[squid-users] Transparent proxy questions.

From: Chris Oxenreider <oxenreid@dont-contact.us>
Date: Sat, 12 Oct 2002 20:27:28 -0500 (CDT)

Hi,

I am trying to figure out how to do transparent proxying. I have managed
to get all of the Squid/SquidGuard/Apache items working.

   [Figure 1: ASCII topology diagram, mangled in the archive. Net1, Net2
   and Net3 connect to Router1; Router1 links through a NON Linux Fire
   Wall to Router2 (--->???) and Router3 (---> Internet); the Proxy is
   attached to the Router1/Fire Wall link by a dotted line.]

                            Figure 1

I have managed to get everything working on my Proxy box, and it works
fine in my test network if I set my client hosts to use the Proxy host as
the gateway device (not quite transparent).

What I would like to do is to protect web traffic for networks 1, 2, and
3 only. All other protocols should be untouched, by placing the Proxy
host as seen in figure 1. From here I get a little confused.

In my mind, to make the transparent proxy functional I need to tell web
packets to go to the Proxy. But how?

1) Router based policy redirects (output extended-access-lists?).
    (This is monstrously hard on the router cpu, and very slow.)

2) Use a layer 4 switch to forward all port 80 packets to the proxy.

3) Have the firewall only accept port 80 packets from the proxy and
    somehow use promiscuous mode on the proxy to listen only for port
    80 connections, grab them and forward them.

4) Set Router1 to have a default route of the ip address of the
    Proxy and set the Proxy to have a default route of the firewall.
    With a secondary route marked as very expensive of the firewall
    itself so that if the Proxy goes down eventually packets will get out.

5) Insert a second network card in the proxy and turn it into a
    bridge as seen in Figure 2 and set up the firewall rules accordingly.
    Though I have not seen anything on the list so far that looks like a
    'how-to' for this.

   [Figure 2: ASCII topology diagram, mangled in the archive. Same
   topology as Figure 1, but the Proxy now sits inline between Router1
   (on eth1) and the NON Linux Fire Wall (on eth0), bridging the two.]

                            Figure 2

From my observation, the use of a layer 4 switch seems to be the most
flexible and fault tolerant, though not the least expensive.

I would like to see a 'how-to' on the bridge technique, but that needs
to be sure that it's bi-directional and that an ip address for a host on
network 1 retains its unique ip address on the other side of the proxy
for protocols other than port 80.

The intriguing one is the use of 'default route' in number 4. Almost
like a layer 4 switch, but not quite as expensive.

Am I barking up the wrong tree? Is this the complicated part? Am I
making it more complicated than it needs to be? Comments? Suggestions?

My /etc/rc.d/fw.local script looks like this:

# Intercept port 80 arriving on eth0 and hand it to Squid on port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
--to-port 3128
# Forwarding on, plus kernel hardening/tuning knobs
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Christopher G. Oxenreider | http://www.state.net/~oxenreid
oxenreid@state.net        | "You only get what you give"  -- New Radicals
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
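An added example, not from the post or from the Squid project: a small Python checker that parses an fw.local script like the one above (joining the backslash-continued iptables line), reports sysctl values that differ from an assumed hardening baseline, and flags REDIRECT rules that are broader than "port 80 on one interface" or not pointed at Squid's port 3128. The BASELINE values and the FW_LOCAL excerpt are constructed assumptions for the audit.

```python
import re, shlex

# Constructed excerpt of the fw.local script quoted in the post (sample input).
FW_LOCAL = """\
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \\
--to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/tcp_sack
"""

# Assumed hardening baseline for this audit (not taken from the post).
BASELINE = {
    "net.ipv4.ip_forward": "1",             # box must forward to intercept
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_timestamps": "1",         # 0 disables PAWS; unusual choice
    "net.ipv4.tcp_sack": "1",               # 0 costs throughput, buys little
}
SQUID_PORT = "3128"  # http_port Squid listens on, as in the post

def parse_script(text):
    """Return (sysctls as dotted keys -> value, list of REDIRECT option dicts)."""
    joined = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    sysctls, redirects = {}, []
    for line in joined.splitlines():
        m = re.match(r"echo\s+(\S+)\s*>\s*/proc/sys/(\S+)", line)
        if m:
            sysctls[m.group(2).replace("/", ".")] = m.group(1)
            continue
        if line.startswith("iptables") and "-j REDIRECT" in line:
            argv = shlex.split(line)
            opts = {a: argv[i + 1] for i, a in enumerate(argv[:-1]) if a.startswith("-")}
            redirects.append(opts)
    return sysctls, redirects

def audit(text):
    """List baseline mismatches and interception rules that are too broad
    (no input interface or destination port) or not aimed at Squid."""
    sysctls, redirects = parse_script(text)
    findings = [f"{k}={sysctls.get(k, 'unset')} (baseline {v})"
                for k, v in BASELINE.items() if sysctls.get(k) != v]
    for r in redirects:
        if "-i" not in r or "--dport" not in r:
            findings.append("REDIRECT rule lacks -i/--dport: intercepts too much")
        if r.get("--to-port") != SQUID_PORT:
            findings.append(f"REDIRECT to {r.get('--to-port')} is not Squid's {SQUID_PORT}")
    return findings
```

Running audit(FW_LOCAL) on the excerpt flags only tcp_timestamps and tcp_sack; a rule without -i or --dport would be reported as intercepting too much.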
Received on Sat Oct 12 2002 - 19:27:26 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:40 MST