www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices

Direct transparent proxy traffic to a peer?
roden



Joined: 10 Jun 2010
Posts: 3
Location: Toronto

Posted: Thu Jun 10, 2010 10:27 pm    Post subject: Direct transparent proxy traffic to a peer?

Is it possible to direct all the http traffic with the transparent proxy to another proxy? I need this scenario to test something (I'm a QA analyst). I'd like to do it with the Zeroshell itself. Otherwise I have to allocate another box for squid, which I do not want to do if I can help it.
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Thu Jun 10, 2010 10:45 pm

Actually you can do it with DNAT on PREROUTING chain of IPTABLES.
roden



Joined: 10 Jun 2010
Posts: 3
Location: Toronto

Posted: Fri Jun 11, 2010 9:58 pm

I tried adding this, but it does not work:

-A PREROUTING -p tcp -m iprange --src-range 192.168.200.20-192.168.200.22 -m tcp --dport 80 -j DNAT --to-destination <IP>:<port>

I omitted the IP and port of my destination above for privacy reasons (it's a public IP).

I tried logging for my rules and I see this (in dmesg):

LINE0 IN=ETH00 OUT= MAC=00:50:56:a8:44:23:00:50:56:a8:4a:19:08:00 SRC=192.168.200.20 DST=10.102.129.240 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29854 DF PROTO=TCP SPT=3319 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0


I see traffic on both interfaces of my Zeroshell box:

Internal:

21:40:26.540653 192.168.200.20.3368 > 10.102.129.240.80: S 2323931432:2323931432(0) win 64240 <mss> (DF)
21:40:26.546233 arp who-has 192.168.200.20 tell 192.168.200.2
21:40:26.546448 arp reply 192.168.200.20 is-at 0:50:56:a8:4a:19
21:40:26.546456 10.102.129.240.80 > 192.168.200.20.3368: S 1489832951:1489832951(0) ack 2323931433 win 65535 <mss> (DF)
21:40:26.546662 192.168.200.20.3368 > 10.102.129.240.80: . ack 1 win 64240 (DF)
21:40:26.547071 192.168.200.20.3368 > 10.102.129.240.80: P 1:346(345) ack 1 win 64240 (DF)
21:40:26.547780 10.102.129.240.80 > 192.168.200.20.3368: . ack 346 win 65535 (DF)
21:40:26.713389 10.102.129.240.80 > 192.168.200.20.3368: . 1:1461(1460) ack 346 win 65535 (DF)
21:40:26.713491 10.102.129.240.80 > 192.168.200.20.3368: P 1461:1513(52) ack 346 win 65535 (DF)
21:40:26.713533 10.102.129.240.80 > 192.168.200.20.3368: P 1513:2646(1133) ack 346 win 65535 (DF)
21:40:26.713553 10.102.129.240.80 > 192.168.200.20.3368: P 2646:2651(5) ack 346 win 65535 (DF)
21:40:26.713651 192.168.200.20.3368 > 10.102.129.240.80: . ack 2646 win 64240 (DF)
21:40:26.890460 192.168.200.20.3368 > 10.102.129.240.80: . ack 2651 win 64235 (DF)


External:
21:41:12.184460 192.168.200.20.3368 > 10.102.129.240.80: P 2323931778:2323932123(345) ack 1489835602 win 64235 (DF)
21:41:12.185375 10.102.129.240.80 > 192.168.200.20.3368: . ack 345 win 65535 (DF)
21:41:12.354599 10.102.129.240.80 > 192.168.200.20.3368: . 1:1461(1460) ack 345 win 65535 (DF)
21:41:12.354727 10.102.129.240.80 > 192.168.200.20.3368: P 1461:1513(52) ack 345 win 65535 (DF)
21:41:12.354777 10.102.129.240.80 > 192.168.200.20.3368: P 1513:2646(1133) ack 345 win 65535 (DF)
21:41:12.354807 10.102.129.240.80 > 192.168.200.20.3368: P 2646:2651(5) ack 345 win 65535 (DF)
21:41:12.354950 192.168.200.20.3368 > 10.102.129.240.80: . ack 1513 win 64240 (DF)
21:41:12.355001 192.168.200.20.3368 > 10.102.129.240.80: . ack 2651 win 63102 (DF)

The destination 10.102.129.240 is on our network. So obviously it's not redirecting. And no page loads. Am I missing something? Do I need to add something to POSTROUTING? I also see these:

-A PREROUTING -p tcp -m tcp --dport 80 -j Proxy
-A POSTROUTING -j SNATVS
-A POSTROUTING -o ETH01 -j MASQUERADE
-A Proxy -s 192.168.200.21/32 -i ETH00 -p tcp -j ACCEPT
-A Proxy -s 192.168.200.10/32 -i ETH00 -p tcp -j ACCEPT
-A Proxy -s 192.168.200.20/32 -i ETH00 -p tcp -j REDIRECT --to-ports 8080

I'm not sure where the rule to redirect to 8080 comes from. Possibly someone else at my work added it. I tried disabling it, but it made no difference. Any more help would be greatly appreciated!!
roden



Joined: 10 Jun 2010
Posts: 3
Location: Toronto

Posted: Sat Jun 12, 2010 6:49 pm

I changed things around a bit (and disabled Zeroshell's built-in transparent proxy, which removed this line: -A PREROUTING -p tcp -m tcp --dport 80 -j Proxy) and got a slightly better scenario. So now my rules look like:

-A PREROUTING -i ETH00 -p tcp -m tcp --dport 80 -j DNAT --to-destination 67.219.254.22:3128
-A PREROUTING -i ETH01 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

And I get traffic to the upstream proxy:

17:14:50.952063 10.102.132.38.3088 > <IP>.3128: R 187842165:187842165(0) ack 2449923915 win 0 (DF)
17:14:52.364742 10.102.132.38.3092 > <IP>.3128: S 1325328404:1325328404(0) win 64240 <mss> (DF)
17:14:52.366500 <IP>.3128 > 10.102.132.38.3092: S 3955775135:3955775135(0) ack 1325328405 win 65535 <mss> (DF)
17:14:52.366713 10.102.132.38.3092 > <IP>.3128: . ack 1 win 64240 (DF)
17:14:52.367808 10.102.132.38.3092 > <IP>.3128: P 1:696(695) ack 1 win 64240 (DF)
17:14:52.368737 <IP>.3128 > 10.102.132.38.3092: . ack 696 win 65535 (DF)


Note that once again I removed the actual IP and replaced it with "IP", since this is a public IP. Anyway, the problem now is that the request shows up in my upstream proxy logs as http://<domain>:3128/morestuff. So you can see for some reason it's inserting the :3128 into the forwarding request. Note that this upstream proxy forwards to yet another upstream proxy.

At least that's how it's forwarding the request. When I look at packet captures from this upstream proxy I notice that when I'm not using transparent proxy for my Zeroshell, and point my browser directly to the upstream proxy, then it will send a correct absolute URI: http://<domain>/morestuff. But when I transparently proxy, with no proxy set in the browser, then I see an absolute path sent: /morestuff

I'm not sure if this plays a part in the problem. I'm pretty sure that when you specify a proxy in your browser, it then sends requests in absolute URI instead of absolute path. But it may be unrelated to the problem with the :3128 being stuck into my request. Any ideas?
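The two request forms described in the post above (absolute URI when the browser is configured with a proxy, absolute path when traffic is intercepted with DNAT), as an added example that is not part of the original thread. It rebuilds the absolute URI from the Host header; the `arrival_port` mode models one assumed way a `:3128` could end up in the URL (the thread does not confirm the cause), and `parse_request`, `to_absolute_form` and `www.example.test` are hypothetical names.

```python
# Constructed sample requests; www.example.test is a placeholder host.
INTERCEPTED = (b"GET /morestuff HTTP/1.1\r\n"
               b"Host: www.example.test\r\n\r\n")    # no proxy set in the browser
CONFIGURED = (b"GET http://www.example.test/morestuff HTTP/1.1\r\n"
              b"Host: www.example.test\r\n\r\n")     # browser pointed at the proxy


def parse_request(raw):
    """Split a request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def to_absolute_form(raw, arrival_port=None):
    """Return the absolute URI a forward proxy needs for this request.

    arrival_port=None: the authority is taken from the Host header only.
    arrival_port=3128: assumed faulty rebuild that uses the port the
    DNAT'd connection landed on instead of the port the client asked for.
    Handles hostname / IPv4 authorities only (no IPv6 literals).
    """
    _method, target, _version, headers = parse_request(raw)
    if target.lower().startswith(("http://", "https://")):
        return target                     # already absolute-form
    if not target.startswith("/"):
        raise ValueError("unsupported request target: %r" % target)
    host = headers.get("host")
    if not host:
        # An intercepted request with no Host header cannot be rebuilt
        # without the original destination address.
        raise ValueError("origin-form request without Host header")
    if arrival_port is not None:
        host = "%s:%d" % (host.partition(":")[0], arrival_port)
    return "http://%s%s" % (host, target)


if __name__ == "__main__":
    print(to_absolute_form(INTERCEPTED))                     # Host header only
    print(to_absolute_form(INTERCEPTED, arrival_port=3128))  # assumed faulty rebuild
    print(to_absolute_form(CONFIGURED, arrival_port=3128))   # absolute-form untouched
```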
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Mon Jun 14, 2010 8:40 am

First of all disable the internal ZS transparent proxy. Then read the manual on DNAT ( http://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html ). They have some examples on redirecting the destination. The REDIRECT command is used only for redirecting packets to the ZS itself.
braan



Joined: 07 Sep 2010
Posts: 2

Posted: Sun Sep 12, 2010 2:31 pm

I don't think it is possible even if you do some tinkering around...
Hannek



Joined: 19 Oct 2011
Posts: 2

Posted: Thu Oct 20, 2011 9:01 am

braan wrote:
I don't think it is possible even if you do some tinkering around...

I agree with you. At least, disabling the internal ZS transparent proxy doesn't make any deal.