombs.anu.edu.au/~avalon/ip-filter.html
AUTHOR
Joost van Baal <joostvb@logreport.org>, Wessel Dankers <wsl@logreport.org>
VERSION
$Id: IpfilterDlfConverter.pm,v 1.7 2009/03/15 08:10:55 vanbaal Exp $
COPYRIGHT
Copyright (C) 2001-2003 Stichting LogReport Foundation LogReport@LogReport.org
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with
http://www.gnu.org/copyleft/gpl.html.
Lire 2.1.1 2009-03-15 IpfilterDlfConverter(3pm)