Direct transparent proxy traffic to a peer?


    Is it possible to direct all the http traffic with the transparent proxy to another proxy? I need this scenario to test something (I’m a QA analyst). I’d like to do it with the Zeroshell itself. Otherwise I have to allocate another box for squid, which I do not want to do if I can help it.


    Actually you can do it with DNAT on PREROUTING chain of IPTABLES.


    I tried adding this, but it does not work:

    -A PREROUTING -p tcp -m iprange --src-range -m tcp --dport 80 -j DNAT --to-destination :

    I omitted the IP and port of my destination above for privacy reasons (it’s a public IP).

    I tried logging for my rules and I see this (in dmesg):

    LINE0 IN=ETH00 OUT= MAC=00:50:56:a8:44:23:00:50:56:a8:4a:19:08:00 SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29854 DF PROTO=TCP SPT=3319 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

    I see traffic on both interfaces of my Zeroshell box:


    21:40:26.540653 > S 2323931432:2323931432(0) win 64240 (DF)
    21:40:26.546233 arp who-has tell
    21:40:26.546448 arp reply is-at 0:50:56:a8:4a:19
    21:40:26.546456 > S 1489832951:1489832951(0) ack 2323931433 win 65535 (DF)
    21:40:26.546662 > . ack 1 win 64240 (DF)
    21:40:26.547071 > P 1:346(345) ack 1 win 64240 (DF)
    21:40:26.547780 > . ack 346 win 65535 (DF)
    21:40:26.713389 > . 1:1461(1460) ack 346 win 65535 (DF)
    21:40:26.713491 > P 1461:1513(52) ack 346 win 65535 (DF)
    21:40:26.713533 > P 1513:2646(1133) ack 346 win 65535 (DF)
    21:40:26.713553 > P 2646:2651(5) ack 346 win 65535 (DF)
    21:40:26.713651 > . ack 2646 win 64240 (DF)
    21:40:26.890460 > . ack 2651 win 64235 (DF)

    21:41:12.184460 > P 2323931778:2323932123(345) ack 1489835602 win 64235 (DF)
    21:41:12.185375 > . ack 345 win 65535 (DF)
    21:41:12.354599 > . 1:1461(1460) ack 345 win 65535 (DF)
    21:41:12.354727 > P 1461:1513(52) ack 345 win 65535 (DF)
    21:41:12.354777 > P 1513:2646(1133) ack 345 win 65535 (DF)
    21:41:12.354807 > P 2646:2651(5) ack 345 win 65535 (DF)
    21:41:12.354950 > . ack 1513 win 64240 (DF)
    21:41:12.355001 > . ack 2651 win 63102 (DF)

    The destination is on our network. So obviously it’s not redirecting. And no page loads. Am I missing something? Do I need to add something to POSTROUTING? I also see these:

    -A PREROUTING -p tcp -m tcp --dport 80 -j Proxy
    -A Proxy -s -i ETH00 -p tcp -j ACCEPT
    -A Proxy -s -i ETH00 -p tcp -j ACCEPT
    -A Proxy -s -i ETH00 -p tcp -j REDIRECT --to-ports 8080

    I’m not sure where the rule to redirect to 8080 comes from. Possibly someone else at my work added it. I tried disabling it, but it made no difference. Any more help would be greatly appreciated!!


    I changed things around a bit (and disabled Zeroshell’s built-in transparent proxy, which removed this line: -A PREROUTING -p tcp -m tcp --dport 80 -j Proxy) and got a slightly better scenario. So now my rules look like:

    -A PREROUTING -i ETH00 -p tcp -m tcp --dport 80 -j DNAT --to-destination
    -A PREROUTING -i ETH01 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

    And I get traffic to the upstream proxy:

    17:14:50.952063 > .3128: R 187842165:187842165(0) ack 2449923915 win 0 (DF)
    17:14:52.364742 > .3128: S 1325328404:1325328404(0) win 64240 (DF)
    17:14:52.366500 .3128 > S 3955775135:3955775135(0) ack 1325328405 win 65535 (DF)
    17:14:52.366713 > .3128: . ack 1 win 64240 (DF)
    17:14:52.367808 > .3128: P 1:696(695) ack 1 win 64240 (DF)
    17:14:52.368737 .3128 > . ack 696 win 65535 (DF)

    Note that once again I removed the actual IP and replaced it with “IP”, since this is a public IP. Anyway, the problem now is that the request shows up in my upstream proxy logs as http://:3128/morestuff. So you can see for some reason it’s inserting the :3128 into the forwarding request. Note that this upstream proxy forwards to yet another upstream proxy.

    At least that’s how it’s forwarding the request. When I look at packet captures from this upstream proxy I notice that when I’m not using transparent proxy for my Zeroshell, and point my browser directly to the upstream proxy, then it will send a correct absolute URI: http:///morestuff. But when I transparently proxy, with no proxy set in the browser, then I see an absolute path sent: /morestuff

    I’m not sure if this plays a part in the problem. I’m pretty sure that when you specify a proxy in your browser, it then sends requests in absolute URI instead of absolute path. But it may be unrelated to the problem with the :3128 being stuck into my request. Any ideas?
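
The two request forms described in the post above, as an added example that is not part of the original thread: an intercepted client sends only a path, so whatever receives the DNAT'ed connection has nothing but the Host header to rebuild the full URL from. The function name, the sample requests and the host name www.example.test are constructed for illustration.

```python
# Added example: turn an intercepted (origin-form) HTTP request head into
# the absolute-form request an explicitly configured proxy would receive.
import re

# Accept a hostname or IPv4 address with an optional port.
# (IPv6 literals are left out to keep the example short.)
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def to_absolute_form(head: bytes, scheme: str = "http") -> bytes:
    """Return `head` with its request target rewritten to an absolute URI."""
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None

    # Already what a browser sends to a configured proxy, or a tunnel request.
    if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
        return head
    if not target.startswith("/"):
        raise ValueError("only origin-form targets are rewritten")

    # Collect Host headers up to the blank line that ends the head.
    hosts = []
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep and name.lower() == "host":
            hosts.append(value.strip())

    # Zero or several Host headers make the destination ambiguous: refuse.
    if len(hosts) != 1 or not _HOST_RE.match(hosts[0]):
        raise ValueError("need exactly one well-formed Host header")

    lines[0] = f"{method} {scheme}://{hosts[0]}{target} {version}"
    return "\r\n".join(lines).encode("iso-8859-1")


if __name__ == "__main__":
    # Constructed sample: what arrives when no proxy is set in the browser.
    intercepted = (b"GET /morestuff HTTP/1.1\r\n"
                   b"Host: www.example.test\r\nUser-Agent: qa\r\n\r\n")
    print(to_absolute_form(intercepted).decode("iso-8859-1"))
```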


    First of all disable the internal ZS transparent proxy. Then read the manual on DNAT ( ). They have some examples on redirecting the destination. The REDIRECT command is used only for redirecting packets to the ZS itself.


    I don’t think it is possible even if you do some tinkering around…


    @braan wrote:

    I don’t think it is possible even if you do some tinkering around…

    I agree with you. At least, disabling the internal ZS transparent proxy doesn’t make any deal.
