Redirecting request to port 443 to directly access the internet

Elijah · 05-19-2006, 04:03 AM

Hi,

It seems that implementing transparent squid proxy will cause https & ssl to not work well on browsers ...

I'd like to be able to redirect all other requests like https/ssl(port 443) or email client's ports to directly access the internet instead of going through our proxy server.

Here's a little diagram of our network:
http://static.flickr.com/49/149174815_48fa51f1a3_o.png

What I did so far is:
1. Block out all connection request from our router settings except for our proxy server (adminserver ) only, this will force our users to use the proxy settings for their other applications.
2. Set all client's pc's to use the gateway 'adminserver'.
3. Setup transparent proxy for squid. For http requests.

Everything else is working fine so far, except that opening up ssl-enabled sites (mail.yahoo.com) creates a timeout error and email clients seems to not work even with proxy settings enabled.

What I need is some sort of iptable rule to grab all port 443 connections and make it connect directly to the internet ... I used webmin to formulate a rule but that didn't work (I have little knowledge of iptables as of the moment) ... so I thought of asking for help here, anyone?

Here's my current rule:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.100.3

gundam00 · 05-19-2006, 04:28 AM

If you block all access from your router, except for proxy server, and all your PCs are set up to use your proxy server you don't need any transparent proxy: the proxy server is able to manage https requests.

Using transparent proxy to redirect https trafic is not the right thing: https direct requests are quite different from https proxy requests.

Elijah · 05-19-2006, 04:42 AM

The reason for it is that there are quite a few pc's to setup proxy settings for. I didn't want to bother our users as often ;-)

Quote:

Using transparent proxy to redirect https trafic is not the right thing: https direct requests are quite different from https proxy requests.

I actually don't plan to proxy any https request, just forward it to a direct connection instead... only http will be proxy-ed, will that be a problem?

gundam00 · 05-19-2006, 04:45 AM

It won't be a problem:
- remove the DNAT rule for https protocol
- open ports on your router

Elijah · 05-19-2006, 05:00 AM

Ok, removed dnat:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT

Didn't work :-( , edit: we only have a dsl router so I guess all ports are open ...

gundam00 · 05-19-2006, 05:07 AM

Quote:

Originally Posted by Elijah

Ok, removed dnat:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT

This should be a FORWARD rule instead of a PREROUTING rule.

Elijah · 05-19-2006, 05:38 AM

Can't seem to get a connection...

Tried in all filter, mangle & nat tables

# https / ssl direct connection
-A FORWARD -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT

gundam00 · 05-19-2006, 08:16 AM

I was looking at your net diagram...

If your workstations use the router as default gateway, the forwarding rules of the Adminserver are useless for your LAN trafic... so the problem is in your router ACLs.

Elijah · 05-20-2006, 09:07 PM

hmm.. not really, our dhcp setup is currently pointing to squid server (adminserver) as the default gateway instead of the router. I can see that it's working because transparent proxying is working well =) except for https that is...

Elijah · 05-23-2006, 01:00 AM

Nevermind, solved it. Setted up a new iptable rule :

-A POSTROUTING -p tcp -m tcp --dport 443 -j SNAT --to 192.168.100.2

Thanks for the help though.