LinuxQuestions.org
Old 04-02-2003, 07:11 AM   #1
Ebierwiesmeer
LQ Newbie
 
Registered: Apr 2003
Distribution: RedHat 7.3
Posts: 5

Rep: Reputation: 0
Absolute transparent proxy


Hi there,

I want to set up a completely transparent proxy. Our network infrastructure looks like this:

xxx.xxx.64.1 Main router to other sites and internet
xxx.xxx.64.xxx Ethernet network
xxx.xxx.65.xxx Ethernet network
xxx.xxx.66.xxx Ethernet network
xxx.xxx.67.xxx Token-ring network.

All subnets are switched and routed by the 64.1 router.

Because the router is too weak for policy routing I want to insert the proxy between our switch and the router so every packet has to cross the proxy. Therefore I installed two NICs in the Linux box, one attached to the switch (eth0), the other one to the router (eth1).
Because the router is also used to route between the different subnets, I cannot use NAT.

Is there a way to get the Linux box to pass all traffic - without any change - from eth0 to eth1 and vice versa?
I tried ip_forwarding but it works only in conjunction with iptables and NAT.

Or does anyone have another idea how we can implement a transparent proxy in this kind of infrastructure?

Thanks for your comments.

Oliver
 
Old 04-02-2003, 12:50 PM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
I would like to try to help you but some information in your post is not clear to me:
1. what about the mask for xxx.xxx.64.xxx - it looks like it is 255.255.255.0 because later you've written about subnets
2. are the IP addresses public ones (?)
3. what is the structure of the LAN - to me it could look like
world -- router ----- subnet1
                    | | \------ subnet2
                    | \---------subnet3
                    \-----------subnet4
so the router is equipped with 5 eth cards (?) or maybe it is very simple like
world ---------router
                 |----- subnet1
                 |----- subnet2
                 |------subnet3
                 |------subnet4
4. please explain the statement 'Because the router is also used to route between the different subnets, I can not use NAT.'
Where can you not use NAT? At the router? Or maybe at the new Linux box you want to install?
And what do you need this NAT for?
5. anyway, it is possible to set up iptables with FORWARD chain rules but with an empty nat table - this is the case when the LAN consists of computers with public IP addresses.

BTW: what are you trying to set up such a proxy for? It will work like a switch.

Last edited by dorian33; 04-02-2003 at 12:55 PM.
 
Old 04-03-2003, 01:11 AM   #3
Ebierwiesmeer
LQ Newbie
 
Registered: Apr 2003
Distribution: RedHat 7.3
Posts: 5

Original Poster
Rep: Reputation: 0
Sorry, it looks like my posting is a little bit confusing. I will try to explain it in a more detailed way.

1. Netmask of the 64.x subnet is 255.255.254.0
Netmask of the 65.x subnet is also 255.255.254.0
Netmask of the 66.x subnet is 255.255.255.0
Netmask of the 67.x subnet (Token ring) is 255.255.255.0
2. The IP addresses in our network are private
3. The LAN structure looks like this:

world----router---switch--3 ethernet subnets (64.x/65.x/66.x)
|
|--- token-ring subnet (67.x)

So the router is equipped with 1 ethernet interface and 1 token ring interface.

4. I want to install the proxy between the switch and the router because all traffic has then to get through this machine. I searched on the internet for help and found out that I have to enable ip forwarding on the proxy and set the following firewall rule:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <IP address of eth1, the interface facing the router>

What I want to do is use this proxy between the switch and the router as a transparent proxy because our router is too weak for policy routing. I thought it is possible to let the proxy work as some kind of transparent component which all the internet traffic has to get through (that's why I want to install this machine right in front of our router). In this case, the proxy works just like a switch, gets all https-traffic and lets all the other traffic through.

Perhaps there is a much easier way to get a transparent proxy working on this kind of network structure but I haven't found any solution yet.

Oliver
 
Old 04-03-2003, 01:13 AM   #4
Ebierwiesmeer
LQ Newbie
 
Registered: Apr 2003
Distribution: RedHat 7.3
Posts: 5

Original Poster
Rep: Reputation: 0
The structure of our network is displayed a little bit wrong.

The token ring subnet is attached directly to the router, not to the "world" as it is shown in my drawing.
 
Old 04-03-2003, 02:39 PM   #5
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
But please explain in what way you want to decrease the traffic using the Linux box? All the packets to the 'world' sent from any subnet machine have to be NATed (IP addresses are private) at the router and go through the router, so in my opinion, independently of using the Linux box or not, the number of packets will not be reduced.
Am I wrong?
BTW: what is the router? (PC?) Why does it have only 2 eths? What about the 'world' connection? Does it not require an extra eth for the 'world' connection?
 
Old 04-04-2003, 01:05 AM   #6
Ebierwiesmeer
LQ Newbie
 
Registered: Apr 2003
Distribution: RedHat 7.3
Posts: 5

Original Poster
Rep: Reputation: 0
I don't want to decrease the traffic to the router. I want to install a transparent proxy to decrease web traffic which is normally sent via the router over a WAN to an internet access point in our company. That's why I don't want and don't need private addresses to be NATed, because this is done by the company's firewall at the internet access point.
Our router is a Cisco router equipped with an Ethernet and a token ring interface to connect to our LAN and a Frame Relay card to access the WAN on the other side.

As said, this idea is far away from a perfect solution but with that model of cisco router we have, there's no other way to get transparent proxying working. Please correct me if I'm wrong.
 
Old 04-04-2003, 02:21 AM   #7
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
I don't think there is any such thing as a transparent proxy; any proxy will only proxy for protocols that it understands, therefore by definition it is not transparent. Anyway, the only way that a proxy server will decrease web traffic is if it is a caching proxy server, which again by definition isn't transparent.

If I read this right, you want a proxy server in between the main network and the router to reduce the amount of web traffic crossing your WAN link.

If this is the case you need a caching proxy server attached to the LAN, anywhere is good, with a single Ethernet connection. Point all browsers at the proxy server and off you go.

I don't get the connection between policy routing and proxy server, these are two totally different things.
 
Old 04-04-2003, 02:53 AM   #8
Ebierwiesmeer
LQ Newbie
 
Registered: Apr 2003
Distribution: RedHat 7.3
Posts: 5

Original Poster
Rep: Reputation: 0
That's exactly what I don't want. I don't want to touch all 200 PCs to set the proxy manually and I don't even want to allow users to change proxy settings to get around the proxy. So I need a transparent proxy.
 
Old 04-04-2003, 10:48 AM   #9
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Well, finally you confirm my suspicions. You need an HTTP caching server, but in the place you pointed at: between the Cisco router & switch. It can be done. Maybe it does not solve the matter of the web traffic from the token ring subnet, but it allows you to control the web traffic from the rest of the subnets. Below are my suggestions (no way to check them out, so please treat this as an idea rather than a working solution).

I assume that you run an HTTP caching server like Squid on the Linux box on port 8080. Next try to direct all the HTTP traffic from subnets 64, 65, 66 to Squid with the following iptables rules:

# Enable forwarding between eth0 (switch side) and eth1 (router side)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Take control over forwarded packets only
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Redirect HTTP traffic to the local proxy working on port 8080 on the Linux box.
# REDIRECT is only valid in the nat table (PREROUTING/OUTPUT chains), not in
# FORWARD, and the first matching rule wins, so local destinations are excluded
# first; a chain of "! -d subnet" rules would redirect traffic to every other subnet.
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.64.0/255.255.254.0 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.65.0/255.255.254.0 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.66.0/255.255.255.0 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.67.0/255.255.255.0 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Allow forwarding of all the local traffic (redirected packets are delivered
# locally and pass INPUT, not FORWARD; with FORWARD DROP, non-HTTP traffic to
# the world is not forwarded unless an ACCEPT rule for it is added)
iptables -A FORWARD -d xxx.xxx.64.0/255.255.254.0 -j ACCEPT
iptables -A FORWARD -d xxx.xxx.65.0/255.255.254.0 -j ACCEPT
iptables -A FORWARD -d xxx.xxx.66.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -d xxx.xxx.67.0/255.255.255.0 -j ACCEPT

BTW: the lines with xxx.xxx.67.xxx are not required, but if you are able to set up the Linux box as the default gateway for the token ring subnet you will catch all the HTTP traffic.

Is it what you were looking for?
 
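Added example, not from any of the posts above: a small POSIX shell script that generates the nat PREROUTING ruleset described in the last post for the thread's topology, plus a pure-shell model of how that chain classifies a destination, so the rule ordering (local subnets excluded before the catch-all REDIRECT, because the first matching target in nat PREROUTING wins) can be checked without root or iptables. The interface eth0 (switch side) and port 8080 are taken from the thread; the 10.0.64.0/23, 10.0.66.0/24 and 10.0.67.0/24 prefixes are constructed stand-ins for the xxx.xxx.64-67 subnets with the masks Oliver gave (64.x and 65.x share one /23). Squid's own transparent-mode configuration is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): generate the nat PREROUTING rules that
# send non-local HTTP traffic arriving from the switch side to a local Squid.
# Assumptions: eth0 faces the switch and Squid listens on 8080 (both from the
# thread); the 10.0.x.x prefixes are constructed stand-ins for xxx.xxx.64-67.

LAN_IF="${LAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-8080}"
# Space-separated CIDRs. 64.x and 65.x share a /23 with the thread's masks.
LOCAL_NETS="${LOCAL_NETS:-10.0.64.0/23 10.0.66.0/24 10.0.67.0/24}"

# Print the rules in order. Order matters: nat PREROUTING stops at the first
# matching target, so local destinations must RETURN before the catch-all
# REDIRECT; a chain of "! -d subnetA" rules would redirect traffic to subnetB.
gen_rules() {
    for net in $LOCAL_NETS; do
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -j RETURN\n' "$LAN_IF" "$net"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$PROXY_PORT"
}

# Dotted-quad IPv4 address to integer (pure shell, no external tools).
ip2int() {
    echo "$1" | {
        IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    }
}

# in_cidr ADDR NET/PREFIX: exit 0 when ADDR lies inside NET/PREFIX.
in_cidr() {
    addr=$(ip2int "$1")
    netaddr=$(ip2int "${2%/*}")
    bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( netaddr & mask )) ]
}

# Model of what the generated ruleset does with a packet to DST:PORT, using
# the same first-match logic: local destination -> "pass" (RETURN), anything
# else on TCP/80 -> "redirect", everything else untouched -> "pass".
classify() {
    dst="$1"; port="$2"
    for net in $LOCAL_NETS; do
        if in_cidr "$dst" "$net"; then echo pass; return; fi
    done
    if [ "$port" = "80" ]; then echo redirect; else echo pass; fi
}

# Apply the rules only when explicitly asked (needs root and iptables);
# otherwise just print them for review.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run without arguments to print the rules for review; `sh transparent-proxy.sh --apply` pipes them into the kernel (root required). `classify` is only a model of the generated ruleset's first-match logic, not a call into netfilter, which is what makes the ordering testable on a machine without iptables.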
  

